From ae6c0b279f0853c9f8e37cdea36d5a0f0e7dca93 Mon Sep 17 00:00:00 2001 
From: marche271 Date: Tue, 2 Apr 2024 16:02:58 +0200 Subject: [PATCH 1/5] Update tests about federation --- ...metadata-authorization_endpoint-value.json | 39 + ...on response AA-metadata-logo_uri-type.json | 39 + ...sponse AA-metadata-op_policy_uri-type.json | 39 + ...on response AA-metadata-op_policy_uri.json | 39 + ...on response AA-metadata-resource-type.json | 39 + .../input/mig-t/tests/single/AA/All_AA.json | 436 +- .../mig-t/tests/single/AA/All_AA_Passive.json | 436 +- .../mig-t/tests/single/ALL_Session1.json | 21176 +++++++++------- .../input/mig-t/tests/single/OP/All_OP.json | 8038 +++--- .../mig-t/tests/single/OP/All_OP_Passive.json | 2354 +- ...esponse_iss_parameter_supported-value.json | 39 + ...tion_response_iss_parameter_supported.json | 39 + ...data-claims_parameter_supported-value.json | 39 + ...e-metadata-claims_parameter_supported.json | 39 + ...on response-metadata-claims_supported.json | 39 + ...nt_registration_types_supported-value.json | 41 + ...a-client_registration_types_supported.json | 39 + ...ation response-metadata-logo_uri-type.json | 2 +- ...uthentication_methods_supported-value.json | 39 + ...uest_authentication_methods_supported.json | 39 + ...ng_alg_values_supported-not_supported.json | 44 + ...igning_alg_values_supported-supported.json | 42 + ...tication_signing_alg_values_supported.json | 39 + ...ata-request_parameter_supported-value.json | 39 + ...-metadata-request_parameter_supported.json | 39 + ...endpoint_auth_methods_supported-value.json | 41 + ...token_endpoint_auth_methods_supported.json | 39 + ...ng_alg_values_supported-not_supported.json | 44 + ...igning_alg_values_supported-supported.json | 42 + ...int_auth_signing_alg_values_supported.json | 39 + .../input/mig-t/tests/single/PASSIVE.json | 13456 +++++----- .../input/mig-t/tests/single/RP/All_RP.json | 2802 +- .../mig-t/tests/single/RP/All_RP_Passive.json | 2140 +- ...tion response-metadata-client_id-type.json | 2 +- ...ion response-metadata-client_id-value.json | 39 + 
...n response-metadata-grant_types-value.json | 39 + ...uration response-metadata-grant_types.json | 4 +- ...ation response-metadata-logo_uri-type.json | 2 +- ...response-metadata-redirect_uris-value.json | 39 + ...ation response-metadata-redirect_uris.json | 39 + ...ion response-metadata-signed_jwks_uri.json | 39 + .../input/mig-t/tests/single/SA/All_SA.json | 2552 +- .../mig-t/tests/single/SA/All_SA_Passive.json | 2552 +- ...on response SA-metadata-logo_uri-type.json | 39 + ... response SA OP-trust_mark-email-type.json | 46 + ...nt response SA OP-trust_mark-exp-type.json | 46 + ...nt response SA OP-trust_mark-iat-type.json | 46 + ... OP-trust_mark-organization_name-type.json | 46 + ...nt response SA OP-trust_mark-ref-type.json | 46 + ...nse SA OP-trust_mark-sa_profile-value.json | 46 + ... response SA OP-trust_mark-sa_profile.json | 46 + ... response SA RP-trust_mark-email-type.json | 46 + ...nt response SA RP-trust_mark-exp-type.json | 46 + ...atement response SA RP-trust_mark-iat.json | 10 +- ... RP-trust_mark-organization_name-type.json | 46 + ...nt response SA RP-trust_mark-ref-type.json | 46 + ...nse SA RP-trust_mark-sa_profile-value.json | 46 + ... response SA RP-trust_mark-sa_profile.json | 46 + .../input/mig-t/tests/single/TA/All_TA.json | 4436 ++-- .../mig-t/tests/single/TA/All_TA_Passive.json | 4450 ++-- ...on response TA-metadata-logo_uri-type.json | 39 + ... response TA OP-trust_mark-email-type.json | 46 + ...nt response TA OP-trust_mark-exp-type.json | 46 + ...nt response TA OP-trust_mark-iat-type.json | 46 + ...nt response TA OP-trust_mark-logo_uri.json | 17 +- ... OP-trust_mark-organization_name-type.json | 46 + ...nt response TA OP-trust_mark-ref-type.json | 46 + ... response TA RP-trust_mark-email-type.json | 46 + ...nt response TA RP-trust_mark-exp-type.json | 46 + ...nt response TA RP-trust_mark-iat-type.json | 46 + ...nt response TA RP-trust_mark-logo_uri.json | 17 +- ... 
RP-trust_mark-organization_name-type.json | 46 + ...nt response TA RP-trust_mark-ref-type.json | 46 + testplans/spid-cie-oidc/testplan.csv | 185 +- 74 files changed, 38680 insertions(+), 28674 deletions(-) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-authorization_endpoint-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-logo_uri-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-resource-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_parameter_supported-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_parameter_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration 
response-metadata-claims_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-client_registration_types_supported-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-client_registration_types_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_methods_supported-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_methods_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-not_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_parameter_supported-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_parameter_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration 
response-metadata-token_endpoint_auth_methods_supported-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-client_id-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-grant_types-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-redirect_uris-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-redirect_uris.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-signed_jwks_uri.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-metadata-logo_uri-type.json create mode 100644 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-email-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-exp-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iat-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_name-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ref-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-email-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-exp-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_name-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ref-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement 
response SA RP-trust_mark-sa_profile-value.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-logo_uri-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-email-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-exp-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iat-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_name-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ref-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-email-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-exp-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iat-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_name-type.json create mode 100644 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ref-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-authorization_endpoint-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-authorization_endpoint-value.json
new file mode 100644
index 0000000..a7eaef8
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-authorization_endpoint-value.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the AA metadata contain correct type authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
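Review bot: The test name says `correct type authorization_endpoint claim`, but the schema checks no type at all: `"const": "private"` pins the claim to a single literal value, which is what the description and the file's `-value` suffix describe. Rename it to match, e.g. `"name": "Does the AA metadata contain the expected authorization_endpoint value"`. If a type check was also intended, the sibling resource-type test's `"type": "string", "format": "uri", "pattern": "^https://"` is the shape to reuse; bear in mind that `format` alone is only an annotation in JSON Schema unless the validator is told to enforce it.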
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-logo_uri-type.json
new file mode 100644
index 0000000..2ddf72e
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-logo_uri-type.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the AA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri-type.json
new file mode 100644
index 0000000..dbf4358
--- /dev/null
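Review bot: The description says `the SA metadata in the TA Entity Configuration`, but the test name and the `"message type": "Entity Configuration response AA"` operation address the AA's own configuration, so the sentence looks copied from a TA test; change it to `"description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an HTTPS URL pointing to an .svg file"`. Also note that `"pattern":"^https://.*\\\\.svg$"` rejects an otherwise valid SVG URL that carries a query string or fragment after `.svg`; if that strictness is not intended, drop the `$` anchor or allow an optional `(\\?.*)?` before it.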
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri-type.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the AA metadata contain correct type op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri.json
new file mode 100644
index 0000000..d275c12
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri.json
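Review bot: The description says the `op_policy_uri` value is `"private"`, but the schema only requires `"type": "string","format": "uri"`; the sentence was evidently copied from the authorization_endpoint test and should follow the file name instead, e.g. `...the value of the op_policy_uri claim in the 'openid_provider' entity type is an HTTPS URL`. JSON Schema `format` is an annotation that validators enforce only when asked, so unlike the sibling resource-type test this check can pass a plain-http or even non-URI string; add `"pattern": "^https://"` as that test does. Separately, `$.metadata.openid_provider` is queried in an AA entity configuration while the other AA tests in this patch look under `oauth_authorization_server` and `federation_entity`; confirm the AA's EC is really expected to publish an `openid_provider` metadata type, otherwise this test cannot pass.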
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the AA metadata contain op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$..metadata.openid_provider.op_policy_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-resource-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-resource-type.json
new file mode 100644
index 0000000..9e6cff3
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-resource-type.json
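Review bot: `"check": "$..metadata.openid_provider.op_policy_uri"` uses JSONPath recursive descent, while every other check in these files uses an absolute `$.metadata...` path; `$..metadata` matches a key named `metadata` at any depth, so this presence check could be satisfied by a nested object that is not the entity's own metadata. Use `"check": "$.metadata.openid_provider.op_policy_uri"` here; the same recursive path is copied into All_AA.json later in this patch and should be fixed there too.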
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the AA metadata contain correct type resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
index 2dd7ce8..32f39de 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the AA's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -16,11 +16,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -30,8 +30,8 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -39,11 +39,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -53,8 +67,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration AA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -70,8 +84,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_key_AA"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -83,8 +97,8 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -92,11 +106,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -106,20 +127,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -129,8 +157,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct type of issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -141,13 +169,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})"
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -159,8 +187,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -171,13 +199,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -189,8 +217,8 @@
 },
 {
 "test": {
- "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
+ "name": "Does the AA metadata contain op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -201,13 +229,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$..metadata.openid_provider.op_policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -219,8 +247,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
@@ -228,18 +256,12 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
@@ -249,8 +271,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does entity configuration AA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
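Review bot: The integer/minimum schema check on `exp` removed in the -228/+256 hunk is only replaced by a presence check (`"check": "$.exp", "is present": "true"` in the +39 hunk), and the same downgrade hits `iat` (-266/+288) and `trust_marks` (-201/+229); unless those schema checks are re-added further down the file, an AA entity configuration with a string, negative or otherwise malformed `exp`/`iat` now passes the aggregate suite. Keep the new presence tests but restore the old `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"` style checks next to them. The new Content-Type test compares the header with `"is": "application/entity-statement+jwt"`, so if the tool's `is` is an exact match a response carrying a `; charset=` parameter would fail; a prefix or regex check is safer there. Separately, the patch flips `decode param` between `[^\\n\\r]*` and `[^\\r\\n]*` in several hunks; the two character classes are equivalent, so pick one and avoid the churn.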
@@ -266,8 +288,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.sub",
+ "is": "X_key_AA"
 }
 ]
 }
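Review bot: The renamed test's description (previous hunk) says the `sub` value "must be equal to the one in the iss parameter", but the new check compares it against a fixed token, `"is": "X_key_AA"`, and never reads `iss`. If `X_key_AA` is a placeholder the runner substitutes with the configured AA identifier, the description should say so; otherwise the check does not implement the stated rule and should compare `$.sub` with `$.iss`. The same pair of lines is reused in All_AA_Passive.json.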
@@ -279,8 +301,54 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" 
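Review bot: The two added tests "Does the entity return a correct HTTP code in the EC response" and "Does the Entity expose the /.well-known/openid-federation endpoint" have identical operations — both run only `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` on the head of the same message — so the second can never fail when the first passes, and its description ("its entity configuration is expected as response") promises more than is checked. Either drop one of them or make the endpoint test look at the body as well (the JOSE-format regex added later in this file already does that). The same duplicate pair is added to All_AA_Passive.json.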
@@ -291,13 +359,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } @@ -309,8 +377,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
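Review bot: The embedded schema in the first hunk's new `json schema compliant` value ends with `\"required\":[\"issuer\"]})` — the `)` after the closing brace makes the schema string invalid JSON, so the validator will either raise or, depending on how the runner treats a parse error, report a result that has nothing to do with the issuer claim. Drop the parenthesis: `\"required\":[\"issuer\"]}"`. The same stray `)` is in the logo_uri schema of the next hunk (`$.metadata.federation_entity`) and in the two mirrored hunks of All_AA_Passive.json; the other schema strings in this patch (trust_marks, exp, iat, metadata) are well-formed.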
@@ -326,8 +394,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -339,8 +407,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -356,8 +424,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
@@ -369,7 +437,7 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", + "name": "Does entity configuration contain a correct exp parameter", "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ @@ -386,8 +454,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -399,7 +467,7 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", + "name": "Does entity configuration contain a correct iat parameter", "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ @@ -416,8 +484,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -429,8 +497,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
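Review bot: The renamed exp and iat tests now validate `{\"type\": \"integer\", \"minimum\": 0}` through `json schema compliant`, but both keep the old description ending in "the presence of the exp parameter is checked", so the description no longer states what makes the test fail. Suggest `"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the exp parameter is checked. It must be a non-negative integer"`, and the same wording for iat. The stale descriptions are carried over unchanged to All_AA_Passive.json.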
@@ -446,8 +514,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -459,8 +527,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" @@ -471,13 +539,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
@@ -489,8 +557,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" @@ -501,13 +569,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -519,8 +587,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" 
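Review bot: The new description of the logo_uri type test reads "the SA metadata in the TA Entity Configuration are taken", but the operation inspects `"message type": "Entity Configuration response AA"` and the path `$.metadata.federation_entity` of that response, so the text names the wrong entities; it should read `In this test the AA metadata in the AA Entity Configuration are taken ...`, as in the neighbouring tests. The test name "correct type logo_uri claim" also understates the check, which requires an https URL ending in `.svg`; the description covers this but the name does not.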
@@ -531,13 +599,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" } ] } @@ -549,8 +617,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -561,18 +629,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } 
@@ -584,8 +647,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -596,18 +659,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } 
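Review bot: The description of the op_policy_uri type test says the claim's value "is \"private\"", but the schema in the second hunk requires `{\"type\": \"string\",\"format\": \"uri\"}`; the sentence appears to have been copied from the authorization_endpoint test in the previous hunk, whose schema does use `\"const\": \"private\"`. One of the two should change, and if the URI check is the intended one the description should say the value must be a URI. Note also that `format` is only an annotation in JSON Schema unless the validator is configured to assert formats, so `uri` may not be enforced at all; the other URI schemas in this file add `\"pattern\":\"^https://\"`, which is always enforced, and this one could do the same.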
@@ -617,6 +675,52 @@
 "result": "correct flow s1"
 }
 },
+ {
+ "test": {
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Resolve Entity Statement response",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
 {
 "test": {
 "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
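Review bot: Both added tests rely on regexes that do not match what their descriptions say. The JOSE check `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` allows `-` only in the third segment, but the header and payload of a compact JWS are base64url as well, so any entity configuration whose header or payload encodes a `-` fails the presence check; using `[\\w\\-]+` for the first two groups fixes this (the `=` padding does not occur in compact serialization anyway). In the resolve test the leading `[` of `[\\s*\"[^\"]*\"...` opens a character class rather than matching a literal bracket, so the pattern does not anchor on the start of a JSON array as intended; it should read `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`. Whether a bare JSON array is the right expectation for the resolve response is also worth confirming against the profile, given that the entity-configuration test in the same hunk expects a JWT.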
@@ -715,6 +819,76 @@ "result": "correct flow s1" } }, + { + "test": { + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, { "test": { "name": "Does the AA metadata contain the authorization_endpoint claim", 
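Review bot: The two re-added not-contains checks address `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of` and the matching `token_endpoint_auth_signing_alg_values_supported.one_of`; in an entity configuration the `metadata` claims are plain arrays and `one_of` is a metadata_policy operator, so these paths look like they were written for a `metadata_policy` object and would presumably resolve to nothing on the metadata itself, letting a negative test pass vacuously. Confirm against a real AA entity configuration; if the algorithm lists live at `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported`, drop the `.one_of` suffix in both checks.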
@@ -1338,30 +1512,6 @@
 ],
 "result": "correct flow s1"
 }
- },
- {
- "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response AA",
- "checks": [
- {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
 }
 ]
 }
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json
index 2dd7ce8..32f39de 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the AA's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -16,11 +16,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } @@ -30,8 +37,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -39,11 +46,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -53,8 +67,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -70,8 +84,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.iat", + "is present": "true" } ] } @@ -83,8 +97,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -92,11 +106,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -106,20 +127,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
@@ -129,8 +157,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" @@ -141,13 +169,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata", + "is present": "true" } ] } @@ -159,8 +187,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -171,13 +199,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.sub", + "is present": "true" } ] } @@ -189,8 +217,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", "type": "passive", "sessions": [ "s1" @@ -201,13 +229,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$..metadata.openid_provider.op_policy_uri", + "is present": "true" } ] } 
@@ -219,8 +247,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -228,18 +256,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } @@ -249,8 +271,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does entity configuration AA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" 
@@ -266,8 +288,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.sub",
+ "is": "X_key_AA"
 }
 ]
 }
@@ -279,8 +301,54 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" 
@@ -291,13 +359,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } @@ -309,8 +377,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
@@ -326,8 +394,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -339,8 +407,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -356,8 +424,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
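Review bot: The `logo_uri` schema in the first hunk on this line has the same stray `)` after the closing brace (`\"required\":[\"logo_uri\"]})`), which makes the schema unparseable; end it with `\"required\":[\"logo_uri\"]}"`. The same defect appears in the issuer schema of the previous hunk, so it looks like a copy-paste; a quick `jq` pass over the `json schema compliant` strings would catch both.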
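Review bot: The new `trust_marks` schema in the last hunk on this line describes an object whose values are arrays (`\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}`), which contradicts the updated description ('It must be an array') and the way the trust-mark tests later in this patch address it (`$.trust_marks[0].trust_mark`, i.e. a JSON array of objects). A conformant EC would fail this test while a malformed `trust_marks` object would pass. Suggested schema: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}}, \"required\": [\"trust_marks\"]}"`. The `id`/`trust_mark` item fields follow their use elsewhere in this patch; confirm against the federation profile under test.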
@@ -369,7 +437,7 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", + "name": "Does entity configuration contain a correct exp parameter", "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ @@ -386,8 +454,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -399,7 +467,7 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", + "name": "Does entity configuration contain a correct iat parameter", "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ @@ -416,8 +484,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -429,8 +497,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
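Review bot: In the `exp` hunk (`@@ -386,8 +454,8 @@`) the check now validates only that `exp` is a non-negative integer, but the unchanged description still says 'the presence of the exp parameter is checked'; update it to `"description": "... the exp parameter is checked. It must be a non-negative integer (NumericDate)"`. A type check does not catch an already-expired statement or `exp < iat`; since a JSON schema cannot compare two claims, consider a follow-up test that saves `$.iat` with a `jwt save` edit and checks `$.exp` against it, the way the active tests removed later in this patch compare `iss` and `sub`. The same description mismatch applies to the `iat` hunk below it.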
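Review bot: The last hunk on this line replaces the 'Does entity configuration contain the iss parameter' test with the relocated metadata-object test, and the following hunks do the same to the `jwks` and `sub` presence tests, yet nothing visible in this patch re-adds them — the `metadata` tests are moved, the `iss`, `sub` and `jwks` checks simply disappear. For a self-signed Entity Configuration those are the claims that bind the statement to its issuer and carry the key used to verify it, so losing them weakens the passive suite. Unless they are re-added in a hunk outside this view, keep them, ideally upgraded like `exp`/`iat`: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"` plus a `jwks` schema requiring a non-empty `keys` array.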
@@ -446,8 +514,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -459,8 +527,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" @@ -471,13 +539,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
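Review bot: The relocated metadata-type schema in the last hunk on this line lists all six entity types under `\"required\"` while also setting `\"additionalProperties\": false`, so it only passes for an entity that publishes every metadata type at once; a real AA or OP Entity Configuration with two or three types fails, contradicting the description ('must be a value among the following'). Drop the `\"required\": [...]` list and keep `\"additionalProperties\": false`, so the tail reads `..., \"trust_mark_issuer\": { \"type\": \"object\" } }, \"additionalProperties\": false}"`. The 'only once for each' part of the description is not actually testable after JSON parsing, since most parsers keep the last duplicate key silently; either note that or check duplicates on the raw payload.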
@@ -489,8 +557,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" @@ -501,13 +569,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -519,8 +587,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" 
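Review bot: The new description in the first hunk reads 'the SA metadata in the TA Entity Configuration are taken', but the test is named for the AA and, in the next hunk, runs against `Entity Configuration response AA`, so the text looks copy-pasted from a TA test; change it to `"description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an HTTPS URL pointing to an .svg file"`. The `^https://.*\\\\.svg$` pattern also rejects any non-SVG logo, which makes this test stricter than the earlier `logo_uri` test in the same file; if the profile mandates SVG, cite that in the description, otherwise relax the pattern to `^https://`.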
@@ -531,13 +599,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" } ] } @@ -549,8 +617,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -561,18 +629,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } 
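Review bot: The new `authorization_endpoint` check (`@@ -561,18 +629,13 @@`) requires the literal string `\"const\": \"private\"` under `$.metadata.federation_entity`, although the test is named 'correct type' and every other endpoint-style claim in this suite is validated as an `^https://` URI. A deployment publishing a real HTTPS authorization endpoint fails this test and one publishing the string 'private' passes. If 'private' is a convention of the profile (it also appears in the `op_policy_uri` description in the next hunk, whose schema checks a URI instead), say so in the description; otherwise use `"json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://\"}},\"required\": [\"authorization_endpoint\"]}"`. This hunk also drops the dpop/token_endpoint 'incorrect alg' tests, which are re-added later in the patch.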
@@ -584,8 +647,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -596,18 +659,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } 
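Review bot: The `op_policy_uri` schema added in the second hunk relies on `\"format\": \"uri\"` alone, and `format` is an annotation that most JSON Schema validators do not enforce unless format assertion is enabled, so a non-URL string passes; the other URI checks in this file pair it with a pattern. Use `{\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://\"}`. The description in the preceding hunk says the value 'is \"private\"', which does not match a URI check — align it with what the schema actually tests.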
@@ -617,6 +675,52 @@ "result": "correct flow s1" } }, + { + "test": { + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, { "test": { "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", 
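Review bot: The 'JOSE format' regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` accepts an empty third segment, so an unsigned `alg: none` token (`header.payload.`) satisfies the check, and because it is an unanchored search any `a.b` substring in an HTML error page passes too; use a base64url-only anchored pattern such as `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`. The description mentions `Content-Type: application/entity-statement+jwt` but nothing checks the header, and the last hunk of this file deletes the test that did — add a `head` check for it here. In the resolve-endpoint test the regex begins with an unescaped `[`, which opens a character class rather than matching the literal bracket; the intended form is presumably `"check regex": "^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Also confirm that this endpoint really returns a JSON array of strings — a federation resolve response is normally a signed statement, in which case a JWT-shaped check is the right one.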
@@ -715,6 +819,76 @@ "result": "correct flow s1" } }, + { + "test": { + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, { "test": { "name": "Does the AA metadata contain the authorization_endpoint claim", 
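Review bot: Both re-added tests use the path `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of` (and the `token_endpoint_auth_signing_alg_values_supported` equivalent). `one_of` is not a member of that array in the published metadata; unless mig-t treats `.one_of` as an operator, the path resolves to nothing and `not contains` passes vacuously, so `none`/HS* algorithms would never be flagged. Point the check at the array itself, `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported"`, and confirm the tool's `not contains` semantics on arrays. These hunks keep `[^\\r\\n]*` while the rest of the patch switches to `[^\\n\\r]*`; the two are equivalent, but pick one.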
@@ -1338,30 +1512,6 @@ ], "result": "correct flow s1" } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response AA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } } ] } \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json index 65c3370..631b36b 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json 
@@ -7,20 +7,34 @@ "tests": [ { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] + } + ] } ] } 
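Review bot: The outer decode operation introduced here uses `"decode regex": "[^\\r\\n]*"` while every other JWT decode in this patch (including the replaced test and the whole AA file) uses `"decode param"`; if mig-t only recognises `decode param`, the outer decode matches nothing and the nested trust-mark check never runs, so the test passes or fails for the wrong reason. Confirm the key name, or use `"decode param": "[^\\r\\n]*"` for consistency. The description says the Trust Mark is 'decrypted' — it is a signed JWT that is only base64url-decoded here, with no signature, `exp` or issuer validation in this passive check; write `decoded (signature not verified)` so nobody reads this suite as proving trust-mark validity. The check also inspects only `$.trust_marks[0]`, so any further trust mark is never examined.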
@@ -30,20 +44,34 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_url_RP" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] } ] } 
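Review bot: The new test is named 'Does the issued oauth_resource Trust Mark contain the claims claim' but its description says 'a Trust Mark issued for an TA'; the later oauth_resource tests in this patch say 'issued for an AA (oauth_resource profile)', so align it: `"description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decoded and the presence of the claims claim in it is checked."`. The payload check uses the bare name `"check": "claims"` whereas the first trust-mark test and the AA file use JSONPath (`$.id_code.ipa_code`, `$.metadata…`); if payload checks are JSONPath-evaluated, a bare `claims` may never match. Use `"check": "$.claims"` unless mig-t documents bare-name lookups for `in: payload`.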
@@ -53,20 +81,34 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } 
@@ -76,20 +118,34 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
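Review bot: The trust-mark `exp` check added here is presence-only (`"check": "exp", "is present": "true"`), while the Entity Configuration `exp`/`iat` tests updated elsewhere in this patch validate a non-negative integer via a JSON schema; a string or negative `exp` in a Trust Mark passes this test. Use the same shape: `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. The same applies to the `iat` test in the next hunk. As elsewhere in this file, the Trust Mark is decoded, not 'decrypted', and its signature is not verified by this check.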
@@ -99,20 +155,34 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -122,20 +192,34 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -145,20 +229,34 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -168,20 +266,34 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] } ] } 
@@ -191,40 +303,32 @@ }, { "test": { - "name": "Does the JWT payload contain a correct sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", - "type": "active", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ], - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.sub", - "contains": "saved_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
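Review bot: This hunk removes the active test that saved `$.iss` from the `client_assertion` JWT of the Token request and asserted `$.sub` equals it, and replaces it with a passive presence check for `organization_type` in a Trust Mark. The `sub == iss` rule for private_key_jwt client assertions is a security check (a client must not assert on behalf of another), and nothing visible in this patch re-adds it; unless it moves to another file outside this view, keep it alongside the new test rather than in its place. Within the new test, `"check": "organization_type"` is a bare name where the first trust-mark test uses JSONPath (`$.id_code.ipa_code`); use `"check": "$.organization_type"` if payload checks are path-based.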
@@ -236,53 +340,69 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.client_id", - "as": "client_id" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + 
"decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "client_id" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -294,53 +414,69 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.redirect_uri", - "as": "redirect_uris" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": 
"[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "contains": "redirect_uris" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -352,53 +488,69 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.response_type", - "as": "response_types_supported" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", 
"type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "contains": "response_types_supported" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -410,53 +562,32 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", - "type": "active", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -468,53 +599,69 @@ }, { "test": { - "name": "Does the JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", - "type": "active", + "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.metadata.openid_relying_party.client_id", - "as": "client_id" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": 
"(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "client_id" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
@@ -526,53 +673,69 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", - "type": "active", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.aud[0]", - "contains": 
"saved_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } @@ -584,20 +747,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -607,20 +784,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -630,25 +821,32 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -660,20 +858,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] } ] } 
@@ -683,20 +895,34 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] } ] } 
@@ -706,20 +932,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -729,20 +969,34 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] } ] } 
@@ -752,20 +1006,34 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] + } + ] } ] } 
@@ -775,20 +1043,34 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] + } + ] } ] } @@ -798,20 +1080,34 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] + } + ] } ] } 
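Review bot: These two tests duplicate, name for name, the `sub` and oauth_resource `tos_uri` tests added earlier in this patch for `Entity Statement response TA OP`; only the message type differs, so the report will show the same name twice with no way to tell which statement failed. Suggest naming by statement, e.g. `"name": "Does the Trust Mark in the TA->RP Entity Statement contain sub claim"`, or merging the two message types into one test if the engine accepts a list. The `tos_uri` test is an oauth_resource check run against the RP statement, which only holds if the RP fixture also carries an AA mark — please confirm.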
@@ -821,20 +1117,34 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
@@ -844,25 +1154,32 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -874,25 +1191,32 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } @@ -904,7 +1228,7 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", + "name": "Does entity configuration contain the exp parameter", "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ @@ -912,7 +1236,7 @@ ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
@@ -921,8 +1245,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.exp", + "is present": "true" } ] } @@ -934,7 +1258,7 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", + "name": "Does entity configuration contain the iat parameter", "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ @@ -942,7 +1266,7 @@ ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -951,8 +1275,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.iat", + "is present": "true" } ] } @@ -964,15 +1288,15 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
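Review bot: Replacing the JSON-schema check with `"is present": "true"` weakens the `exp` test from "is an integer >= 0" to "key exists", and the `@@ -951` hunk does the same for `iat`; a Trust Anchor whose Entity Configuration carries `"exp": "never"` now passes. If the intent was only to retarget the tests from RP to TA, keep `"check": "$"` with the previous `json schema compliant` schema and change just the message type. The name change from "correct" to "the" suggests the downgrade is deliberate; if so, a separate type test for `exp`/`iat` should exist somewhere, since expiry handling on malformed values is exactly where verifiers go wrong.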
@@ -981,8 +1305,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -994,25 +1318,25 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -1024,25 +1348,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type of 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})"
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -1054,25 +1378,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type grant_types claim",
- "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
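Review bot: For a Trust Anchor's self-signed Entity Configuration the security-relevant property is that `sub` equals `iss` (and the TA's own identifier), which is what trust-chain resolution relies on; this test only confirms the key exists. The removed RP test used `"check": "$.sub", "is": "X_url_RP"` with a placeholder, so the engine supports value comparison; suggest `"check": "$.sub", "is": "X_url_TA"` if the harness substitutes a TA placeholder, otherwise the description should say explicitly that only presence is asserted.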
@@ -1084,25 +1408,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
+ "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -1114,25 +1438,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'response_types' parameter as a json",
- "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array",
+ "name": "Does the Federation Configuration contain the TA public keys",
+ "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
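Review bot: This test is the same check as the `jwks` test two hunks above (`Entity Configuration response TA`, `$.jwks`, `is present`), so it adds no coverage under a second name. If the point of this one is the TA public keys specifically, make it stronger than its twin, e.g. `"check": "$.jwks", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}"`, so an empty or malformed key set — which would make every signature in the federation unverifiable — is caught.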
@@ -1144,15 +1468,15 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1161,8 +1485,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + "check": "$.trust_mark_issuers", + "is present": "true" } ] } 
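Review bot: The test name and description in the first hunk say `trust_marks_issuers`, but the check added in the second hunk reads `$.trust_mark_issuers`; the check is the one that matches the OpenID Federation claim name, so the name and description should be corrected to `trust_mark_issuers` rather than the check. The check is also presence-only; since the claim is defined as a JSON object keyed by trust mark identifier, a schema such as `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"trust_mark_issuers\":{\"type\":\"object\"}},\"required\":[\"trust_mark_issuers\"]}"` on `"check": "$"` would catch a TA that publishes the claim with the wrong shape.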
@@ -1174,25 +1498,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + "check": "$.constraints", + "is present": "true" } ] } 
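Review bot: The new description calls the base64url-decoded JWS payload the "decrypted Payload" and says "the presence if the constraints parameter", and this exact sentence is copied into every `Entity Statement response TA OP` / `TA RP` test that follows; nothing in a signed Entity Statement is encrypted, and a reader of the report will take "decrypted" literally. Suggested wording: `"…the Entity Statement payload contained in the response is base64url decoded and the presence of the constraints parameter is checked"`. Separately, `constraints` is optional in subordinate statements in OpenID Federation 1.0; if the profile under test does not mandate it for TA-to-OP statements this passive test will report spurious failures, so it is worth confirming against the profile.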
@@ -1204,25 +1528,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.exp", + "is present": "true" } ] } 
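Review bot: The `$.exp` check here only asserts presence, whereas the Entity Configuration tests later in this file validate `exp` as a non-negative integer with `json schema compliant`; an Entity Statement carrying `"exp": "2025-01-01"` would pass this test and then break every verifier. Aligning the two would be a one-line change: `"check": "$"` plus `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. The same applies to the `iat` test in the next hunk and to the TA RP counterparts further down.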
@@ -1234,25 +1558,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.iat", + "is present": "true" } ] } 
@@ -1264,24 +1588,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", + "check": "$.jwks", "is present": "true" } ] 
@@ -1294,24 +1618,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata_policy", "is present": "true" } ] 
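Review bot: The description added here ends with "It must be a JSON Object", but the check is `"is present": "true"`, which accepts a string, array or null for `metadata_policy` just as readily. The `metadata` test at the end of this file shows the pattern for enforcing the stated type: `"check": "$"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`. Either the check should be upgraded or the sentence dropped, so the report does not claim a property that was never verified.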
@@ -1324,24 +1648,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.iss", "is present": "true" } ] 
@@ -1354,24 +1678,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.sub", "is present": "true" } ] 
@@ -1384,24 +1708,24 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -1414,24 +1738,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.constraints", "is present": "true" } ] 
@@ -1444,24 +1768,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", + "check": "$.exp", "is present": "true" } ] 
@@ -1474,24 +1798,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.iat", "is present": "true" } ] 
@@ -1504,24 +1828,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.redirect_uri", + "check": "$.jwks", "is present": "true" } ] 
@@ -1534,24 +1858,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", - "type": "passive", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.response_type", + "check": "$.metadata_policy", "is present": "true" } ] 
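Review bot: As with the TA OP variant, this description asserts that `metadata_policy` "must be a JSON Object" while the check is only `"is present": "true"`, so the type requirement is documented but not enforced. Replacing the check with `"check": "$"` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"` makes the test do what it says. The `type` line in this hunk was also re-added with only whitespace changed, which is harmless but produces a noisy diff.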
@@ -1564,24 +1888,24 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.sub", "is present": "true" } ] 
@@ -1594,24 +1918,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.state", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -1624,24 +1948,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", + "check": "$.jwks", "is present": "true" } ] 
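Review bot: The check path `$.jwks` does not implement what the name and description state: they say the `jwks` parameter is looked up inside `metadata_policy` under `openid_relying_party`, but `$.jwks` reads the top-level claim, which makes this test an exact duplicate of the "Does Entity Statements issued by the TA contain the jwks parameter" TA RP test four hunks above. If the description is right about where the profile places the RP keys, the line should be `"check": "$.metadata_policy.openid_relying_party.jwks"`; if the keys instead live under `metadata.openid_relying_party.jwks` in this profile, the path should follow that and the description be corrected. Either way the current path cannot detect the failure the test is named for.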
@@ -1654,19 +1978,19 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { 
@@ -1684,27 +2008,21 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } @@ -1714,15 +2032,15 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does entity configuration TA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
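Review bot: The Content-Type check in the first hunk is an exact `is` match on `application/entity-statement+jwt`, so a TA that serves the correct media type with a parameter appended (for example `; charset=utf-8`) is reported as non-compliant even though the type is right. If strict conformance is the intent that is defensible, but it should be a deliberate choice; otherwise a prefix match on the header value such as `"check regex": "^application/entity-statement\\+jwt"` would be more robust, assuming the tool supports `check regex` on a named header the way it does on the status line. It is also worth confirming that `check param` matches header names case-insensitively, since `content-type` is a legal spelling on the wire.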
@@ -1731,8 +2049,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.sub", + "is": "X_url_TA" } ] } @@ -1744,27 +2062,20 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
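Review bot: The first hunk pins `$.sub` to the configured value `X_url_TA`, but the description written for this test in the preceding hunk says the value "must be equal to the one in the iss parameter", and nothing here compares `sub` with `iss`. Both claims must equal the TA's entity identifier in an Entity Configuration, so comparing against the configured URL is sound, but the "equal to iss" property is only covered if a second check `"check": "$.iss", "is": "X_url_TA"` is added to the same operation (or the description is reworded to say the value is compared with the configured TA identifier). An exact string match is also sensitive to a trailing slash, so `X_url_TA` should be set to the identifier exactly as the TA publishes it.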
@@ -1774,27 +2085,20 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
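Review bot: The check added here is byte-identical to the "correct HTTP code" test in the previous hunk (`HTTP/?\d?\.?\d?\s200` on the head), so the two tests can never disagree and this one does not verify what its description promises, namely that "its entity configuration is expected as response"; a 200 with an HTML error page passes both. To make the exposure test meaningful it should additionally confirm the body is a JWT, for instance with the same `decode operations` entry the other TA tests use (`"from": "body"`, `"decode param": "[^\\r\\n]*"`, `"type": "jwt"`) and a presence check on `$.iss`, or at minimum a Content-Type check for `application/entity-statement+jwt`. Whether one operation may carry both `checks` and `decode operations` is not shown in this file, so that may need to be two operations.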
@@ -1804,25 +2108,26 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
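Review bot: The nested decode verifies only `$.trust_marks[0].trust_mark`, so a statement carrying several trust marks has every mark after the first left unverified, and the signature is checked against `X_key_TA` without first confirming that the mark's `iss` is the TA. If the TA is the sole trust mark issuer in the federation under test this is fine, but otherwise a mark legitimately issued by another issuer fails the check, and a forged mark claiming the TA as issuer is only caught for index 0; a presence/equality check on the trust mark's `iss` before the `jwt check sig` would make the intent explicit. The description also describes the key as `n, e`, which is RSA-specific; if the profile allows EC signing keys the wording should not promise that.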
@@ -1834,25 +2139,26 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
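Review bot: The test name `"Does the TA correctly sign the issued Trust Mark"` is identical to the previous test's, and the two differ only in `message type`, so any report or filter keyed by name cannot tell the OP and RP cases apart. Renaming this one, e.g. `"name": "Does the TA correctly sign the Trust Mark issued to the RP"` (and the other to "…issued to the OP"), fixes that. As in the OP variant, only `$.trust_marks[0].trust_mark` is verified and the key is assumed to be the TA's regardless of the mark's `iss`.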
@@ -1864,15 +2170,15 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1881,8 +2187,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
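Review bot: The name now says "correct exp parameter" and the second hunk validates it as a non-negative integer, but the description still reads "the presence of the exp parameter is checked", i.e. the old presence-test wording was kept; it should say something like `"…the exp parameter is checked: it must be present and be a non-negative integer timestamp"`. Note that `"minimum": 0` still accepts an already-expired configuration; if the tool can compare against the current time or against `iat`, an "exp after iat" check would be the one a verifier actually relies on. The same stale description appears in the `iat` test that follows.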
@@ -1894,25 +2200,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1924,25 +2230,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -1954,25 +2260,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
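Review bot: The `pattern` `^https://.*\.svg$` is what actually enforces both the scheme and the file type here (JSON Schema `format` is an annotation that many validators do not enforce), but anchoring `\.svg` at the very end rejects otherwise valid URLs with a query or fragment (`logo.svg?v=2`) and is case-sensitive, so `.SVG` fails too. If the profile only requires the referenced resource to be an SVG, a pattern like `^https://[^?#]*\.svg([?#].*)?$` (escaped as needed inside the JSON string) is closer to that intent. Minor style point: this hunk keeps `[^\\n\\r]*` for `decode param` while the neighbouring tests were changed to `[^\\r\\n]*`; they are equivalent, but one spelling would be easier to grep.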
@@ -1984,25 +2290,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
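Review bot: The new schema lists all six metadata types under `required`, so a Trust Anchor Entity Configuration that publishes only `federation_entity` (the normal case for a TA) fails this test, contradicting the description ("must be a value among the following"). Drop the `"required": [...]` array and keep `"additionalProperties": false`, which is the part that actually enforces "only allowed types". The "only once" half of the description is not verified at all: duplicate keys are collapsed by the JSON parser before the schema ever runs, so either remove that wording or check repetition on the raw decoded payload text.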
@@ -2014,25 +2320,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" } ] } 
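Review bot: `"required": ["constraints"]` is nested inside `properties` (as a property literally named `required`) instead of at the schema's top level, so an Entity Configuration with no `constraints` at all passes this check, defeating the test's purpose. Move it up and give `max_path_length` a type: `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"constraints\":{\"type\":\"object\",\"properties\":{\"max_path_length\":{\"type\":\"integer\",\"minimum\":0}},\"required\":[\"max_path_length\"]}},\"required\":[\"constraints\"]}"`. Typing the value also rejects a TA that publishes a string or negative path length, which would leave chain-length enforcement undefined for resolvers.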
@@ -2044,25 +2350,25 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" } ] } 
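Review bot: The description says `trust_mark_issuers` "must be a JSON Array", but the schema models it as an object whose values are arrays (trust mark identifier → list of issuer entity IDs), which is the shape the test actually enforces; reword the description to "must be a JSON Object whose values are JSON Arrays of issuer Entity Identifiers". Adding `"items": {"type": "string"}` under the `additionalProperties` array schema would also reject non-string issuer entries.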
@@ -2074,15 +2380,15 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2091,10 +2397,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.intermediary.acr_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" } ] } 
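Review bot: The check path `$.metadata_policy.intermediary.acr_values_supported` does not match the description, which places the parameter inside the `openid_provider` type; `intermediary` is also not among the metadata types this same patch allows in its "only allowed types" test, so a compliant TA policy fails here. Change to `"check": "$.metadata_policy.openid_provider.acr_values_supported"`. The description requires only `subset_of` while the schema requires both `subset_of` and `superset_of`; pick one and align the text with the schema.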
@@ -2106,27 +2410,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
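Review bot: The description says the policy must contain `one_of` valued `['true']`, but the schema requires a `value` operator equal to boolean `true`; these are different policy operators (`value` forces the metadata value, `one_of` only restricts the choice), so one of the two is wrong. If `value` is intended, reword the description to "It must contain the key 'value' set to true"; if `one_of` is intended, the schema must check `"one_of": {"const": [true]}` instead.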
@@ -2138,28 +2440,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] + "check": "$.metadata_policy.openid_provider.client_registration_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" } ] } 
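Review bot: `"subset_of": {"const": "automatic"}` can never match a well-formed policy, because `subset_of` takes an array; a compliant TA publishing `{"subset_of": ["automatic"]}` fails this test. Use `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"subset_of\":{\"const\":[\"automatic\"]}},\"required\":[\"subset_of\"]}"`. The description also speaks of `one_of`, which matches neither the schema nor an array-valued metadata parameter.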
@@ -2171,28 +2470,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.intermediary.grant_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
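Review bot: The check path uses the `intermediary` type (`$.metadata_policy.intermediary.grant_types_supported`) while the description says `openid_provider`; fix to `"check": "$.metadata_policy.openid_provider.grant_types_supported"`. The description requires only `subset_of` but the schema requires both operators, and both are typed as `{}`; constraining them as `{"type":"array","items":{"type":"string"}}` would reject a policy carrying a non-array value that the resolver would then mis-apply.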
@@ -2204,28 +2500,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
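Review bot: Same path mismatch as the neighbouring OP policy tests: `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported` versus a description that says `openid_provider`. Fix to `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported"`, and align the description ("must contain the key 'subset_of'") with the schema, which also requires `superset_of`.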
@@ -2237,28 +2530,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
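Review bot: The check path again uses `intermediary` while the description says `openid_provider`; fix to `"check": "$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported"`. The description says only `subset_of` is required while the schema requires both `subset_of` and `superset_of`; align the two.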
@@ -2270,27 +2560,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
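Review bot: `$.metadata_policy.intermediary.id_token_signing_alg_values_supported` conflicts with the description (`openid_provider`); fix to `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported"`. For a signing-algorithm policy the schema should also bound the values, e.g. `"subset_of": {"type":"array","items":{"enum":["RS256","RS512"]}}`, otherwise a policy that still permits `none` or HMAC algorithms passes this "correct" check.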
@@ -2302,28 +2590,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
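Review bot: Schema and description disagree: the description requires `one_of` valued `['request_object']`, the schema requires `value` equal to the bare string `"request_object"`. In OP metadata `request_authentication_methods_supported` is, as far as I can tell, an object keyed by endpoint (e.g. `{"ar": ["request_object"]}`), so a `value` policy would have to carry that object rather than a string — confirm the expected shape against the federation profile before pinning a `const`, and then align the description with whichever operator is checked.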
@@ -2335,28 +2620,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
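Review bot: The check path uses `intermediary` (`$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported`) while the description says `openid_provider`; fix to `"check": "$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported"`. The description mentions only `subset_of` but the schema requires both operators; align them.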
@@ -2368,28 +2650,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
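Review bot: The name and description are about `request_object_signing_alg_values_supported`, but the check path is `$.metadata_policy.openid_provider.request_parameter_supported`, so this test duplicates the next two and never inspects the signing-algorithm policy. Change to `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`.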
@@ -2401,27 +2680,25 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
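Review bot: The `json schema compliant` string has ` ["RS256", "RS512"]` appended after the closing brace, which is not a JSON Schema document and will either make the validator throw or, depending on how the engine handles parse failures, pass vacuously; the check path also points at `request_parameter_supported` instead of `request_object_signing_alg_values_supported`. Proposed: `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"` and `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"subset_of\":{\"type\":\"array\",\"items\":{\"enum\":[\"RS256\",\"RS512\"]}}},\"required\":[\"subset_of\"]}"`. The allow-list is the security-relevant part: a policy that leaves `none` or HS* in `subset_of` should fail this test.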
@@ -2433,66 +2710,57 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "https://example.com", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the 
presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
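Review bot: This hunk drops the active revocation test (tampering `client_id` to `https://example.com` and expecting `401` / `invalid_client`) in favour of a passive policy check, so the negative test that proved the OP rejects revocation from a mismatched client is gone; unless it was moved elsewhere in the series, that is lost security coverage rather than an update. The new `request_parameter_supported` test is the third consecutive test on the same path (the two before it point at it by mistake) and its description says `one_of` while the schema checks `value: true`. The `response_modes_supported` test in the same hunk uses `$.metadata_policy.intermediary...` although the description says `openid_provider`; fix to `"check": "$.metadata_policy.openid_provider.response_modes_supported"`.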
@@ -2502,20 +2770,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
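Review bot: The check path uses `intermediary` while the description says `openid_provider`; fix to `"check": "$.metadata_policy.openid_provider.scopes_supported"`. The description requires only `subset_of` while the schema requires both `subset_of` and `superset_of`; `superset_of` for `scopes_supported` is what guarantees `openid` is offered, so if it is intended say so in the description.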
@@ -2525,20 +2800,27 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
@@ -2548,20 +2830,27 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
@@ -2571,20 +2860,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
@@ -2594,20 +2890,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
@@ -2617,20 +2920,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + } + ] } ] } 
@@ -2640,20 +2950,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ }
+ ]
 }
 ]
 }
@@ -2663,20 +2980,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the token",
- "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ }
+ ]
 }
 ]
 }
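Review bot: The schema string on the `json schema compliant` line is not valid JSON: `\"required\": [\"subset_of\"], [\"superset_of\"]}` puts a bare array after the `required` array, so the embedded schema will fail to parse and this check can never succeed. The RP hunk immediately above has the intended form; use `\"required\": [\"subset_of\", \"superset_of\"]` here as well.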
@@ -2686,20 +3010,20 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request use HTTP POST",
- "description": "The Introspection request made by the RP use HTTP POST",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
+ "message type": "Entity Configuration response TA",
 "checks": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
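Review bot: The `check regex` added here allows only `[\w=]` in the first two JWT segments, but base64url also uses `-`, so an entity configuration whose header or payload encoding contains that character is reported as not a JWT (the third group already admits it). Suggest `"check regex": "([\\w\\-=]+)\\.([\\w\\-=]+)\\.([\\w\\-\\+\\/=]*)"`; the same pattern is reused in the entity-statement and fetch hunks below. The pattern is also unanchored, so any `a.b.c` token inside an error body satisfies it, and the Content-Type requirement stated in the description (`application/entity-statement+jwt`) is not checked at all; an additional `"in": "head"` check on that header would make the test assert what the description promises.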
@@ -2709,20 +3033,20 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client assertion",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
+ "message type": "Entity Listing response",
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
@@ -2732,20 +3056,20 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client_assertion_type",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the TA correctly release the Entity statements",
+ "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
+ "message type": "Entity Statement response TA OP",
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
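Review bot: The `description` line of the entity-listing hunk talks about the resolve entity statement endpoint while the name and message type are the entity listing endpoint; it should open with `In order to check the presence and correctness of the entity listing endpoint, ...`. The `check regex` also rejects an empty list `[]`, which is a legitimate listing response for a TA with no subordinates yet, and is anchored only at the end with `$`, so any body that merely ends with a string array passes.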
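Review bot: This hunk and the next one (`Entity Statement response TA RP`) carry the identical `name` 'Does the TA correctly release the Entity statements', and the two fetch-endpoint hunks that follow share 'Does the Entity expose the fetch entity statement endpoint'; if results are reported by name, the OP and RP variants become indistinguishable. Suggest suffixing the entity kind, e.g. `"name": "Does the TA correctly release the Entity statements (OP)"`.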
@@ -2755,20 +3079,20 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client_id of the RP making the request",
- "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the TA correctly release the Entity statements",
+ "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
+ "message type": "Entity Statement response TA RP",
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -2778,20 +3102,20 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the token for which the request is made",
- "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
+ "message type": "Fetch Entity Statement response TA OP",
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "token"
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -2801,20 +3125,20 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion",
- "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Fetch Entity Statement response TA RP",
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -2824,20 +3148,20 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion_type",
- "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
+ "name": "Does the TA publish the federation public key history",
+ "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Public Keys History response",
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
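Review bot: The `check regex` in the public-key-history hunk expects a bare JSON array of strings, but its description names a JWKS endpoint (`/.well-known/openid-federation-jwks`); a JWKS-shaped body `{"keys": [...]}` never matches that pattern, so the test would presumably fail against a TA that answers correctly. If the endpoint returns a key set, a presence check on the `keys` member (for example `"check regex": "\"keys\"\\s*:\\s*\\["`, constructed here as an illustration) is closer to what the description asserts; if it really returns a list of key identifiers, the description should say so.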
@@ -2847,20 +3171,20 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_id",
- "description": "The token request sent by the RP must contain client_id parameter in the URL",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Resolve Entity Statement response",
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
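Review bot: The `check regex` on this hunk is missing the escape on its first bracket: `[\s*"[^"]*"...` opens a character class instead of matching a literal `[`, unlike the listing regex in the earlier hunks, so the pattern no longer expresses the intended JSON-list shape. Use `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Separately, the description says the response carries the resolved metadata, which the resolve endpoint returns as a signed JWT rather than a string list, so the JWT regex used in the entity-statement hunks may be the intended check here; please confirm which response shape the target implements before fixing the escape alone.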
@@ -2870,20 +3194,29 @@
 },
 {
 "test": {
- "name": "Does the token request contain the code parameter",
- "description": "The token request sent by the RP must contain code parameter in the URL",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "code"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
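Review bot: The description on this hunk says the key 'subset_of' must not contain the value, but the `check` line reads `...id_token_encryption_alg_values_supported.one_of`, so `not contains` is evaluated against a different policy operator than the one documented. For array-valued `*_values_supported` parameters the constraining operator is `subset_of` (`"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"`), while for single-valued `*_response_alg` parameters it is `one_of`, so each description and path should be aligned accordingly. The same operator mismatch is present in the id_token_signing, userinfo_encryption, userinfo_signing and token_endpoint_auth_signing OP hunks and in every RP and SA hunk below; only the request_authentication_signing hunk checks `subset_of`. It is also not visible from here whether `not contains` passes vacuously when the path is absent, which would make these tests silently green against a policy that simply omits the operator.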
@@ -2893,43 +3226,32 @@
 },
 {
 "test": {
- "name": "Does the token request contain the code_verifier parameter",
- "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "code_verifier"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the token request contain the grant_type parameter",
- "description": "The token request sent by the RP must contain grant_type parameter in the URL",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Token request",
- "checks": [
- {
- "in": "body",
- "is present": true,
- "check regex": "grant_type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2939,20 +3261,32 @@
 },
 {
 "test": {
- "name": "Does the RP revoke the Token when the User logs out",
- "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2962,20 +3296,29 @@
 },
 {
 "test": {
- "name": "Does the RP contain the Access Token in the UserInfo request",
- "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "is present": true,
- "check param": "Authorization"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2985,32 +3328,29 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr_values",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3023,27 +3363,29 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.prompt",
- "is in": [
- "consent",
- "consent login"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3056,31 +3398,26 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
- "is in": [
- "openid",
- "openid profile",
- "openid email",
- "openid offline_access",
- "openid offline_access profile",
- "openid offline_access email"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -3093,25 +3430,25 @@
 },
 {
 "test": {
- "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request",
- "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is not in": [
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
 "none",
 "HS256",
 "HS384",
@@ -3128,25 +3465,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
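Review bot: The decode key is renamed from `decode regex` to `decode param` while its value stays the regex `[^\\r\\n]*`, here and in the five RP/SA hunks that follow; elsewhere in the file `decode param` is used with a literal URL parameter name (`request`) and `decode regex` with a pattern. If the tool looks a `decode param` value up as a parameter name, the body is never decoded and every check in these tests is skipped rather than failed, so please confirm that `decode param` is interpreted as a pattern for `from: body` sources, or keep `"decode regex": "[^\\r\\n]*"` as the removed line had it.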
@@ -3158,25 +3497,30 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'client_registration_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_registration_types",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3188,25 +3532,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the contacts claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -3218,25 +3564,30 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3248,25 +3599,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the grant_types claim",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -3278,25 +3631,30 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the homepage_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3308,15 +3666,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3325,7 +3683,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -3338,15 +3696,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3355,7 +3713,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
 "is present": "true"
 }
 ]
@@ -3368,15 +3726,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3385,7 +3743,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
 "is present": "true"
 }
 ]
@@ -3398,15 +3756,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3415,7 +3773,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -3428,15 +3786,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3445,7 +3803,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
 "is present": "true"
 }
 ]
@@ -3458,15 +3816,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the organization_name claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3475,7 +3833,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -3488,15 +3846,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the policy_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3505,7 +3863,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -3518,15 +3876,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3535,7 +3893,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -3548,15 +3906,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
+ "name": "Does the Entity's metadata contain the policy_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3565,7 +3923,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -3578,15 +3936,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -3595,7 +3953,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
+ "check": "$.constraints.max_path_length",
 "is present": "true"
 }
 ]
@@ -3608,15 +3966,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -3625,7 +3983,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
 "is present": "true"
 }
 ]
@@ -3638,15 +3996,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'response_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
+ "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -3655,7 +4013,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
 "is present": "true"
 }
 ]
@@ -3668,21 +4026,27 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_RP"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
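Review bot: The description says claims_parameter_supported "must contain the key 'one_of'", but the check path is `$.metadata_policy.openid_provider.claims_parameter_supported.value`, so the test and its documentation disagree on which policy operator is required. The same 'one_of'-in-text / `.value`-in-path disagreement recurs in the request_parameter_supported key test (`@@ -3868,40 +4236,27 @@`) and in the authorization_response_iss_parameter_supported key test (`@@ -4028,53 +4386,55 @@`). For a boolean parameter `value` is the operator one would expect, so the likely fix is the description (`It must contain the key 'value'`); if 'one_of' really is the intended operator, the path should end in `.one_of` instead. Whichever it is, settle it against the policy the TA actually publishes so the three tests stay consistent with each other.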
@@ -3692,21 +4056,27 @@
 },
 {
 "test": {
- "name": "Does the client_assertion in the token request have a correct signature",
- "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature",
+ "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_core_RP"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
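Review bot: This test is named as a presence check for the client_registration_types_supported parameter, but its path already descends into `.subset_of`, which makes it byte-identical to the next test (`@@ -3716,22 +4086,26 @@`) that is explicitly about the 'subset_of' key. A presence test should stop at the parameter itself: `"check": "$.metadata_policy.openid_provider.client_registration_types_supported",`. As written, a TA policy that constrains this parameter with a different operator fails both tests, and the presence test adds no information over the key test.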
@@ -3716,22 +4086,26 @@
 },
 {
 "test": {
- "name": "Does the token request contain a correct grant_type parameter",
- "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "(?<=grant_type=)([^&]+)",
- "is in": [
- "authorization_code",
- "refresh_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -3742,15 +4116,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -3759,13 +4133,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
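Review bot: The name and description say the code_challenge_methods_supported policy is checked inside the openid_provider type, but the path is `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`; every other OP policy test in this commit is rooted at `$.metadata_policy.openid_provider.`. If the TA keys its OP policy by `openid_provider`, this test always reports the key absent, so the line should read `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of",`. The same `intermediary` path appears in the response_types_supported, revocation_endpoint_auth_methods_supported and subject_types_supported key tests (`@@ -3911,20 +4266,27 @@`, `@@ -3934,20 +4296,27 @@`, `@@ -3957,32 +4326,25 @@`), and in those three the description additionally says 'one_of' while the path ends in `.subset_of`. Please fix all four together so the OP policy tests agree on both the metadata type and the operator.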
@@ -3777,15 +4146,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
+ "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -3794,10 +4163,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is not in": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -3809,15 +4176,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -3826,13 +4193,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
+ "is present": "true"
 }
 ]
 }
@@ -3844,21 +4206,27 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3868,40 +4236,27 @@
 },
 {
 "test": {
- "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided",
- "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed",
- "type": "active",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation request",
- "message operations": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
 "from": "body",
- "edit": "(?<=token=)([^&]+)",
- "in": "123.123.123"
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3911,20 +4266,27 @@
 },
 {
 "test": {
- "name": "Does the Content-Type in a token response set correctly?",
- "description": "This test verifies the head Content-Type set to application/json in the token response.",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check": "Content-Type",
- "is": "application/json"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3934,20 +4296,27 @@
 },
 {
 "test": {
- "name": "Does the token_type of a token response set correctly?",
- "description": "This test verifies whether the token_type of a token response is Bearer.",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "token_type",
- "is": "Bearer"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3957,32 +4326,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": 
"$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is present": "true" } ] } 
@@ -3994,29 +4356,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "payload", + "check": 
"$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is present": "true" } ] } 
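Review bot: The check path `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of` uses the recursive-descent `$..`, while every other check in these hunks is rooted with `$.metadata_policy.`. With `$..` the match may come from a `metadata_policy` object nested anywhere in the payload rather than the top-level one, so the test can pass on a statement whose actual policy lacks the key; it should read `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",`. The name also says "parameter key" while the description only mentions the parameter, so state in the description that the 'subset_of' key is what is required.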
@@ -4028,53 +4386,55 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "saved_iss" + "check": "$.jwks", + "is present": "true" } ] } 
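Review bot: The jwks test says it checks the jwks parameter inside the openid_provider type of the metadata_policy, but its path is `$.jwks`, i.e. the top-level jwks of the Entity Statement, which is a different object from anything under `metadata_policy`. If the description is what is intended the path would be `"check": "$.metadata_policy.openid_provider.jwks",`, though whether a TA policy is expected to carry a jwks at all should be confirmed first; if the top-level keys are the real target, the name and description should say so. The description's last sentence also refers to "the RP JWKS" in a test about an OP statement. The first test in this hunk has the 'one_of'-in-text / `.value`-in-path disagreement already raised at the claims_parameter_supported key test (`@@ -3668,21 +4026,27 @@`).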
@@ -4086,50 +4446,29 @@ }, { "test": { - "name": "Does the OP refuse wrongly signed Authentication Requests", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "unauthorized_client" - } - ] } ], "result": "correct flow s1" 
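Review bot: The description of this client_registration_types test says the policy entry must contain the key 'one_of' while the JSONPath in `check` ends in `.subset_of`, and the same description/operator mismatch (sentence says 'subset_of', path uses `.one_of`, or the reverse) recurs in the hunks starting at +4476, +4536, +4566, +4626, +4656, +4686, +4716, +4776, +4836, +4896, +4926 and +4956. Only the `check` path is executed, so each of these tests reports a requirement it did not actually verify; whichever operator the federation profile mandates for that parameter, the sentence should quote the operator that is in the path, e.g. here `"... It must contain the key 'subset_of'"`. For the SA tests in that list the policy branch is `intermediary`; I cannot tell from the diff whether that is the metadata type name the profile uses, so it is worth confirming against the TA's actual entity statements before these passive tests are relied on.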
@@ -4137,50 +4476,29 @@
 },
 {
 "test": {
- "name": "Does the OP verify the signature of the client assertion in the Introspection request",
- "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
- "type": "active",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Introspection request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Introspection response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
- }
- ]
 }
 ],
 "result": "correct flow s1"
@@ -4188,50 +4506,29 @@
 },
 {
 "test": {
- "name": "Does the OP verify the signature of the client assertion in the Revocation request",
- "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
- "type": "active",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
- }
- ]
 }
 ],
 "result": "correct flow s1"
@@ -4239,50 +4536,29 @@
 },
 {
 "test": {
- "name": "Does the token response to a token request made with a wrong signature return a Token Error response",
- "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed",
- "type": "active",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
- }
- ]
 }
 ],
 "result": "correct flow s1"
@@ -4290,50 +4566,29 @@
 },
 {
 "test": {
- "name": "Does the OP's token endpoint refuse assertions signed with a wrong key",
- "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed",
- "type": "active",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
- }
- ]
 }
 ],
 "result": "correct flow s1"
@@ -4341,20 +4596,27 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4364,20 +4626,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4387,20 +4656,27 @@
 },
 {
 "test": {
- "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request",
- "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4410,20 +4686,27 @@
 },
 {
 "test": {
- "name": "Does the OP handle a correct token request",
- "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4433,20 +4716,27 @@
 },
 {
 "test": {
- "name": "Does the HTTP status of a token response correct?",
- "description": "This test verifies whether the HTTP status of a token response is 200.",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4456,25 +4746,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration OP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_OP"
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
 }
 ]
 }
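Review bot: This test is named and described as the SA's `response_types` policy (message type `Entity Statement response TA SA`, "inside the intermediary type"), but its `check` path is `$.metadata_policy.openid_relying_party.response_types.value`, so it inspects the RP branch of the policy and says nothing about the SA's; every sibling SA test in the neighbouring hunks uses the `intermediary` branch. The line should read `"check": "$.metadata_policy.intermediary.response_types.value",`. The enclosing test object continues past the end of the hunk.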
@@ -4486,46 +4776,55 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "message operations": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "from": "url", - "save": "client_id", - "as": "auth_client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is present": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "client_id", - "is": "auth_client_id", - "use variable": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is present": "true" } ] } 
@@ -4537,46 +4836,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.",
- "type": "active",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
- "message operations": [
- {
- "from": "url",
- "save": "scope",
- "as": "auth_scope"
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token response",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "scope",
- "is": "auth_scope",
- "use variable": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4588,20 +4866,27 @@
 },
 {
 "test": {
- "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4611,20 +4896,27 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4634,20 +4926,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4657,20 +4956,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain a valid access token",
- "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4680,20 +4986,34 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain a valid ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
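Review bot: The Trust Mark tests decode only `$.trust_marks[0].trust_mark`, so an entity that publishes more than one trust mark is only ever checked on the first one, and the private-organisation rule here and the public-organisation rule in the next hunk (+5023) are both evaluated against whichever mark happens to be listed first rather than the one issued for that organisation type; the same positional selection is used in the hunks at +5060, +5097, +5134 and +5171. If the decode DSL allows it, selecting the mark by its `id` claim or iterating over the array would make the verdict independent of ordering; otherwise the description should state that only the first trust mark is inspected. The descriptions also say the trust mark is "decrypted", while the operation is a `"type": "jwt"` decode of a signed token, so "decoded" describes what actually runs.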
@@ -4703,20 +5023,34 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
- "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4726,25 +5060,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -4756,25 +5097,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
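Review bot: The description of the oauth_resource test says the `claims` claim "has to be a list of JSON Objects", but the embedded schema declares `claims` as `"type": "object"` with `"additionalProperties": {"type": "object"}`, which rejects a JSON array outright and instead requires a map whose values are objects. One of the two is wrong; if an array is the intended shape the schema should be `{\"type\": \"array\", \"items\": {\"type\": \"object\"}}`, otherwise the description should say "a JSON object whose values are JSON objects". The test's message type is the OP's entity statement while the name speaks of a trust mark issued for an AA, which may be deliberate but is worth a word in the description.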
@@ -4786,25 +5134,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ }
+ ]
 }
 ]
 }
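Review bot: The last keyword of the embedded schema is written `\"required \"` with a trailing space, which a JSON Schema validator treats as an unknown keyword and ignores, so a Trust Mark with no `email` claim passes this check; it should be `\"required\":[\"email\"]`. The RP copy of this test (hunk -5236) is worse: every key and value carries a trailing space (`\"type \": \"object \"`, `\"email \"`), so nothing is validated at all, and the two organization_name tests (hunks -4906 and -5335) have the same trailing spaces plus `\u00a0` (a non-breaking space) between `:` and the value, which is not JSON whitespace and will make the embedded schema fail to parse. All four schemas need their keys and values retyped without the stray whitespace. Separately, `format` is an annotation by default in JSON Schema, so confirm the validator used by mig-t is configured to assert formats, otherwise the `email` format (and the `uri`/`uri-reference` formats in the neighbouring tests) is not enforced.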
@@ -4816,25 +5171,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
@@ -4846,25 +5208,32 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -4876,25 +5245,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct type issuer parameter",
- "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
 }
 ]
 }
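Review bot: The description says logo_uri "has to be an URL", but `\"format\": \"uri-reference\"` also accepts relative references and the empty string, unlike the `uri` format used for `ref` in hunk -4966; if an absolute URL is required the schema should use `\"format\": \"uri\"`, and if it must be HTTPS add `\"pattern\": \"^https://\"` as the removed access-token tests did. The same choice appears in the policy_uri, service_documentation, sub and tos_uri tests (hunks -4936, -4996, -5026, -5056 and their RP copies from -5312 onward). For `sub` in particular, which in a Trust Mark is the Entity Identifier of the subject, an absolute https URL seems to be intended — confirm against the profile before tightening.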
@@ -4906,25 +5282,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct type logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"logo_uri\"]})"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
 }
 ]
 }
@@ -4936,25 +5319,32 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -4966,25 +5356,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
 }
 ]
 }
@@ -4996,25 +5393,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
 }
 ]
 }
@@ -5026,25 +5430,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
 }
 ]
 }
@@ -5056,25 +5467,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -5086,25 +5504,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
- "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
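Review bot: This schema declares `id_code` as an object whose every member must itself be an object (`\"additionalProperties\": {\"type\": \"object\"}`), which contradicts the other id_code tests in this commit: hunks -4726 and -5176 require `ipa_code` to be a string, and -5116/-5146 check `fiscal_number`, `vat_number` and `ipa_code` as direct members. A conformant Trust Mark therefore fails either this test or those, so the `additionalProperties` constraint here should be dropped or changed to `{\"type\": \"string\"}`; since the description only states that id_code is a JSON Object, `\"id_code\": {\"type\": \"object\"}` is enough.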
@@ -5116,25 +5541,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -5146,25 +5578,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -5176,27 +5615,34 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
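Review bot: The test `name` and `description` here are byte-identical to those of the OP variant in hunk -4726; only the message type differs (`Entity Statement response TA RP` versus `TA OP`). If mig-t keys or reports results by `name`, the two outcomes become indistinguishable, so the target should be part of the name, e.g. `"name": "Does the id_code claim of a Trust Mark issued by a TA for public organization (RP statement) contain a correct type of 'ipa_code' claim"`. The same duplication applies to every RP test from hunk -5206 to -5478 that mirrors an OP test earlier in this file.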
@@ -5206,25 +5652,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
@@ -5236,25 +5689,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
+ ]
 }
 ]
 }
@@ -5266,20 +5726,34 @@
 },
 {
 "test": {
- "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "code"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -5289,20 +5763,34 @@
 },
 {
 "test": {
- "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "state"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -5312,20 +5800,34 @@
 },
 {
 "test": {
- "name": "Does the OP contain iss parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "iss"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -5335,20 +5837,34 @@
 },
 {
 "test": {
- "name": "Does the token response have Cache-Control set to 'no-store'",
- "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Cache-Control",
- "contains": "no-store"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -5358,25 +5874,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -5388,25 +5911,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
 }
 ]
 }
@@ -5418,25 +5948,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
 }
 ]
 }
@@ -5448,25 +5985,32 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.jwks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -5478,25 +6022,32 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "is present": "true" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -5508,25 +6059,32 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] } ] } 
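Review bot: The schema requires every member of `id_code` to itself be an object (`"additionalProperties": {"type": "object"}`), whereas the description only asks that `id_code` be a JSON object; if its members are identifier strings, as the claim name suggests, this check rejects every compliant Trust Mark. Dropping the `additionalProperties` constraint, or changing it to `{\"type\": \"string\"}` once the member type is confirmed against the profile, aligns the schema with the stated intent. The description should also say what the members of `id_code` are expected to be, so the schema can be checked against it.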
@@ -5538,85 +6096,113 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.authority_hints", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode 
regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
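Review bot: The first two tests in this hunk carry the identical name "Does the issued intermediary Trust Mark contain a correct sa_profile claim" and an identical description although they inspect different messages (`Entity Statement response TA OP` versus `Entity Statement response TA RP`), so a failure cannot be attributed from the report; naming the subject, e.g. `"name": "Does the issued intermediary Trust Mark for an OP contain a correct sa_profile claim"` and the RP counterpart, fixes that. Their `"check": "sa_profile"` also omits the `$.` JSONPath prefix every other check in this file uses, so if the engine expects JSONPath the claim will never be found. The third test's description says the parameter is checked "inside the openid_provider type" while its path is `$.metadata_policy.intermediary.acr_values_supported.subset_of`; the same `intermediary` segment appears in every following OP-policy hunk except the token_endpoint_auth_methods_supported one, which uses `openid_provider`. If, as the descriptions say, the TA publishes the OP policy under `openid_provider`, all of those paths need `metadata_policy.openid_provider`; otherwise the descriptions are wrong, but the two cannot both be right.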
@@ -5628,25 +6214,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" + ] } ] } 
@@ -5658,25 +6246,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.typ", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" + ] } ] } 
@@ -5688,25 +6279,28 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
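Review bot: The description says `id_token_encryption_enc_values_supported` must carry the `subset_of` operator but the check reads `...id_token_encryption_enc_values_supported.one_of`, so the test and its documentation disagree; the same inversion affects the id_token_signing_alg_values_supported, token_endpoint_auth_signing_alg_values_supported and the three userinfo_* tests (description subset_of, check one_of), and the mirror case (description one_of, check subset_of) affects response_types_supported, revocation_endpoint_auth_methods_supported, subject_types_supported, token_endpoint_auth_methods_supported and the RP client_registration_types test. In the OpenID Federation policy language `subset_of` is the operator for array-valued parameters such as these `*_values_supported` lists, while `one_of` is for single-valued parameters, which is why the RP's id_token_encrypted_response_alg/enc and id_token_signed_response_alg checks are right to read `one_of` and only their descriptions need fixing. For this hunk `"check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.subset_of"` matches the description; whichever side is corrected, name and description should state the operator that is actually checked. Note too that `is subset of` passes when the policy lists only one of the expected values, which is weaker than the "must be valued as" wording; if the exact list is required, a different comparison is needed.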
@@ -5718,25 +6312,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", - "is present": "true" + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
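Review bot: The check path starts with `$..metadata_policy` (recursive descent) while every sibling test uses `$.metadata_policy`; if the engine evaluates JSONPath, `$..` also matches a `metadata_policy` nested anywhere in the payload and may yield a list where `is subset of` expects a single value. `"check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of"` keeps the path consistent with the other tests.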
@@ -5748,25 +6345,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -5778,25 +6378,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } 
@@ -5808,25 +6411,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } 
@@ -5838,25 +6443,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -5868,25 +6475,30 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -5898,25 +6510,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } 
@@ -5928,25 +6542,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -5958,25 +6574,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -5988,25 +6607,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6018,25 +6640,28 @@ }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.at_hash", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -6048,25 +6673,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6078,25 +6706,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
@@ -6108,25 +6738,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } 
@@ -6138,25 +6771,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } 
@@ -6168,25 +6803,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6198,25 +6836,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.nonce",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
 }
 ]
 }
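Review bot: The `is subset of` array holds a single element, `"A128CBC-HS256\" , \"A256CBC-HS512"`, because the inner quotes are escaped; the allowed set is therefore one bogus string rather than the two JWE `enc` values, so no real policy value can be a subset of it and a compliant TA fails this test. The hunk's new-side line count (27, one added value line) confirms it is one element. Replace it with two entries, `"A128CBC-HS256",` and `"A256CBC-HS512"`. Separately, the description says 'subset_of' while the path reads `.one_of`; align one with the other.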
@@ -6228,25 +6868,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256\" , \"RS512"
+ ]
 }
 ]
 }
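Review bot: The allowed-set literal `"RS256\" , \"RS512"` is one string with embedded escaped quotes, not two algorithm names, so `is subset of` can never be satisfied by a policy that actually lists RS256 and RS512 and the test reports a false failure against a compliant TA. Split it into `"RS256",` and `"RS512"` as the sibling test for `userinfo_signed_response_alg` already does. The description's 'subset_of' also disagrees with the `.one_of` path in the check.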
@@ -6258,30 +6900,26 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + 
"is subset of": [ + "private_key" ] } ] 
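Review bot: The only value accepted for `token_endpoint_auth_method` is `"private_key"`, which is not a registered client authentication method name; the private-key JWT assertion method is `private_key_jwt`, and a policy that correctly pins the method to `private_key_jwt` would fail this check. If that is the intended method, change the entry to `"private_key_jwt"` and update the description's `['private_key']` to match. The same value is used in the SA variant of this test later in the patch.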
@@ -6294,26 +6932,28 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + 
"RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
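Review bot: The description states the policy must use the key 'subset_of', but the check path reads `$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of`, so the documented and evaluated operators differ. Pick one: either `"check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.subset_of",` or a description saying 'one_of'. Leaving them inconsistent makes the test's pass/fail meaningless to anyone reading the report.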
@@ -6325,26 +6965,27 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + 
"A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } 
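Review bot: As in the RP `id_token_encrypted_response_enc` test, the allowed set is the single string `"A128CBC-HS256\" , \"A256CBC-HS512"` (escaped quotes), so `is subset of` cannot match a genuine policy value and the test fails on a compliant TA; the hunk adds exactly one value line, confirming it is one element. Use two entries, `"A128CBC-HS256",` and `"A256CBC-HS512"`. The description's 'subset_of' versus the `.one_of` path should also be reconciled, and the test name lacks the word "correct" that its siblings use.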
@@ -6356,26 +6997,28 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + 
"RS512" + ] } ] } 
@@ -6387,30 +7030,31 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is subset of": [ + 
"automatic" + ] + } + ] + } + ] } ], "result": "correct flow s1" @@ -6418,15 +7062,15 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -6435,9 +7079,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" ] } ] 
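Review bot: The SA `client_registration_types` description says the policy must carry the key 'one_of' valued with ['automatic'], but the check reads `$.metadata_policy.intermediary.client_registration_types.subset_of`, the opposite of the mismatch seen in the RP tests. Decide which operator the TA is expected to emit and make the path and description agree, e.g. `"check": "$.metadata_policy.intermediary.client_registration_types.one_of",`. I cannot confirm from this file that `intermediary` is the metadata type the TA publishes for an SA; that is worth checking against a real fetch response before relying on every `intermediary.*` path.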
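Review bot: This SA `response_types` test checks `$.metadata_policy.openid_relying_party.response_types.value` while its own description says "inside the intermediary type" and every other SA test in this patch uses `$.metadata_policy.intermediary.*`; one side of that inconsistency is wrong and will silently miss the policy. If the SA policy lives under `intermediary`, change the line to `"check": "$.metadata_policy.intermediary.response_types.value",`. The test name also says "parameter key" while the check compares the value against `["code"]`.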
@@ -6450,15 +7094,15 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -6467,12 +7111,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_toke"
 ]
 }
 ]
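Review bot: The allowed set for `grant_types` contains the typo `"refresh_toke"`; a TA whose policy correctly lists `refresh_token` (the value the description itself names) will fail the `is subset of` check. Change the entry to `"refresh_token"`. The description also reads "the key 'subset_of' values with" — "valued with" as in the sibling tests.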
@@ -6485,15 +7127,15 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -6502,12 +7144,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
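Review bot: The second hunk's check path ends in `.one_of` while the first hunk's description promises the key 'subset_of' (with a stray colon, `'subset_of':`), so the test does not evaluate what it claims to. Settle on one operator — e.g. `"check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.subset_of",` — and fix the description text accordingly.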
@@ -6520,15 +7160,15 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -6537,9 +7177,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
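Review bot: Same operator mismatch as the neighbouring tests: the description says the policy must contain 'subset_of' but the check reads `$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of`. One of the two should change; whichever operator the TA is expected to publish, the description and the JSONPath must name the same key or the test result cannot be interpreted.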
@@ -6552,15 +7193,15 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -6569,12 +7210,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
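Review bot: The check reads `$.metadata_policy.intermediary.id_token_signed_response_alg.one_of` although the description says the key must be 'subset_of'; the documented operator and the evaluated one differ. Align them, e.g. `"check": "$.metadata_policy.intermediary.id_token_signed_response_alg.subset_of",` if subset_of is what the TA is required to emit, otherwise reword the description.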
@@ -6587,28 +7226,26 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported[0]",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
 ]
 }
 ]
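Review bot: `"private_key"` is not a registered `token_endpoint_auth_method`; the private-key JWT assertion method is `private_key_jwt`, so a TA policy that correctly restricts the SA to `private_key_jwt` is reported as non-compliant here. If that is the intended method, change the allowed entry to `"private_key_jwt"` and the description's `['private_key']` to match. The RP counterpart of this test carries the same value.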
@@ -6621,26 +7258,27 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
- "is in": [
- "S256"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
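Review bot: The description promises the key 'subset_of' but the check path is `$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of`, so the test inspects a different policy operator than it documents. Make the two agree, either by changing the path to `.subset_of` or the description to 'one_of'.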
@@ -6653,27 +7291,27 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported[0]",
- "is in": [
- "refresh_token",
- "authorization_code"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
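Review bot: The check path ends in `.one_of` while the description says the policy must contain 'subset_of'; the operator the test evaluates is not the one it claims. Reconcile the two (`"check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.subset_of",` or a corrected description) so the pass/fail result is meaningful.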
@@ -6686,27 +7324,27 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
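Review bot: Description ('subset_of') and check path (`$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of`) again name different policy operators. Choose the operator the TA is required to publish and use it in both places; as written the test cannot be trusted to detect a wrong policy for this parameter.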
@@ -6719,27 +7357,27 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
+ "check": "$.trust_marks[0].trust_mark.organization_type",
 "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "public",
+ "private"
 ]
 }
 ]
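Review bot: The check `$.trust_marks[0].trust_mark.organization_type` is applied to the entity statement's own payload, but in OpenID Federation each `trust_marks[]` entry's `trust_mark` member is itself a signed JWT string, so a JSONPath on the outer payload cannot reach a claim inside it; unless mig-t transparently decodes nested JWTs (nothing in this patch suggests it does), this check never resolves. The trust mark needs its own decode step — extract `$.trust_marks[0].trust_mark`, base64url-decode its payload, then check `$.organization_type` — rather than a single path. The description also says the trust mark is "decrypted"; it is a signed JWT that is decoded and signature-verified, not decrypted.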
@@ -6752,27 +7390,27 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "check": "$.organization_type", "is in": [ - "RS256", - "RS512" + "public", + "private" ] } ] 
@@ -6785,59 +7423,59 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", - "type": "passive", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": 
"$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "iss", + "contains": "valid_iss" + } ] } ] @@ -6850,27 +7488,59 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", - "type": "passive", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "iss", + "contains": "valid_iss" + } ] } ] 
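Review bot: The description of this test, and of the RP variant that follows in the same hunk line, says the Trust Mark's iss "has to be an URL", but what the operations do is save the TA's `iss` from its Entity Configuration as `valid_iss` and assert that the Trust Mark's `iss` `"contains"` it; the description should state that, e.g. `the iss claim of the Trust Mark is checked against the iss of the Trust Anchor's Entity Configuration`. A substring comparison is also weaker than the property under test: any issuer string that merely embeds the TA's iss (a longer URL on another host, or with a path appended) would satisfy `"contains"`. If the check language offers an exact comparison against a saved variable, that is the operator to use here; if it does not, the limitation is worth stating in the description so nobody reads a pass as proof of origin.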
@@ -6883,29 +7553,21 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] - } - ] + "jwt check sig": "X_key_TA" } ] } 
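Review bot: The three signature tests here and in the next two hunks (`"jwt check sig": "X_key_TA"` on the TA's Entity Configuration and on its Entity Statements for the OP and RP) verify the signature but never constrain the header's `alg`, while the descriptions say the verifier is "configured for the algorithm described in the Entity Configuration Header" — taking the algorithm from the token under test is the classic JWS pitfall, and elsewhere this suite pins the allowed set to RS256/RS512. If a decode operation can carry both `jwt check sig` and `checks`, I'd add `{ "in": "header", "check": "$.alg", "is in": ["RS256", "RS512"] }` to each of the three; otherwise a separate header test per message type does the job. This first description also says the jwks "must be taken from the Entity Statement of a superior", which does not apply to a Trust Anchor: its Entity Configuration is self-signed and `X_key_TA` is the out-of-band anchor key, which is the right thing to verify against, so the description should say so rather than describe the generic case.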
@@ -6915,29 +7577,21 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] - } - ] + "jwt check sig": "X_key_TA" } ] } 
@@ -6947,32 +7601,21 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" - ] - } - ] + "jwt check sig": "X_key_TA" } ] } 
@@ -6982,27 +7625,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" - ] + "check": "$.acr_values", + "is present": "true" } ] } 
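Review bot: The descriptions in this and the next two hunks read "If it is missing, than the RP is not compliant" (and "If it missing, than" in the aud test); the intended sentence is `If it is missing, then the RP is not compliant with the specifications`. The client_id test after them says the payload is "decrypted", while the operation is a base64url decode of the `request` JWT, as the sibling descriptions correctly put it. Since these presence tests share one structure, keeping one phrasing across them makes the suite easier to scan and to grep.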
@@ -7014,28 +7655,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.aud", + "is present": "true" } ] } 
@@ -7047,28 +7685,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.exp", + "is present": "true" } ] } 
@@ -7080,28 +7715,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.client_id", + "is present": "true" } ] } 
@@ -7113,29 +7745,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -7147,1948 +7775,1304 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the request parameter", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", - "edit operations": [ + "decode operations": [ { "from": "url", - "value": "", - "edit": "request" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", - "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, 
the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", - "edit operations": [ + "decode operations": [ { "from": "url", - "value": "", - "edit": "scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. 
If it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", - "edit operations": [ + "decode operations": [ { "from": "url", - "value": "example", - "edit": "request" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.prompt", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", - "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. 
The same parameter in the JWT's payload is left unchanged", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", - "edit operations": [ + "decode operations": [ { "from": "url", - "value": "openid", - "edit": "scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.redirect_uri", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion", - "description": "A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "invalid_client" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.response_type", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion type", - "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", - "type": "active", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ - { - "from": 
"body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "invalid_client" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.state", + "is present": "true" + } + 
] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when receiving an introspection request without the token", - "description": "An introspection request without a token is sent and the introspection response analyzed", - "type": "active", - "sessions": [ - "s_CIE_introsp" + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "type": "passive", + "sessions": [ + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.ui_locales", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests with a wrong client assertion type", - "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url 
decoded and the presence of the 'iss' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client id of the Introspection Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", - "type": "active", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "value": "https://www.example.com/", - "edit regex": 
"(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the parameters of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.", - "type": "active", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + 
{ + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when receiving an introspection request with a wrong token", - "description": "An introspection request with a token not valid is sent and the introspection response analyzed", - "type": "active", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "value": "X_not_valid_tkn", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of token in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", - "type": "active", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the 
payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept revocation request without the client assertion", - "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", - "type": "active", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from 
session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept Revocation Requests without the client assertion type", - "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", - "type": "active", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept Revocation Requests without the client id", - "description": "To test if an OP verifies 
the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", - "type": "active", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client assertion type of the Revocation Request", - "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", - "type": "active", + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": 
"intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Token request", + "decode operations": [ { "from": "body", - "value": "urn-ietf", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Token request", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client id of the Revocation Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", - "type": "active", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "type": "passive", "sessions": [ 
"s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Token request", + "decode operations": [ { "from": "body", - "value": "https://www.example.com/", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token request", - "edit operations": [ + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token request", - "edit operations": [ + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP require the client_id in the token request", - "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token request", - "edit operations": [ + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Configuration response RP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code parameter return a Token Error response", - "description": "This test consists in sending a token request without the code parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Authentication request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_grant" + "in": "url", + "is present": true, + "check": "code_challenge" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. 
If it is not present, then the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Authentication request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_grant" + "in": "url", + "is present": true, + "check": "code_challenge_method" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=grant_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Authentication request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "in": "url", + "is present": true, + "check": "client_id" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "value": "urn-aert", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "in": "url", + "is present": true, + "check": "response_type" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Introspection request", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "is present": true, + "check regex": "client_assertion" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", - "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Introspection request", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_grant" + "is present": true, + "check regex": "client_assertion_type" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Introspection request", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "is present": true, + "check regex": "client_assertion" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", - "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", - "type": "active", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "example", - "edit regex": "(?<=grant_type=)([^&]+)" - } - 
] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Introspection request", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "unsupported_grant_type" + "is present": true, + "check regex": "client_id" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP check the client_id in the request", - "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", - "type": "active", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Introspection request", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "is present": true, + "check regex": "token" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when the token in the userinfo request is missing", - "description": "A userinfo request without the 'Authorization: Bearer ...' 
field is made and the response analyzed", - "type": "active", + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", + "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo request", - "edit operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "head", - "value": "", - "edit": "Authorization" + "in": "url", + "is present": true, + "check": "POST" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo response", + "message type": "Revocation request", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "is present": true, + "check regex": "client_assertion" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. 
In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the client_id parameter", - "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "is present": true, + "check regex": "client_id" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "is present": true, + "check regex": "token" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", - "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", - "type": "active", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the nonce parameter", - "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "is present": true, + "check regex": "code" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter", - "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "type": "passive", "sessions": [ 
"s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the state parameter", - "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. 
After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "UserInfo request", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "is present": true, + "check param": "Authorization" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", - "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely 
identifies the RP", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", - "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", - "type": "active", + "name": "Does entity configuration RP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" - } + "in": "payload", + "check": "$.sub", + "is": "X_url_RP" + } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Entity Configuration response RP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", - "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", - "type": "active", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Entity Configuration response RP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "name": "Does the JWT payload contain a correct sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", "type": "active", "sessions": [ "s1" 
@@ -9102,945 +9086,544 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "example" - }, + "jwt save": "$.iss", + "as": "saved_iss" + } + ], + "checks": [ { - "jwt sign": "X_key_RP" + "use variable": "true", + "in": "payload", + "check": "$.sub", + "contains": "saved_iss" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", - "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded 
and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", - "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": 
"Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": 
"{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", - "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", - "type": "active", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - 
"check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", - "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", - "type": "active", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "unsupported_response_type" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its 
metadata", - "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", - "type": "active", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", 
\"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_scope" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": 
"HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the acr_values parameter", - "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the aud parameter", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. 
In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the claims parameter", - "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter 
is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the exp parameter", - "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode 
param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iat parameter", - "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": 
[\"response_types\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iss parameter", - "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication 
Requests without the prompt parameter", - "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", - "type": "active", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", - "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding 
the payload and checking the exp claim. Its value must be a timestap", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the response_type parameter", - "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. 
Its value must be a timestap", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse an RP without trusted Trust Marks", - "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", + "name": "Does the Revocation Request contain correct client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "active", "sessions": [ "s1" 
@@ -10054,22 +9637,12 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "edit operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt edit": "$.trust_marks",
- "value": ""
- },
- {
- "jwt sign": "X_key_RP"
- }
- ]
+ "value": "https://example.com",
+ "edit regex": "(?<=client_id=)([^&]+)"
 }
 ]
 },
@@ -10077,15 +9650,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
 },
 {
- "in": "head",
- "check": "invalid_request"
+ "in": "body",
+ "check": "invalid_client"
 }
 ]
 }
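Review bot: The new edit operation rewrites `client_id` in the Revocation request to `https://example.com`, and together with the 401/`invalid_client` expectation in the next hunk this test now verifies that the OP rejects a revocation request whose client_id does not identify the authenticated RP, yet the enclosing test's `name` and `description` (set in the preceding hunk, outside this one) still describe a passive check that "the value of the client_id parameter is an URI that identifies the RP". Rename and redescribe it to match what the operations do, e.g. `"name": "Does the OP refuse Revocation Requests with a client_id that does not identify the RP"`. The replacement value is spliced raw into a form-urlencoded body (`:` and `/` left unencoded) via `edit regex`; it is worth confirming whether the tool percent-encodes edited values, since the other request checks in this diff compare against placeholders such as `X_url_RP` rather than literal URLs. The enclosing operations array continues beyond this hunk.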
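Review bot: The head check pins the Revocation response to status 401, but RFC 7009 defers error responses to RFC 6749 §5.2, which only says the server MAY answer `invalid_client` with 401 (400 is equally conformant), so a compliant OP that returns 400 would fail this test; the revocation tests being removed elsewhere in this diff accepted 400. Consider `"check regex": "HTTP/?\\d?\\.?\\d?\\s40[01]"` and let the body check on `invalid_client` carry the actual assertion. The test's `result` field lies outside this hunk.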
@@ -10095,1756 +9668,1024 @@
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Requests with a wrong iss parameter",
- "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed",
- "type": "active",
+ "name": "Does the Introspection Request contain correct type of client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
+ "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
- "decode operations": [
- {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt edit": "$.iss",
- "value": "https://www.example.com/"
- },
- {
- "jwt sign": "X_key_RP"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Introspection request",
 "checks": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
- },
- {
- "in": "head",
- "check": "invalid_request"
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP correctly validate the trust chain of an RP authentication request",
- "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. 
The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", - "type": "active", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.authority_hints", - "value": "https://www.wrongsite.com/" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", + "message type": "Introspection request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_client" + "in": "body", + "check": "client_id", + "is": "X_url_RP" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", - "description": "This test aims to check if the OP checks the correctness of the client_id parameter. 
The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", - "type": "active", + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "https://www.example.com/" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Request with a wrong redirect URI", - "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. 
To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", - "type": "active", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "https://www.example.com/" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", - "type": "active", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. 
This parameter must identify the RP", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", + "message type": "Token request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", - "type": "active", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud[0]", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", + "message type": "Entity Configuration response RP", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", - "type": "active", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "type": "passive", "sessions": [ "s_CIE_introsp" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Introspection request", - "decode operations": [ - { - "from": "body", - "decode param": 
"(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", - "type": "active", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] + "in": "body", + "check regex": 
"[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", + "message type": "Revocation request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", - "type": "active", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, - { - "jwt sign": 
"X_key_core_RP" - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", + "message type": "Token request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", - "type": "active", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] + "in": "head", + "check regex": "POST", + "is 
present": "true" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", + "message type": "UserInfo request", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", - "type": "active", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "example" - }, + "checks": [ { - "jwt 
sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", - "type": "active", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": 
"HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", - "type": "active", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", - "description": "A revocation request 
is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. 
It must not contain the value ['RSA_1_5'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Introspection request", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Revocation request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", - 
"description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is missing", - "type": "active", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint", - "type": "active", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong", - "type": "active", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the iat claim is wrong", - "type": "active", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", - "type": "active", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", - "type": "active", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", - "type": "active", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the Introspection Endpoint Response have the active parameter", - "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. 
It must contain the 'active' parameter", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "active" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" + } + ] } ] } @@ -11854,20 +10695,27 @@ }, { "test": { - "name": "Does the Introspection Endpoint returns true on active tokens", - "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "\"active\": true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" + } + ] } ] } 
@@ -11877,20 +10725,27 @@ }, { "test": { - "name": "Does the OP verify the HTTP method of the Revocation request", - "description": "The revocation request must be sent via HTTP POST", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "is present": "true" + } + ] } ] } 
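Review bot: The new jwks test makes `$.metadata.openid_relying_party.jwks` mandatory, while the next hunk makes `signed_jwks_uri` in the same metadata block mandatory too, so an RP that publishes its keys through only one of the two mechanisms necessarily fails one of the tests. If the profile under test accepts either mechanism, these belong in a single test whose check accepts either key; if the profile really requires both, the description should say so, because as written each test reads as an independent presence requirement. The check also carries `"is present": "true"` as a string where the removed checks used the JSON boolean `true`; unless mig-t documents the string form, `"is present": true` is the safer spelling.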
@@ -11900,89 +10755,27 @@ }, { "test": { - "name": "Does the successful token response contain access token", - "description": "The Token response is analyzed and the presence of the access token is checked", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP issue the access tokens when requested", - "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "checks": [ - { - "in": "body", - "is present": true, - "check regex": "access_token" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP issue the expires_in in a token response", - "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. 
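Review bot: The signed_jwks_uri test only asserts presence, so a plain `http://` value or a malformed string passes even though this is the URL the RP's signing keys will be fetched from. This file already expresses "must be an https URL" as a `json schema compliant` check with `"format":"uri", "pattern":"^https://"` for client_id in the request tests; applying the same schema to `$.metadata.openid_relying_party.signed_jwks_uri` would close that gap, assuming the schema check is accepted inside a decoded JWT payload as it is on a request body. If it is not, a `check regex` of `^https://` on the same path would be the fallback.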
The response is then analyzed and it must contain the expires_in parameter", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "checks": [ - { - "in": "body", - "is present": true, - "check regex": "expires_in" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the successful token response contain the ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "checks": [ - { - "in": "body", - "is present": true, - "check regex": "id_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is present": "true" + } + ] } ] } @@ -11992,20 +10785,27 @@ }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" + } + ] } ] } 
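Review bot: `"is present": "true"` in the new id_token_signed_response_alg test is a string, whereas every presence check this hunk removes wrote `"is present": true` as a JSON boolean; if the check parser compares the value against a boolean, the string form may be ignored or mis-dispatched and the test would pass vacuously. Use `"is present": true` here, and the same applies to the sibling presence tests added by this commit. Separately, this hunk drops the Token-response checks for access_token, expires_in, id_token and token_type and the replacement test does not cover them; if they were relocated into All_OP.json (which the diffstat shows changing) that is fine, otherwise OP token-response coverage is lost.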
@@ -12015,20 +10815,27 @@ }, { "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" + } + ] } ] } 
@@ -12038,28 +10845,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" - ] + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } 
@@ -12071,30 +10875,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } 
@@ -12106,30 +10905,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is present": "true" } ] } @@ -12141,15 +10935,15 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", 
@@ -12158,7 +10952,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", "is present": "true" } ] @@ -12171,15 +10965,15 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -12188,7 +10982,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.jwks", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", "is present": "true" } ] @@ -12201,15 +10995,15 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", 
@@ -12218,7 +11012,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.signed_jwks_uri", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is present": "true" } ] @@ -12231,15 +11025,15 @@ }, { "test": { - "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -12248,7 +11042,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported", + "check": "$.metadata.openid_relying_party.response_types", "is present": "true" } ] 
@@ -12261,15 +11055,15 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -12278,8 +11072,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_endpoint", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -12291,15 +11090,15 @@ }, { "test": { - "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", 
@@ -12308,8 +11107,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" + ] } ] } @@ -12321,15 +11122,15 @@ }, { "test": { - "name": "Does the OP metadata contain the contacts claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -12338,8 +11139,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -12351,55 +11157,53 @@ }, { "test": { - "name": "Does the OP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.client_id", + "as": "client_id" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": 
"[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "contains": "client_id" } ] } 
@@ -12411,55 +11215,53 @@ }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.redirect_uri", + "as": "redirect_uris" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", 
"checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party.redirect_uris", + "contains": "redirect_uris" } ] } 
@@ -12471,55 +11273,53 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.response_type", + "as": "response_types_supported" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": 
"forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party.response_types[0]", + "contains": "response_types_supported" } ] } 
@@ -12531,25 +11331,53 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "contains": "iss" } ] } 
@@ -12561,55 +11389,53 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.metadata.openid_relying_party.client_id", + "as": "client_id" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": 
"$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$.iss", + "contains": "client_id" } ] } 
@@ -12621,55 +11447,53 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { + 
"use variable": "true", "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "is present": "true" + "check": "$.aud[0]", + "contains": "saved_iss" } ] } 
@@ -12681,25 +11505,33 @@ }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } 
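Review bot: The `"is in"` list for `acr_values` enumerates only the ascending orderings, so a request carrying `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` fails even though the description only requires the values to be space-separated. The same order-sensitivity affects the -12711 hunk, where `login consent` is rejected while `consent login` is accepted, and the -12741 hunk, whose `scope` list also omits combinations such as `openid profile email`. Unless the harness has an operator that matches space-delimited sets, the descriptions should state that only these exact strings pass. The `acr_values` description also contradicts itself — it says the check applies "if it is present" and then that a missing value is non-compliant — and since the check as written fails on absence, the former clause should go.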
@@ -12711,25 +11543,28 @@ }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is present": "true" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } 
@@ -12741,25 +11576,32 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] } ] } 
@@ -12771,25 +11613,30 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
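Review bot: The `alg` check is a denylist (`"is not in": ["none", "HS256", "HS384", "HS512"]`), so any value outside that list passes, including unanticipated spellings and algorithms the profile does not allow; the removed Access Token test in the -12038 hunk used the stricter allowlist form `"is in": ["RS256", "RS512"]`. The same denylist pattern appears in the -12278 and -12338 hunks for `id_token_signed_response_alg` and `userinfo_signed_response_alg`, and in -12308 for the encryption `alg`. An allowlist of the algorithms the profile actually permits would make these tests fail closed; the exact set should come from the specification rather than be copied from the removed test.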
@@ -12801,27 +11648,21 @@ }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" - } - ] + "jwt check sig": "X_key_RP" } ] } 
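Review bot: `"jwt check sig": "X_key_RP"` verifies the Entity Configuration against a key held in a variable whose origin is not in this hunk, while the description requires the key to come from the superior's Entity Statement. If the variable is populated from the `jwks` inside the RP's own Entity Configuration, the check is circular — a self-signed statement under any key would pass — so the test should document where `X_key_RP` is loaded from, or load it explicitly from the Entity Statement response in a preceding operation. The -12831 hunk's `X_key_core_RP` for the `client_assertion` has the same undocumented provenance. Dropping the old `checks` block leaves the signature as the only assertion, which is fine only if `jwt check sig` fails the test on mismatch; the hunk does not show that.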
@@ -12831,27 +11672,21 @@ }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_RP" } ] } 
@@ -12861,25 +11696,32 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
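Review bot: The description says the Trust Mark under test is the one a TA issues to an SA (hence the `sa_profile` claim), but the message type is `Entity Statement response SA OP`, i.e. the SA's statement about the OP, and `$.trust_marks[0].trust_mark` decodes whichever trust mark happens to be listed first there. Unless that statement is known to carry the SA's own intermediary trust mark at position 0, the check inspects the wrong JWT and will fail, or pass by coincidence. Either point the test at the statement that carries the SA's trust mark or select the entry by its trust mark `id` rather than by array position. The test object's `result` field lies outside the hunk.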
@@ -12891,25 +11733,32 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
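Review bot: This test looks for the oauth_resource-profile `claims` claim, which the description says belongs to a Trust Mark issued for an AA, yet it decodes `$.trust_marks[0].trust_mark` from `Entity Statement response SA OP`, whose trust marks would describe the OP. Position 0 of the same array is also what the `sa_profile`, `email`, `id_code` and other profile-specific tests in this commit inspect, so they cannot all be correct for one entry. Select the trust mark by its `id` (or give each profile its own message type) instead of indexing `[0]`. The test object's `result` field lies outside the hunk.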
@@ -12921,25 +11770,32 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } 
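Review bot: The description says the Trust Mark is "taken, decrypted and the presence of the email claim in it is checked", but the operation only base64url-decodes a signed JWT (`"type": "jwt"`, with no `jwe decrypt` key such as the removed UserInfo test had); nothing is decrypted. Describe what the test does, e.g. `"description": "An issued Trust Mark is taken, its payload is base64url-decoded and the presence of the email claim is checked."`; the same wording is repeated in every trust mark test added by this commit. The test object's `result` field lies outside the hunk.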
@@ -12951,25 +11807,32 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
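Review bot: Asserting that `exp` is present does not establish that the Trust Mark is still valid; an expired trust mark passes this test unchanged. If the framework offers a comparison against the current time, the check should use it; if it does not, the description should say so explicitly, e.g. `"description": "... the presence of the exp claim is checked; its value is not validated against the current time."`, so nobody reads this test as a validity check. The same caveat applies to the `iat` test that follows. The test object's `result` field lies outside the hunk.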
@@ -12981,25 +11844,32 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
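Review bot: `"is present": "true"` is a JSON string here, while the same key appears with the JSON boolean `false` elsewhere in this file (the refresh_token test removed below), so the file now mixes both representations for one field. If the framework compares the raw value, `"false"` and `false` could behave differently; settle on one form (the boolean `true`/`false` is the unambiguous choice) and apply it to all the trust mark tests added in this commit. The test object's `result` field lies outside the hunk.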
@@ -13011,51 +11881,32 @@ }, { "test": { - "name": "Does the OP issue refresh tokens even when it is not supposed to", - "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "checks": [ - { - "in": "body", - "check": "refresh_token", - "is present": false - } - ] - } - ], - "result": [ - "s1" - ] - } - }, - { - "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response SA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.cty", - "is": "JWT" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", 
+ "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } @@ -13067,21 +11918,34 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
@@ -13091,21 +11955,34 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -13115,21 +11992,34 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] } ] } 
@@ -13139,74 +12029,71 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", - "type": "active", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "header", - "jwt edit": "alg", - "value": "none" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] } ] } @@ -13216,21 +12103,34 @@ }, { "test": { - "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", - "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/jwt", - "check param": "Content-Type" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] } ] } 
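Review bot: With this hunk the active test that set `alg` to `none` on the signed Authentication Request and expected a 302 with `invalid_request` disappears from this file, and the passive `organization_type` presence check that takes its place exercises none of the OP's signature-algorithm validation. Rejecting `none` and symmetric `alg` values on request objects is a security control worth keeping under test; confirm the check survives in one of the OP test files touched by this patch, or keep it in this file alongside the new test. The `policy_uri` test that begins in the second hunk on this line has the same AA-versus-`SA OP` mismatch as the earlier oauth_resource tests, and its `result` field lies outside the hunk.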
@@ -13240,8 +12140,8 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" @@ -13252,17 +12152,23 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" - } - ] - } + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] + } + ] + } ] } ], 
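Review bot: The `"jwt check sig": "X_key_SA"` verification of the embedded Trust Mark is replaced by a presence check for `service_documentation`, so within these hunks no test any longer verifies that the trust marks in the SA's statement are signed by the SA; a claim-presence check on an unverified JWS says nothing about who issued it. Confirm that a trust-mark signature test is retained elsewhere in the file; if it is not, keep `"jwt check sig": "X_key_SA"` as a sibling decode operation next to the new `checks`. The test object's `result` field lies outside the hunk.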
@@ -13271,26 +12177,32 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
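Review bot: Besides dropping the signature check, this hunk changes the message type from `Entity Statement response SA RP` to `Entity Statement response SA OP`, so the new `sub` presence test covers only the OP's trust mark and the RP-side statement loses its test here. If that is intentional, the `sub` test should also appear in the SA RP series that follows; the hunks visible there (`sa_profile`, `claims`, `email`, `exp`, `iat`, `id`, `id_code`, `logo_uri`, `organization_name`, `organization_type`) do not include it, though the series may continue past this view. The test object's `result` field lies outside the hunk.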
@@ -13302,53 +12214,69 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": 
"$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } @@ -13360,53 +12288,32 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA RP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
@@ -13418,20 +12325,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] } ] } 
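Review bot: The oauth_resource `claims` test is repeated here against `Entity Statement response SA RP`, so the same AA-profile claim is now expected in the first trust mark of both the OP's and the RP's statement, which cannot both hold unless the statements carry an AA trust mark at position 0. Selecting the trust mark by `id` instead of `$.trust_marks[0].trust_mark` would make the test independent of ordering and of which entity the statement describes. The test object's `result` field lies outside the hunk.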
@@ -13441,20 +12362,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } 
@@ -13464,25 +12399,32 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
@@ -13494,20 +12436,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -13517,20 +12473,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
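Review bot: As in the OP series, `"check": "id"` is a bare claim name that, if resolved as a substring or prefix match, is also satisfied by `id_code` (the claim the next test looks for); `"check": "$.id"` in the JSONPath form used by the rest of this file would be unambiguous. The test object's `result` field lies outside the hunk.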
@@ -13540,20 +12510,34 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
@@ -13563,8 +12547,8 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -13572,11 +12556,25 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -13586,20 +12584,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -13609,20 +12621,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -13632,25 +12658,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
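Review bot: The description says the Trust Mark is "issued for an AA (oauth_resource profile)", but the operation selects `"message type": "Entity Statement response SA RP"`, so the policy_uri claim is looked up in the Trust Mark embedded in the RP's Entity Statement, not an AA's; one of the two appears wrong, and the test will pass or fail against the wrong entity without any signal. The same AA/RP mismatch is in the service_documentation and tos_uri tests that follow. If the RP's statement is the intended source in this session, the description should say so rather than naming an AA.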
@@ -13662,25 +12695,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -13692,25 +12732,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -13722,25 +12769,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -13752,25 +12806,32 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -13782,25 +12843,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -13812,15 +12880,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -13829,8 +12897,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
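Review bot: The replacement check drops the type constraint on exp: the removed `json schema compliant` assertion required an integer with `minimum: 0`, while the new `"check": "$.exp", "is present": "true"` only asserts that the key exists, so an exp that is a string, a float or negative now passes. The rename to "contain the exp parameter" makes the narrower scope explicit, but unless the schema-based variant survives elsewhere in the file the suite loses its only validation of the claim's type; consider keeping both entries in the same `checks` array. The same weakening applies to the iat, iss, jwks, metadata, sub and trust_marks entity-configuration tests that follow, where the removed checks also required metadata to be a JSON object and trust_marks an object whose values are arrays.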
@@ -13842,15 +12910,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -13859,8 +12927,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -13872,15 +12940,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -13889,8 +12957,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -13902,25 +12970,25 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.jwks",
- "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
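Review bot: In this flat form the line-selecting regex is passed as `"decode param": "[^\\r\\n]*"`, while the nested Trust Mark tests earlier in the file pass the identical regex as `"decode regex"` and reserve `decode param` for a JSONPath into the payload; if the framework distinguishes the two keys, one of the two forms is relying on a fallback, and if it does not, the `decode regex` key is dead. Worth confirming which key the jwt decoder actually reads for a regex and aligning all tests on it, so that `decode param` keeps a single meaning.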
@@ -13932,32 +13000,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -13969,32 +13030,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -14006,32 +13060,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -14043,8 +13090,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
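Review bot: The new constraints description reads "the presence if the constraints parameter is checked" and "the Entity Statement Payload contained in the response are base64url decoded"; `presence of` and `is base64url decoded` are intended, and "decrypted Payload" should be "decoded Payload" since no decryption takes place. The same sentence is copied into every Entity Statement test that follows, and several of those (exp, iat, jwks, sub, iss) say the request goes to "the TA's fetch endpoint" although their names concern statements issued by the SA and the sibling constraints, metadata_policy and trust_marks descriptions say "the SA's fetch endpoint"; presumably all of them should read SA.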
@@ -14055,20 +13102,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -14080,8 +13120,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14092,20 +13132,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -14117,8 +13150,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14129,20 +13162,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -14154,8 +13180,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14166,20 +13192,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -14191,8 +13210,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14203,20 +13222,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
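Review bot: The metadata_policy description ends with "It must be a JSON Object", but the check is only `"check": "$.metadata_policy", "is present": "true"`, so a string, number or array value passes and the stated requirement is never enforced. Either drop the sentence or add a second entry to the same `checks` array that asserts the type, e.g. `"check": "$.metadata_policy", "json schema compliant": "{\"type\": \"object\"}"`, which is the form the removed checks in this file already used. The same description/check mismatch is in the later SA RP metadata_policy test.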
@@ -14228,8 +13240,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14240,20 +13252,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -14265,8 +13270,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14277,20 +13282,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -14302,8 +13300,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14314,20 +13312,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -14339,32 +13330,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -14376,32 +13360,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -14413,32 +13390,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -14450,32 +13420,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -14487,8 +13450,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -14499,20 +13462,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } @@ -14524,8 +13480,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the sub parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" 
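Review bot: The metadata_policy description promises "It must be a JSON Object", but the check added in the second hunk is only `"is present": "true"`, so a string or array value passes. The file already uses `json schema compliant` for type assertions (the exp/iat Entity Configuration tests later in the diff), so the same form fits here: `"check": "$"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`. The enclosing test object starts before and ends after this hunk.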
@@ -14536,20 +13492,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } @@ -14561,8 +13510,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the iss parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -14573,20 +13522,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -14598,8 +13540,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -14610,20 +13552,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -14635,34 +13570,21 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
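Review bot: The Content-Type check uses `"is": "application/entity-statement+jwt"`, which, if `is` is an exact comparison, rejects a header such as `application/entity-statement+jwt; charset=utf-8` or a differently-cased media type even though the media type is the same; unless the tool normalises header values, the `check regex` form used by the status-line tests below, e.g. `"check regex": "(?i)application/entity-statement\\+jwt"` with `"is present": "true"`, is more robust. The same check object mixes a real boolean `"url decode": false` with the string `"is present": "true"` used throughout the file; if the parser accepts both, one representation should be chosen so the two never diverge in meaning.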
@@ -14672,32 +13594,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does entity configuration SA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_url_SA" } ] } 
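Review bot: The description says the `sub` value "must be equal to the one in the iss parameter", but the check compares `$.sub` with the configured constant `X_url_SA`, so an Entity Configuration whose `iss` and `sub` disagree still passes as long as `sub` matches the configured URL. If the iss/sub equality stated in the description is the intent, a second check `{"in": "payload", "check": "$.iss", "is": "X_url_SA"}` next to the existing one pins both claims to the same value; otherwise the description should say that `sub` must equal the SA's Entity Identifier.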
@@ -14709,34 +13624,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -14746,34 +13647,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
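Review bot: This test is operationally identical to the preceding "correct HTTP code" test — same message type `Entity Configuration response SA`, same `check regex` for a 200 status line — so two names report one condition, and the expectation in the description that "its entity configuration is expected as response" is never verified. If this test is meant to cover the endpoint's presence and content, a body or Content-Type check (as the earlier Content-Type test does) would distinguish it from the status test; otherwise one of the two should be dropped rather than kept as a duplicate.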
@@ -14783,32 +13670,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
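Review bot: Both signature tests (this one for the OP statement and the next for the RP statement) verify only `$.trust_marks[0].trust_mark`, so any further Trust Mark in the statement is never signature-checked and a forged or unsigned second mark passes. If `decode param` accepts a JSONPath wildcard, `$.trust_marks[*].trust_mark` would cover all of them; if not, the name and description should state that only the first Trust Mark is verified. The two tests also share the identical name "Does the SA correctly sign the Trust marks", which makes results indistinguishable in a report — suffixing the subject (OP / RP) fixes that. The description's "public key (n, e of jwks parameter)" presumes an RSA key, while the check runs against the configured `X_key_SA`; the wording should not assume the key type.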
@@ -14820,8 +13701,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -14832,20 +13713,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -14857,32 +13732,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
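Review bot: The name now says "correct exp parameter" and the schema requires a non-negative integer, but the description still says only that "the presence of the exp parameter is checked"; the iat test that follows has the same stale wording, and the Entity Statement exp/iat tests later in the diff additionally read "the the exp parameter" and claim "It must be a timestamp". A non-negative integer is not yet a usable expiry: `0` passes, and so does an `exp` earlier than `iat`. If the tool offers a comparison check, asserting `exp` greater than `iat` (ideally also later than the capture time) would make "correct" true; otherwise the descriptions should say the value is type-checked rather than validated.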
@@ -14894,32 +13762,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -14931,32 +13792,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -14968,32 +13822,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
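Review bot: The schema lists all six metadata types in `required` together with `additionalProperties: false`, so a valid Entity Configuration that publishes only, say, `federation_entity` and `openid_relying_party` fails; the description itself says the keys "must be a value among the following", which is an allow-list, not a mandatory set. Dropping the `required` array and keeping `properties` plus `additionalProperties: false` expresses exactly that allow-list. The "only once for each" part of the name cannot be checked after JSON parsing, since duplicate keys are collapsed by the parser, so either the name should drop it or a raw-body check is needed. The change of `decode param` from `[^\\r\\n]*` to `[^\\n\\r]*` is a no-op that only adds diff noise.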
@@ -15005,32 +13852,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } @@ -15042,8 +13882,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
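Review bot: The description says `trust_marks` "must be a JSON array containing the Trust Marks", but the schema added in the first hunk requires `"type": "object"` with array-valued members, so an array — the shape the description calls for and the shape the `$.trust_marks[0].trust_mark` decode path in the signature tests assumes — fails the test. `{\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"trust_mark\"]}}}` agrees with both the description and the path those tests use. In the second hunk the name speaks of "TA metadata" while the description says the SA metadata in the TA Entity Configuration are taken; the message type lies outside the hunk so I cannot tell which entity is fetched, but name and description should agree on it.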
@@ -15054,13 +13894,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -15072,15 +13912,15 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15089,8 +13929,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
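Review bot: The second and third hunks name the OP test "Does Entity Statements issued by the SA contain a correct exp parameter", and the identical name is reused for the RP statement two hunks later (likewise for the iat pair), so reports cannot tell the two subjects apart; appending the subject, e.g. `... correct exp parameter (OP)`, would fix it. Those descriptions also contain "the the exp parameter" and state "It must be a timestamp" while the schema only asserts a non-negative integer. In the first hunk, swapping `decode param` from `[^\\r\\n]*` to `[^\\n\\r]*` changes nothing and should be reverted to keep the diff to real changes.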
@@ -15102,15 +13942,15 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15119,8 +13959,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -15132,15 +13972,15 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -15149,8 +13989,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -15162,15 +14002,15 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -15179,8 +14019,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -15192,25 +14032,25 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the SA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.jwks", + "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" } ] } 
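Review bot: The policy check requires exactly the `value` operator under `$.metadata_policy.openid_relying_party.jwks`, yet `\"value\": {}` accepts any JSON at all, so the description's requirement that it "must contain the RP JWKS" is not verified (an empty string passes) while a policy expressed through another operator fails. If `value` is indeed the only operator this federation allows here, constraining it to a JWKS shape, e.g. `{\"value\": {\"type\": \"object\", \"required\": [\"keys\"], \"properties\": {\"keys\": {\"type\": \"array\"}}}}`, makes the test meaningful; otherwise `required` should be loosened to the operators actually permitted. The `decode param` change to `[^\\n\\r]*` is again a no-op.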
@@ -15222,8 +14062,8 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain the trust marks", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -15231,18 +14071,11 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
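Review bot: The JWS regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is both too loose and mis-specified: the third group may be empty, so an unsigned `alg: none` token of the form `header.payload.` satisfies the test, and the `+`, `/` and `=` it admits belong to standard base64 rather than the base64url alphabet a JWS uses, while `\\w` excludes the `-` that base64url does use. Because the check is an unanchored `is present`, any body containing two dots effectively passes. `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"` requires three non-empty base64url segments and nothing else. The same pattern is reused in the three fetch-endpoint tests below and should receive the same correction.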
@@ -15252,27 +14085,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", + "is present": "true" } ] } 
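Review bot: The body regex begins with `[^\\r\\n]*.^\\{`, and `.^` cannot match in the default mode of Java or PCRE-style engines — `.` consumes one character and `^` then demands the start of input — so this check, and the three that follow with the same `[^\\r\\n]*.^` prefix, report the endpoint as missing regardless of the response unless the tool enables both DOTALL and MULTILINE. Dropping the prefix and anchoring the intended pattern with a plain `^` fixes it. The remainder of this regex describes a JSON object, whereas the description expects "a JSON list with the known Entity Identifiers", and the description opens with "the resolve entity statement endpoint", apparently copied from the resolve test below; the array-of-strings pattern in that resolve test looks like the one intended here.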
@@ -15282,8 +14108,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" @@ -15291,18 +14117,11 @@ "operations": [ { "message type": "Entity Statement response SA OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -15312,27 +14131,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Entity Statement response SA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -15342,27 +14154,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Fetch Entity Statement response SA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -15372,27 +14177,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
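Review bot: The new `check regex` value `[\\s*\"[^\"]*\"...` starts with an unescaped `[`, so the leading bracket opens a character class instead of matching the literal `[` of a JSON array; depending on the regex engine this is either a syntax error for an unclosed class or a pattern that matches something unrelated to the intended array-of-strings shape. The first bracket should be `\\[`, mirroring the escaped `\\]$` at the end of the pattern. The description also promises an HTTP 200 OK response, but no status-code check is visible in this hunk.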
@@ -15402,24 +14200,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] 
@@ -15432,24 +14230,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", "is present": "true" } ] 
@@ -15462,24 +14260,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.federation_entity.federation_list_endpoint", "is present": "true" } ] 
@@ -15492,24 +14290,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -15522,24 +14320,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", "is present": "true" } ] 
@@ -15552,24 +14350,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] 
@@ -15582,24 +14380,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -15612,24 +14410,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -15642,24 +14440,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -15672,25 +14470,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + } + ] } ] } 
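Review bot: The `json schema compliant` string on the new side of this hunk is not the schema it looks like: its keys are `"type "`, `"properties "`, `"enum "` and `"required "` with trailing spaces, the enum members are `"full "` and `"light "`, and `\u00a0` (a no-break space) sits between several colons and values, which a strict JSON parser does not accept as whitespace. If the embedded document parses at all, none of those keys are JSON Schema keywords, so the check accepts any payload and the `sa_profile` constraint is never enforced; the same malformed strings appear in the hunks at L487 (email), L490 (organization_name) and L495 (sa_profile again). The value should be `"{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}"`, written the way the other schema strings in this file are.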
@@ -15702,38 +14507,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response SA RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" 
@@ -15880,8 +14655,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -15898,12 +14673,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -15917,8 +14692,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
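Review bot: The `decode param` change from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark` in the second hunk on this line drops the array index, but `trust_marks` in an Entity Statement is a JSON array of objects, so `$.trust_marks.trust_mark` resolves to nothing in most JSONPath implementations and the nested decode has no token to check. The new test at L485 in the same commit still uses `$.trust_marks[0].trust_mark`, so the two forms are now mixed; the same edit is repeated in the hunks at L488, L490 and L491. Keep `"decode param": "$.trust_marks[0].trust_mark"` unless the JSONPath library in use is known to flatten arrays.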
@@ -15935,12 +14710,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -15954,8 +14729,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -15972,12 +14747,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } 
@@ -15991,8 +14766,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -16014,7 +14789,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -16028,8 +14803,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -16051,7 +14826,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } 
@@ -16065,8 +14840,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -16083,12 +14858,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } @@ -16102,8 +14877,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" 
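Review bot: The schema in the second hunk on this line restricts `organization_name` to the enum `private`/`public`, which reads like the constraint for an organization-type claim rather than for a name; an organization's name is free text, so once the trailing-space keys in the string are repaired this test will fail for every compliant Trust Mark. Confirm which claim the test is meant to cover and either point the property at the type claim or replace the enum with `{\"type\": \"string\"}`.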
@@ -16125,7 +14900,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } @@ -16139,15 +14914,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -16157,12 +14932,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } 
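Review bot: The `ref` schema in the last hunk on this line uses `"format": "uri"` alone, while every sibling URL check in this file pairs `"format": "uri-reference"` with `"pattern": "^https://"`; `format` is an annotation that validators may ignore, so this test can pass on any string and, unlike its siblings, does not require an https URL. For consistency use `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"ref\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"ref\"]}"`.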
@@ -16176,15 +14951,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -16199,7 +14974,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } 
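Review bot: Every Trust Mark test in this hunk and in the hunks at L493 and L494 now reads `Entity Statement response SA OP` where it previously read `SA RP`, and the hunk at L486 deletes the remaining `SA RP` statement test outright; as far as this diff shows, the Trust Mark claims in the statement issued to an RP are no longer checked at all. If dropping the RP variant is intended, the commit message should say so; otherwise keep both message types so the `SA RP` statement retains coverage.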
@@ -16213,15 +14988,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -16236,7 +15011,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } 
@@ -16250,15 +15025,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -16273,7 +15048,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } @@ -16287,15 +15062,15 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", 
@@ -16310,7 +15085,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -16324,8 +15099,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -16347,7 +15122,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } 
@@ -16361,8 +15136,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -16384,7 +15159,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -16398,8 +15173,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" 
@@ -16421,7 +15196,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -16435,8 +15210,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -16458,7 +15233,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } 
@@ -16472,8 +15247,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" @@ -16495,7 +15270,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -16509,8 +15284,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
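Review bot: The name and description of the new claims test say the value is checked to be a list, but the schema on the new side requires `\"type\": \"object\"` with `\"additionalProperties\": {\"type\": \"object\"}`, which rejects an array and additionally requires every member to be an object. One of the two is wrong: if a JSON object keyed by claim name is what the profile expects, the description should say so; otherwise the schema should be `{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"array\"}}, \"required\": [\"claims\"]}`. I cannot tell from the diff which form the specification requires, so this needs checking against the profile text.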
@@ -16527,12 +15302,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -16546,15 +15321,15 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16564,15 +15339,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } 
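Review bot: The `decode param` in the first and third hunks is changed from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark`, but the other Trust Mark tests in this diff (L501, L502, L504, L506–L509) keep the indexed form, and `trust_marks` in an Entity Statement is an array, so the un-indexed path presumably resolves to nothing and the schema check never runs. The same change appears on L500, L503 and L505. Unless the evaluator has a documented rule for applying a path across an array, these should stay `"decode param": "$.trust_marks[0].trust_mark"`.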
@@ -16581,15 +15353,13 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -16606,15 +15376,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } 
@@ -16623,32 +15390,37 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] } ] } 
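Review bot: The id_code schema in the second hunk (`@@ -16623`) requires every property inside `id_code` to itself be an object (`\"additionalProperties\": {\"type\": \"object\"}`), which contradicts the ipa_code test on L497 that requires `ipa_code` to be a string; if both run against the same Trust Mark, one of them necessarily fails. If the intent is only that id_code is a JSON object, as the description says, drop the inner constraint: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}},\"required\": [\"id_code\"]}"`. The test name also has a typo, `correcty`.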
@@ -16660,25 +15432,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } 
@@ -16690,25 +15469,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } 
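Review bot: The organization_name schema in this hunk constrains the value to `\"enum \": [ \"private \", \u00a0\"public \"]`, which is the value set of organization_type (see the two tests on L512–L514), not of an organization's name; the test name and description only ask for the claim's type. This looks like a copy-paste from the organization_type test and would fail on every legitimate Trust Mark once the schema parses. The check should be `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`, with no enum and with the trailing-space keys and `\u00a0` characters removed.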
@@ -16720,25 +15506,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
@@ -16750,25 +15543,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
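Review bot: The new ref check relies on `\"format\": \"uri\"` alone, while every other URL check in this file pairs `uri-reference` with `\"pattern\": \"^https://\"` (for instance the logo_uri and policy_uri schemas on L502 and L504). JSON Schema treats `format` as an annotation unless the validator is configured to assert it, so as written a non-URL string, or an http:// URL, can pass. For consistency and to make the check effective, use `\"ref\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}`.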
@@ -16780,25 +15580,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
@@ -16810,25 +15617,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -16840,25 +15654,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -16870,25 +15691,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } + ] } ] } 
@@ -16900,21 +15728,55 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" + } + ] } ] } 
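Review bot: The first intercept in the new active test decodes the Entity Statement response `"from": "url"` with `"decode param": "client_assertion"`, but an Entity Statement response carries its JWT in the body, as the passive tests in this diff read it (`"from": "body", "decode param": "[^\\r\\n]*"`), and `client_assertion` is a token-request parameter; as written `conf_iss` is presumably never populated and the second intercept compares against an empty variable. The final check also uses `"contains": "conf_iss"`, a substring test, although the description asks for the issuer to identify the SA, which is an equality; if the evaluator supports `"is"` together with `"use variable"`, that is the stricter and intended comparison. The identical test on L511 (SA RP) has the same two problems and the same name, so the two cannot be told apart in a report.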
@@ -16924,21 +15786,55 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" + } + ] } ] } 
@@ -16948,68 +15844,105 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] + } + ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] + } + ] } ] } ], - "result": "correct flow s1" - } - }, + "result": [ + "s1" + ] + } + }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "checks": [ + "message type": "Entity Configuration response SA", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" } ] } 
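Review bot: The two organization_type tests re-added in this hunk set `"result": ["s1"]`, while the surrounding tests, and the ones this same diff rewrites on L500 and L501, use `"result": "correct flow s1"`; keeping two result forms for the same kind of passive test will either be rejected by the evaluator or be evaluated differently, so it should be `"result": "correct flow s1"` here too. Their `"check": "organization_type"` is also the only place a bare key is used where the other checks give a JSONPath (`$.iss`, `$.exp`); if the evaluator expects a path, `"check": "$.organization_type"` is the form to use. Both tests carry the same name, differing only in the message type, which makes a failure ambiguous in the output.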
@@ -17019,20 +15952,21 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" } ] } 
@@ -17042,27 +15976,21 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is": "X_key_AA" - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -17072,71 +16000,78 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", - "type": "passive", + "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", + "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "header", + "jwt edit": "alg", + "value": "none" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Resolve Entity Statement response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does entity 
configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.exp", + "is present": "true" } ] } @@ -17148,25 +16083,25 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.iat", + "is present": "true" } ] } 
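Review bot: In the 'non-asymmetric method' test of the first hunk (`@@ -17072`) the error-response checks are incomplete: `"check regex": "HTTP/?\\d?\\.?\\d?\\s302"` has no `"is present": "true"` like every other regex check in the file, and `"check": "invalid_request"` has no operator at all, so it is unclear what the evaluator asserts there. Only the header `alg` is rewritten to `none` while the original signature is left in place, so a rejection may come from ordinary signature verification rather than from an algorithm policy, and the symmetric case the description discusses is not exercised; the name promises more than the test establishes. The exp test at the end of the same hunk only checks `"is present"`, whereas the Trust Mark exp/iat tests on L499 and L500 enforce `{"type": "integer", "minimum": 0}`; the iat, iss, jwks and metadata tests on L519–L521 are presence-only in the same way, and at least exp and iat should keep `"check": "$"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`.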
@@ -17178,15 +16113,15 @@
 },
 {
 "test": {
- "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -17195,8 +16130,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -17208,15 +16143,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -17225,8 +16160,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -17238,15 +16173,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -17255,8 +16190,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
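Review bot: The checks added here (`$.jwks` in the first hunk, `$.metadata` in the last one, and `$.sub` / `$.authority_hints` in the two hunks that follow) assert only `"is present": "true"`, while the checks they replace validated a JSON schema — `exp` and `iat` as `"type": "integer", "minimum": 0`, `metadata` as an `object` with a closed list of entity types. After the reorder, every `exp`, `iat` and `metadata` test visible in this diff is presence-only, so a string-valued `exp` or a non-object `metadata` would pass. If the schema-based variants were moved to another test file in this reorganisation this is fine; if not, keep them next to the presence checks, e.g. pair `"check": "$.exp", "is present": "true"` with the removed `"check": "$", "json schema compliant": …` entry in the same `checks` array.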
@@ -17268,15 +16203,15 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -17285,8 +16220,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.sub", + "is present": "true" } ] } 
@@ -17298,25 +16233,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.authority_hints", + "is present": "true" } ] } 
@@ -17328,15 +16263,15 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -17358,24 +16293,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.exp", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
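Review bot: The new `"decode param": "(?<=\"access_token\": \")[^\"]+"` in the Token response hunk only matches a body serialised with exactly one space after the colon; a compact `"access_token":"…"` body yields no match, so the header check never runs and the verdict depends on how the tool treats an empty decode rather than on the token itself. If the tool's regex engine accepts bounded-width lookbehind, `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"` covers both serialisations; the same pattern recurs in every Token response hunk that follows, and the `id_token` variant has the same limitation. Separately, `$.alg` is only checked for presence, so a header carrying `"alg": "none"` satisfies this test — a companion value check with the file's `is in` / `not contains` operators would pin it, unless another test in the suite already does.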
@@ -17388,24 +16323,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iat", + "in": "header", + "check": "$.kid", "is present": "true" } ] @@ -17418,24 +16353,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iss", + "in": "header", + "check": "$.typ", "is present": "true" } ] 
@@ -17448,24 +16383,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.aud", "is present": "true" } ] @@ -17478,24 +16413,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.client_id", "is present": "true" } ] 
@@ -17508,24 +16443,24 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.exp", "is present": "true" } ] 
@@ -17538,30 +16473,25 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.iat", + "is present": "true" } ] } 
@@ -17573,30 +16503,25 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.iss", + "is present": "true" } ] } 
@@ -17608,28 +16533,25 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.jti", + "is present": "true" } ] } 
@@ -17641,27 +16563,25 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.scope", + "is present": "true" } ] } 
@@ -17673,28 +16593,25 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.sub", + "is present": "true" } ] } 
@@ -17706,24 +16623,24 @@ }, { "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
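Review bot: The test name promises a `correct 'alg' parameter`, but the only check is `"in": "header", "check": "$.alg", "is present": "true"`, so any algorithm value — including `none` — satisfies it. Either rename it to match the sibling Access Token test (`Does the issued JWT ID Token contain the 'alg' parameter in the Header`) or add the value assertion the name implies, e.g. `"is in": ["RS256", "RS512"]` if those are the signing algorithms the profile allows for ID Tokens (they are the set the removed AA metadata tests accepted; confirm against the profile before hard-coding them).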
@@ -17736,24 +16653,24 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "in": "header", + "check": "$.kid", "is present": "true" } ] 
@@ -17766,24 +16683,24 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "check": "$.acr", "is present": "true" } ] 
@@ -17796,24 +16713,24 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.at_hash", "is present": "true" } ] 
@@ -17826,24 +16743,24 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "check": "$.aud", "is present": "true" } ] 
@@ -17856,24 +16773,24 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "check": "$.exp", "is present": "true" } ] @@ -17886,24 +16803,24 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.iat", "is present": "true" } ] 
@@ -17916,24 +16833,24 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", + "check": "$.iss", "is present": "true" } ] @@ -17946,24 +16863,24 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", + "check": "$.jti", "is present": "true" } ] 
@@ -17976,24 +16893,24 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.nonce", "is present": "true" } ] @@ -18006,24 +16923,24 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "check": "$.sub", "is present": "true" } ] 
@@ -18036,25 +16953,46 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", - "type": "passive", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ + { + "from": "url", + "save": "client_id", + "as": "auth_client_id" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", - "is present": "true" + "check": "client_id", + "is": "auth_client_id", + "use variable": "true" } ] } 
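Review bot: The new comparison uses `"check": "client_id"` whereas every other payload check in this file addresses the claim as a JSONPath (`$.client_id`, `$.exp`, `$.sub`); unless `check` falls back to a bare claim name when `"use variable": "true"` is set, the lookup resolves to nothing and the test fails for every provider. The same form appears as `"check": "scope"` in the next hunk. `"check": "$.client_id"` keeps the convention and removes the doubt.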
@@ -18066,55 +17004,46 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" - } - ] + "from": "url", + "save": "scope", + "as": "auth_scope" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response AA", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": 
"true" + "check": "scope", + "is": "auth_scope", + "use variable": "true" } ] } @@ -18126,27 +17055,21 @@ }, { "test": { - "name": "Does the AA metadata contain the resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_resource.resource", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
@@ -18156,27 +17079,21 @@ }, { "test": { - "name": "Does the AA metadata contain the response_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } 
@@ -18186,27 +17103,20 @@ }, { "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Introspection Endpoint Response have the active parameter", + "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "active" } ] } 
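Review bot: `"check regex": "active"` matches the bare substring anywhere in the introspection body, so an error response whose `error_description` mentions "active", or a body containing `"inactive"`, satisfies the test without the required parameter being present. Anchor the check to the JSON member: `"check regex": "\"active\"\\s*:"`. The `"is present": true` here is a JSON boolean whereas sibling tests use the string `"true"`; pick one form unless the tool is known to accept both.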
@@ -18216,27 +17126,20 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Introspection Endpoint returns true on active tokens", + "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "\"active\": true" } ] } 
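Review bot: `"check regex": "\"active\": true"` requires exactly one space after the colon, so an OP that serializes `{"active":true}` compactly fails a test it should pass, while the previous test in this file would still report the parameter present. Make the whitespace optional: `"check regex": "\"active\"\\s*:\\s*true"`. Since this session (`s_CIE_introsp`) is dedicated to introspection, it would also be worth a negative counterpart that sends a revoked or garbage token and expects `"active"\s*:\s*false`, otherwise an endpoint that always answers active passes.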
@@ -18246,27 +17149,20 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
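Review bot: The check `"in": "url", "check": "POST"` looks for the literal string POST inside the request URL, but the HTTP method is part of the request line, not the URL, so this either never matches or matches only if "POST" happens to appear in the path. The sibling tests inspect the request/status line via the head, so the check should be `"in": "head", "check regex": "^POST\\s", "is present": "true"`. Separately, the name says the OP *verifies* the method, but a passive look at the RP's own revocation request can only show the RP used POST; proving enforcement needs an active test that sends the revocation as GET and expects a 4xx (RFC 7009 §2.1).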
@@ -18276,27 +17172,20 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
@@ -18306,21 +17195,20 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_AA" + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
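Review bot: This test is identical to the one directly above it (same `Token response` message type, same `"check regex": "access_token"`) even though its description claims it exercises a request with scope `openid`; as written it adds no coverage and will always agree with its twin. Either drop it or make it assert something the first does not, for example that the body is a JSON object with a non-empty token: `"check regex": "\"access_token\"\\s*:\\s*\"[^\"]+\""`. The bare substring `access_token` would also match an error body that merely mentions the parameter.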
@@ -18330,21 +17218,20 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Token response", "checks": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } 
@@ -18354,28 +17241,20 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } 
@@ -18385,28 +17264,20 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } 
@@ -18416,20 +17287,20 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "UserInfo response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } 
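Review bot: The UserInfo status check passes a regex through `"check param": "HTTP/?\\d?\\.?\\d?\\s200"`, whereas every other status-line check in this patch (EC, revocation, token responses) uses `"check regex"` for the same pattern; `check param` is elsewhere used with a literal header name such as `Content-Type`, so this test will presumably look for a header literally named by the pattern and never match. Restore the original form: `"check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true"`. The boolean `"is present": true` also differs in type from the string `"true"` used in the neighbouring tests.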
@@ -18439,38 +17310,45 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" - } - ] - } + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" + } + ] + } + ] + } ], "result": "correct flow s1" } }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -18479,8 +17357,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_TA" + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } 
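Review bot: The JSONPath `$.metadata.openid_provider.claims_parameter_supported.value` appends `.value`, but in an Entity Configuration the OP metadata claim is a bare boolean (`"claims_parameter_supported": true`); the `{"value": ...}` shape belongs to metadata *policies* in Entity Statements, not to published metadata, so on a conformant OP this path resolves to nothing and the test cannot pass. The path should be `"check": "$.metadata.openid_provider.claims_parameter_supported"` with `"is": "true"` (assuming the tool compares the boolean by its string form — worth confirming); the same `.value` suffix appears in the request_parameter_supported and authorization_response_iss_parameter_supported tests in this patch. The description still says only *presence* is checked while the name and check assert the value; align the wording with what is actually tested.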
@@ -18492,20 +17370,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" + } + ] } ] } 
@@ -18515,20 +17400,27 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_OP" + } + ] } ] } 
@@ -18538,19 +17430,19 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "checks": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] 
@@ -18561,19 +17453,19 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "checks": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] 
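Review bot: After this change the "Does the Entity expose the /.well-known/openid-federation endpoint" test is byte-for-byte the same as the EC HTTP-code test in the previous hunk (same message type, same `HTTP/?\d?\.?\d?\s200` head regex), so it no longer checks what its description promises — that the response body is the entity configuration. The removed TA variant asserted a JWS-shaped body; add that back as a second check, e.g. `"in": "body", "check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]*$", "is present": "true"` (note `\w` alone does not cover the `-` and `_` of base64url, which the old `([\\w=]+)\\.([\\w=]+)` pattern missed). A 200 with an HTML error page currently satisfies this test.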
@@ -18584,19 +17476,19 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", + "message type": "Revocation response", "checks": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] 
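Review bot: The test name and description require an *empty* HTTP 200 from the revocation endpoint, but the only check is the status-line regex, so a 200 carrying a body (for example an error JSON or a token dump) passes. Add a body check alongside the head check, e.g. `"in": "body", "check regex": "^\\s*$", "is present": "true"` if the tool anchors regexes against the whole body, otherwise a check that `Content-Length: 0` is present in the head. Without it the test does not distinguish a correct revocation response from any 200.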
@@ -18607,19 +17499,19 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", + "message type": "Token response", "checks": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] @@ -18630,19 +17522,19 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", + "message type": "Token response", "checks": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] 
@@ -18653,2247 +17545,5597 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, 
the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the client_id parameter", + "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", + "description": 
"The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", + "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. 
If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the nonce parameter", + "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\n\\r]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": 
"correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests without the scope parameter",
+ "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
+ "jwt from": "payload",
+ "jwt edit": "$.scope",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is 
decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests without the state parameter",
+ "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.state",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata",
+ "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.acr_values",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a wrong claims parameter",
+ "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.claims",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata",
+ "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.code_challenge_method",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ 
"result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter",
+ "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.code_challenge",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": 
"invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a wrong exp parameter",
+ "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.exp",
+ "value": "1681723540"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": 
"assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a wrong iat parameter",
+ "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": "1681723540"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the 
TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters",
+ "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.nonce",
+ "value": "19az"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
+ },
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter",
+ "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.prompt",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and 'superset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata",
+ "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.response_type",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "unsupported_response_type"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata",
+ "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "jwt from": "payload",
+ "jwt edit": "$.scope",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_scope"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy 
for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters",
+ "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.state",
+ "value": "19az"
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter 
key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests without the acr_values parameter",
+ "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.acr_values",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
+ },
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests without the aud parameter",
+ "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. 
In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "jwt from": "payload",
+ "jwt edit": "$.aud",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the claims parameter", + "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the exp parameter", + "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iat parameter", + "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued as ['true']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iss parameter", + "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' and 'superset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the prompt parameter", + "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' and 'superset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", + "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the response_type parameter", + "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], 
"operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse an RP without trusted Trust Marks", + "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. 
The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.trust_marks", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", + "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. 
In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", - "type": "passive", + "name": "Does the OP correctly validate the trust chain of an RP authentication request", + "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. 
In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.authority_hints", + "value": "https://www.wrongsite.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_client" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", - "type": "passive", + "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", + "description": "This test aims to check if the OP checks the correctness of the client_id parameter. 
The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Request with a wrong redirect URI", + "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. 
To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": 
"intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - 
"decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.aud[0]", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": 
"intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource 
Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection 
request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", - "type": "passive", + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", + 
"type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + 
"decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "jwt 
from": "payload", + "jwt edit": "$.sub", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": 
"body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse 
revocation requests without the exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.jti",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is missing",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.aud",
+ "value": "https://www.example.com"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the iat claim is wrong", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", + "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "message operations": [ + { + "from": "body", + "edit": "(?<=token=)([^&]+)", + "in": "123.123.123" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP refuse wrongly signed Authentication Requests", + "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, 
payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt sign": "X_wrong_key" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unauthorized_client" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP verify the signature of the client assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. 
If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "type": "active", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt sign": "X_wrong_key" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP verify the signature of the client assertion in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. 
If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the token response to a token request made with a wrong signature return a Token Error response",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP's token endpoint refuse assertions signed with a wrong key",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP issue refresh tokens even when it is not supposed to",
+ "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "checks": [
+ {
+ "in": "body",
+ "check": "refresh_token",
+ "is present": false
+ }
+ ]
+ }
+ ],
+ "result": [
+ "s1"
+ ]
+ }
+ },
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP metadata contain correct type issuer parameter",
+ "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP metadata contain correct type logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } 
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
+ "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=id_token: \")([^\"]+)",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=id_token: \")([^\"]+)",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP refuse Authentication Requests without the request parameter",
+ "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "edit operations": [
+ {
+ "from": "url",
+ "value": "",
+ "edit": "request"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL",
+ "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "edit operations": [
+ {
+ "from": "url",
+ "value": "",
+ "edit": "scope"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT",
+ "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "edit operations": [
+ {
+ "from": "url",
+ "value": "example",
+ "edit": "request"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT",
+ "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged",
+ "type": "active",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "edit operations": [
+ {
+ "from": "url",
+ "value": "openid",
+ "edit": "scope"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP accept introspection requests without the client assertion",
+ "description": "A request to the introspection endpoint is made without the client assertion in it. The OP's response is analyzed",
+ "type": "active",
+ "sessions": [
+ "s_CIE_introsp"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
+ "edit operations": [
+ {
+ "from": "body",
+ "value": "",
+ "edit regex": "(?<=client_assertion=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ },
+ {
+ "in": "body",
+ "check": "invalid_client"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP accept introspection requests without the client assertion type",
+ "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed",
+ "type": "active",
+ "sessions": [
+ "s_CIE_introsp"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
+ "edit operations": [
+ {
+ "from": "body",
+ "value": "",
+ "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP accept introspection requests without the client id",
+ "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.",
+ "type": "active",
+ "sessions": [
+ "s_CIE_introsp"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
+ "edit operations": [
+ {
+ "from": "body",
+ "value": "",
+ "edit regex": "(?<=client_id=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ },
+ {
+ "in": "body",
+ "check": "invalid_client"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "How does the OP behave when receiving an introspection request without the token",
+ "description": "An introspection request without a token is sent and the introspection response analyzed",
+ "type": "active",
+ "sessions": [
+ "s_CIE_introsp"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
+ "edit operations": [
+ {
+ "from": "body",
+ "value": "",
+ "edit regex": "(?<=token=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP accept introspection requests with a wrong client assertion type",
+ "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed",
+ "type": "active",
+ "sessions": [
+ "s_CIE_introsp"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
+ "edit operations": [
+ {
+ "from": "body",
+ "value": "X_wrong_value",
+ "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP verify the client id of the Introspection Request",
+ "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.",
+ "type": "active",
+ "sessions": [
+ "s_CIE_introsp"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
+ "edit operations": [
+ {
+ "from": "body",
+ "value": "https://www.example.com/",
+ "edit regex": "(?<=client_id=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ },
+ {
+ "in": "body",
+ "check": "invalid_client"
+ }
+ ]
+ }
+ ],
+ "result": "assert_only"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP verify the parameters of the client assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.",
+ "type": "active",
+ "sessions": [
+ "s_CIE_introsp"
+ ],
+ "operations": [
+ {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
+ "edit operations": [
+ {
+ "from": "body",
+ "value": "X_wrong_value",
+ "edit regex": "(?<=client_assertion=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
- "type": "passive",
+ "name": "How does the OP behave when receiving an introspection request with a wrong token",
+ "description": "An introspection request with a token not valid is sent and the introspection response analyzed",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
+ "edit operations": [
 {
 "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
- }
- ]
+ "value": "X_not_valid_tkn",
+ "edit regex": "(?<=token=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
- "type": "passive",
+ "name": "Does the OP verify the presence of token in the Revocation request",
+ "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "edit operations": [
 {
 "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
- }
- ]
+ "value": "",
+ "edit regex": "(?<=token=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
- "type": "passive",
+ "name": "Does the OP accept revocation request without the client assertion",
+ "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "edit operations": [
 {
 "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
- }
- ]
+ "value": "",
+ "edit regex": "(?<=client_assertion=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ },
+ {
+ "in": "body",
+ "check": "invalid_client"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
- "type": "passive",
+ "name": "Does the OP accept Revocation Requests without the client assertion type",
+ "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "edit operations": [
 {
 "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
- }
- ]
+ "value": "",
+ "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
- "type": "passive",
+ "name": "Does the OP accept Revocation Requests without the client id",
+ "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "edit operations": [
 {
 "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
- }
- ]
+ "value": "",
+ "edit regex": "(?<=client_id=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ },
+ {
+ "in": "body",
+ "check": "invalid_client"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
- "type": "passive",
+ "name": "Does the OP verify the client assertion type of the Revocation Request",
+ "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type 
parameter is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] - } - ] + "value": "urn-ietf", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the client id of the Revocation Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - 
"from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] - } - ] + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", - "type": "passive", + "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] - } - ] + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", - "type": "passive", + "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] - } - ] + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", - "type": "passive", + "name": "Does the OP require the client_id in the token request", + "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", - "type": "passive", + "name": "Does the token response to a token request made without the code parameter return a Token Error response", + "description": "This test consists in sending a token request without the code parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] - } - ] + "value": "", + "edit regex": "(?<=code=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", + "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=code_verifier=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", - "type": "passive", + "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=grant_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "value": "urn-aert", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", + "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "value": "X_wrong_code", + "edit regex": "(?<=code=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "is present": "true" - } - ] + "value": "X_wrong_code", + "edit regex": "(?<=code_verifier=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", - "type": "passive", + "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", + "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": 
"true" - } - ] + "value": "example", + "edit regex": "(?<=grant_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "unsupported_grant_type" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", - "type": "passive", + "name": "Does the OP check the client_id in the request", + "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. 
To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", - "type": "passive", + "name": "How does the OP behave when the token in the userinfo request is missing", + "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "UserInfo request", + "edit operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "from": "head", + "value": "", + "edit": "Authorization" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "UserInfo response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": 
"[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_mark_issuers", - "is present": "true" - } - ] + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] } @@ -20903,27 +23145,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
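Review bot: The `"is": "Bearer"` check on token_type is an exact comparison, while RFC 6749 §5.1 makes the token_type value case-insensitive, so an OP answering `"token_type": "bearer"` would fail this test despite being conformant. If the federation profile under test mandates the literal `Bearer`, say so in the description so that such a failure reads as a profile violation rather than a test artefact; otherwise a case-tolerant pattern such as `"check regex": "\"token_type\":\\s?\"[Bb]earer\""` keeps the intent. Whether `is` performs an exact or a substring match is not visible here, so this is inferred from the literal value.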
@@ -20933,27 +23168,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": "true" } ] } 
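Review bot: The regex `(?<=code=)[a-zA-Z0-9]+(?=&)` cannot match a UUID, because the character class has no `-` and the lookahead requires the alphanumeric run to end at `&`; a dashed UUID (constructed example `3fa85f64-5717-4562-b3fc-2c963f66afa6`) fails the check while any plain alphanumeric code passes, which is the opposite of what the description states. The lookahead also fails whenever `code` is the last query parameter in the Location header. If a UUID is really required, something like `"check regex": "(?<=[?&]code=)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=&|\\s|$)"` matches the description; otherwise the description should drop the UUID claim.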
@@ -20963,27 +23191,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
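Review bot: The description says the entity configuration must be a Federation Metadata in JOSE format with `Content-Type: application/entity-statement+jwt`, but the only check is a body regex that any three dot-separated tokens satisfy; the header is never inspected. Adding `{ "in": "head", "check": "Content-Type", "is": "application/entity-statement+jwt" }` to the checks, in the same head-check form the Content-Type test earlier in this file uses, would make the test enforce what it documents. Note also that `[\\w=]+` does not include `-`, which is legal in base64url segments, so the body pattern matches some substring of the JWT rather than the whole token.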
@@ -20993,27 +23214,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
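Review bot: The body regex begins with an unescaped `[`, so `[\\s*\"[^\"]*\"(?:,...` opens a character class instead of matching a literal opening bracket, and the pattern no longer describes the JSON string array that the trailing `\\]$` suggests. If a string array is the intended body, it should read `"check regex": "^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also promises an HTTP 200 OK that is never checked; a head check `{ "in": "head", "check regex": "HTTP/?\\d?\\.?\\d?\\s200" }` in the style of the other tests would cover it. It is not obvious from the description why a resolved-metadata response would be a bare array of strings, so the expected body shape deserves a sentence.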
@@ -21023,27 +23237,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy", - "is present": "true" - } - ] + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
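Review bot: The lookbehind `(?<=\"access_token\":\\s?)` tolerates at most one whitespace character after the colon and none before it, so a pretty-printed token response (`"access_token" : "..."` or a newline plus indentation) makes the check fail even though the body holds a valid three-segment JWT. A bounded quantifier such as `(?<=\"access_token\"\\s{0,4}:\\s{0,8})` accepts ordinary formatting while keeping the lookbehind at a known maximum length, which some regex engines require. The same applies to the `id_token` pattern in the next hunk (`@@ -21053,27 +23260,20 @@`). It is also worth stating in the description that only the compact-serialization shape is verified here, not the signature.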
@@ -21053,27 +23260,20 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
@@ -21083,27 +23283,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } 
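Review bot: The JWE pattern requires all five segments to be non-empty (`[\\w\\-]+` on each), but in JWE compact serialization the second segment, the encrypted key, is empty in direct key agreement mode, and `ECDH-ES`, which the following alg test lists as acceptable, is exactly that mode (RFC 7518 §4.6). A UserInfo response encrypted with ECDH-ES would therefore fail this check while passing the alg check. Allowing an empty second segment, `"check regex": "[\\w\\-]+\\.[\\w\\-]*\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$"`, removes the inconsistency. Note that the pattern only verifies the five-segment shape; that the inner payload is a signed JWS is not established by this test.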
@@ -21113,25 +23306,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" 
+ ] } ] } 
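Review bot: The added `jwe decrypt` value embeds a full PEM private key in the committed test definition, and the same key is repeated verbatim in the five UserInfo JOSE-header tests that follow (the `enc` value test and the `alg`, `cty`, `enc` and `kid` presence tests). Anyone who can read this file can decrypt every UserInfo response protected for that key, so it must be a disposable test-bench key that no RP uses elsewhere, and it should be rotated if it ever was; loading it from a file or environment reference at run time, if the runner supports that, would also remove six copies that can drift apart. These six hunks also keep `"decode param": "[^\\r\\n]*"` while the Entity Configuration hunks later in this patch rename that key to `"decode regex"` for the same value; if the runner treats the two keys differently, the UserInfo decode step may never match, so the key name should be aligned.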
@@ -21143,25 +23343,29 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.constraints", - "is present": "true" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -21173,24 +23377,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHn
fnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.exp", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
@@ -21203,24 +23408,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHn
fnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iat", + "in": "header", + "check": "$.cty", "is present": "true" } ] 
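Review bot: The new `cty` check only asserts that the header parameter exists; for a JWE carrying a nested signed JWT the value is what matters, and any arbitrary `cty` passes here. Replace `"is present": "true"` with `"is in": [ "JWT" ]` so this test actually confirms the nested-JWS claim made by the UserInfo test earlier in this patch.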
@@ -21233,24 +23439,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8J
HnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.jwks", + "in": "header", + "check": "$.enc", "is present": "true" } ] 
@@ -21263,24 +23470,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy", + "in": "header", + "check": "$.kid", "is present": "true" } ] 
@@ -21293,25 +23501,29 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata.openid_provider.acr_values_supported[0]",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
 }
 ]
 }
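Review bot: `$.metadata.openid_provider.acr_values_supported[0]` with `is in` only checks that the first array element is one of the allowed values, whereas the description says the whole array is checked against the three SPID levels; an array whose first element is allowed and whose remaining elements are anything at all passes. The same `[0]` pattern is used in the new `code_challenge_methods_supported`, `grant_types_supported`, `id_token_encryption_alg/enc_values_supported`, `id_token_signing_alg_values_supported`, `request_object_signing_alg_values_supported`, `token_endpoint_auth_methods_supported`, `token_endpoint_auth_signing_alg_values_supported`, `request_authentication_signing_alg_values_supported`, `client_registration_types_supported` and `response_modes_supported` tests that follow, where it matters most: an OP advertising `["private_key_jwt", "client_secret_basic"]` or `["S256", "plain"]` passes those tests unchanged. If the check DSL offers a whole-array comparison, drop the `[0]` and use it; otherwise a `json schema compliant` check with `items`/`enum` and `uniqueItems`, as the removed Trust Mark tests did, would constrain every element rather than the first.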
@@ -21323,25 +23535,27 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
+ "is in": [
+ "S256"
+ ]
 }
 ]
 }
@@ -21353,25 +23567,28 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata.openid_provider.grant_types_supported[0]",
+ "is in": [
+ "refresh_token",
+ "authorization_code"
+ ]
 }
 ]
 }
@@ -21383,25 +23600,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -21413,31 +23633,27 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -21450,31 +23666,27 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -21487,31 +23699,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the OP metadata contain a correct issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.issuer",
+ "is in": [
+ "X_url_OP"
 ]
 }
 ]
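Review bot: The `issuer` check compares the decoded value against the literal `X_url_OP`; unless the runner substitutes that placeholder from the session configuration, this test fails against every OP, and even with substitution it is weaker than checking that `issuer` equals the Entity Configuration's own `iss`/`sub`, which is what one would expect for the OP's entity identifier. If the placeholder is substituted, that should be stated, e.g. `"description": "... is checked to be the URL of the OP (X_url_OP is replaced with the configured OP URL at run time)"`.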
@@ -21524,31 +23731,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -21561,31 +23764,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
+ "is in": [
+ "private_key_jwt"
 ]
 }
 ]
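Review bot: The description says only the presence of `token_endpoint_auth_methods_supported` is checked, but the check asserts that the first value is `private_key_jwt`; the new `client_registration_types_supported` test further down has the same mismatch with `automatic`. Align the description with the assertion, e.g. `"description": "In this test the OP metadata are taken and the value of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'private_key_jwt'."`, so a failing report tells the reader which value was rejected.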
@@ -21598,31 +23796,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -21635,31 +23829,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -21672,31 +23862,26 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" ] } ] 
@@ -21709,31 +23894,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" ] } ] 
@@ -21746,31 +23927,26 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" ] } ] 
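Review bot: `response_types_supported[0]` with `"is in": ["code"]` accepts an OP that advertises `["code", "token"]` or `["code", "id_token"]`, so implicit and hybrid response types are not actually excluded even though the description says the parameter "must be set to 'code'". Unlike the signing-algorithm claims, this file has no matching "incorrect response_types_supported" deny-list test to catch that case. Add a second check over the whole array, e.g. `"check": "$.metadata.openid_provider.response_types_supported", "not contains": ["token", "id_token"]`, next to the index-0 check.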
@@ -21783,31 +23959,26 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" ] } ] 
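Review bot: This check omits the `[0]` index every sibling test uses and applies `"is in": ["private_key_jwt"]` to the whole `revocation_endpoint_auth_methods_supported` array, so depending on how the tool compares an array value against the list it may never match or may accept a superset; presumably the intended line is `"check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported[0]"`. If the requirement is really private_key_jwt and nothing else, the stronger form is a `"not contains": ["client_secret_basic", "client_secret_post", "none"]` check on the full path, since a first-element check cannot rule out weaker methods advertised later in the list.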
@@ -21820,31 +23991,29 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" ] } ] 
@@ -21857,31 +24026,26 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" ] } ] 
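Review bot: Checking `subject_types_supported[0]` against `["pairwise"]` still passes an OP that advertises `["pairwise", "public"]`, whereas the description says the value is 'pairwise'. A `"not contains": ["public"]` check on the full `subject_types_supported` path would make the test actually enforce pairwise-only subjects; otherwise the description should say only the first entry is verified.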
@@ -21894,31 +24058,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -21931,31 +24091,27 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -21968,31 +24124,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -22005,31 +24157,28 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } + "in": "payload", + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] 
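Review bot: The regex `(?<=\"id_token\": \")[^\"]+` only matches a token response serialized with a space after the colon; a compact `{"id_token":"..."}` body yields no match, so the ID Token is never decoded and the acr check silently does not run. Use a bounded optional whitespace in the lookbehind, `"decode regex": "(?<=\"id_token\":\\s?\")[^\"]+"`, so both serializations are handled. Separately, the description claims the acr "must be equal or superior to the acr send from the RP in the Authentication Request", but the check is only membership in the three SpidL values and never compares against the request; drop that sentence or cover it in a separate test that reads the Authentication Request.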
@@ -22042,31 +24191,26 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" ] } ] 
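Review bot: The decode step uses `"decode param": "[^\\r\\n]*"` while the other OP-metadata tests in this patch pass the same pattern as `"decode regex"`, and the issuer/jwks hunks further down explicitly convert `decode param` into `decode regex`; in the removed code `decode param` carried a JSON path (`$.trust_marks[0].trust_mark`), which suggests this regex is being fed to the wrong option and the JWT is never decoded. If so, this negative test would never flag an OP advertising the forbidden key-management algorithm; change the line to `"decode regex": "[^\\r\\n]*"` and confirm the test fails against a deliberately bad Entity Configuration. Note also that the JWA identifier registered in RFC 7518 is `RSA1_5`, not `RSA_1_5`; unless the tool normalizes names, an OP advertising `RSA1_5` passes this deny list.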
@@ -22079,31 +24223,29 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
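Review bot: The decode step uses `"decode param": "[^\\r\\n]*"` where the sibling tests and the later issuer/jwks hunks in this same patch use `"decode regex"` for the identical pattern, so this deny-list test for `none`/HS* in `id_token_signing_alg_values_supported` may not decode the Entity Configuration at all. Replace the line with `"decode regex": "[^\\r\\n]*"` and verify the test actually fails when the OP advertises `HS256`, since a negative test that never executes gives a false sense of coverage against `alg: none` and HMAC key confusion.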
@@ -22116,31 +24258,29 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
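Review bot: Same option-name issue as the neighbouring hunks: `"decode param": "[^\\r\\n]*"` should presumably be `"decode regex": "[^\\r\\n]*"`, as used by the positive OP-metadata tests and by the corrected issuer/jwks tests below. Until that is fixed, the `request_object_signing_alg_values_supported` deny list for `none`/HS256/HS384/HS512 is likely not exercised; run it once against an Entity Configuration that advertises `HS256` to confirm it reports a failure.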
@@ -22153,34 +24293,29 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
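Review bot: `"decode param": "[^\\r\\n]*"` appears again here while the positive tests for the same claim and the corrected hunks below use `"decode regex"`; if `decode param` is the JSON-path selector (as in the removed `$.trust_marks[0].trust_mark` usage), this `token_endpoint_auth_signing_alg_values_supported` deny list never decodes the JWT. Change it to `"decode regex": "[^\\r\\n]*"` and make sure the test fails on an OP that advertises `HS256`.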
@@ -22188,41 +24323,34 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ - { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
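Review bot: The check path ends in `[0]` but the operator is `"not contains"`, so only the first advertised algorithm is tested against `none`/HS256/HS384/HS512; an OP advertising `["RS256", "HS256"]` passes this "incorrect" test, which defeats its purpose. Drop the index so the deny list applies to the whole array, `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`, matching the other deny-list tests in this patch. The decode step also uses `"decode param"` where the sibling tests use `"decode regex"` for the same pattern; presumably it should be `"decode regex": "[^\\r\\n]*"` here too.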
@@ -22230,22 +24358,20 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -22254,7 +24380,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", "not contains": [ "RSA_1_5" ] 
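Review bot: The deny list for `userinfo_encryption_alg_values_supported` uses `RSA_1_5`, but the JWA name registered in RFC 7518 is `RSA1_5` (no underscore between RSA and 1); unless the tool normalizes identifiers, an OP that advertises `RSA1_5` — the PKCS#1 v1.5 padding this test exists to reject — passes. Change the entry to `"not contains": ["RSA1_5"]` (or list both spellings if some implementations under test emit the non-standard form) and verify the test fails against an Entity Configuration advertising `RSA1_5`.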
@@ -22269,15 +24395,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -22286,7 +24412,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", "not contains": [ "none", "HS256", 
@@ -22304,30 +24430,26 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": 
"header", + "check": "$.cty", + "is": "JWT" } ] } 
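Review bot: An RSA private key PEM is embedded verbatim in the `jwe decrypt` field (and repeated in the next test), so the key that decrypts UserInfo responses is committed in plain text inside the test corpus and duplicated wherever it is needed. If this is the RP's real encryption key it must be rotated and purged from history; even as a throwaway fixture it should be referenced once (a key file path or a variable the tool resolves) so that rotation is a one-line change rather than an edit of every test. The description would also benefit from saying whether `$.cty` is read from the outer JWE header or from the inner JWT after decryption, since the hunk alone does not make that clear.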
@@ -22339,26 +24461,30 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "in": "header", + "check": "$.alg", + "is not in": [ + 
"none", + "HS256", + "HS384", + "HS512" ] } ] @@ -22371,30 +24497,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.issuer", + "is present": "true" } ] } 
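Review bot: The deny list `["none", "HS256", "HS384", "HS512"]` is narrower than the description, which also says an absent `alg` or any symmetric algorithm makes the token non-compliant: an `"is not in"` check presumably passes when the claim is missing, and symmetric JWE key-management algorithms (`dir`, `A128KW`, `A256GCMKW`, the PBES2 family) are not listed. Since the OP-metadata tests in this file pin the acceptable values, an allow-list is the robust form: `"check": "$.alg", "is in": ["RS256", "RS512"]` if the header inspected after `jwe decrypt` is the inner JWS, or `["RSA-OAEP", "RSA-OAEP-256"]` if it is the outer JWE header, plus a separate `"is present": "true"` check. Otherwise trim the description to what is actually checked. The private key repeated in this hunk's `jwe decrypt` field is the same concern as in the previous test.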
@@ -22406,30 +24527,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.jwks", + "is present": "true" } ] } 
@@ -22441,27 +24557,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.signed_jwks_uri", + "is present": "true" } ] } 
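Review bot: The check in this hunk contradicts its own name and description: the text says at least one of `jwks` / `signed_jwks_uri` is enough, but the only check is `"is present": "true"` on `$.metadata.openid_provider.signed_jwks_uri`, so an OP that distributes its keys inline via `jwks` fails, and together with the preceding test (which requires `jwks`) the suite effectively demands both. Either re-describe this as a mandatory `signed_jwks_uri` test, e.g. `"name": "Does the OP metadata contain the signed_jwks_uri claim in the openid_provider subclaim"` with a matching description, or express the alternative if the checks syntax supports a disjunction (nothing in this patch shows one). As written it yields a false negative that reads as a key-distribution failure.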
@@ -22473,30 +24587,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" } ] } 
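Review bot: Presence of `acr_values_supported` says nothing about whether the OP actually advertises the SPID levels the replaced TA-policy test pinned; an OP listing only an unknown or downgraded ACR passes this check. Unless a value test exists in another file, add a check on the same payload, `"check": "$.metadata.openid_provider.acr_values_supported", "is subset of": ["https://www.spid.gov.it/SpidL1", "https://www.spid.gov.it/SpidL2", "https://www.spid.gov.it/SpidL3"]`, bearing in mind that subset-of only forbids extra values and would not flag an OP that omits SpidL2/SpidL3; use the tool's "contains all" operator for that if one exists.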
@@ -22508,27 +24617,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" } ] } 
@@ -22540,30 +24647,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" } ] } 
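Review bot: A presence check on `code_challenge_methods_supported` does not stop an OP from also advertising `plain`, which is the PKCE downgrade the removed TA-policy test (`subset_of: ['S256']`) guarded against. Add the value check to the same checks array, `"check": "$.metadata.openid_provider.code_challenge_methods_supported", "is subset of": ["S256"]`, unless that restriction moved into one of the new per-parameter test files not visible here.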
@@ -22575,27 +24677,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -22607,30 +24707,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -22642,27 +24737,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } 
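Review bot: The `grant_types_supported` test accepts any non-empty list, so an OP advertising `implicit` or other grants outside `authorization_code`/`refresh_token` passes. The removed policy check pinned exactly those two; a value check such as `"check": "$.metadata.openid_provider.grant_types_supported", "is subset of": ["authorization_code", "refresh_token"]` restores the restriction on the OP side, unless it lives in a separate value test.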
@@ -22674,30 +24767,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -22709,29 +24797,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "is present": "true" } ] } 
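Review bot: This presence test replaces a value test that excluded `RSA_1_5` from the TA policy; wherever that exclusion is re-created, note that the registered JWA identifier is `RSA1_5` (no underscore), so `"not contains": ["RSA_1_5"]` as in the removed lines matches nothing and can never fail, and an OP advertising RSA PKCS#1 v1.5 key transport goes unnoticed. For the OP side, a check on `$.metadata.openid_provider.id_token_encryption_alg_values_supported` with `"not contains": ["RSA1_5"]` in this checks array would cover it.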
@@ -22743,27 +24827,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" - ] + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "is present": "true" } ] } 
@@ -22775,28 +24857,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" - ] + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "is present": "true" } ] } 
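Review bot: Presence of `id_token_signing_alg_values_supported` does not exclude `none` or the HMAC algorithms, which is what the replaced TA-policy test enforced; an OP that advertises `none` or `HS256` passes here. Unless it is covered in another file, add `"check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", "not contains": ["none", "HS256", "HS384", "HS512"]` to the same checks array. (`is not in`, as used on `$.alg` earlier in the diff, applies to a scalar; `not contains` is the operator the removed tests applied to lists.)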
@@ -22808,28 +24887,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata.openid_provider.introspection_endpoint", + "is present": "true" } ] } 
@@ -22841,28 +24917,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "name": "Does the OP metadata contain the logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
@@ -22874,28 +24947,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "name": "Does the OP metadata contain the organization_name claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } 
@@ -22907,28 +24977,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "name": "Does the OP metadata contain the policy_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", - "is subset of": [ - "form_post", - "query" - ] + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } 
@@ -22940,27 +25007,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is subset of": [ - "code" - ] + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "is present": "true" } ] } 
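Review bot: The same gap applies to request objects: the test only asserts that `request_object_signing_alg_values_supported` exists, so an OP may still advertise `none` or HS* for signed request objects, and if it honours them a party without the RP's private key could forge a request object. Add `"not contains": ["none", "HS256", "HS384", "HS512"]` on `$.metadata.openid_provider.request_object_signing_alg_values_supported` in this checks array, unless a separate value test covers it.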
@@ -22972,27 +25037,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" - ] + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", + "is present": "true" } ] } 
@@ -23004,30 +25067,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", - "is subset of": [ - "openid", - "offline_access", - "profile", - "email" - ] + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "is present": "true" } ] } 
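Review bot: The description says the claim is checked "in the 'op' entity type", but the check path is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, and the sibling tests in this batch call the same location the 'openid_provider' subclaim; the inconsistent wording will confuse whoever reads the report. Suggest `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' metadata type is checked."`.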
@@ -23039,27 +25097,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", + "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is subset of": [ - "pairwise" - ] + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", + "is present": "true" } ] } 
@@ -23071,27 +25127,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" - ] + "check": "$.metadata.openid_provider.claims_supported", + "is present": "true" } ] } 
@@ -23103,28 +25157,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata.openid_provider.claims_parameter_supported", + "is present": "true" } ] } 
@@ -23136,28 +25187,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the OP metadata contain the request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata.openid_provider.request_parameter_supported", + "is present": "true" } ] } 
@@ -23169,28 +25217,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23202,28 +25247,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23235,27 +25277,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
- ]
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23267,28 +25307,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_token"
- ]
+ "check": "$.metadata.openid_provider.response_modes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23300,27 +25337,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the OP metadata contain the response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
- ]
+ "check": "$.metadata.openid_provider.response_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23332,28 +25367,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP metadata contain the revocation_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.metadata.openid_provider.revocation_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -23365,27 +25397,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
- ]
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23397,27 +25427,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256\" , \"RS512"
- ]
+ "check": "$.metadata.openid_provider.scopes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23429,27 +25457,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
- ]
+ "check": "$.metadata.openid_provider.subject_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23461,28 +25487,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -23494,27 +25517,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
- ]
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23526,28 +25547,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23559,27 +25577,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the OP metadata contain the userinfo_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
- ]
+ "check": "$.metadata.openid_provider.userinfo_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -23591,27 +25607,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
+ "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
- ]
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -23623,30 +25637,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
+ "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_toke"
- ]
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "code"
 }
 ]
 }
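Review bot: `"contains": "code"` on the Location header reads as a plain substring match, so the test also passes when "code" appears anywhere in the redirect URL (in the path, in the state value, or in another parameter name) rather than as the `code` query parameter; the same weakness applies to `"state"` in L749 and especially to `"iss"` in L750, which matches any URL containing those three letters. If the runner offers a regex check on headers, anchoring on the parameter name (`[?&]code=`, `[?&]state=`, `[?&]iss=`) would pin what the test name promises. Whether "contains" is a literal substring match is inferred from the key name and should be confirmed against the DSL.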
@@ -23656,30 +25660,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "state"
 }
 ]
 }
@@ -23689,30 +25683,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP contain iss parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "iss"
 }
 ]
 }
@@ -23722,30 +25706,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the token response have Cache-Control set to 'no-store'",
+ "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "head",
+ "check param": "Cache-Control",
+ "contains": "no-store"
 }
 ]
 }
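Review bot: RFC 6749 §5.1 requires a token response carrying tokens to send both `Cache-Control: no-store` and `Pragma: no-cache`, and this test asserts only the former. Unless a `Pragma` test already exists elsewhere in the file, a sibling with the same shape (`"check param": "Pragma"`, `"contains": "no-cache"`) would complete the coverage; the description could also cite the RFC section so the reader knows why the header matters for a response that carries bearer tokens.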
@@ -23755,27 +25729,53 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
- "type": "passive",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "saved_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
- ]
+ "check": "$.iss",
+ "contains": "saved_iss"
 }
 ]
 }
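Review bot: The test name and description say the ID Token's `iss` must equal the OP's URL, but the final check uses `"contains": "saved_iss"`, which also passes for any issuer value that merely has the saved string as a substring (for example the OP's issuer with an extra path segment appended). If the DSL has an equality comparison for saved variables, that is the check this test wants; if it does not, the description should say the comparison is a substring match so the result is not over-read. The `"decode param"` regex `(?<=\"id_token\": \")[^\"]+` also depends on the token response being pretty-printed with a space after the colon, which is a formatting detail rather than part of the OAuth contract; a lookbehind tolerant of optional whitespace would be more robust.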
@@ -23787,27 +25787,27 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "in": "header",
+ "check": "$.alg",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -23819,28 +25819,30 @@
 }
 },
 {
- "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "test": {
+ "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "in": "header",
+ "check": "$.alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
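Review bot: The `"is not in"` deny-list on `$.alg` checks four exact strings, while the description promises to also reject an absent `alg` and "a symmetric algorithm" in general; a missing header claim, or a spelling variant such as `"None"` or `"hs256"` that some JWT libraries accept case-insensitively, would presumably pass this check depending on how the runner treats a missing path. The positive allow-list in L753 (`"is in": ["RS256", "RS512"]`) already rejects every one of those cases, so this test and its ID Token twin in L755 add little beyond it; if they are kept, pair the deny-list with an `"is present"` check and narrow the description to what is actually compared. The description's "than the Access Token is not compliant" should read "then".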
@@ -23853,27 +25855,29 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header",
+ "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "in": "header",
+ "check": "$.alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -23886,30 +25890,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "jwt check sig": "X_key_OP"
 }
 ]
 }
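Review bot: The `jwt check sig` value `X_key_OP` is a different key reference from the `X_key_core_OP` used by the Access Token and ID Token signature tests in the two hunks that follow, and nothing in the file says which configured key each placeholder resolves to, so the two are easy to swap. A sentence in the description such as `X_key_OP must be configured with the OP's federation public key as published in its superior's Entity Statement` (and the corresponding wording for `X_key_core_OP` in the token tests) would make the setup requirement explicit. The description also says the key "must be taken from the Entity Statement of a superior", which the check itself cannot express if the harness only reads a configured key; that provenance presumably has to be guaranteed by whoever fills in the placeholder.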
@@ -23919,30 +25914,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
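Review bot: The description says the signature is "decrypted using its public key"; a JWS signature is verified, not decrypted, so `in such a way to be verified using its public key` would be accurate (the ID Token hunk that follows has the same wording). It is also worth stating, if the harness allows it, that the verifier must take the algorithm from the configured key `X_key_core_OP` rather than from the token's own `alg` header, because the "wrong alg" tests above only reject a fixed list and this test is the only place where a mismatched algorithm would otherwise be caught.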
@@ -23952,27 +25938,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.constraints.max_path_length",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
@@ -23982,24 +25962,24 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the contacts parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the AA's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -24012,24 +25992,24 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
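Review bot: The test name `Does entity configuration contain the exp parameter` in the second hunk on this line no longer says which entity is under test, while its message type is `Entity Configuration response AA` and the trust_marks test just above names the AA explicitly; if the same generic name is reused in the OP and RP variants of these tests, as the file layout suggests, results become hard to tell apart in a report. Suggest `Does the AA's entity configuration contain the exp parameter`, and the same for the iat, iss, jwks, metadata and sub presence tests in the hunks `@@ -24042` through `@@ -24162` and the "correct exp/iat" tests at `@@ -24432` and `@@ -24462`. The description's "interested entity" wording could likewise name the AA.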
@@ -24042,24 +26022,24 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -24072,24 +26052,24 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -24102,24 +26082,24 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -24132,24 +26112,24 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the homepage_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
+ "check": "$.metadata",
 "is present": "true"
 }
 ]
@@ -24162,24 +26142,24 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the logo_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -24192,24 +26172,24 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the organization_name parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the AA metadata contain op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
+ "check": "$..metadata.openid_provider.op_policy_uri",
 "is present": "true"
 }
 ]
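Review bot: The new JSONPath `$..metadata.openid_provider.op_policy_uri` uses recursive descent, so it matches a `metadata` object at any depth of the payload rather than only the top-level claim, and an unintended nested match would make this presence check pass; the op_policy_uri type test at `@@ -24642` uses `$.metadata.openid_provider`, so `"check": "$.metadata.openid_provider.op_policy_uri"` would keep the two consistent. The decode regex is also spelled `[^\\n\\r]*` here while the neighbouring hunks use `[^\\r\\n]*`; the two are equivalent, but a single spelling is easier to grep for.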
@@ -24222,27 +26202,21 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the policy_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "decode operations": [
+ "message type": "Entity Configuration response AA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
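Review bot: The Content-Type check uses exact equality (`"is": "application/entity-statement+jwt"`), so a response whose header carries a media-type parameter such as `; charset=utf-8` would fail although the media type itself is the required one; either the description should state that no parameters are accepted, or, if the harness's `check regex` can be applied to a header value, a pattern like `^application/entity-statement\\+jwt(\\s*;.*)?$` would be more forgiving. Separately, this hunk writes a boolean as `"url decode": false` while the rest of the file writes `"is present": "true"` as a string; whichever form the harness parses, one convention should be used throughout.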
@@ -24252,25 +26226,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does entity configuration AA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_key_AA"
 }
 ]
 }
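Review bot: The description says the `sub` value "must be equal to the one in the iss parameter", but the check compares it to the configured placeholder `X_key_AA` (`"is": "X_key_AA"`) and never reads `iss` from the same payload. If the harness cannot compare two claims, the description should say that `X_key_AA` must be configured with the AA's entity identifier, and a companion check `{"in": "payload", "check": "$.iss", "is": "X_key_AA"}` would at least tie both claims to the same configured value. The placeholder name also reads like a key reference while it holds an identifier here, which is worth noting in the description.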
@@ -24282,27 +26256,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response AA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
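Review bot: This hunk and the next one (`@@ -24312`, "Does the Entity expose the /.well-known/openid-federation endpoint") now contain the identical check — the status-line regex `HTTP/?\\d?\\.?\\d?\\s200` on the head of the same AA message — under two different names, so one of them adds no coverage. If the "expose the endpoint" test is meant to be distinct, it could keep the status check and add the JWT body-format check that the last hunk of this chunk uses; otherwise the duplicate could be dropped. The regex is also lax about the version field (it accepts `HTTP 200` with no version at all); `HTTP/\\d(\\.\\d)?\\s200\\b` would be tighter.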
@@ -24312,27 +26279,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response AA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -24342,25 +26302,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
+ "name": "Does the AA metadata contain a correct type of issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})"
 }
 ]
 }
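Review bot: The `json schema compliant` string ends in `]})` — there is a stray `)` after the closing brace — so the schema text is not valid JSON and the validator will presumably error out or reject every payload instead of testing the issuer; the line should end `\"required\":[\"issuer\"]}"`. The same trailing `)` is in the logo_uri hunk that follows (`@@ -24372`). Note also that `\"format\":\"uri\"` is annotation-only in many JSON Schema validators unless format assertion is switched on, so the `pattern` is what actually enforces the https URL here.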
@@ -24372,25 +26332,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain a correct logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
 }
 ]
 }
@@ -24402,25 +26362,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
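Review bot: The schema requires `trust_marks` to be an object whose values are arrays (`"trust_marks": {"type": "object", "additionalProperties": {"type": "array"}}`), but the description says "It must be an array"; one of the two is wrong, and if trust_marks is an array of trust-mark objects as the description implies, this check would fail every compliant AA. If the array form is intended, `"trust_marks": {"type": "array", "items": {"type": "object"}, "minItems": 1}` expresses it; otherwise the description should be corrected to match the schema.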
@@ -24432,25 +26392,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
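Review bot: The description of this "correct exp parameter" test still says only that "the presence of the exp parameter is checked", which is what the earlier presence test at `@@ -24012` already does; the new schema asserts that `exp` is a non-negative integer, so the description should say so, e.g. `... and the exp parameter is checked. It must be an integer (seconds since the Unix epoch)`. The same stale description is in the iat hunk that follows (`@@ -24462`). A `minimum` of 0 also admits a long-expired configuration; if the harness can compare a claim against the current time or against `iat`, that would be the stronger check to add here.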
@@ -24462,25 +26422,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -24492,25 +26452,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -24522,25 +26482,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -24552,25 +26512,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
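Review bot: The schema in the `@@ -24522` hunk lists all six metadata types under `required`, so an AA Entity Configuration is rejected unless it publishes `openid_relying_party`, `openid_provider`, `federation_entity`, `oauth_authorization_server`, `oauth_resource` and `trust_mark_issuer` at the same time, whereas the description only says each key must be one of these values and not repeated — an entity acting only as an AA would always fail. Dropping the `required` list while keeping `"additionalProperties": false` (and perhaps adding `"minProperties": 1`) expresses the stated rule. A JSON parser also cannot surface a repeated key — it keeps one of the duplicates before the schema ever runs — so the "cannot be repeated" clause is not something this check can enforce, and the description could say so.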
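Review bot: The description in the `@@ -24552` hunk refers to "the SA metadata in the TA Entity Configuration", but the message type is `Entity Configuration response AA` and the check reads the AA's own `federation_entity` metadata, so the text looks copied from an SA test and should read `the AA metadata in the AA Entity Configuration`. The earlier logo_uri test at `@@ -24372` only requires an https URL while this one also requires a `.svg` suffix; overlapping is fine, but the names "correct logo_uri claim" and "correct type logo_uri claim" are easy to confuse in a report, so naming the `.svg` requirement in this test's name would help.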
@@ -24582,25 +26542,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain correct type resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
 }
 ]
 }
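Review bot: The check looks for the `resource` claim under `$.metadata.federation_entity`; if the AA actually publishes `resource` in its `oauth_resource` metadata (a type the metadata-type schema in the `@@ -24522` hunk explicitly allows), this test would always fail, so the path is worth confirming against the profile and changing to `$.metadata.oauth_resource` if so. The `oneOf` accepts either a single URL or a non-empty array of URLs, but the description mentions only "an HTTPS URL"; `is an HTTPS URL or a non-empty array of HTTPS URLs` would match the schema.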
@@ -24612,25 +26572,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain correct type authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
 }
 ]
 }
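Review bot: The schema requires `authorization_endpoint` to be the literal string `private` (`"const": "private"`), while the test name asks for a correct type of the claim; an authorization endpoint is a URL, so this looks like a leftover from a `public`/`private` organization-type check and would reject every real endpoint. Suggest `{"type": "string", "format": "uri", "pattern": "^https://"}` as the other URL-typed tests in this file use, with the description updated to say the value is an HTTPS URL. It is also worth confirming whether the claim belongs under `federation_entity` or under `oauth_authorization_server` (the AA issuer test at `@@ -24342` reads the latter).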
@@ -24642,25 +26602,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
+ "name": "Does the AA metadata contain correct type op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
 }
 ]
 }
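Review bot: This type check looks for `op_policy_uri` under `$.metadata.openid_provider`, but the presence check for the same AA claim in hunk -25182 reads `$.metadata.oauth_authorization_server.op_policy_uri`; for an AA Entity Configuration the two cannot both hold, so pick one path for both tests. The schema also relies on `"format": "uri"` alone, which most validators treat as an annotation unless format assertion is switched on, so any string would satisfy it; add the same `"pattern": "^https://"` the resource test uses. The description still says the value is "private", which does not match what the schema checks.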
@@ -24672,27 +26632,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response AA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
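Review bot: The `check regex` is unanchored, so any body containing a dot-separated substring such as `a.b.` satisfies it, and nothing in the check looks at the `Content-Type` header even though the description makes `application/entity-statement+jwt` the acceptance criterion. The character classes also do not match what a compact JWS looks like: `[\w=]` excludes the `-` that base64url uses, while the third group admits `+` and `/`, which base64url does not. Anchor the body check to one whole token, for example `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"`, and add a separate check on the response headers for the expected media type if the tool supports header checks.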
@@ -24702,27 +26655,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
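Review bot: The leading `[` in `check regex` is not escaped, so the regex engine reads `[\s*"[^"]` as a character class rather than the opening bracket of a JSON array; the closing `\]` is escaped, which suggests `\\[` was intended at the start. The fix is `"check regex": "^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Note also that the description promises an HTTP 200 with resolved metadata, but the only assertion is this body pattern; a status-code check would make the test fail closed on an error page that happens to contain a bracketed list.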
@@ -24732,15 +26678,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -24749,8 +26695,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
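Review bot: The check path ends in `.one_of`, but `one_of` is a metadata-policy operator (the removed lines used it under `metadata_policy`), whereas `metadata` in an Entity Configuration carries the concrete claim values; the presence test for this same claim in hunk -24942 reads `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported` directly, so this path is unlikely to resolve to anything. The same `.one_of` suffix appears in hunks -24762, -24792, -24822 and -24852. For the `not contains` variants in -24822 and -24852 this matters most: if the path resolves to nothing, the exclusion of `none`/`HS256`/`HS384`/`HS512` passes vacuously and the suite never catches a weak-algorithm configuration. Drop the suffix, `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported"`, in all five checks and confirm that `not contains` fails when the claim is absent.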
@@ -24762,15 +26711,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -24779,8 +26728,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
@@ -24792,15 +26743,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -24809,8 +26760,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -24822,25 +26776,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -24852,25 +26811,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -24882,15 +26846,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -24899,7 +26863,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "check": "$.metadata.oauth_authorization_server.authorization_endpoint",
 "is present": "true"
 }
 ]
@@ -24912,15 +26876,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain the contacts claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -24929,7 +26893,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -24942,15 +26906,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -24959,7 +26923,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -24972,15 +26936,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -24989,7 +26953,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -25002,15 +26966,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25019,7 +26983,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
 "is present": "true"
 }
 ]
@@ -25032,15 +26996,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the AA metadata contain the grant_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25049,7 +27013,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.metadata.oauth_authorization_server.grant_types_supported",
 "is present": "true"
 }
 ]
@@ -25062,15 +27026,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain the homepage_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25079,7 +27043,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -25092,15 +27056,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
+ "name": "Does the AA metadata contain the issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25109,7 +27073,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.metadata.oauth_authorization_server.issuer",
 "is present": "true"
 }
 ]
@@ -25122,15 +27086,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the jwks claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25139,7 +27103,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "check": "$.metadata.oauth_authorization_server.jwks",
 "is present": "true"
 }
 ]
@@ -25152,15 +27116,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25169,7 +27133,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -25182,15 +27146,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25199,7 +27163,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "check": "$.metadata.oauth_authorization_server.op_policy_uri",
 "is present": "true"
 }
 ]
@@ -25212,15 +27176,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain the op_tos_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25229,7 +27193,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "check": "$.metadata.oauth_authorization_server.op_tos_uri",
 "is present": "true"
 }
 ]
@@ -25242,15 +27206,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the organization_name claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25259,7 +27223,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -25272,15 +27236,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25289,7 +27253,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -25302,15 +27266,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -25319,7 +27283,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "check": "$.metadata.oauth_resource.resource",
 "is present": "true"
 }
 ]
@@ -25332,21 +27296,27 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the AA metadata contain the response_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.response_types_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
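Review bot: This hunk renames `decode param` to `decode regex`, the opposite of what hunks -24582 through -24672 do in the same patch; the tool presumably recognises one spelling, so the tests on one side of that split will silently skip JWT decoding and their `checks`. The same reversal is in hunks -25356, -25380 and -25404. A second concern for the new suite as a whole: `jwt check sig` no longer appears in any of these four slots, and nothing in the new AA tests visible here verifies the Entity Configuration signature; if the signature tests were not relocated elsewhere in the file, every metadata assertion above runs on an unverified payload. Settling on one decode key and confirming where signature verification now lives would close both gaps.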
@@ -25356,21 +27326,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the AA metadata contain the scopes_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.scopes_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -25380,21 +27356,27 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the AA metadata contain the token_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.token_endpoint", + "is present": "true" + } + ] } ] } 
@@ -25404,60 +27386,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "iss", - "contains": "valid_iss" - } - ] + "in": "payload", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", + "is present": "true" } ] } 
@@ -25469,60 +27416,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "iss", - "contains": "valid_iss" - } - ] + "in": "payload", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", + "is present": "true" } ] } 
@@ -25534,21 +27446,21 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_AA" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json index 6c6cb99..c2960c0 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json 
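Review bot: The new AA signature test decodes the body with `"decode param": "[^\\r\\n]*"`, while the AA tests added just above it in the same file switched that field to `"decode regex"`; if the tool treats `decode param` as a parameter name rather than a pattern, the Entity Configuration is never decoded, `jwt check sig` never runs, and a passive test that never triggers may not be reported as a failure. The description also says the verification key must come from a superior's Entity Statement, but the check is pinned to the configured placeholder `X_key_AA`; if that placeholder is filled from the AA's own Entity Configuration `jwks`, the check is self-referential and a tampered EC carrying its own key would pass. Suggest `"decode regex": "[^\\r\\n]*"` for consistency and a sentence in the description stating where `X_key_AA` is sourced.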
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", - "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", + "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", + "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", "type": "active", "sessions": [ "s1" @@ -22,12 +22,19 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", - "message operations": [ + "message type": "Authentication request", + "decode operations": [ { - "from": "body", - "edit": "(?<=token=)([^&]+)", - "in": "123.123.123" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "header", + "jwt edit": "alg", + "value": "none" + } + ] } ] }, 
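Review bot: The edit rewrites the JWS header `alg` to `none` but leaves the original signature segment in place, so an OP may reject the request merely because a `none` token with a non-empty third segment is malformed, not because it enforces asymmetric algorithms. The test name promises "non-asymmetric method" yet only `none` is exercised; a second variant with the signature segment emptied, and a third re-signed with HS256 keyed on the RP's published public-key material (the key-confusion case the description actually argues about) would cover what the name claims, using the `jwt sign` edit the removed tests already relied on if the tool supports symmetric keys. The result type in the following hunk changes to `assert_only`, presumably so the verdict rests solely on the intercepted error response; confirm the tool fails the test when no Authentication error response is observed at all rather than passing vacuously. The description's "decrypt the signature" should read "verify the signature".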
@@ -35,35 +42,45 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "Content-Type", - "is": "application/json" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -73,20 +90,27 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "token_type", - "is": "Bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -96,32 +120,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8H
s2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
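Review bot: The removed `jwe decrypt` value is a complete PEM RSA private key inlined in the test plan (and removed again in the next hunk); deleting it from the file does not remove it from git history. If this was ever a real RP decryption key rather than a throwaway fixture, it should be rotated, and any future JWE tests should reference the key through a placeholder like the `X_key_*` convention used elsewhere in this plan instead of embedding the PEM.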
@@ -133,29 +150,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWh
xR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -167,53 +180,55 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", - "type": "active", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "in": "payload", + "check": "$.metadata", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "saved_iss" + "check": "$.sub", + "is present": "true" } ] } 
@@ -225,50 +240,29 @@ }, { "test": { - "name": "Does the OP refuse wrongly signed Authentication Requests", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.", - "type": "active", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.authority_hints", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "unauthorized_client" - } - ] } ], "result": "correct flow s1" 
@@ -276,50 +270,29 @@ }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", - "type": "active", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
@@ -327,50 +300,29 @@ }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
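Review bot: The new access-token extraction regex `(?<=\"access_token\": \")[^\"]+` only matches a Token response pretty-printed with exactly one space after the colon; a compact `{"access_token":"..."}` body never matches, the JWT is never decoded and the `alg` presence check silently never runs. The same literal is repeated in every following hunk (`kid`, `typ`, `aud`, `client_id`, `exp`, `iat`, `iss`, `jti`, `scope`, `sub`), so one whitespace change in the OP's JSON serializer disables the whole group. Suggest `(?<=\"access_token\":\\s{0,4}\")[^\"]+` if the engine accepts bounded lookbehind, otherwise a capture-group form, and a negative test confirming the tool fails rather than skips when the regex does not match.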
@@ -378,50 +330,29 @@ }, { "test": { - "name": "Does the token response to a token request made with a wrong signature return a Token Error response", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
@@ -429,50 +360,29 @@ }, { "test": { - "name": "Does the OP's token endpoint refuse assertions signed with a wrong key", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "header", + "check": "$.typ", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
@@ -480,20 +390,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -503,20 +420,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } 
@@ -526,20 +450,27 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } @@ -549,8 +480,8 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -558,11 +489,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -572,8 +510,8 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -581,11 +519,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -595,25 +540,25 @@ }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_OP" + "check": "$.jti", + "is present": "true" } ] } 
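Review bot: The last hunk drops the only value check on the Entity Configuration `sub` (`"is": "X_url_OP"`) in favour of a `jti` presence check on the access token, and the `sub` test added earlier in this file is presence-only; unless the `sub == iss == OP entity id` assertion survives elsewhere in All_OP.json, the suite no longer detects an OP whose Entity Configuration names a different subject, which is the property federation trust-chain resolution depends on. Suggest keeping a passive check `{ "in": "payload", "check": "$.sub", "is": "X_url_OP" }` next to the presence test, or a `use variable` comparison of `$.sub` against the saved `$.iss`.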
@@ -625,34 +570,14 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "message operations": [ - { - "from": "url", - "save": "client_id", - "as": "auth_client_id" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", "decode operations": [ { @@ -662,9 +587,8 @@ "checks": [ { "in": "payload", - "check": "client_id", - "is": "auth_client_id", - "use variable": "true" + "check": "$.scope", + "is present": "true" } ] } 
@@ -676,34 +600,14 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "message operations": [ - { - "from": "url", - "save": "scope", - "as": "auth_scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", "decode operations": [ { @@ -713,9 +617,8 @@ "checks": [ { "in": "payload", - "check": "scope", - "is": "auth_scope", - "use variable": "true" + "check": "$.sub", + "is present": "true" } ] } 
@@ -727,43 +630,27 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } 
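Review bot: The new test is named "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", but its check only asserts that `$.alg` `is present`, so a header carrying `alg: none` or any algorithm outside the profile passes. If the name is kept, the check should constrain the value, for instance with the `json schema compliant` form this file already uses, on `$.alg` with `{\"type\": \"string\", \"not\": {\"const\": \"none\"}}` (the allowed-algorithm list belongs there too once decided); otherwise rename it to a presence check like its neighbours so the report does not overstate what was verified.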
@@ -773,20 +660,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } @@ -796,8 +690,8 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" 
@@ -805,11 +699,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr", + "is present": "true" + } + ] } ] } @@ -819,8 +720,8 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -828,11 +729,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.at_hash", + "is present": "true" + } + ] } ] } 
@@ -842,20 +750,27 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -865,25 +780,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.exp", + "is present": "true" } ] } 
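Review bot: The `$.exp` check on the ID Token asserts presence only, whereas the test removed on the old side of this same hunk validated the value with `json schema compliant` (`integer`, `minimum 0`); an `exp` holding a string or a negative number now passes. The same presence-only shape is used for `iat`, `iss`, `jti`, `nonce` and `sub` in the next five hunks and for the access-token claims in the hunks above. If the schema-based value tests were not simply moved elsewhere in this reorganised file, consider keeping both layers: `is present` on the claim, plus `"check": "$"` with the previous schema string for type and range. This is inferred from the chunk alone; the rest of the file is not visible here.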
@@ -895,25 +810,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.iat", + "is present": "true" } ] } 
@@ -925,25 +840,25 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.iss", + "is present": "true" } ] } 
@@ -955,25 +870,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.jti", + "is present": "true" } ] } 
@@ -985,25 +900,25 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "check": "$.nonce", + "is present": "true" } ] } 
@@ -1015,25 +930,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "check": "$.sub", + "is present": "true" } ] } 
@@ -1045,25 +960,46 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", - "type": "passive", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ + { + "from": "url", + "save": "client_id", + "as": "auth_client_id" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"logo_uri\"]})" + "check": "client_id", + "is": "auth_client_id", + "use variable": "true" } ] } 
@@ -1075,25 +1011,46 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", - "type": "passive", + "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ + { + "from": "url", + "save": "scope", + "as": "auth_scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "scope", + "is": "auth_scope", + "use variable": "true" } ] } 
@@ -1105,27 +1062,21 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
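Review bot: The Content-Type check uses `"is": "application/entity-statement+jwt"`, which as an exact comparison fails on a header such as `application/entity-statement+jwt; charset=utf-8` even though the media type is correct. Unless the tool strips parameters before comparing (not visible here), `"contains": "application/entity-statement+jwt"` — the operator this file already uses for header checks — is the safer form, and the same applies to the `application/jwt` check in the next hunk. Case handling of the header-name lookup (`Content-Type` vs `content-type`) is also not visible and worth confirming.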
@@ -1135,27 +1086,21 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } 
@@ -1165,27 +1110,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the Introspection Endpoint Response have the active parameter", + "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "active" } ] } 
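Review bot: `"check regex": "active"` on the introspection body matches any occurrence of the substring, so it is also satisfied by `inactive` or by the word inside an `error_description`; anchor it to the key, e.g. `"check regex": "\"active\"\\s*:"`. The follow-up test in the next hunk has the opposite brittleness: `\"active\": true` requires exactly one space after the colon and misses a compact `\"active\":true`; `\"active\":\\s*true` covers both. Separately, this is the first hunk where `is present` is written as the boolean `true` while every check above writes the string `"true"`; one key should have one type across the file unless the tool deliberately accepts both, and the mix continues through the UserInfo status test below.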
@@ -1195,27 +1133,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the Introspection Endpoint returns true on active tokens", + "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "\"active\": true" } ] } 
@@ -1225,27 +1156,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } @@ -1255,8 +1179,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" 
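Review bot: The revocation-method test looks for `POST` with `"in": "url"`, but the HTTP method is not part of the URL; it is the first token of the request line in the head, so this check only passes if the literal string POST happens to appear in the path or query. It should read the request head instead, for example `"in": "head"` with `"check regex": "^POST\\s"` (only `head`, `url` and `body` are visible as `in` targets here, so confirm which one exposes the request line). The name also says the OP should verify the method, while a passive check on `Revocation request` only observes what the client sent; either the name or the message type should change to match.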
@@ -1264,18 +1188,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } @@ -1285,8 +1202,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" @@ -1294,18 +1211,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
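Review bot: The two tests added on this line — "Does the successful token response contain access token" and "Does the OP issue the access tokens when requested" — have identical operations (`Token response`, body regex `access_token`, `is present`), so the second adds no coverage and will always agree with the first. Its description promises an authentication with scope `openid` followed by a code exchange, which the passive check does not express; either drop the duplicate or make the second test check what its description says (for instance the `scope` value inside the decoded token, as the active `scope` test above does).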
@@ -1315,8 +1225,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" @@ -1324,18 +1234,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } @@ -1345,8 +1248,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" 
@@ -1354,18 +1257,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } @@ -1375,8 +1271,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" @@ -1384,18 +1280,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } 
@@ -1405,20 +1294,20 @@ }, { "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "message type": "UserInfo response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "code" + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } 
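Review bot: The UserInfo status check puts the pattern `HTTP/?\\d?\\.?\\d?\\s200` under `check param`, which elsewhere in this file names a header (`Content-Type`, `Location`) while patterns go under `check regex`; as written it would look for a header literally named like the pattern and never match the status line. The fix is the key, not the value: `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`, mirroring the status checks removed at the top of this chunk. The name "Does the HTTP status code of the UserInfo response is 200" could also read "Is the HTTP status code of the UserInfo response 200", but that is cosmetic.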
@@ -1428,85 +1317,16 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check param": "Location", - "contains": "state" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check param": "Location", - "contains": "iss" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the token response have Cache-Control set to 'no-store'", - "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "checks": [ - { - "in": "head", - "check param": "Cache-Control", - "contains": "no-store" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", @@ -1514,8 +1334,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" } ] } 
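Review bot: The JSONPath in the `@@ -1514,8 +1334,8 @@` hunk, `"check": "$.metadata.openid_provider.claims_parameter_supported.value"`, addresses a child named value under the claim, but in OP metadata claims_parameter_supported is a bare boolean, so the path resolves to nothing on a well-formed Entity Configuration and the test can only fail; unless the engine strips a trailing .value, the line should be `"check": "$.metadata.openid_provider.claims_parameter_supported", "is": "true"`. The expected value is the string "true" while the decoded claim is a JSON boolean, so confirm the engine compares stringified values before relying on `"is"` here. The `@@ -1428,85 +1317,16 @@` hunk that introduces this test names it "correct value" but its description only speaks of presence; one of the two should be aligned. That same hunk drops the Cache-Control: no-store check on the token response and the `iss`/`state` checks on the authorization redirect (cache-leak, mix-up and CSRF protections); presumably they move to single-test files, but if not they should be kept.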
@@ -1527,8 +1347,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1544,8 +1364,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } @@ -1557,8 +1377,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1574,8 +1394,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" } ] } 
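Review bot: The same trailing `.value` problem recurs in the two check hunks on this line — `$.metadata.openid_provider.request_parameter_supported.value` (`@@ -1544,8 +1364,8 @@`) and `$.metadata.openid_provider.authorization_response_iss_parameter_supported.value` (`@@ -1574,8 +1394,8 @@`) — both are boolean OP metadata members with no value child, so the paths should end at the claim name. The second one is the one worth getting right: authorization_response_iss_parameter_supported is what tells an RP it may rely on the `iss` parameter in the authorization response to detect mix-up attacks, and with the redirect-level `iss` check removed elsewhere in this patch this test is the only remaining coverage of it in this file. Suggested line: `"check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is": "true"`.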
@@ -1587,8 +1407,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -1604,8 +1424,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.sub", + "is": "X_url_OP" } ] } @@ -1617,8 +1437,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" @@ -1626,18 +1446,11 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
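Review bot: The `@@ -1604,8 +1424,8 @@` hunk's description says sub "must be equal to the one in the iss parameter", but the check compares sub against the fixed placeholder `"is": "X_url_OP"` and never reads `$.iss`, so the equality the description promises is untested and a drift between X_url_OP and the OP's real identifier fails the test for the wrong reason. If the engine cannot compare two decoded claims, add a sibling check `{"in": "payload", "check": "$.iss", "is": "X_url_OP"}` in the same decode operation so both claims are at least pinned to one value, and reword the description accordingly. The `@@ -1626,18 +1446,11 @@` hunk on this line asserts only a 200 status for "a correct HTTP code in the EC response", which is the identical operation used by the endpoint-exposure test in the next hunk, so the two tests are currently indistinguishable.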
@@ -1647,8 +1460,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -1656,18 +1469,11 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
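Review bot: The test introduced by the `@@ -1656,18 +1469,11 @@` hunk, "Does the Entity expose the /.well-known/openid-federation endpoint", has exactly the same operation as the preceding HTTP-code test (`"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` on the head), so it adds no coverage while its description promises that "its entity configuration is expected as response"; a 200 carrying an HTML page or a JSON error body passes both. Give this one a content check: `{"in": "head", "check param": "Content-Type", "contains": "application/entity-statement+jwt"}` plus `{"in": "body", "check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+"}` for a compact JWS, which is what the description actually claims to verify (the existing decode operations already treat the body as a raw JWT via `[^\\r\\n]*`).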
@@ -1677,27 +1483,20 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.authority_hints", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
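Review bot: The `@@ -1677,27 +1483,20 @@` hunk names the expected result "an empty HTTP 200 OK response" but its only check is the status regex `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`, so a 200 carrying an error JSON or a token dump in the body passes. RFC 7009 does specify an empty body on success, so the test should pin that too, e.g. `{"in": "head", "check param": "Content-Length", "is": "0"}` or, if the engine accepts it, `{"in": "body", "check regex": "^\\s*$"}` — I cannot tell from the visible hunks whether `is` is valid outside a decode operation, so use whichever the check vocabulary supports.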
@@ -1707,27 +1506,20 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -1737,8 +1529,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" @@ -1746,18 +1538,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
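Review bot: The two token-response tests on this line — "Does the OP handle a correct token request" (`@@ -1707,27 +1506,20 @@`) and "Does the HTTP status of a token response correct?" (`@@ -1746,18 +1538,11 @@`) — end up with identical operations (the 200 status regex on the Token response head), so one is a duplicate. The first one's description says the OP's responses "are analyzed", which a status check alone does not do; a minimal body assertion would make it distinct and meaningful, e.g. `{"in": "body", "check regex": "\"access_token\"\\s*:\\s*\"[^\"]+\""}`. The second test's name should also read "Is the HTTP status of a token response correct?".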
@@ -1767,1527 +1552,2416 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ 
{ - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.typ", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the client_id parameter", + "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 
'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.client_id", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", + "description": "The 'code_challenge_method' parameter in an 
authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the nonce parameter", + "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter", + "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - 
"check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the state parameter", + "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jti", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": 
"correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", + "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.scope", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", + "description": "In this test an authorization request is sent with a claims 
parameter in the JWT which contains not supported values and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", + "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", + "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + 
"decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.acr", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.at_hash", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", + "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode 
operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": 
"Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", + "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' 
parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", + "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unsupported_response_type" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", + "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. 
The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jti", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.nonce", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_scope" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the 
payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the acr_values parameter", + "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUa
jujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the aud parameter", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. 
In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxD
lKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the claims parameter", + "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAX
sdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.cty", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the exp parameter", + "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs7
3TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.enc", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iat parameter", + "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs7
3TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the value ['RSA_1_5']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iss parameter", + "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the prompt parameter", + "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", + "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['RSA_1_5']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the response_type parameter", + "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", - "type": "passive", + "name": "Does the OP refuse an RP without trusted Trust Marks", + "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. 
The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "jwt from": "payload", + "jwt edit": "$.trust_marks", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", + "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. 
In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", - "type": "passive", + "name": "Does the OP correctly validate the trust chain of an RP authentication request", + "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. 
The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] + "jwt from": "payload", + "jwt edit": "$.authority_hints", + "value": "https://www.wrongsite.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_client" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", - "type": "passive", + "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", + "description": "This test aims to check if the OP checks the correctness of the client_id 
parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the OP refuse Authentication Request with a wrong redirect URI", + "description": "Once received an Authentication Request, an OP 
must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", - "type": "passive", + "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the 
iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", - "type": "passive", + "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": 
"s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.aud[0]", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", - "type": "passive", + "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] + "jwt 
from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", - "type": "passive", + "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + 
{ + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", - "type": "passive", + "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" - ] - } + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - 
"description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", - "type": "passive", + "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", - "type": "passive", + "name": "Does the OP verify the value of 
exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", - "type": "passive", + "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it 
wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", - "type": "passive", + "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": 
"forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", - "type": "passive", - 
"sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the request parameter", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", + "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" 
@@ -3301,12 +3975,22 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "edit operations": [ + "message type": "Revocation request", + "decode operations": [ { - "from": "url", - "value": "", - "edit": "request" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] }, @@ -3314,14 +3998,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] @@ -3332,8 +4016,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", - "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", + "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -3347,12 +4031,22 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "edit operations": [ + "message type": "Revocation request", + "decode operations": [ { - "from": "url", - "value": "", - "edit": "scope" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] }, 
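Review bot: In the `@@ -3301` hunk the edit `"jwt edit": "$.exp", "value": ""` sets the exp claim to an empty string rather than removing it, while the test name and description say the client_assertion is sent without exp. An OP may legitimately treat an absent claim and an empty-string claim differently, so a pass or fail here does not establish the behaviour the name claims. If the test language offers a claim-removal operation for the edits list (mig-t documents a `jwt remove` edit, if that is available in this version), use it for the "without" variants; otherwise rename them to "with an empty exp". The same applies to the iat and iss variants in `@@ -3393` and `@@ -3485`, and to the Introspection request "without" tests added earlier in this file.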
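Review bot: In `@@ -3314` the Revocation response checks accept only a 400 status with `invalid_request`, but a client_assertion that fails validation is a client-authentication failure, for which RFC 6749 §5.2 specifies `invalid_client` and permits a 401 — exactly what the introspection check removed in `@@ -3498` used to expect. An OP that answers that way would be reported as failing these tests even though it rejects the request. Confirm which error the target profile mandates; if both are acceptable, widen the checks to `"check regex": "HTTP/?\\d?\\.?\\d?\\s40[01]"` on the head and `"check regex": "invalid_(request|client)"` on the body. The same checks appear in `@@ -3360`, `@@ -3406`, `@@ -3452` and `@@ -3498`.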
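Review bot: The new description in `@@ -3332` misspells the parameter as `client_assetion`; it should read `client_assertion`, matching the key the decode regex `(?<=client_assertion=)([^&]+)` extracts. The same typo is in the descriptions added in `@@ -3378`, `@@ -3424` and `@@ -3470`, and in the revocation tests added earlier in this file.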
@@ -3360,14 +4054,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] @@ -3378,8 +4072,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", + "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -3393,12 +4087,22 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "edit operations": [ + "message type": "Revocation request", + "decode operations": [ { - "from": "url", - "value": "example", - "edit": "request" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] }, 
@@ -3406,14 +4110,14 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
@@ -3424,8 +4128,8 @@
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT",
- "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged",
+ "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
 "s1"
@@ -3439,12 +4143,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
- "edit operations": [
+ "message type": "Revocation request",
+ "decode operations": [
 {
- "from": "url",
- "value": "openid",
- "edit": "scope"
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3452,14 +4166,14 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
@@ -3470,11 +4184,11 @@
 },
 {
 "test": {
- "name": "Does the OP accept introspection requests without the client assertion",
- "description": "A request to the introspection endpoint is made without the client assertion in it. The OP's response is analyzed",
+ "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
@@ -3485,12 +4199,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection request",
- "edit operations": [
- {
+ "message type": "Revocation request",
+ "decode operations": [
+ {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_assertion=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3498,15 +4222,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
 "in": "body",
- "check": "invalid_client"
+ "check": "invalid_request"
 }
 ]
 }
@@ -3516,11 +4240,11 @@
 },
 {
 "test": {
- "name": "Does the OP accept introspection requests without the client assertion type",
- "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed",
+ "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
@@ -3531,12 +4255,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection request",
- "edit operations": [
+ "message type": "Revocation request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3544,7 +4278,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
@@ -3562,11 +4296,11 @@
 },
 {
 "test": {
- "name": "Does the OP accept introspection requests without the client id",
- "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.",
+ "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
@@ -3577,12 +4311,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection request",
- "edit operations": [
+ "message type": "Revocation request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_id=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.jti",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3590,15 +4334,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
 "in": "body",
- "check": "invalid_client"
+ "check": "invalid_request"
 }
 ]
 }
@@ -3608,11 +4352,11 @@
 },
 {
 "test": {
- "name": "How does the OP behave when receiving an introspection request without the token",
- "description": "An introspection request without a token is sent and the introspection response analyzed",
+ "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
@@ -3623,12 +4367,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection request",
- "edit operations": [
+ "message type": "Revocation request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=token=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3636,7 +4390,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
@@ -3654,11 +4408,11 @@
 },
 {
 "test": {
- "name": "Does the OP accept introspection requests with a wrong client assertion type",
- "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed",
+ "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
@@ -3669,12 +4423,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection request",
- "edit operations": [
+ "message type": "Revocation request",
+ "decode operations": [
 {
 "from": "body",
- "value": "X_wrong_value",
- "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3682,7 +4446,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
@@ -3700,11 +4464,11 @@
 },
 {
 "test": {
- "name": "Does the OP verify the client id of the Introspection Request",
- "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.",
+ "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing",
 "type": "active",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
@@ -3715,12 +4479,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection request",
- "edit operations": [
+ "message type": "Token request",
+ "decode operations": [
 {
 "from": "body",
- "value": "https://www.example.com/",
- "edit regex": "(?<=client_id=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3728,15 +4502,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
 "in": "body",
- "check": "invalid_client"
+ "check": "invalid_request"
 }
 ]
 }
@@ -3746,11 +4520,11 @@
 },
 {
 "test": {
- "name": "Does the OP verify the parameters of the client assertion in the Introspection request",
- "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.",
+ "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the aud claim does not contain the OP's Token endpoint",
 "type": "active",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
@@ -3761,12 +4535,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection request",
- "edit operations": [
+ "message type": "Token request",
+ "decode operations": [
 {
 "from": "body",
- "value": "X_wrong_value",
- "edit regex": "(?<=client_assertion=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.aud",
+ "value": "https://www.example.com"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3774,7 +4558,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
@@ -3792,11 +4576,11 @@
 },
 {
 "test": {
- "name": "How does the OP behave when receiving an introspection request with a wrong token",
- "description": "An introspection request with a token not valid is sent and the introspection response analyzed",
+ "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the exp claim is wrong",
 "type": "active",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
@@ -3807,12 +4591,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection request",
- "edit operations": [
+ "message type": "Token request",
+ "decode operations": [
 {
 "from": "body",
- "value": "X_not_valid_tkn",
- "edit regex": "(?<=token=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.exp",
+ "value": "1681716340"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3820,7 +4614,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Introspection response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
@@ -3838,8 +4632,8 @@
 },
 {
 "test": {
- "name": "Does the OP verify the presence of token in the Revocation request",
- "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.",
+ "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the iat claim is wrong",
 "type": "active",
 "sessions": [
 "s1"
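Review bot: In the Token-request hunk, `"jwt edit": "$.exp", "value": "1681716340"` hands the tool a string, so unless it converts numeric-looking values the payload ends up with `"exp": "1681716340"` and the OP may reject the assertion for the claim's type rather than because it has expired, which is what the test name says it verifies. The hard-coded epoch (a 2023 timestamp) also makes "expired" indistinguishable from "arbitrary past value". The iat variant on L911 has the same two issues and additionally assumes the OP enforces a freshness window on iat, which the description should state. If the tool accepts numeric values, `"value": 1681716340` would at least keep the claim's type; otherwise the description should say that the claim is replaced by a string.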
@@ -3853,12 +4647,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation request",
- "edit operations": [
+ "message type": "Token request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=token=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": "1681716340"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3866,7 +4670,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
@@ -3884,8 +4688,8 @@
 },
 {
 "test": {
- "name": "Does the OP accept revocation request without the client assertion",
- "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed",
+ "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is not set to the RP's client ID",
 "type": "active",
 "sessions": [
 "s1"
@@ -3899,28 +4703,38 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation request",
- "edit operations": [
+ "message type": "Token request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_assertion=)([^&]+)"
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation response",
- "checks": [
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": "https://www.example.com"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
+ "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
 "in": "body",
- "check": "invalid_client"
+ "check": "invalid_request"
 }
 ]
 }
@@ -3930,8 +4744,8 @@
 },
 {
 "test": {
- "name": "Does the OP accept Revocation Requests without the client assertion type",
- "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.",
+ "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is missing.",
 "type": "active",
 "sessions": [
 "s1"
@@ -3945,12 +4759,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation request",
- "edit operations": [
+ "message type": "Token request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -3958,7 +4782,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
@@ -3976,8 +4800,8 @@
 },
 {
 "test": {
- "name": "Does the OP accept Revocation Requests without the client id",
- "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.",
+ "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response",
+ "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is not set to the RP's client ID",
 "type": "active",
 "sessions": [
 "s1"
@@ -3991,12 +4815,22 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation request",
- "edit operations": [
+ "message type": "Token request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_id=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": "https://www.example.com/"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
 }
 ]
 },
@@ -4004,15 +4838,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
 "in": "body",
- "check": "invalid_client"
+ "check": "invalid_request"
 }
 ]
 }
@@ -4022,8 +4856,8 @@
 },
 {
 "test": {
- "name": "Does the OP verify the client assertion type of the Revocation Request",
- "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.",
+ "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided",
+ "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -4038,11 +4872,11 @@
 "from session": "s1",
 "then": "forward",
 "message type": "Revocation request",
- "edit operations": [
+ "message operations": [
 {
 "from": "body",
- "value": "urn-ietf",
- "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ "edit": "(?<=token=)([^&]+)",
+ "in": "123.123.123"
 }
 ]
 },
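Review bot: The revocation-request edit in the last hunk uses `"message operations"` with `"edit": "(?<=token=)([^&]+)"` and `"in": "123.123.123"`, a shape that appears nowhere else on this page, where body rewrites are expressed as `"edit operations"` with `"edit regex"` and `"value"` (the removed lines of this same hunk are an example). If the tool does not recognise these keys the operation is silently skipped, the legitimate token is revoked, and the 200 check in the next hunk passes for the wrong reason, so the test can never fail. Please confirm the key names against the tool's operation schema, or align them with the form used elsewhere in the file.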
@@ -4054,22 +4888,19 @@
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP verify the client id of the Revocation Request",
- "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.",
+ "name": "Does the OP refuse wrongly signed Authentication Requests",
+ "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",
 "type": "active",
 "sessions": [
 "s1"
@@ -4083,12 +4914,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation request",
- "edit operations": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "from": "body",
- "value": "https://www.example.com/",
- "edit regex": "(?<=client_id=)([^&]+)"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
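Review bot: `"is present": "true"` in the first hunk stores the flag as a string, whereas the same key is written as the JSON boolean `false` in the refresh_token check further down the file (L920); depending on how the tool reads it, the string is either a truthy non-boolean or rejected outright. Write it as the boolean `"is present": true` so the check is type-consistent with the rest of the file. The pairing of `"check regex"` on the head with `"is present"` is also not used anywhere else on this page, so it is worth confirming that the tool applies the presence flag to a regex check at all.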
@@ -4096,29 +4932,29 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation response",
+ "message type": "Authentication error response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
 },
 {
- "in": "body",
- "check": "invalid_client"
+ "in": "head",
+ "check": "unauthorized_client"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response",
- "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. The response must be a Token Error response.",
+ "name": "Does the OP verify the signature of the client assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
@@ -4129,12 +4965,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
- "edit operations": [
+ "message type": "Introspection request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_assertion=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
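Review bot: The head check for `unauthorized_client` after a 302 in the first hunk assumes that an Authentication Request whose request object has a bad signature is answered with that code, but OpenID Connect Core §6.2 defines `invalid_request_object` for a request object that fails validation, and a conforming OP returning it would fail this test. `unauthorized_client` is defined in RFC 6749 §4.1.2.1 for a client that is not authorised to use the grant type, which is a different condition. If the federation profile being targeted prescribes `unauthorized_client` for a bad request-object signature, the description should cite it; otherwise, given that `check regex` already works on the head for the status line, `"check regex": "invalid_request_object|unauthorized_client"` would accept both.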
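Review bot: The introspection test declares `"sessions": ["s_CIE_introsp"]` in the previous hunk, but the intercept in the last hunk is `"from session": "s1"`, which is not among its declared sessions. If the tool only intercepts traffic belonging to the declared sessions, this intercept never matches, the client assertion is never tampered with, and the verdict reflects an untouched flow. Either intercept `"from session": "s_CIE_introsp"` or add `s1` to the session list, whichever matches how the introspection flow is driven; the removed side of the hunks on L904 through L910 shows the same pairing, so this may be a long-standing inconsistency rather than something new to this commit.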
@@ -4142,26 +4983,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Introspection response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
 "in": "body",
- "check": "invalid_client"
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response",
- "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.",
+ "name": "Does the OP verify the signature of the client assertion in the Revocation request",
+ "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
 "s1"
@@ -4175,12 +5016,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
- "edit operations": [
+ "message type": "Revocation request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
@@ -4188,7 +5034,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
@@ -4201,13 +5047,13 @@
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP require the client_id in the token request",
- "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. The response must be a Token Error response.",
+ "name": "Does the token response to a token request made with a wrong signature return a Token Error response",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -4222,11 +5068,16 @@
 "from session": "s1",
 "then": "forward",
 "message type": "Token request",
- "edit operations": [
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_id=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
@@ -4238,22 +5089,22 @@
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
 "in": "body",
- "check": "invalid_client"
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the token response to a token request made without the code parameter return a Token Error response",
- "description": "This test consists in sending a token request without the code parameter and analyzing the token response. The response must be a Token Error response.",
+ "name": "Does the OP's token endpoint refuse assertions signed with a wrong key",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -4268,11 +5119,16 @@
 "from session": "s1",
 "then": "forward",
 "message type": "Token request",
- "edit operations": [
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=code=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
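Review bot: This Token-request edit is identical to the one in the previous test (the `@@ -4222` hunk on L918): both decode the client_assertion and apply `"jwt sign": "X_wrong_key"`, so the two tests exercise the same condition under different names. The names describe different inputs, "a wrong signature" (a corrupted signature, which fails verification under any key) versus "signed with a wrong key" (a valid signature under an unexpected key, which only fails once the OP verifies against the RP's registered or federation-resolved key rather than a key the JWT itself points to), and those catch different OP bugs. Unless `X_wrong_key` behaves differently in the two tests, one of them should use a signature-corrupting edit instead, or the duplicate should be dropped.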
@@ -4288,65 +5144,614 @@ }, { "in": "body", - "check": "invalid_grant" + "check": "invalid_request" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the OP issue refresh tokens even when it is not supposed to", + "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_grant" + "check": "refresh_token", + "is present": false } ] } ], - "result": "assert_only" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. 
This must be a JSON object.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + 
"test": { + "name": "Does the OP's entity configuration contain a correct authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain correct type issuer parameter", + "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain correct type logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + 
"from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", 
\"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. 
In particular, this parameter must be a valid timestamp", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", + "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, 
\"required\": [\"iss\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be 
a string", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=id_token: \")([^\"]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. 
In particular, its value must be a timestamp", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=id_token: \")([^\"]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP refuse Authentication Requests without the request parameter", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], @@ -4359,12 +5764,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "edit operations": [ { - "from": "body", + "from": "url", "value": "", - "edit regex": "(?<=grant_type=)([^&]+)" + "edit": "request" } ] }, @@ -4372,14 +5777,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" }, { - "in": "body", + "in": "head", "check": "invalid_request" } ] 
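Review bot: The `required` list in the "only allowed types and only once for each" schema (`"required": ["openid_relying_party", "openid_provider", "federation_entity", ...]`) demands that all six metadata types be present, so an Entity Configuration that legitimately carries only `openid_provider` and `federation_entity` fails, whereas the description only restricts keys to that set; drop `required` and keep `"additionalProperties": false`. The ID Token `iss` schema ends with `"required":["iss"]})` — the stray `)` after the closing brace makes the embedded schema unparsable, so that check can never pass. The `exp` and `iat` ID Token tests use `"decode param": "(?<=id_token: \")([^\"]+)"`, a lookbehind that does not match a JSON body where the key is quoted (`"id_token": "..."`), unlike the `(?<=\"id_token\": \")[^\"]+` form used by the sibling tests. The `trust_marks` test's description requires a JSON array but its schema asserts `{"type": "object", "additionalProperties": {"type": "array"}}`; one of the two is wrong. The refresh-token test sets `"result": ["s1"]` while every other test in this hunk uses the string `"correct flow s1"`, so `result` now has two types across the file.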
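Review bot: The `"Authentication error response"` check at `@@ -4372` expects a `302` redirect carrying `invalid_request` after the `request` object has been stripped, but if the redirect_uri travels only inside that request object the OP has nothing trustworthy to redirect to, and RFC 6749 §4.1.2.1 forbids redirecting when the redirect URI cannot be validated, so a compliant OP that answers with a direct 400 error page would be marked as failing. Consider accepting either `400` or `302` here, or cite the profile clause that mandates a redirect; the same expectation is repeated in the scope and non-JWT-request tests that follow. In the edit at `@@ -4359`, `"edit": "request"` with `"value": ""` may leave an empty `request=` in the URL rather than removing the parameter, which is a different case from the one the description states — confirm the tool's semantics.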
@@ -4390,8 +5795,8 @@ }, { "test": { - "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", + "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", + "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", "type": "active", "sessions": [ "s1" @@ -4405,12 +5810,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "edit operations": [ { - "from": "body", - "value": "urn-aert", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "from": "url", + "value": "", + "edit": "scope" } ] }, @@ -4418,14 +5823,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" }, { - "in": "body", + "in": "head", "check": "invalid_request" } ] 
@@ -4436,8 +5841,8 @@ }, { "test": { - "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", - "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. The response must be a Token Error response.", + "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", "type": "active", "sessions": [ "s1" @@ -4451,12 +5856,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "edit operations": [ { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code=)([^&]+)" + "from": "url", + "value": "example", + "edit": "request" } ] }, @@ -4464,15 +5869,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" }, { - "in": "body", - "check": "invalid_grant" + "in": "head", + "check": "invalid_request" } ] } 
@@ -4482,8 +5887,8 @@ }, { "test": { - "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. The response must be a Token Error response.", + "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", + "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged", "type": "active", "sessions": [ "s1" @@ -4497,12 +5902,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "edit operations": [ { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code_verifier=)([^&]+)" + "from": "url", + "value": "openid", + "edit": "scope" } ] }, @@ -4510,14 +5915,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" }, { - "in": "body", + "in": "head", "check": "invalid_request" } ] 
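Review bot: The description for the "scope parameter different in the URL and in the JWT" test says the `iss` parameter in the URL is modified, but the edit operation at `@@ -4497` changes `scope` (`"edit": "scope"`, `"value": "openid"`); the sentence looks copied from another test and should read `scope`. If the intercepted request already carries `scope=openid` in the URL, the edit produces no difference between URL and JWT and the test passes vacuously; a value that cannot coincide with the JWT's scope would make the comparison meaningful. The enclosing test object continues into the next hunks on this line.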
@@ -4528,11 +5933,11 @@ }, { "test": { - "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", - "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", + "name": "Does the OP accept introspection requests without the client assertion", + "description": "A request to the introspection endpoint is made without the client assertion in it. The OP's response is analyzed", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { @@ -4543,12 +5948,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Introspection request", "edit operations": [ { "from": "body", - "value": "example", - "edit regex": "(?<=grant_type=)([^&]+)" + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" } ] }, @@ -4556,15 +5961,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { "in": "body", - "check": "unsupported_grant_type" + "check": "invalid_client" } ] } @@ -4574,11 +5979,11 @@ }, { "test": { - "name": "Does the OP check the client_id in the request", - "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", + "name": "Does the OP accept introspection requests without the client assertion type", + "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { 
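Review bot: `"sessions"` is changed to `["s_CIE_introsp"]` while the operations in this test still start and intercept `"s1"` (`"from session": "s1"` in the `@@ -4543` hunk), so the test references a session it does not declare and declares one it never uses; either the operations should point at `s_CIE_introsp` or the sessions list should stay `s1`. The same mismatch is repeated in every introspection test that follows (the hunks at `@@ -4574`, `@@ -4620`, `@@ -4666`, `@@ -4722`, `@@ -4778`, `@@ -4834` and `@@ -4890`). Whether a test with an undeclared session fails loudly or is skipped is not visible here; if it is skipped, all of these tests would silently stop running.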
@@ -4589,12 +5994,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Introspection request", "edit operations": [ { "from": "body", "value": "", - "edit regex": "(?<=client_id=)([^&]+)" + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -4602,7 +6007,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Introspection response", "checks": [ { "in": "head", @@ -4620,11 +6025,11 @@ }, { "test": { - "name": "How does the OP behave when the token in the userinfo request is missing", - "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", + "name": "Does the OP accept introspection requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { @@ -4635,12 +6040,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "UserInfo request", + "message type": "Introspection request", "edit operations": [ { - "from": "head", + "from": "body", "value": "", - "edit": "Authorization" + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -4648,15 +6053,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "UserInfo response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { "in": "body", - "check": "invalid_request" + "check": "invalid_client" } ] } 
@@ -4666,11 +6071,11 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", + "name": "How does the OP behave when receiving an introspection request without the token", + "description": "An introspection request without a token is sent and the introspection response analyzed", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { @@ -4681,22 +6086,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=token=)([^&]+)" } ] }, @@ -4704,14 +6099,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -4722,11 +6117,11 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the client_id parameter", - "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "name": "Does the OP accept introspection requests with a wrong client assertion type", + "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { @@ -4737,22 +6132,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -4760,14 +6145,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -4778,11 +6163,11 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "name": "Does the OP verify the client id of the Introspection Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { @@ -4793,22 +6178,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -4816,15 +6191,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } 
@@ -4834,37 +6209,27 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", - "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "name": "Does the OP verify the parameters of the client assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { "session": "s1", "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion=)([^&]+)" } ] }, 
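Review bot: The description states that a parameter inside the client-assertion JWT is altered and the signature recomputed to remain valid, but the edit operation replaces the whole `client_assertion` value with the literal `X_wrong_value` (`"edit regex": "(?<=client_assertion=)([^&]+)"`), which is not a JWT at all; the OP rejecting it shows only that a malformed assertion is refused, not that its claims are verified. To exercise what the description promises, use a `decode operations` entry with `"type": "jwt"` that edits one payload claim and re-signs, as the removed lines of this hunk did for the authentication request. The test's checks are in the following hunk.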
@@ -4872,14 +6237,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] @@ -4890,11 +6255,11 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the nonce parameter", - "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "name": "How does the OP behave when receiving an introspection request with a wrong token", + "description": "An introspection request with a token not valid is sent and the introspection response analyzed", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { @@ -4905,22 +6270,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "X_not_valid_tkn", + "edit regex": "(?<=token=)([^&]+)" } ] }, @@ -4928,14 +6283,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
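Review bot: The invalid-token introspection test (hunks -4890 to -4928) expects `400` with `invalid_request`, but RFC 7662 §2.2 says an introspection request whose token is invalid, expired or unknown gets a `200` response with `"active": false`; `400 invalid_request` is for a malformed request. Unless the profile under test overrides this, a conforming OP fails this test. Consider `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` for the head and a body check such as `"check regex": "\"active\"\\s*:\\s*false"` (serializer spacing varies, hence the regex).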
@@ -4946,8 +6301,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter", - "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "name": "Does the OP verify the presence of token in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", "type": "active", "sessions": [ "s1" @@ -4961,22 +6316,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=token=)([^&]+)" } ] }, @@ -4984,14 +6329,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
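Review bot: Every "without the X parameter" test in this series sets the parameter to the empty string (`"value": ""` on `(?<=token=)([^&]+)`), so the forwarded body still contains `token=`; an OP may treat an empty value differently from an absent parameter (for instance `invalid_request` for empty versus `invalid_client` for a missing `client_id`), so the tests do not exercise what their names claim. A regex that also consumes the key and separator, roughly `"edit regex": "token=[^&]*&?"` with the empty value, would remove the parameter; the same applies to hunks -5017, -5073, -5129, -5297, -5353, -5409, -5465, -5521, -5577 and -5857. The description of this test also talks about verifying the client assertion although the test removes the token; something like `"description": "The OP must reject a Revocation Request that lacks the token parameter; a legitimate request is intercepted, the token is removed and the response is analyzed."` matches the operations.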
@@ -5002,8 +6347,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the state parameter", - "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "name": "Does the OP accept revocation request without the client assertion", + "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", "type": "active", "sessions": [ "s1" @@ -5017,22 +6362,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" } ] }, @@ -5040,15 +6375,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } 
@@ -5058,8 +6393,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", - "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "name": "Does the OP accept Revocation Requests without the client assertion type", + "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", "type": "active", "sessions": [ "s1" @@ -5073,22 +6408,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -5096,14 +6421,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
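Review bot: Minor documentation point in the new description (hunk -5058): `withiout` should be `without`, i.e. `"description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request without client assertion type is sent and the response is analyzed."`. The operations and checks of this test are otherwise consistent with its name.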
@@ -5114,8 +6439,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", - "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", + "name": "Does the OP accept Revocation Requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", "type": "active", "sessions": [ "s1" @@ -5129,22 +6454,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -5152,15 +6467,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } 
@@ -5170,8 +6485,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", - "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "name": "Does the OP verify the client assertion type of the Revocation Request", + "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", "type": "active", "sessions": [ "s1" @@ -5185,22 +6500,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "urn-ietf", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -5208,14 +6513,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -5226,8 +6531,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "name": "Does the OP verify the client id of the Revocation Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", "type": "active", "sessions": [ "s1" @@ -5241,22 +6546,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -5264,15 +6559,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } 
@@ -5282,8 +6577,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", - "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5297,22 +6592,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681723540" - }, - { - "jwt sign": "X_key_RP" - } - ] + "message type": "Token request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" } ] }, @@ -5320,15 +6605,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } 
@@ -5338,8 +6623,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", - "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", + "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5353,22 +6638,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681723540" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -5376,14 +6651,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -5394,8 +6669,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "name": "Does the OP require the client_id in the token request", + "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5409,22 +6684,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "19az" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -5432,15 +6697,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } 
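Review bot: This test and the one at hunks -5842/-5857 apply the same edit — `client_id` emptied in the Token request via `(?<=client_id=)([^&]+)` — but expect different outcomes: `401` with `invalid_client` here, `400` with `invalid_request` there, so at most one of them can pass against any given OP. Per RFC 6749 §5.2 a missing required parameter is `invalid_request`, while `invalid_client` (optionally with 401) is for failed client authentication; since the client here still authenticates with `client_assertion`, the `400`/`invalid_request` expectation looks like the right one unless the profile says otherwise. Either align the two tests or state in their descriptions why they differ, and consider dropping one since they are duplicates.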
@@ -5450,8 +6715,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", - "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", + "name": "Does the token response to a token request made without the code parameter return a Token Error response", + "description": "This test consists in sending a token request without the code parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5465,22 +6730,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=code=)([^&]+)" } ] }, @@ -5488,15 +6743,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_grant" } ] } 
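Review bot: A token request that lacks `code` (this test, hunk -5488) or `code_verifier` (hunk -5544) is checked for `invalid_grant`, while a request with a wrong `code_verifier` (hunk -5768) is checked for `invalid_request`; RFC 6749 §5.2 assigns `invalid_request` to a missing required parameter and RFC 7636 §4.6 assigns `invalid_grant` to a `code_verifier` that does not match the challenge, so the two expectations appear swapped (RFC 7636 does not single out a missing `code_verifier`, so the §5.2 rule applies). Suggested checks: `"check": "invalid_request"` here and in hunk -5544, and `"check": "invalid_grant"` in hunk -5768. The wrong-`code` test at hunk -5712 already expects `invalid_grant`, which matches the RFC.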
@@ -5506,8 +6761,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", - "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", + "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5521,22 +6776,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=code_verifier=)([^&]+)" } ] }, @@ -5544,15 +6789,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "unsupported_response_type" + "in": "body", + "check": "invalid_grant" } ] } 
@@ -5562,8 +6807,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", - "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", + "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5577,22 +6822,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=grant_type=)([^&]+)" } ] }, @@ -5600,15 +6835,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "invalid_scope" + "in": "body", + "check": "invalid_request" } ] } 
@@ -5618,8 +6853,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5633,22 +6868,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "19az" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "urn-aert", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -5656,14 +6881,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -5674,8 +6899,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the acr_values parameter", - "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", + "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", + "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5689,22 +6914,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "X_wrong_code", + "edit regex": "(?<=code=)([^&]+)" } ] }, @@ -5712,15 +6927,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_grant" } ] } 
@@ -5730,8 +6945,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the aud parameter", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", + "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5745,22 +6960,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "X_wrong_code", + "edit regex": "(?<=code_verifier=)([^&]+)" } ] }, @@ -5768,14 +6973,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -5786,8 +6991,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the claims parameter", - "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", + "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", + "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", "type": "active", "sessions": [ "s1" @@ -5801,22 +7006,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "example", + "edit regex": "(?<=grant_type=)([^&]+)" } ] }, @@ -5824,15 +7019,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "unsupported_grant_type" } ] } @@ -5842,8 +7037,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the exp parameter", - "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", + "name": "Does the OP check the client_id in the request", + "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", "type": "active", "sessions": [ "s1" 
@@ -5857,22 +7052,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -5880,14 +7065,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] @@ -5898,8 +7083,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iat parameter", - "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", + "name": "How does the OP behave when the token in the userinfo request is missing", + "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", "type": "active", "sessions": [ "s1" @@ -5913,22 +7098,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "UserInfo request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "from": "head", + "value": "", + "edit": "Authorization" } ] }, 
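Review bot: The client_id test whose operations start in hunk -5857 (its `test` object and description begin in the previous hunk, -5842) describes removing `client_id` from the URL of the token request, but the edit is `"from": "body"`; the description should say body, e.g. `"description": "In this test the client_id parameter in the body of the token request is removed and the response is analyzed"`. In the UserInfo test (hunk -5913) the edit `"edit": "Authorization"` with `"value": ""` looks like it blanks the header rather than deleting it — if the tool keeps an empty `Authorization:` line, the request is not the "missing token" case the name and description promise; confirm the tool's semantics or use a removing edit if one exists.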
@@ -5936,14 +7111,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "UserInfo response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
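Review bot: The UserInfo error checks (hunk -5936) expect `400` and `invalid_request` in the body, but OIDC Core §5.3.3 defers to RFC 6750 §3.1, where a request carrying no access token at all gets `401` with a `WWW-Authenticate: Bearer` header and SHOULD carry no error code; a conforming OP therefore fails this test. Consider `"check regex": "HTTP/?\\d?\\.?\\d?\\s401"` for the head plus a head check for `WWW-Authenticate` instead of the body check, unless the profile under test mandates the 400/`invalid_request` form. The test's name and description are in the previous hunk (-5898).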
@@ -5954,2036 +7129,1305 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iss parameter", - "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "in": "body", + "check": "token_type", + "is": "Bearer" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication response", + "checks": [ { "in": "head", - "check": "invalid_request" + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the prompt parameter", - "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", - "type": "active", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, + "message type": "Entity Configuration response OP", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. 
It must contain the access token parameter and its value must be a JWT", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", - "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } ], - "result": "assert_only" + "result": 
"correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the response_type parameter", - "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "UserInfo response", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "in": "body", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse an RP without trusted Trust Marks", - "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. 
The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", - "type": "active", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQ
wvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.trust_marks", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", - "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", - "type": "active", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. 
If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L
8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly validate the trust chain of an RP authentication request", - "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", - "type": "active", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/Iu
waoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.authority_hints", - "value": "https://www.wrongsite.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_client" + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", - "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", - "type": "active", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nC
hoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.cty", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Request with a wrong redirect URI", - "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", - "type": "active", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nC
hoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.enc", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", - "type": "active", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVob
osAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", - "type": "active", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - 
{ - "jwt from": "payload", - "jwt edit": "$.aud[0]", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported[0]", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", - "type": "active", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 
'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", - "type": "active", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": 
"intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", - "type": "active", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": 
"(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", - "type": "active", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": 
"$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", - "type": "active", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": 
"invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", - "type": "active", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", - 
"description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", - "type": "active", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present and must be set to 'code'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is missing", - "type": "active", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint", - "type": "active", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong", - "type": "active", + "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the iat claim is wrong", - "type": "active", + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", - "type": "active", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", - "type": "active", + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", - "type": "active", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the Introspection Endpoint Response have the active parameter", - "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. 
It must contain the 'active' parameter", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "active" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -7993,20 +8437,28 @@ }, { "test": { - "name": "Does the Introspection Endpoint returns true on active tokens", - "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "\"active\": true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BC
oaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.cty", + "is": "JWT" + } + ] } ] } 
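Review bot: The new `"jwe decrypt"` value embeds a complete RSA private key as a PEM literal inside the test definition, and the identical literal is repeated in the next hunk (`@@ -8016`). Even if this is a test-only key, committing private-key material into a test file spreads it to every clone of the repository, makes rotation a multi-site edit, and lets the duplicated copies drift apart. The removed lines earlier in this patch already reference signing keys by alias (`"jwt sign": "X_key_core_RP"`), so the same indirection should be used here, e.g. `"jwe decrypt": "<placeholder: alias of the RP decryption key>"`, with the PEM kept in the tool's key store or an untracked file. If `jwe decrypt` cannot take an alias, the test-only status and provenance of this key should at least be recorded in the accompanying documentation, since strict JSON leaves no room for a comment.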
@@ -8016,20 +8468,33 @@ }, { "test": { - "name": "Does the OP verify the HTTP method of the Revocation request", - "description": "The revocation request must be sent via HTTP POST", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz
8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } @@ -8039,20 +8504,27 @@ }, { "test": { - "name": "Does the successful token response contain access token", - "description": "The Token response is analyzed and the presence of the access token is checked", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is present": "true" + } + ] } ] } 
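Review bot: The description states that an absent `alg` header makes the token non-compliant, but the only check added is `"is not in": ["none", "HS256", "HS384", "HS512"]`, which presumably passes when `$.alg` is missing altogether; add `{ "in": "header", "check": "$.alg", "is present": "true" }` to the same `checks` array so absence is actually detected. The description also says any symmetric algorithm fails, whereas the list covers only the HMAC family; an allow-list (`"is in"`) of the asymmetric algorithms the profile permits, as the removed Access Token test at `@@ -8177` did with `['RS256', 'RS512']`, would match the stated intent better than a deny-list. Whether `$.alg` here is read from the outer JWE header or from the decrypted inner JWT is not visible in the hunk; this note assumes the latter, and the description should say which.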
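Review bot: This hunk introduces the decoder as `"decode regex": "[^\\r\\n]*"` while the two preceding hunks (`@@ -7993`, `@@ -8016`) configure the same regex under `"decode param"`, and the later hunks in this patch use `"decode regex"` again. Unless the tool treats the two keys as synonyms, one group of tests is silently misconfigured and skips its decode step, which for a passive presence check would most likely register as a pass rather than a failure. Pick one key and use it consistently across the file; the unchanged context at `@@ -8297` shows `"decode regex"` is already the form used by the pre-existing metadata tests.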
@@ -8062,20 +8534,27 @@ }, { "test": { - "name": "Does the OP issue the access tokens when requested", - "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.jwks", + "is present": "true" + } + ] } ] } 
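Review bot: The new check writes `"is present": "true"` as a string, whereas the removed lines in this and the surrounding hunks used the JSON boolean `"is present": true`. Giving one key two JSON types is fragile: a consumer that tests the value with a strict boolean comparison will treat the string form as unset, and a consumer that tests for truthiness will also accept `"false"`. The unchanged context at `@@ -8297` shows the string form is already the convention in this part of the file, so whichever spelling the tool actually honours should be confirmed and the other normalised to it across the file; the same applies to every later hunk in this patch that adds `"is present"`.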
@@ -8085,20 +8564,27 @@ }, { "test": { - "name": "Does the OP issue the expires_in in a token response", - "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "expires_in" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.signed_jwks_uri", + "is present": "true" + } + ] } ] } 
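Review bot: The test name and description promise "jwks or signed_jwks_uri ... at least one of the two", but the single check only asserts `"check": "$.metadata.openid_provider.signed_jwks_uri"` is present, so an OP that publishes `jwks` inline — which the description explicitly accepts — fails this test, and the preceding hunk already covers the `jwks`-only case. If the tool's `checks` array is conjunctive (which the surrounding tests suggest but the hunk does not prove), there is no way to express the disjunction here; either rename the test to `"Does the OP metadata contain the signed_jwks_uri claim in the openid_provider subclaim"` and drop the "or" from the description, or model the either/or as two tests whose results are combined at the result level. As written the name documents a behaviour the check does not implement.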
@@ -8108,20 +8594,27 @@ }, { "test": { - "name": "Does the successful token response contain the ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "id_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" + } + ] } ] } @@ -8131,20 +8624,27 @@ }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" + } + ] } ] } 
@@ -8154,20 +8654,27 @@ }, { "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" + } + ] } ] } 
@@ -8177,28 +8684,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" - ] + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
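Review bot: Replacing the Access Token `alg` allow-list test (`"is in": ["RS256", "RS512"]`) with a `federation_entity.contacts` presence test removes the only check in this section that the issued access token is signed with an approved asymmetric algorithm; the hunks at `@@ -8210` and `@@ -8245` likewise overwrite the deny-list checks on the Access Token and ID Token `alg` headers. Unless those tests were moved to another file in this series, the patch drops coverage of token signing algorithms, which is the check that guards against `none` and HMAC-key-confusion tokens being accepted. New metadata tests should be added as additional entries rather than rewritten over unrelated existing ones, so the old checks keep running.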
@@ -8210,30 +8714,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -8245,30 +8744,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } @@ -8280,8 +8774,8 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -8297,7 +8791,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -8310,8 +8804,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
+ "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8327,7 +8821,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.jwks",
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -8340,8 +8834,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
+ "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8357,7 +8851,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.signed_jwks_uri",
+ "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
 "is present": "true"
 }
 ]
@@ -8370,8 +8864,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
+ "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8387,7 +8881,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported",
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -8400,8 +8894,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain the introspection_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8417,7 +8911,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_endpoint",
+ "check": "$.metadata.openid_provider.introspection_endpoint",
 "is present": "true"
 }
 ]
@@ -8430,8 +8924,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8447,7 +8941,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -8460,8 +8954,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the contacts claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain the organization_name claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8477,7 +8971,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -8490,8 +8984,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain the policy_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8507,7 +9001,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -8520,8 +9014,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8537,7 +9031,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -8550,8 +9044,8 @@ }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -8567,7 +9061,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", "is present": "true" } ] @@ -8580,8 +9074,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -8597,7 +9091,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] 
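Review bot: The description of the token_endpoint_auth_signing_alg_values_supported test says the claim is checked in the 'op' entity type, but the check path is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported` and every sibling description on this page names 'openid_provider'. Change it to `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked."` so the report text matches what is actually evaluated. The remainder of that test object lies outside the hunk.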
@@ -8610,8 +9104,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -8627,7 +9121,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", "is present": "true" } ] @@ -8640,8 +9134,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -8657,7 +9151,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "check": "$.metadata.openid_provider.claims_supported", "is present": "true" } ] 
@@ -8670,8 +9164,8 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -8687,7 +9181,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", + "check": "$.metadata.openid_provider.claims_parameter_supported", "is present": "true" } ] @@ -8700,8 +9194,8 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -8717,7 +9211,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.openid_provider.request_parameter_supported", "is present": "true" } ] 
@@ -8730,8 +9224,8 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -8747,7 +9241,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is present": "true" } ] @@ -8760,8 +9254,8 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -8777,7 +9271,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata.openid_provider.client_registration_types_supported", "is present": "true" } ] 
@@ -8789,9 +9283,9 @@ } }, { - "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "test": { + "name": "Does the OP metadata contain the request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -8807,7 +9301,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", "is present": "true" } ] 
@@ -9150,53 +9644,66 @@ }, { "test": { - "name": "Does the OP issue refresh tokens even when it is not supposed to", - "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication response", "checks": [ { - "in": "body", - "check": "refresh_token", - "is present": false + "in": "head", + "check param": "Location", + "contains": "code" } ] } ], - "result": [ + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "type": "passive", + "sessions": [ "s1" - ] + ], + "operations": [ + { + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check param": "Location", + "contains": "state" + } + ] + } + ], + "result": "correct flow s1" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. 
If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rU
ajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", - "is": "JWT" - } - ] + "in": "head", + "check param": "Location", + "contains": "iss" } ] } 
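Review bot: The three new Authentication-response tests assert `"contains": "code"`, `"contains": "state"` and `"contains": "iss"` against the whole Location header, which is a plain substring match: a redirect whose error_description happens to contain the word "code", or any URL whose host or path contains "iss", would satisfy the check without the parameter being present. If `"check regex"` (already used with `"in": "head"` by the removed tests further down) can be combined with `"check param": "Location"`, anchoring on the query parameter, e.g. `"check regex": "[?&]code="`, tests what the description actually promises; the same applies to state and iss. The hunk also drops the refresh-token-not-issued check and the UserInfo JWE cty check from this file; if they are not relocated elsewhere in the commit, that negative coverage is lost. The removed cty test additionally carried an RSA private key inline in the test definition — if the same fixture survives in other test files, loading it from a separate file or variable would be preferable to repeating the PEM in each test.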
@@ -9206,21 +9713,78 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the token response have Cache-Control set to 'no-store'", + "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { + "message type": "Token response", + "checks": [ + { + "in": "head", + "check param": "Cache-Control", + "contains": "no-store" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_OP" + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message 
type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "saved_iss" + } + ] } ] } @@ -9230,8 +9794,8 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -9244,7 +9808,16 @@ "from": "body", "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "checks": [ + { + "in": "header", + "check": "$.alg", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } 
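Review bot: The new ID Token iss test is named and described as an equality check against the Entity Configuration's iss, but the assertion is `"contains": "saved_iss"`, a substring test, so an issuer value that merely embeds the EC issuer would still pass; if the runner honours `"use variable"` together with `"is"`, `"is": "saved_iss"` expresses the stated intent. Separately, the extraction pattern `(?<=\"id_token\": \")[^\"]+` (and its `access_token` twin in the hunks at old lines 9230, 9254 and 9278, where it is partly pre-existing context) assumes exactly one space after the colon; a compact or differently pretty-printed token response yields no match and the check evaluates nothing rather than failing. A whitespace-tolerant form such as `(?<=\"id_token\":\\s?\")[^\"]+` — assuming the regex engine supports bounded-width lookbehind, which the current pattern already relies on — would make the checks robust to serializer differences. The decode block of the second intercept continues past the hunk.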
@@ -9254,8 +9827,8 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -9266,9 +9839,20 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
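Review bot: The 'wrong alg' Access Token test's description says an absent alg makes the token non-compliant, but the only assertion is `"is not in": ["none", "HS256", "HS384", "HS512"]`, which presumably cannot fail on a missing header parameter; the allow-list test directly above (`"is in": ["RS256", "RS512"]`) is what actually rejects absence and any other unlisted algorithm, so this deny-list only adds a clearer failure message. Either drop the "is absent" clause from the description or add an explicit `{ "in": "header", "check": "$.alg", "is present": "true" }` check alongside it. The same applies to the ID Token variant in the following hunk (old line 9278), which has no allow-list counterpart visible in this chunk, so there the presence check matters more.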
@@ -9278,74 +9862,80 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", - "type": "active", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "header", - "jwt edit": "alg", - "value": "none" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_OP" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the OP correctly sign the Access Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. 
In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "jwt check sig": "X_key_core_OP" } ] } @@ -9355,21 +9945,21 @@ }, { "test": { - "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", - "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", + "name": "Does the OP correctly sign the ID Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "jwt check sig": "X_key_core_OP" } ] } 
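Review bot: This hunk removes the only active negative test in this region — the one that rewrote the Authentication request JWT header to `"alg": "none"` and expected a 302 carrying `invalid_request` — together with the Entity Configuration Content-Type check (`application/entity-statement+jwt`) and, in the hunk at old line 9355, the UserInfo `application/jwt` Content-Type check, while the signature tests re-homed here (`"jwt check sig": "X_key_OP"` / `"X_key_core_OP"`) only exercise the positive path. If those tests are not re-added elsewhere in the commit, the OP's rejection of unsigned or symmetrically signed request objects is no longer exercised by this plan. The hunk's first lines are in the preceding physical lines of the diff, so the enclosing test object for the ID Token deny-list starts before this anchor.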
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json index d2241d7..53d10cd 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json @@ -7,20 +7,27 @@ "tests": [ { "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "Content-Type", - "is": "application/json" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
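Review bot: The new description says the Entity Configuration payload is decoded "(Base64 encoding)", but JWT segments are base64url-encoded, as other descriptions in this commit already put it ("the payload is base64url decoded"); use `"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is base64url decoded and the presence of the exp parameter is checked"` here and in the sibling hunks at old lines 30, 53, 90, 124, 147 and 170. Test names are also inconsistent across those hunks: six read "Does entity configuration contain the … parameter" while the authority_hints test at old line 170 reads "Does the OP's entity configuration contain …", although all target `"Entity Configuration response OP"`, so one form should be used. Finally, `"is present": "true"` is a string here and in every new check, whereas a removed test in the preceding file of this diff used the boolean `false`; if the runner distinguishes the two, settle on one representation. The hunk drops the token-response Content-Type and `token_type` Bearer checks from this file; confirm they are kept elsewhere.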
@@ -30,20 +37,27 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "token_type", - "is": "Bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -53,32 +67,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs
2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -90,29 +97,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR
40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } @@ -124,8 +127,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" @@ -133,11 +136,18 @@ "operations": [ { "message type": "Entity Configuration response OP", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } 
@@ -147,8 +157,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -156,11 +166,18 @@ "operations": [ { "message type": "Entity Configuration response OP", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -170,20 +187,27 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.authority_hints", + "is present": "true" + } + ] } ] } 
@@ -193,8 +217,368 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. 
If it is not present, than the Access Token is not compliant.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.typ", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { 
+ "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + 
"type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] + } + ] + } + ], + "result": 
"correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" @@ -202,11 +586,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } @@ -216,8 +607,8 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -225,11 +616,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
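Review bot: The lookbehind `(?<=\"access_token\": \")` used by every `decode param` added in this hunk only matches a token response serialized with exactly one space after the colon, so a compact or differently pretty-printed body yields no token to decode and each Access Token test fails for a formatting reason rather than a compliance one; the `id_token` lookbehind in this hunk and in the hunks at L1044 through L1051 has the same property. The regex removed at L1048 tolerated this with `\\s?`; `(?<=\"access_token\":\\s?\")[^\"]+` and `(?<=\"id_token\":\\s?\")[^\"]+` restore that tolerance, provided the regex engine accepts bounded-length lookbehind. The enclosing test array starts and ends outside this hunk. The two 'kid' descriptions read `than the Access Token is not compliant` / `than the ID Token is not compliant`; `then` is the intended word.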
@@ -239,25 +637,25 @@ }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_OP" + "check": "$.acr", + "is present": "true" } ] } 
@@ -269,20 +667,27 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.at_hash", + "is present": "true" + } + ] } ] } 
@@ -292,20 +697,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -315,20 +727,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } @@ -338,8 +757,8 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" 
@@ -347,11 +766,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } @@ -361,8 +787,8 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -370,11 +796,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
@@ -384,20 +817,27 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } 
@@ -407,25 +847,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.nonce", + "is present": "true" } ] } 
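Review bot: The JSON-schema assertion removed here (`exp` must be an integer with `minimum` 0) is replaced by a presence-only check on `nonce`, and the same downgrade from a type or format assertion to `"is present"` happens for `iat` at L1051, `authority_hints` at L1054, `trust_marks` at L1057, `aud` and `client_id` at L1058 and `iss` at L1061. If those assertions are not re-added elsewhere in the suite (the diffstat lists new per-test files, so they may be), the suite will accept a token whose `exp` is a string or whose `iss` is not an HTTPS URL, which is what these passive tests existed to catch. A presence entry and a schema entry can sit side by side in the same `checks` array, so keeping `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"` next to the new check would preserve the coverage.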
@@ -437,25 +877,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.sub", + "is present": "true" } ] } @@ -467,8 +907,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" 
@@ -476,18 +916,12 @@
 "operations": [
 {
 "message type": "Entity Configuration response OP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
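Review bot: `"is": "application/entity-statement+jwt"` compares the whole Content-Type header value for equality, so a response carrying a media-type parameter (for example `application/entity-statement+jwt; charset=utf-8`) is reported as non-compliant although the media type itself is correct; the UserInfo check at L1053 (`"is": "application/jwt"`) has the same property. If that strictness is intended, the description should state that no parameters are accepted; otherwise, if the tool supports regex matching on a header value, anchoring on the media type while allowing a parameter suffix would express the actual requirement.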
@@ -497,27 +931,21 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } 
@@ -527,27 +955,20 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
+ "name": "Does the OP verify the HTTP method of the Revocation request",
+ "description": "The revocation request must be sent via HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
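Review bot: `"in": "url", "check": "POST", "is present": true` looks for the literal string `POST` inside the request URL rather than in the request method, so a POST sent to a URL without that substring fails and a GET to a path that happens to contain `POST` passes, while the description states the requirement as the request being sent via HTTP POST. Unless `"in": "url"` is defined in mig-t to cover the whole request line including the method, the check should target the request head, as the removed status-line checks did with `"in": "head"` and `"check regex"`, for example `"in": "head", "check regex": "^POST\\s", "is present": "true"`. The `"is present": true` boolean also differs from the string `"true"` used by every other presence check in this file.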
@@ -557,27 +978,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
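Review bot: `"check regex": "access_token"` is an unanchored substring match on the body, so any token response whose body merely mentions `access_token` — an error body whose `error_description` names the parameter, for instance — passes, and the operations block is byte-for-byte identical to the one added at L1056, which differs only in name and description. The regex removed at L1048 required a JWT-shaped value; `"check regex": "\"access_token\"\\s*:\\s*\"[^\"]+\""` would at least require the key with a non-empty string value, and the same applies to `expires_in` at L1057 and to `id_token` and `token_type` at L1058. If the two tests are meant to assert different things, the difference belongs in the checks, not only in the name.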
@@ -587,27 +1001,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"logo_uri\"]})" - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
@@ -617,27 +1024,20 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } @@ -647,8 +1047,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" 
@@ -656,18 +1056,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } @@ -677,8 +1070,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" @@ -686,18 +1079,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } 
@@ -707,27 +1093,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
+ "name": "Does the HTTP status code of the UserInfo response is 200",
+ "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "UserInfo response",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "head",
+ "is present": true,
+ "check param": "HTTP/?\\d?\\.?\\d?\\s200"
 }
 ]
 }
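Review bot: `"check param": "HTTP/?\\d?\\.?\\d?\\s200"` passes a regular expression where the other `check param` uses in this file (`"check param": "Content-Type"` at L1052 and L1053) name a header parameter literally, so the status line will presumably be looked up as a parameter with that literal name and never be found. The removed status-line checks applied this exact pattern through `"check regex"`; `"in": "head", "is present": "true", "check regex": "HTTP/?\\d?\\.?\\d?\\s200"` keeps the intent. The name `Does the HTTP status code of the UserInfo response is 200` would read better as `Is the HTTP status code of the UserInfo response 200`.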
@@ -737,25 +1116,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" } ] } 
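Review bot: The path `$.metadata.openid_provider.claims_parameter_supported.value` expects the claim to be wrapped in an object with a `value` member, but an OP's entity-configuration `metadata` carries the discovery claims directly (`claims_parameter_supported: true`); the `{"value": ...}` form is metadata-policy syntax, so unless this OP really publishes the wrapper the path resolves to nothing and a compliant OP fails. The same `.value` suffix is used in the next two hunks (`request_parameter_supported`, `authorization_response_iss_parameter_supported`). The comparison `"is": "true"` is also a string against a boolean claim, which may or may not coerce depending on the checker. Proposed: `"check": "$.metadata.openid_provider.claims_parameter_supported", "is": "true"`, and the description should say the value is checked, not merely the presence.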
@@ -767,25 +1146,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } 
@@ -797,25 +1176,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" } ] } 
@@ -827,25 +1206,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + "check": "$.sub", + "is": "X_url_OP" } ] } 
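Review bot: The description says `sub` "must be equal to the one in the iss parameter", but the check compares `$.sub` against the fixed placeholder `X_url_OP`, not against `$.iss`, so a configuration where both are the same wrong value would still pass. The placeholder also differs from the `X_https_OP` placeholder used for the ID Token `iss` elsewhere in this file; whatever substitutes these values must know both spellings, which is easy to get out of sync. If the check language cannot reference another path, the description should state that `sub` is compared against the configured OP identifier.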
@@ -857,27 +1236,20 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -887,27 +1259,20 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
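Review bot: This hunk's check is byte-identical to the one in the previous hunk (`@@ -857`): both run against `Entity Configuration response OP` and assert only `HTTP ... 200`, so the "Does the Entity expose the /.well-known/openid-federation endpoint" test adds no coverage. Its description says "its entity configuration is expected as response", which the status line alone does not establish. A distinguishing assertion would be the media type, e.g. `{"in": "head", "check": "Content-Type", "contains": "application/entity-statement+jwt"}`, assuming `contains` is a valid operator on header checks in this tool as it was for `Location`.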
@@ -917,27 +1282,20 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Revocation response", + "checks": [ { - "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
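Review bot: The description requires "an empty HTTP 200 OK", but the only check is the status line, so a 200 whose body carries an error object or an HTML page still passes. If the empty-body requirement is intended, add a body assertion alongside the status check, e.g. `{"in": "body", "check regex": "^\\s*$", "is present": "true"}`, or drop "empty" from the description so the test and its text agree. Whether the regex checker anchors on the whole body is something to confirm against the tool.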
@@ -947,20 +1305,20 @@ }, { "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "message type": "Token response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "code" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -970,20 +1328,20 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "message type": "Token response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "state" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
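Review bot: The two hunks on this line replace the Authentication-response redirect checks for `code`, `state` and `iss` with two tests that both assert `HTTP ... 200` on the Token response, and the two new tests are identical apart from their names, so one of them is redundant. The `code` parameter regains a typed check later in this patch, but no replacement for the `state` and `iss` redirect checks is visible in this chunk; the `iss` check in particular is what backs the `authorization_response_iss_parameter_supported` metadata test, so if it is not re-added elsewhere the advertised behaviour is no longer exercised end to end. Consider keeping one of the two status tests and restoring `{"in": "head", "check param": "Location", "contains": "iss"}` (and the `state` counterpart) as Authentication-response tests.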
@@ -993,20 +1351,27 @@ }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "iss" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } @@ -1016,8 +1381,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1033,8 +1398,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -1046,8 +1411,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -1063,8 +1428,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -1076,8 +1441,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" @@ -1088,13 +1453,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
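Review bot: The `$.metadata` schema lists all six entity types in `required` together with `additionalProperties: false`, so an OP entity configuration that correctly publishes only `openid_provider` and `federation_entity` fails, while the description only says each key must be one of the allowed types. Dropping the `required` array and keeping `additionalProperties: false` expresses the stated rule: `"json schema compliant": "{\"type\": \"object\", \"properties\": { ... }, \"additionalProperties\": false}"` with the six type entries unchanged. The "only once for each" part cannot be enforced by a JSON schema, since duplicate keys are already collapsed by the parser before validation; the description should not promise it. The `[^\\r\\n]*` to `[^\\n\\r]*` change in the `decode param` is equivalent and only adds churn.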
@@ -1106,8 +1471,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the OP's entity configuration contain a correct authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", "type": "passive", "sessions": [ "s1" @@ -1123,8 +1488,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" } ] } @@ -1136,8 +1501,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the OP metadata contain correct type issuer parameter", + "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", "type": "passive", "sessions": [ "s1" @@ -1148,13 +1513,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" } ] } 
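Review bot: The `issuer` schema in the last hunk on this line uses only `"format": "uri"`, but the description requires "an URL with no query or fragment component", which `format` does not check; `format` is also an annotation that many validators ignore unless format assertion is enabled. A pattern carries the requirement explicitly and, consistent with the https requirement applied to `iss` elsewhere in this file, would read `\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://[^?#]*$\"}`. Whether plain `http://` issuers must also be rejected depends on the profile being tested.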
@@ -1166,8 +1531,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the OP metadata contain correct type logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -1178,13 +1543,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -1196,8 +1561,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" 
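Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` accepts `http://` while every other URL check in this patch insists on `https://`; if the profile requires a TLS-served logo the pattern should be `^https://.*\\.svg$`, otherwise the inconsistency should be deliberate and documented in the description. The description says only that the value "is an URL", yet the schema additionally requires an `.svg` suffix, so either the text should mention the SVG requirement or the suffix constraint should go. The `required` on `logo_uri` under `$.metadata.federation_entity` means a missing logo fails the test, which is stricter than "correct type" in the test name suggests.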
@@ -1213,8 +1578,8 @@ "checks": [ { "in": "payload", - "check": "$.authority_hints", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" } ] } @@ -1226,8 +1591,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the OP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" @@ -1243,8 +1608,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } @@ -1256,8 +1621,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", "type": "passive", "sessions": [ "s1" 
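Review bot: The `trust_marks` schema in the `@@ -1243` hunk requires `{"type": "object", "additionalProperties": {"type": "array"}}` while the test description says the parameter "must be a JSON array"; in OpenID Federation `trust_marks` is an array of objects each carrying `id` and `trust_mark`, so a conforming configuration fails this check. Suggested schema fragment: `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}`. The `request_authentication_methods_supported` schema in the first hunk is fine structurally, but `additionalProperties` with no named endpoint keys means an empty object also passes; if the profile expects specific endpoints (for example `authorization_endpoint`) they should be listed under `required`.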
@@ -1272,9 +1637,9 @@ "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" } ] } @@ -1286,8 +1651,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", "type": "passive", "sessions": [ "s1" @@ -1302,9 +1667,9 @@ "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" } ] } @@ -1316,8 +1681,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", "type": "passive", "sessions": [ "s1" 
@@ -1332,9 +1697,9 @@ "type": "jwt", "checks": [ { - "in": "header", - "check": "$.typ", - "is present": "true" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -1346,8 +1711,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", "type": "passive", "sessions": [ "s1" @@ -1363,8 +1728,8 @@ "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -1376,8 +1741,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", + "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", "type": "passive", "sessions": [ "s1" 
@@ -1393,8 +1758,8 @@ "checks": [ { "in": "payload", - "check": "$.client_id", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -1406,8 +1771,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", "type": "passive", "sessions": [ "s1" @@ -1423,8 +1788,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" } ] } @@ -1436,8 +1801,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", "type": "passive", "sessions": [ "s1" 
@@ -1448,13 +1813,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" } ] } @@ -1466,8 +1831,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", "type": "passive", "sessions": [ "s1" @@ -1478,13 +1843,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" } ] } 
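Review bot: The ID Token `iss` schema string in the first hunk on this line ends with `\"required\":[\"iss\"]})"`, and the stray `)` after the closing brace makes the embedded schema invalid JSON, so the validator will fail to parse it and the test can never pass regardless of the token. The corrected value is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]}"`. The same text appears on the removed side of the `@@ -827` hunk, so the defect is pre-existing and was moved rather than introduced, but this is the commit to fix it in.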
@@ -1496,8 +1861,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" @@ -1508,13 +1873,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -1526,8 +1891,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" 
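Review bot: The decode pattern `(?<=id_token: \")([^\"]+)` introduced in the `@@ -1508` hunk (and again in the next hunk for `iat`) omits the closing quote of the JSON key: a body containing `"id_token": "eyJ..."` has a `"` between `id_token` and `:`, so the lookbehind never matches, the token is never decoded and the `exp`/`iat` checks cannot pass. The sibling ID Token tests on the previous line use the working form, which should be used here too: `"decode param": "(?<=\"id_token\": \")[^\"]+"`. All of these patterns also assume exactly one space after the colon; the later access-token check uses `\\s?` for that, which is more robust provided the regex engine accepts variable-length lookbehind.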
@@ -1538,13 +1903,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1556,27 +1921,112 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "checks": [ + { + "in": "head", + "check": "Content-Type", + "is": "application/json" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "checks": [ + { + "in": "body", + "check": "token_type", + "is": "Bearer" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Resolve Entity Statement response", 
+ "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } @@ -1586,8 +2036,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" @@ -1595,18 +2045,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } @@ -1616,8 +2059,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" 
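Review bot: In the `@@ -1556` hunk the Resolve Entity Statement regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` begins with an unescaped `[`, which opens a character class rather than matching a literal bracket, so the pattern does not describe a JSON array of strings at all; it needs `\\[` at the start, and it is worth confirming that the resolve response is a bare JSON array in this deployment, since the description speaks of "resolved metadata". The `code` check `(?<=code=)[a-zA-Z0-9]+(?=&)` cannot match the UUID the description demands (hyphens are excluded) and requires a trailing `&`, so a redirect where `code` is the last query parameter fails; `(?<=code=)[0-9a-fA-F-]{36}(?=&|$)` matches the stated requirement. The Content-Type test `"is": "application/json"` is an exact comparison and will fail on the common `application/json; charset=utf-8`; a `contains` or `^application/json` regex check is safer. The JWS regex for the entity configuration uses `\\w` and allows `+`, `/` and `=`, which base64url does not use, so a `contains`-style check on `Content-Type: application/entity-statement+jwt` would be a stronger assertion than this body pattern.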
@@ -1625,18 +2068,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] + "in": "body", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } @@ -1646,27 +2082,20 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } 
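Review bot: The `$.kid` header check on the ID token removed here is replaced by a shape-only regex, and the following hunks likewise replace the ID token `acr`, `aud`, `exp`, `iat`, `iss`, `jti`, `nonce` and `sub` claim checks with UserInfo and metadata tests, so after this patch nothing visible in this file verifies the ID token's required claims. If those checks moved to another file in the same patch (the diffstat also touches All_OP.json) a pointer in the commit message would help; otherwise they should stay next to this test. The regex itself, `(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"`, accepts any `a.b.c` string and says nothing about signature or claims, so the description's "valid ID token" overstates what is checked.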
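Review bot: The UserInfo `check regex` is anchored only at the end (`…[\\w\\-]+$`), so any body whose tail happens to look like five dot-separated tokens passes regardless of what precedes it, and a five-segment match proves JWE compact serialization but not that the plaintext is a signed JWT as the test name claims. Anchor it at both ends, `^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$`, and leave the "signed" part to a decrypt-and-inspect test (the `cty` test further down is the natural place).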
@@ -1676,25 +2105,32 @@ }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30o
sFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.at_hash", - "is present": "true" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] } ] } 
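Review bot: The `jwe decrypt` value inlines a complete PKCS#8 RSA private key into the test definition, and the same PEM is pasted again in each of the following UserInfo tests, so the key now sits in git history in many copies. I cannot tell from the diff whether this is a throwaway test key or the decryption key of an RP that is actually deployed; if it is the latter it must be rotated, and either way it would be safer to keep the PEM in one fixture and have each test reference it rather than duplicating it per test. JSON offers no comment syntax to mark it as test-only, so a short note in a README next to the test files would carry that information.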
@@ -1706,25 +2142,29 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3C
VWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
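Review bot: The `enc` allow-list only makes sense against the JWE protected header, which is readable without decrypting, yet this operation also supplies `jwe decrypt`; if mig-t exposes the inner nested JWS as the decoded "jwt" once a key is given, then `"in": "header"` would read the JWS header (which has no `enc`) and the test would fail, or be vacuous if a missing value is tolerated. Confirm which header `$.enc` is evaluated against; if the outer JWE header is meant, the `jwe decrypt` entry can be dropped from this operation so the test carries no dependency on the private key.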
@@ -1736,24 +2176,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se
6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.exp", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
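Review bot: This operation adds the token selector as `"decode param": "[^\\r\\n]*"`, while the metadata hunks further down in this same patch rename the existing `decode param` keys to `decode regex` (see the `grant_types_supported` and `id_token_*` tests), so either the harness accepts both spellings or one family of tests silently decodes nothing and passes by accident. Pick one key name and use it in every UserInfo decode operation in this file, and make the check fail loudly when the selector matches nothing.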
@@ -1766,24 +2207,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se
6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iat", + "in": "header", + "check": "$.cty", "is present": "true" } ] 
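Review bot: Presence of `cty` does not show that the JWE carries a nested JWT; RFC 7519 §5.2 requires `cty` to be `JWT` for a nested token, and a JWE with `cty: text/plain` would pass this check while the test name asks for a signed and encrypted JWT. Tighten it to the value, `"check": "$.cty", "is in": ["JWT"]`, reusing the `is in` operator the `alg`/`enc` tests above already use, and adjust the description accordingly.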
@@ -1796,24 +2238,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4
CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iss", + "in": "header", + "check": "$.enc", "is present": "true" } ] 
@@ -1826,24 +2269,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se
6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.jti", + "in": "header", + "check": "$.kid", "is present": "true" } ] @@ -1856,25 +2300,29 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", - "is present": "true" + "check": "$.metadata.openid_provider.acr_values_supported[0]", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
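Review bot: The check `$.metadata.openid_provider.acr_values_supported[0]` with `is in` validates only the first array element, whereas the description says the value is checked to be all three SPID levels; an OP advertising `["https://www.spid.gov.it/SpidL1"]` alone, or `[SpidL1, "urn:unknown"]`, passes. Either add checks for `[1]` and `[2]` with the same allow-list, or compare the whole array if mig-t supports that, and make the description say what is actually verified.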
@@ -1886,25 +2334,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] } ] } 
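Review bot: `code_challenge_methods_supported[0]` being in `["S256"]` does not exclude `plain`: an OP advertising `["S256", "plain"]` passes this test while still offering a downgradable PKCE method. Since the profile mandates S256, verify that no other method is advertised, either by checking every index with the same `is in` list or, if the harness supports it, by asserting that `[1]` is absent, or else state in the description that only the first entry is verified.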
@@ -1916,30 +2366,27 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "payload", + "check": 
"$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" ] } ] 
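Review bot: The `grant_types_supported[0]` check inspects only the first element, so an OP advertising `["authorization_code", "implicit"]` passes although the description says the value must be `[refresh_token, authorization_code]`. Check every index of the array against the allow-list, or the array as a whole if the harness can compare lists, rather than `[0]` only. Note also that the UserInfo `alg` deny-list (`none`, `HS256`, `HS384`, `HS512`) these lines remove is superseded by the allow-list in the new UserInfo `alg` test, which is the stronger form.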
@@ -1952,26 +2399,28 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8
Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -1983,26 +2432,28 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8X
lg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -2014,26 +2465,28 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCo
aWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
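Review bot: `id_token_signing_alg_values_supported[0]` in `["RS256", "RS512"]` only constrains the first entry, so an OP that also advertises `HS256` or `none` later in the same array passes this test, which defeats the purpose of a signing-algorithm allow-list. Verify every element of the array (each index with `is in`, or the whole list if mig-t can compare arrays), and apply the same fix to the `id_token_encryption_alg_values_supported` and `id_token_encryption_enc_values_supported` tests in the two preceding hunks, which have the same `[0]`-only shape.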
@@ -2045,26 +2498,27 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2
uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } @@ -2076,8 +2530,8 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" 
@@ -2088,14 +2542,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -2108,8 +2563,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2120,17 +2575,14 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
+ "is in": [
+ "private_key_jwt"
 ]
 }
 ]
@@ -2143,8 +2595,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -2155,17 +2607,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -2178,8 +2628,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -2190,14 +2640,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" ] } ] @@ -2210,8 +2661,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2222,17 +2673,14 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" ] } ] @@ -2245,8 +2693,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" @@ -2262,11 +2710,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", + "check": "$.metadata.openid_provider.response_modes_supported[0]", "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" + "form_post", + "query" ] } ] 
@@ -2279,8 +2726,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
+ "name": "Does the OP metadata contain correct response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2296,9 +2743,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
+ "check": "$.metadata.openid_provider.response_types_supported[0]",
 "is in": [
- "S256"
+ "code"
 ]
 }
 ]
@@ -2311,8 +2758,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
+ "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2328,10 +2775,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported[0]",
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
 "is in": [
- "refresh_token",
- "authorization_code"
+ "private_key_jwt"
 ]
 }
 ]
@@ -2344,8 +2790,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" @@ -2361,10 +2807,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "check": "$.metadata.openid_provider.scopes_supported[0]", "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" + "openid", + "offline_access", + "profile", + "email" ] } ] @@ -2377,8 +2825,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" 
@@ -2394,10 +2842,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
+ "check": "$.metadata.openid_provider.subject_types_supported[0]",
 "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "pairwise"
 ]
 }
 ]
@@ -2410,8 +2857,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2427,10 +2874,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]",
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]",
 "is in": [
- "RS256",
- "RS512"
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -2443,8 +2890,8 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -2460,9 +2907,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", "is in": [ - "X_url_OP" + "A128CBC-HS256", + "A256CBC-HS512" ] } ] @@ -2475,8 +2923,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -2492,7 +2940,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", "is in": [ "RS256", "RS512" 
@@ -2508,27 +2956,28 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", + "check": "$.acr", "is in": [ - "form_post", - "query" + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] 
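Review bot: The relocated ID Token `acr` test only asserts membership of the three SPID levels via `"is in"`, while its description also requires the value to be "equal or superior to the acr send from the RP in the Authentication Request"; nothing in this passive check compares against the request's `acr_values`, so the description overstates what a pass proves and should be reduced to the membership claim (or the comparison implemented as a separate check). Separately, `"decode regex": "(?<=\"id_token\": \")[^\"]+"` depends on the token response being serialised with a space after the colon; a compact body like `{"id_token":"..."}` would not match and the decode step would find nothing. If the regex engine accepts a bounded-length lookbehind, `"decode regex": "(?<=\"id_token\":\\s?\")[^\"]+"` tolerates both serialisations.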
@@ -2541,8 +2990,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" @@ -2553,14 +3002,14 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" ] } ] @@ -2573,8 +3022,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
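Review bot: After this commit the file still mixes two spellings of the decode key: the new side here uses `"decode param"` (as do the hunks at +3034, +3069, +3104, +3139, +3174, +3206 and +3229) while the tests at +2465 through +2940 use `"decode regex"`. The `-`/`+` pairing in these hunks looks like an artefact of tests being reordered rather than a deliberate rename back, so this is probably an oversight. If the tool honours only one of the two keys, the negative `not contains` tests in this group would either error or silently skip the decode step and pass vacuously, which is the worse outcome for a conformance suite. Suggest normalising every occurrence to `"decode regex": "[^\\r\\n]*",` (or whichever key the current tool version reads) so the algorithm restrictions are actually exercised.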
@@ -2585,14 +3034,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] @@ -2605,8 +3057,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -2617,17 +3069,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -2640,8 +3092,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -2652,14 +3104,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] @@ -2672,8 +3127,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
@@ -2684,15 +3139,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] @@ -2705,8 +3162,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", "type": "passive", "sessions": [ "s1" @@ -2717,15 +3174,14 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" ] } ] 
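Review bot: The negative check in this hunk indexes the first element, `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]"`, yet pairs it with `"not contains"`, so a value like `["RS256", "none"]` passes even though `none` is advertised. Every sibling negative test (+3034, +3069, +3104, +3174, +3206) applies `not contains` to the unsubscripted array, which is presumably the intended form. Suggest `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",` so the whole list is inspected.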
@@ -2738,8 +3194,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -2750,15 +3206,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -2771,29 +3229,26 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - 
"https://www.spid.gov.it/SpidL3" - ] + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } 
@@ -2805,20 +3260,33 @@ }, { "test": { - "name": "Does the OP verify the HTTP method of the Revocation request", - "description": "The revocation request must be sent via HTTP POST", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz
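Review bot: The new UserInfo test embeds a complete RSA private key as the literal value of `"jwe decrypt"`, and the identical PEM block is pasted into the other JWE tests in this file, so rotating the RP's decryption key means editing every copy and the secret travels with the test definitions. The signature checks elsewhere in this file reference keys by alias (`"jwt check sig": "X_key_OP"`), so if the `jwe decrypt` operation accepts an alias the same way, a single named entry such as `"jwe decrypt": "X_key_RP_enc"` would keep the key material out of the JSON; if it cannot, the test `description` should at least state that this is the test RP's throwaway decryption key and never a production one. Separately, the description promises a failure when `alg` "is absent", but the check is only `"is not in": ["none","HS256","HS384","HS512"]`; whether `is not in` fails on a missing `$.alg` depends on the tool's semantics and is worth confirming.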
8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } @@ -2828,20 +3296,27 @@ }, { "test": { - "name": "Does the successful token response contain access token", - "description": "The Token response is analyzed and the presence of the access token is checked", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is present": "true" + } + ] } ] } 
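Review bot: The new issuer check writes `"is present": "true"` as a string, while the lines it replaces used the boolean `"is present": true`; the file now mixes both forms for the same operator. If the test runner compares the value strictly (or treats any non-empty string as truthy, so `"false"` would also mean present), the two spellings may not behave the same way, and a boolean is the unambiguous choice: `"is present": true`. Since the string form already appears in context lines of other hunks, this is a file-wide normalization rather than something only this hunk gets wrong.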
@@ -2851,20 +3326,27 @@ }, { "test": { - "name": "Does the OP issue the access tokens when requested", - "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.jwks", + "is present": "true" + } + ] } ] } 
@@ -2874,20 +3356,27 @@ }, { "test": { - "name": "Does the OP issue the expires_in in a token response", - "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "expires_in" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.signed_jwks_uri", + "is present": "true" + } + ] } ] } 
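Review bot: The description of this test says "the presence of the 'jwks' or the 'signed_jwks_uri' parameter ... There must be at least one of the two", but the only check is `"check": "$.metadata.openid_provider.signed_jwks_uri", "is present": "true"`, so an OP that publishes `jwks` inline and no `signed_jwks_uri` fails a test whose name says either is acceptable. Combined with the previous hunk, which independently requires `jwks`, the suite effectively demands both. If the check DSL has no OR across JSONPaths, either the description should be changed to match what is asserted (`"... the presence of the 'signed_jwks_uri' parameter is checked"`) or the test should be marked as a companion to the `jwks` test so a reviewer of a failed run knows which one is actually mandatory in the profile.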
@@ -2897,20 +3386,27 @@ }, { "test": { - "name": "Does the successful token response contain the ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "id_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" + } + ] } ] } @@ -2920,20 +3416,27 @@ }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" + } + ] } ] } 
@@ -2943,20 +3446,27 @@ }, { "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" + } + ] } ] } 
@@ -2966,28 +3476,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" - ] + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -2999,30 +3506,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -3034,30 +3536,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } @@ -3069,8 +3566,8 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -3086,7 +3583,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] @@ -3099,8 +3596,8 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3116,7 +3613,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.jwks", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", "is present": "true" } ] @@ -3129,8 +3626,8 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3146,7 +3643,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.signed_jwks_uri", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", "is present": "true" } ] 
@@ -3159,8 +3656,8 @@ }, { "test": { - "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3176,7 +3673,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", "is present": "true" } ] @@ -3189,8 +3686,8 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -3206,7 +3703,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_endpoint", + "check": "$.metadata.openid_provider.introspection_endpoint", "is present": "true" } ] 
@@ -3219,8 +3716,8 @@ }, { "test": { - "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3236,7 +3733,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] @@ -3249,8 +3746,8 @@ }, { "test": { - "name": "Does the OP metadata contain the contacts claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the organization_name claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3266,7 +3763,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -3279,8 +3776,8 @@ }, { "test": { - "name": "Does the OP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the policy_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3296,7 +3793,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] @@ -3309,8 +3806,8 @@ }, { "test": { - "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3326,7 +3823,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", "is present": "true" } ] 
@@ -3339,8 +3836,8 @@ }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3356,7 +3853,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", "is present": "true" } ] @@ -3369,8 +3866,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3386,7 +3883,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] 
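Review bot: In the `token_endpoint_auth_signing_alg_values_supported` hunk the description says the claim is checked "in the 'op' entity type", while the check path is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported` and every sibling test describes this as the `'openid_provider'` subclaim of `metadata`. Since these descriptions are what a tester reads when a check fails, the wording should match the path: `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' metadata type is checked."`.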
@@ -3399,8 +3896,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3416,7 +3913,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", "is present": "true" } ] @@ -3429,8 +3926,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3446,7 +3943,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "check": "$.metadata.openid_provider.claims_supported", "is present": "true" } ] 
@@ -3459,8 +3956,8 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3476,7 +3973,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", + "check": "$.metadata.openid_provider.claims_parameter_supported", "is present": "true" } ] @@ -3489,8 +3986,8 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3506,7 +4003,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.openid_provider.request_parameter_supported", "is present": "true" } ] 
@@ -3519,8 +4016,8 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3536,7 +4033,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is present": "true" } ] @@ -3549,8 +4046,8 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3566,7 +4063,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata.openid_provider.client_registration_types_supported", "is present": "true" } ] 
@@ -3579,8 +4076,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3596,7 +4093,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", "is present": "true" } ] 
@@ -3939,26 +4436,97 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check param": "Location", + "contains": "code" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check param": "Location", + "contains": "state" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check param": "Location", + "contains": "iss" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu
/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "header", - "check": "$.cty", - "is": "JWT" + "check": "$.alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
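Review bot: The three new Authentication response tests assert `"check param": "Location", "contains": "code"` (and likewise `"state"`, `"iss"`), which is a substring match on the whole redirect URL rather than a check that the named query parameter is present, although the names and descriptions say "as query parameter". Any redirect_uri path or parameter name that happens to contain those letters satisfies it (`iss` matches "issuer" or "mission", `code` matches `code_challenge` or `error_code`), and an error redirect that carries `state` but no `code` still passes the `state` test while the `code` test only fails if the word is absent entirely. The removed UserInfo status check in this file used a regex-like value under `"in": "head"` (`"check param": "HTTP/?\\d?\\.?\\d?\\s200"`), so if header checks accept a regex, anchoring on a parameter boundary such as `[?&]code=[^&#\\s]+` (and `[?&]state=`, `[?&]iss=`) would make these assertions mean what their names say. The enclosing `test` objects close inside the hunk, but the surrounding array continues past it.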
@@ -3970,21 +4538,32 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_OP"
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
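Review bot: The new `"is not in"` check on `$.alg` only rejects a header whose `alg` is one of the four listed values, while the description also declares an absent `alg` non-compliant; whether a missing key fails an `is not in` check depends on the tool and is not visible here, so a presence assertion alongside it (as the `is in` ['RS256', 'RS512'] counterpart effectively provides) would make the description and the check agree. The extraction regex `(?<=\"access_token\": \")[^\"]+` matches only when the token response body has exactly one space after the colon, so a compactly serialized body yields no token and the check silently never runs; the same regex (with `id_token`) appears in the hunks at @@ -4006 @@, @@ -4042 @@ and @@ -4066 @@. A wording fix for both new descriptions: `than the Access Token is not compliant` → `then the Access Token is not compliant`. The enclosing test object closes outside the hunk.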
@@ -3994,8 +4573,8 @@
 },
 {
 "test": {
- "name": "Does the OP correctly sign the Access Token",
- "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
+ "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header",
+ "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4006,9 +4585,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_core_OP"
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4018,21 +4608,21 @@
 },
 {
 "test": {
- "name": "Does the OP correctly sign the ID Token",
- "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_core_OP"
+ "jwt check sig": "X_key_OP"
 }
 ]
 }
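Review bot: `"jwt check sig": "X_key_OP"` verifies the Entity Configuration against a key referenced by a fixed name, whereas the description says the public key must be taken from the Entity Statement of a superior; if X_key_OP is a statically configured key, a validly signed configuration passes but the trust-chain resolution the description claims is never exercised. Either the description should say what is actually done (`the signature is validated with the pre-configured key X_key_OP`) or the check should resolve the key from the superior's Entity Statement. This test is relocated from earlier in the file; its closing braces are outside the hunk.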
@@ -4042,21 +4632,21 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Token response",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
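Review bot: The Content-Type check for the Entity Configuration response (`application/entity-statement+jwt`) is overwritten by the relocated Access Token signature test, and the next hunk at @@ -4066 @@ does the same to the UserInfo `application/jwt` check; unless both tests are re-added elsewhere in the file, the suite no longer verifies the media types an RP should see before parsing a body as a JWT. Appending the relocated signature tests as additional entries instead of replacing these two would keep that coverage. The test object's closing braces are outside the hunk.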
@@ -4066,21 +4656,21 @@
 },
 {
 "test": {
- "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
- "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Token response",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "type": "jwt",
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported-value.json
new file mode 100644
index 0000000..3fb4e7e
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported-value.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported.json
new file mode 100644
index 0000000..ca64f14
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported.json
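Review bot: The JSONPath `$.metadata.openid_provider.authorization_response_iss_parameter_supported.value` appends `.value` to a claim that, inside an Entity Configuration's `metadata` object, is a plain boolean rather than an object with a `value` member (that shape belongs to `metadata_policy`), so the path most likely selects nothing and the `"is": "true"` comparison is never made. `"check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported"` with `"is": "true"` is what the test name promises; the same `.value` path is used in the claims_parameter_supported-value and request_parameter_supported-value files. The description is copied from the presence test and only says the presence of the claim is checked; it should state that the value must be true.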
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_parameter_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_parameter_supported-value.json
new file mode 100644
index 0000000..25bc205
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_parameter_supported-value.json
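Review bot: This file selects the JWT with `"decode regex": "[^\\r\\n]*"` whereas the existing tests and the sibling -value file use `"decode param"` for the same purpose; unless the tool accepts both keys, one of the two spellings is silently ignored and the decode operation runs without a selector, so the suite should settle on one. The same `decode regex` key is used in the other presence files added here and in the client_registration_types_supported-value, request_authentication_signing_alg_values_supported-supported and token_endpoint_auth_methods_supported-value files. `"is present": "true"` is a string where `"filter messages": true` in the same file is a boolean; if the tool compares typed values, `"is present": true` is the consistent form.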
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_parameter_supported.value",
+ "is": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_parameter_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_parameter_supported.json
new file mode 100644
index 0000000..4b9b3d1
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_parameter_supported.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_parameter_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_supported.json
new file mode 100644
index 0000000..57aff11
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-claims_supported.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the claims_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-client_registration_types_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-client_registration_types_supported-value.json
new file mode 100644
index 0000000..029430d
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-client_registration_types_supported-value.json
@@ -0,0 +1,41 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.client_registration_types_supported[0]",
+ "is in": [
+ "automatic"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-client_registration_types_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-client_registration_types_supported.json
new file mode 100644
index 0000000..6f56dbe
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-client_registration_types_supported.json
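Review bot: The check reads only `client_registration_types_supported[0]`, so an OP advertising `["explicit", "automatic"]` fails although automatic registration is supported, while any type listed after the first element is never inspected; the same index-0 pattern is used for `token_endpoint_auth_methods_supported[0]` in the token_endpoint_auth_methods_supported-value file, where a second, weaker client authentication method would go unreported. Checking the array itself — `"check": "$.metadata.openid_provider.client_registration_types_supported"` with a `contains`/`not contains` pair, or the `json schema compliant` form with `items` restricted to the allowed values — expresses the intended rule. The description is copied from the presence test and does not say which value is required.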
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-logo_uri-type.json
index a644d7f..42fd48d 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-logo_uri-type.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-logo_uri-type.json
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"logo_uri\"]})"
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
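Review bot: The new `pattern` `^(https?://).*\.svg$` in the logo_uri-type hunk accepts `http://` logo URIs, so a logo served over plaintext HTTP passes this type check; if the profile requires HTTPS for federation entity metadata, `^https://.*\.svg$` is the stricter form. `format: uri` is an annotation by default in JSON Schema and only enforced when the validator opts in, so the pattern is effectively the only constraint on the value here. The enclosing check list continues outside the hunk.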
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_methods_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_methods_supported-value.json
new file mode 100644
index 0000000..8d47bd4
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_methods_supported-value.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
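Review bot: The schema `{"type": "object", "additionalProperties": {"type": "array", "items": {...}}}` has no `required` and no `minProperties`, and the array schema has no `minItems`, so an empty object `{}` or `{"authorization_endpoint": []}` satisfies it and the test reports a correct value while no request authentication method is actually advertised. Adding `"required": ["authorization_endpoint"]` and `"minItems": 1` (and `"additionalProperties": false` if only that endpoint is expected) pins the shape the test name promises. The description is copied from the presence test and does not say which value is required.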
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_methods_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_methods_supported.json
new file mode 100644
index 0000000..82e7eec
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_methods_supported.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-not_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-not_supported.json
new file mode 100644
index 0000000..4ef43e9
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-not_supported.json
@@ -0,0 +1,44 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-supported.json
new file mode 100644
index 0000000..f34adaf
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-supported.json
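Review bot: `not contains` is applied to `request_authentication_signing_alg_values_supported[0]` only, so a list such as `["RS256", "HS256"]` or `["RS256", "none"]` passes this test and also the `is in` test in the -supported file, which likewise inspects index 0, leaving a weak algorithm advertised in any later position undetected. The token_endpoint_auth_signing_alg_values_supported-not_supported file checks the whole array, which is the form to use here: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`. The -supported counterpart needs a whole-array check that every element is in ['RS256', 'RS512'] (for example the `json schema compliant` form with an `items`/`enum` constraint) rather than a look at the first element.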
@@ -0,0 +1,42 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported.json
new file mode 100644
index 0000000..cdfd6b5
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_parameter_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_parameter_supported-value.json
new file mode 100644
index 0000000..65ac2a0
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_parameter_supported-value.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_parameter_supported.value",
+ "is": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_parameter_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_parameter_supported.json
new file mode 100644
index 0000000..c102512
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-request_parameter_supported.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_parameter_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported-value.json
new file mode 100644
index 0000000..159b4aa
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported-value.json
@@ -0,0 +1,41 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
+ "is in": [
+ "private_key_jwt"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported.json
new file mode 100644
index 0000000..83480f1
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported.json
new file mode 100644
index 0000000..1de7c21
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported.json
@@ -0,0 +1,44 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported.json
new file mode 100644
index 0000000..ccb144f
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported.json
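Review bot: This decode operation uses `"decode param": "[^\\r\\n]*"` where every sibling test added in this commit uses `"decode regex"` for the same body-extraction regex, and elsewhere in the same commit `decode param` carries a JSONPath such as `$.trust_marks[0].trust_mark`. If mig-t treats the two keys differently, the regex will not be applied and the `not contains` check that rejects `none`/`HS256`/`HS384`/`HS512` — the one security-relevant negative assertion in this group of files — may never run or may fail for an unrelated reason. Suggest `"decode regex": "[^\\r\\n]*"` to match the siblings, and verifying the test by pointing it at an OP that advertises `HS256` so that it is seen to fail.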
@@ -0,0 +1,42 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported.json
new file mode 100644
index 0000000..ad09e2c
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported.json
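Review bot: The check reads only `token_endpoint_auth_signing_alg_values_supported[0]`, so an OP that lists `RS256` first and an unexpected algorithm second still passes, while the description claims the value "is checked to be ['RS256', 'RS512']". An `is in` on index 0 cannot express "every advertised algorithm is allowed", so this test silently depends on the companion not_supported file to reject `none`/HS*; that split should at least be stated in the description, e.g. `"... the first entry of token_endpoint_auth_signing_alg_values_supported is checked to be one of ['RS256', 'RS512']; forbidden algorithms are covered by the not_supported test."`. If mig-t offers an allowed-list check over a whole array, prefer pointing the check at `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported` without the index.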
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
index 04d9176..4dd45a3 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
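Review bot: The description says the claim is checked in the `'op'` entity type, but the JSONPath is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, and the sibling presence tests in this commit describe the same location as the `'openid_provider'` entity type. Suggest `"... presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked."` so the description matches the path actually inspected.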
@@ -7,20 +7,1788 @@ "tests": [ { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the 
presence of the email claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the id claim", + 
"description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": 
"organization_name", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + 
"type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must 
be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does 
the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": 
"jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. 
So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] + } + ] 
+ } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": 
[ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is 
checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + 
"description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA SA", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the iss parameter", + 
"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity 
configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.constraints", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Federation Configuration contain the TA public keys", + "description": "The Federation configuration must contain, among others, the TA public keys. 
To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_mark_issuers", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.constraints", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.constraints", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -30,20 +1798,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_url_RP" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -53,20 +1828,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
@@ -76,20 +1858,27 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" + } + ] } ] } 
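Review bot: The description of the new `metadata_policy` test ends with "It must be a JSON Object", but the check only asserts `"is present": "true"`, so a `metadata_policy` valued as a string, number or `null` passes. The same file already expresses this kind of requirement with a schema check for `metadata`, so the consistent fix is to replace the presence check with `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`. If the tool is expected to keep presence and type as separate tests, drop the "It must be a JSON Object" sentence from this description instead so the name and the check agree.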
@@ -99,20 +1888,27 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -122,20 +1918,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } 
@@ -145,20 +1948,134 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", "checks": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration TA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_TA" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -168,20 +2085,20 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response TA", "checks": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
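Review bot: The check in `Does the TA's metadata policy for an RP contain the jwks parameter` reads `$.jwks` at the top level of the Entity Statement payload, while the name and description say the `jwks` inside `metadata_policy` for the `openid_relying_party` type is what must be present; as written this test never inspects the policy and is a duplicate of the `jwks parameter` presence test added in the hunk before it. Change the check to `"check": "$.metadata_policy.openid_relying_party.jwks"`, or, if the profile actually wants the RP's OIDC Core keys as a `metadata` override rather than a policy, `$.metadata.openid_relying_party.jwks`, and align the description with whichever is intended. Separately, the Content-Type test in this hunk uses an exact `"is"` match against `application/entity-statement+jwt`, so a server appending a parameter such as `; charset=utf-8` would be flagged; that is probably fine for a conformance suite, but it is worth stating in the description so a failure is read correctly.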
@@ -191,20 +2108,28 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" + } + ] } ] } 
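Review bot: The signature check `"jwt check sig": "X_key_TA"` on `$.trust_marks[0].trust_mark` assumes the first Trust Mark in the OP's Entity Statement was issued (and therefore signed) by the TA itself; a Trust Mark is signed by its issuer, and this same patch adds a test expecting the TA to advertise separate `trust_mark_issuers`, so a mark issued by another issuer would fail here without being a defect. Only index 0 is verified, so any further marks are never checked. Suggest either documenting the assumption in the description, e.g. `assumes trust_marks[0] was issued by the TA (iss == TA); marks from other issuers must be verified against that issuer's jwks`, or, if the tool supports it, first checking the mark's payload `iss` against `X_url_TA` before verifying with `X_key_TA`.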
@@ -214,20 +2139,28 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" + } + ] } ] } 
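Review bot: The test name `Does the TA correctly sign the issued Trust Mark` is byte-identical to the name of the test in the preceding hunk, which targets `Entity Statement response TA OP` while this one targets `Entity Statement response TA RP`; if the tool reports or keys results by name, the two outcomes become indistinguishable in the output. Rename this one, e.g. `"name": "Does the TA correctly sign the Trust Mark issued to the RP"`, and the previous one analogously for the OP. The same caveat as for the OP variant applies: verifying `$.trust_marks[0].trust_mark` with `X_key_TA` presumes the first mark's issuer is the TA, which the description should state.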
@@ -237,15 +2170,15 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -254,8 +2187,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
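Review bot: The renamed test claims a "correct exp parameter", but the schema `{"exp": {"type": "integer", "minimum": 0}}` only pins the type, so an Entity Configuration that expired long ago, or whose `exp` precedes its `iat`, still passes, and the description in the first hunk on this line still says only that "the presence of the exp parameter is checked". If mig-t cannot compare against the current time, make the description honest about the scope, e.g. `the exp parameter is checked to be a non-negative integer; freshness against the current time and ordering against iat are not verified by this test`; if it can, add that comparison, since an expired configuration is exactly the case a federation verifier must reject.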
@@ -267,20 +2200,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
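Review bot: As with the `exp` test before it, this hunk's name promises a "correct iat parameter" while the description says only that presence is checked and the schema only enforces a non-negative integer; an `iat` set in the future would pass. Update the description to match the check, e.g. `the iat parameter is checked to be a non-negative integer (its relation to the current time is not verified here)`, or add the time comparison if the tool supports one.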
@@ -290,20 +2230,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] } ] } 
@@ -313,20 +2260,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] } ] } 
@@ -336,20 +2290,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } 
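Review bot: The added schema lists all six metadata types under `\"required\"`, so a TA Entity Configuration that publishes only `federation_entity` (the usual case for a Trust Anchor) fails this test, which contradicts the description's "must be a value among the following". The allow-list is already expressed by `\"additionalProperties\": false`; the `required` array should be dropped, leaving `{\"type\": \"object\", \"properties\": { ...the six types... }, \"additionalProperties\": false}`. Separately, "only once for each" cannot be verified by a schema check on the decoded payload, because duplicate keys are collapsed by the JSON parser before the schema sees them; the description should not promise it.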
@@ -359,20 +2320,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" + } + ] } ] } 
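Review bot: The outer `\"required\": [\"constraints\"]` in the added schema is placed inside the `properties` object rather than at the top level, so it is read as a property named `required` with a non-schema value and `constraints` is never actually required; an Entity Configuration without `constraints` passes this test. The closing braces need to move one level: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}}, \"required\": [\"constraints\"]}"`. While touching it, `\"max_path_length\": {}` accepts any type; OpenID Federation defines it as a non-negative integer, so `{\"type\": \"integer\", \"minimum\": 0}` would check what the name implies.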
@@ -382,20 +2350,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + } + ] } ] } 
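Review bot: The test name and description say `trust_mark_issuers` "must be a JSON Array", but the added schema requires a JSON object whose values are arrays (`\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}`). The schema is the one that matches OpenID Federation, where `trust_mark_issuers` maps each Trust Mark identifier to an array of Entity Identifiers, so the prose should be corrected rather than the check, e.g. `"name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Object of arrays"` and a description stating that each member value must be a JSON array of issuer Entity Identifiers.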
@@ -405,20 +2380,27 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
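Review bot: The JSONPath in the added check is `$.metadata_policy.intermediary.acr_values_supported`, while the name and description say the parameter is checked "inside the openid_provider type"; `intermediary` is not an OpenID Federation entity type, so on a real TA Entity Statement this path resolves to nothing and the test cannot pass. The same `intermediary` path is used in the hunks at L1211, L1212, L1213, L1214, L1217, L1221, L1222, L1223, L1224, L1225 and L1226. The added schema also requires both `subset_of` and `superset_of`, whereas the description says only the key `subset_of` must be present; one of the two should be changed, presumably `\"required\": [\"subset_of\"]`, and the description should name whichever operators the TA policy is expected to publish.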
@@ -428,20 +2410,27 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + } + ] } ] } 
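Review bot: The description states the policy entry "must contain the key 'one_of' and it must be valued as ['true']", but the added schema checks a `value` operator with `{\"const\": true}`; these are different policy operators and the test will fail against a TA that publishes the form the description promises (and vice versa). The same description/schema disagreement appears in the hunks at L1210, L1216, L1220 and L1227. Whichever operator the TA is expected to use, the description should be rewritten to match the schema, for example `"description": "... the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'value' set to the boolean true"`; note that a boolean `true` and the string `'true'` are different values under `const`.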
@@ -451,25 +2440,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + "check": "$.metadata_policy.openid_provider.client_registration_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" } ] } 
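Review bot: The added schema checks `\"subset_of\": {\"const\": \"automatic\"}`, but in OpenID Federation the value of the `subset_of` operator is always an array, so a spec-conformant policy such as `{"subset_of": ["automatic"]}` never satisfies this `const` and the test cannot pass. The schema should constrain the array instead, e.g. `\"subset_of\": {\"type\": \"array\", \"items\": {\"const\": \"automatic\"}, \"minItems\": 1}`, or use `{\"const\": [\"automatic\"]}` if the exact array is required. The description still says `one_of` valued as `['automatic']`; it should name the operator the schema actually checks.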
@@ -481,25 +2470,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "check": "$.metadata_policy.intermediary.grant_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -511,15 +2500,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -528,8 +2517,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -541,15 +2530,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -558,8 +2547,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -571,15 +2560,15 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -588,8 +2577,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -601,25 +2590,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
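Review bot: The added description for the `request_authentication_methods_supported` test appears to contain a raw line break between "is checked. " and "It must contain", which is a control character inside a JSON string and is rejected by a strict parser; if the break is really in the file it should become a space or `\n`, and if it is only a rendering artifact this can be ignored. The schema checks `\"value\": {\"const\": \"request_object\"}`, but in OpenID Federation `request_authentication_methods_supported` is a JSON object keyed by endpoint name (e.g. `authorization_endpoint`) whose values are arrays of method names, so a TA publishing the per-endpoint object form will fail this `const`; something like `\"value\": {\"type\": \"object\", \"properties\": {\"authorization_endpoint\": {\"type\": \"array\", \"items\": {\"const\": \"request_object\"}}}}` would match that shape. The description also says `one_of` while the schema checks `value`.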
@@ -631,25 +2620,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -661,25 +2650,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
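Review bot: The added check path is `$.metadata_policy.openid_provider.request_parameter_supported`, but the test name and description are about `request_object_signing_alg_values_supported`, so the schema is evaluated against the wrong policy entry; the path should be `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`. This test also has exactly the same `name` as the one added in the next hunk (L1219), which makes results indistinguishable in a report; one of them should be renamed, e.g. this one to `"... request_object_signing_alg_values_supported parameter key"` since it only checks operator presence.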
@@ -691,25 +2680,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
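Review bot: The added `json schema compliant` string ends with ` [\"RS256\", \"RS512\"]` appended after the schema's closing brace, so the string is not a single JSON document and the check cannot be evaluated as a schema at all. It looks like the intended constraint from the description ("'subset_of' valued as ['RS256', 'RS512']") was pasted next to a copied schema instead of into it; the check should read `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"` (the current path points at `request_parameter_supported`) and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}}, \"required\": [\"subset_of\"]}"`. Use `{\"const\": [\"RS256\", \"RS512\"]}` instead of the `items`/`enum` form only if the exact, order-sensitive array is required.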
@@ -721,25 +2710,25 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -751,15 +2740,15 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -768,8 +2757,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -781,25 +2770,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -811,25 +2800,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -841,25 +2830,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -871,25 +2860,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -901,25 +2890,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -931,25 +2920,25 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
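Review bot: The description and the check disagree on which policy operator is expected: the description says `It must contain the key 'one_of' and it must be valued as ['true']`, but the `json schema compliant` schema requires a `value` key whose constant is the boolean `true`. One of the two should be corrected so the test documents what it actually enforces; if `value` is the intended operator, reword the description's last sentence to `It must contain the key 'value' and it must be set to true`.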
@@ -961,25 +2950,25 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter",
- "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.client_id",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -991,25 +2980,25 @@
 },
 {
 "test": {
- "name": "Does the JWT header of the Authentication Request contain the kid parameter",
- "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
- "is present": "true"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
 }
 ]
 }
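Review bot: The `json schema compliant` string added in this hunk is not valid JSON: `\"required\": [\"subset_of\"], [\"superset_of\"]` places a bare array after the comma where a property name is expected, so the embedded schema will fail to parse and the SA grant_types test cannot enforce anything. The RP grant_types test in the previous hunk uses the correct form; change the tail of the schema to `\"required\": [\"subset_of\", \"superset_of\"]}`.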
@@ -1021,27 +3010,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
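Review bot: The new check only applies a JWS-shaped regex to the body, while the description promises a Federation Metadata in JOSE format with `Content-Type: application/entity-statement+jwt`; nothing in the operation inspects the Content-Type header, so a JSON or HTML body that happens to contain a dotted token-like substring would still pass. If the harness supports header checks, add one for the content type; otherwise narrow the description to what is actually verified. Note also that `[\\w=]+` does not admit `-`, which belongs to the base64url alphabet, so the header and payload groups can only match a fragment of a segment rather than a whole token. The same body-only regex is reused in the entity statement and fetch entity statement hunks that follow.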
@@ -1051,27 +3033,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
- {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.nonce",
- "is present": "true"
- }
- ]
+ "message type": "Entity Listing response",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
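Review bot: The description of the entity listing test still refers to the `resolve entity statement endpoint`, which is the wording of the later resolve test, while the name and the `Entity Listing response` message type say this exercises the list endpoint. Reword the first sentence to `In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request to the entity's list endpoint is done.` so the description matches the check.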
@@ -1081,27 +3056,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA correctly release the Entity statements",
+ "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Entity Statement response TA OP",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.prompt",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
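Review bot: This test and the one in the next hunk (message type `Entity Statement response TA RP`) carry the identical `name` `Does the TA correctly release the Entity statements` and an identical description, differing only in message type; if the harness or its reports key tests by name, the OP and RP results become indistinguishable. The same duplication occurs in the two `Does the Entity expose the fetch entity statement endpoint` tests further down. Suggest distinguishing them, e.g. `"name": "Does the TA correctly release the Entity statement for the OP",` here and an RP counterpart in the next hunk.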
@@ -1111,27 +3079,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",
+ "name": "Does the TA correctly release the Entity statements",
+ "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Entity Statement response TA RP",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.redirect_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1141,27 +3102,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Fetch Entity Statement response TA OP",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.response_type",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1171,27 +3125,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain the 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Fetch Entity Statement response TA RP",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.scope",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1201,27 +3148,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
+ "name": "Does the TA publish the federation public key history",
+ "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Public Keys History response",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.state",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
@@ -1231,27 +3171,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.ui_locales",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
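Review bot: The `check regex` in this hunk starts with an unescaped `[`, unlike the `\\[` used by the entity listing and public key history tests, so the leading bracket opens a character class and the pattern degenerates into a match on a handful of characters followed by `]` at end of input; the check will pass on almost any response and does not verify a JSON list of identifiers. Change it to `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",`. Since the description says the response contains the resolved metadata rather than a list, also confirm which response shape the resolve endpoint is expected to return before settling on this regex.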
@@ -1261,25 +3194,27 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1291,15 +3226,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1308,8 +3243,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
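Review bot: The new check reads `id_token_signing_alg_values_supported.one_of`, whereas the description says the forbidden algorithms must be absent from the key `subset_of`, and the request_authentication_signing_alg_values_supported test in the next hunk reads `.subset_of`; the OP denylist tests in this file therefore do not agree on which policy operator carries the algorithm list. These checks are what keep `none` and the HS* algorithms out of the federation's policy, and a `not contains` evaluated against a key the policy does not use may pass vacuously depending on how the harness treats a missing path, which would be a silent false negative. Pick the operator the TA actually emits for list-valued `*_values_supported` metadata, use it consistently across the id_token, userinfo, request_authentication and token_endpoint_auth tests, and align each description with it.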
@@ -1321,15 +3261,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1338,8 +3278,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1351,15 +3296,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1368,8 +3313,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1381,15 +3328,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1398,8 +3345,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1411,15 +3363,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1428,8 +3380,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1441,15 +3398,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1458,8 +3415,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1471,15 +3430,15 @@
 },
 {
 "test": {
- "name": "Does the RP's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1488,8 +3447,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1501,25 +3465,27 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the aud claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1531,25 +3497,30 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the exp claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1561,25 +3532,27 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the iat claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1591,25 +3564,30 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the jti claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1621,25 +3599,27 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the sub claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1651,25 +3631,30 @@
 },
 {
 "test": {
- "name": "Does the JWT payload contain 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1681,27 +3666,25 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the Entity's metadata contain the contacts parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } @@ -1713,15 +3696,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
@@ -1730,10 +3713,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] + "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "is present": "true" } ] } @@ -1745,15 +3726,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1762,11 +3743,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] + "check": "$.metadata.federation_entity.federation_list_endpoint", + "is present": "true" } ] } 
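Review bot: The new `$.metadata.federation_entity.federation_fetch_endpoint` check only asserts that the key exists, so a TA advertising a plain `http://` or otherwise malformed URL passes, even though the fetch endpoint is where subordinate statements — and thus the trust chain — are retrieved. If mig-t's check grammar accepts a regex against a decoded path (the removed url checks used `"check regex"`), a companion check such as `"check regex": "^https://"` on the same path would cover the value; otherwise a second test with an explicit expected prefix is worth adding. The same presence-only limitation applies to the list, resolve and trust-mark-status endpoint tests in the following hunks.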
@@ -1778,15 +3756,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1795,11 +3773,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } @@ -1811,15 +3786,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
@@ -1828,11 +3803,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } @@ -1844,15 +3816,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the Entity's metadata contain the homepage_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1861,11 +3833,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } @@ -1877,15 +3846,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the Entity's metadata contain the logo_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
@@ -1894,10 +3863,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } @@ -1909,15 +3876,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Entity's metadata contain the organization_name parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1926,11 +3893,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } 
@@ -1942,15 +3906,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Entity's metadata contain the policy_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1959,11 +3923,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } @@ -1975,15 +3936,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
@@ -1992,11 +3953,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.constraints.max_path_length", + "is present": "true" } ] } @@ -2008,15 +3966,15 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2025,10 +3983,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "is present": "true" } ] } 
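Review bot: The `$.constraints.max_path_length` check accepts any value, so the test only proves the key is present and not that the TA actually bounds the chain length as the target profile expects; if that profile fixes a specific value, a companion check with the expected number is the real compliance assertion. It is also worth confirming how the tool's `"is present"` treats a numeric `0`, since a truthiness-based implementation would report a legitimate `max_path_length: 0` as missing.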
@@ -2040,20 +3996,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "is present": "true" + } + ] } ] } 
@@ -2063,20 +4026,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ - { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", + "is present": "true" + } + ] } ] } 
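Review bot: The description says `claims_parameter_supported` must contain the key `'one_of'`, but the check reads `$.metadata_policy.openid_provider.claims_parameter_supported.value`, so the text documents a different operator than the one asserted. Since this parameter is a boolean, `value` is the operator that makes sense, so the description should end with `It must contain the key 'value'`.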
@@ -2086,20 +4056,27 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" + } + ] } ] } 
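Review bot: This test is named and described as a presence check for `client_registration_types_supported`, yet its path already descends into `.subset_of`, which makes it byte-identical to the "correct key" test in the next hunk; the two tests can never disagree. Following the pattern of the other presence tests in this commit, the check should stop at the parameter itself, `"check": "$.metadata_policy.openid_provider.client_registration_types_supported"`, so that a policy using a different operator is still reported as present here and caught only by the key test.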
@@ -2109,20 +4086,27 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" + } + ] } ] } 
@@ -2132,20 +4116,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is present": "true" + } + ] } ] } 
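Review bot: The check path uses the `intermediary` metadata type, `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`, while the name, description and message type all refer to the TA's policy for an OP under `openid_provider`; as written the test inspects a different branch of the policy than it claims to. Unless an OP statement is expected to carry an `intermediary` policy, the path should read `$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of`, otherwise a PKCE-method policy that is absent or wrong under `openid_provider` goes unnoticed.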
@@ -2155,20 +4146,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "is present": "true" + } + ] } ] } 
@@ -2178,20 +4176,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "is present": "true" + } + ] } ] } 
@@ -2201,20 +4206,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "is present": "true" + } + ] } ] } 
@@ -2224,20 +4236,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "is present": "true" + } + ] } ] } 
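Review bot: The description promises the `'one_of'` key for `request_parameter_supported`, but the check asserts `$.metadata_policy.openid_provider.request_parameter_supported.value`. For a boolean parameter `value` is the sensible operator, so the wording should be corrected to `It must contain the key 'value'` rather than the path changed.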
@@ -2247,20 +4266,27 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is present": "true" + } + ] } ] } 
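Review bot: Both halves of the check disagree with the description: the path is `$.metadata_policy.intermediary.response_types_supported.subset_of`, while the text says the parameter lives under `openid_provider` and must carry `'one_of'`. `response_types_supported` is array-valued, so `subset_of` is the plausible operator and the description should say so; the metadata type, however, should presumably be `openid_provider` to match the OP entity statement this test fetches, i.e. `$.metadata_policy.openid_provider.response_types_supported.subset_of`.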
@@ -2270,20 +4296,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is present": "true" + } + ] } ] } 
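Review bot: The check reads `$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of` although the test is described as an `openid_provider` policy check requiring `'one_of'`. The auth-methods list is array-valued, so `subset_of` is the right operator and the description should be updated; the `intermediary` segment looks like a copy-over from the SA tests and should presumably be `openid_provider`, otherwise a weak or missing revocation-endpoint auth policy for OPs is never examined.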
@@ -2293,20 +4326,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is present": "true" + } + ] } ] } 
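Review bot: As in the two preceding tests, the path `$.metadata_policy.intermediary.subject_types_supported.subset_of` targets the `intermediary` type and the `subset_of` operator while the description refers to `openid_provider` and `'one_of'`. `subject_types_supported` is an array, so keep `subset_of` and fix the description; change the type segment to `openid_provider` unless the intent really is to inspect an intermediary policy inside an OP statement.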
@@ -2316,20 +4356,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is present": "true" + } + ] } ] } 
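Review bot: The check path starts with `$..metadata_policy...` — recursive descent — unlike every other check in this commit, which uses `$.metadata_policy...`. Recursive descent matches a `metadata_policy` object anywhere in the payload, so a nested or unrelated occurrence could satisfy the test; it should be `$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`. The name and description also omit that the `subset_of` key is what is actually asserted, so the description should say `It must contain the key 'subset_of'`.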
@@ -2339,20 +4386,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "is present": "true" + } + ] } ] } 
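Review bot: The description requires the `'one_of'` key for `authorization_response_iss_parameter_supported`, but the check asserts `.value`. Because the parameter is a boolean, `value` is the operator that fits, so the text should be changed to `It must contain the key 'value'` to match the assertion.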
@@ -2362,20 +4416,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
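Review bot: The check asserts `$.jwks`, the top-level key set of the subordinate statement, while the name and description say the `jwks` parameter is looked up inside the `openid_provider` metadata policy — and the description additionally talks about the "RP JWKS" in a test about an OP. The top-level `jwks` is what the TA attests as the subject's federation signing keys, so a presence check there is meaningful but is a different test than the one documented; either change the path to `$.metadata_policy.openid_provider.jwks` if a policy entry is intended, or rename the test to something like `Does the TA's entity statement for an OP contain the jwks parameter` and rewrite the description accordingly. Either way, presence alone does not validate the keys, which the description should not imply.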
@@ -2385,20 +4446,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is present": "true" + } + ] } ] } 
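Review bot: The description says `client_registration_types` must contain the key `'one_of'`, but the check walks `$.metadata_policy.openid_relying_party.client_registration_types.subset_of`. RP `client_registration_types` is an array, so `subset_of` is the appropriate operator and the description should read `It must contain the key 'subset_of'`.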
@@ -2408,20 +4476,27 @@ }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is present": "true" + } + ] } ] } 
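Review bot: The description states the `'subset_of'` key is required for `id_token_encrypted_response_alg`, but the assertion targets `.one_of`. This is a single-valued registration parameter, so `one_of` is the plausible operator; update the description to `It must contain the key 'one_of'` so the documented intent matches what is verified.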
@@ -2431,20 +4506,27 @@ }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is present": "true" + } + ] } ] } 
@@ -2454,20 +4536,27 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "is present": "true" + } + ] } ] } 
@@ -2477,20 +4566,27 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "grant_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is present": "true" + } + ] } ] } 
@@ -2500,20 +4596,27 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "is present": "true" + } + ] } ] } 
@@ -2523,20 +4626,27 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is present": "true" + } + ] } ] } 
@@ -2546,33 +4656,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is present": "true" } ] } 
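Review bot: The description string of this test appears to be split across two physical lines, with a line break after "is checked." and before "It must contain the key 'subset_of'"; if that is a literal newline in the file rather than an artifact of how the diff was rendered, the string is invalid JSON (unescaped control characters are not allowed inside strings) and a strict parser will reject the entire test file. Every sibling test keeps the same sentence on one line, so the fix is to join the two fragments, `… inside the openid_relying_party type is checked. It must contain the key 'subset_of'",`. If a line break inside the description is genuinely wanted, it has to be written as `\n`.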
@@ -2584,28 +4686,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is present": "true" } ] } 
@@ -2617,32 +4716,25 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is present": "true" } ] } 
@@ -2654,30 +4746,25 @@
 },
 {
 "test": {
- "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request",
- "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
- {
- "from": "url",
- "decode param": "request",
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
 }
 ]
 }
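Review bot: The check path names the wrong entity type: the test name, the description ("inside the intermediary type") and the message type all say this is the SA policy, and every other SA hunk checks `$.metadata_policy.intermediary.…`, but this one asserts `$.metadata_policy.openid_relying_party.response_types.value`, which looks like a leftover from the RP copy of the test. It should read `"check": "$.metadata_policy.intermediary.response_types.value"`. As written, the SA test silently passes or fails on whatever the RP section of the policy contains, so a missing `response_types` policy for intermediaries would go unnoticed.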
@@ -2689,15 +4776,15 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2706,7 +4793,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -2719,15 +4806,15 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2736,7 +4823,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -2749,15 +4836,15 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2766,7 +4853,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -2779,15 +4866,15 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2796,7 +4883,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -2809,15 +4896,15 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2826,7 +4913,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -2839,15 +4926,15 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2856,7 +4943,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -2869,15 +4956,15 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2886,7 +4973,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
@@ -2899,25 +4986,32 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
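Review bot: This test and the next one (ipa_code for public organizations) both decode `$.trust_marks[0].trust_mark` from the same "Entity Statement response TA OP" message and impose mutually exclusive requirements on `id_code` (fiscal_number or vat_number here, ipa_code there), so for any single OP at least one of the two passive tests must fail unless the tool treats them as alternative profiles rather than independent checks; if that is not the case, the two schemas should be merged into one `anyOf` or each test gated on the organization type. Selecting the trust mark by index 0 also assumes the relevant one is first; an entity carrying several trust marks may have the wrong one inspected, and the same assumption is made by every trust-mark hunk that follows. The descriptions say the trust mark is "decrypted", but the operation is a `"type": "jwt"` decode of a signed token, so "decoded" would describe what actually happens.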
@@ -2929,25 +5023,32 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } + ] } ] } 
@@ -2959,25 +5060,32 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
@@ -2989,25 +5097,32 @@ }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } + ] } ] } 
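Review bot: The test name and description say the Trust Mark under test is the oauth_resource one issued for an AA, but the message type is `"Entity Statement response TA OP"` and the trust mark is taken from `$.trust_marks[0]`, so the schema is applied to the OP's first trust mark rather than an AA's; the policy_uri hunk further down has the same mismatch. If the tool knows an AA counterpart of this message type that is presumably what was intended, otherwise the name and description should say OP. Separately, `\"additionalProperties\": {\"type\": \"object\"}` under `claims` enforces an object whose values are objects, while the description says "a list of JSON Objects" — the text and the schema should agree on whether `claims` is an array or a map.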
@@ -3019,25 +5134,32 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the organization_name claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ }
+ ]
 }
 ]
 }
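Review bot: The embedded schema spells the keyword as `\"required \"` with a trailing space, so a JSON Schema validator treats it as an unknown keyword and ignores it; the test therefore passes when `email` is absent altogether and only checks the type when the claim happens to be present. It should be `\"required\":[\"email\"]`. Note also that `\"format\": \"email\"` is an annotation by default in JSON Schema and is only asserted when the validator enables format checking, so confirm the tool's validator does, otherwise the test only verifies that `email` is a string.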
@@ -3049,25 +5171,32 @@ }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] } ] } 
@@ -3079,25 +5208,32 @@ }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -3109,25 +5245,32 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } 
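Review bot: The description says logo_uri "has to be an URL", but `\"format\": \"uri-reference\"` also accepts relative references and the empty string, and the ref test below uses `\"format\": \"uri\"` for the same requirement; the policy_uri hunk has the same looseness. Using `\"format\": \"uri\"` in both would match the description and the sibling test. Independently of which format is chosen, `format` is annotation-only in JSON Schema unless the validator is configured to assert it, so confirm that the tool's validator enforces formats; if it does not, these three tests only check that the claim is a string.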
@@ -3139,25 +5282,32 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
 }
 ]
 }
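Review bot: The embedded schema is broken by stray whitespace: every keyword and value carries a trailing space (`\"type \"`, `\"properties \"`, `\"organization_name \"`, `\"enum \"`, `\"required \"`, `\"object \"`, `\"string \"`) and several values are preceded by `\u00a0`, which decodes to a non-breaking space that is not JSON whitespace, so the inner schema either fails to parse or, if the validator is lenient, contains only unknown keywords and accepts any payload, including one with no organization_name at all. A cleaned version is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`. Whether the `enum` of 'private'/'public' should be reinstated is unclear: those values read like an organization type rather than a name, and the test name only promises a type check, so confirm against the profile before restoring it.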
@@ -3169,25 +5319,32 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
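Review bot: The description says this checks a Trust Mark issued for an AA (oauth_resource profile), but `message type` is `Entity Statement response TA OP`, so the decoded statement is the one the TA issues for the OP and the AA's Trust Mark is presumably never inspected. Either the message type should name the AA's entity statement, if the harness has such a message, or the description should say OP; the same mismatch appears in +5393 and +5467 (TA OP) and in +5652, +5874, +5948 and +6022 (TA RP). Because policy_uri is listed under `required`, an OP or RP whose Trust Mark legitimately omits it would fail this test, which is worth confirming against the profile this suite targets.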
@@ -3199,25 +5356,32 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
@@ -3229,21 +5393,34 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_RP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] + } + ] } ] } 
@@ -3253,21 +5430,34 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "jwt check sig": "X_key_core_RP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] + } + ] } ] } 
@@ -3277,22 +5467,33 @@ }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] + } ] } ] 
@@ -3303,29 +5504,31 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
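Review bot: The id_code schema sets `"additionalProperties": {"type": "object"}`, which requires every member of id_code to itself be an object, yet +5615 expects `id_code.ipa_code` to be a string and +5578 expects fiscal_number or vat_number there; an id_code such as `{"ipa_code": "..."}` therefore fails this hunk while passing those. The description only asks that id_code is a JSON Object, so the inner constraint should go: `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`. The +6059 hunk carries the identical schema and needs the same correction.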
@@ -3338,26 +5541,31 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
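Review bot: The description restricts this test to a Trust Mark issued for a public entity, but the schema unconditionally requires `ipa_code`, so against a private entity's Trust Mark the test reports a failure rather than being inapplicable. If the validator behind `json schema compliant` supports draft-07 conditionals, the schema can select on organization_name: `{"type": "object", "if": {"properties": {"organization_name": {"const": "public"}}, "required": ["organization_name"]}, "then": {"properties": {"id_code": {"type": "object", "required": ["ipa_code"]}}, "required": ["id_code"]}}`; otherwise the limitation should be stated in the description. The private-entity test at +5578 and the ipa_code type test at +5615 have the same gap. Also note that `"ipa_code": {}` here accepts any type, including null, so presence is all this hunk establishes; the string type is only pinned at +5615.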
@@ -3370,29 +5578,31 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -3405,21 +5615,34 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] + } + ] } ] } 
@@ -3429,20 +5652,34 @@ }, { "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check": "Content-Type", - "is": "application/json" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } + ] + } + ] } ] } 
@@ -3452,20 +5689,34 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "token_type", - "is": "Bearer" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } + ] + } + ] } ] } 
@@ -3475,31 +5726,31 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3
pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
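Review bot: The test name `Does the Trust Mark contain the exp type` reads oddly beside the iat test at +5763 (`… contain the correct iat type`); suggest `Does the Trust Mark contain a correct exp type` for consistency. The schema only pins exp to a non-negative integer and never compares it with the current time, so an already-expired Trust Mark passes this test; that is acceptable if expiry is evaluated elsewhere, but the description should say so, e.g. `… the type of the exp claim in it is checked (expiry itself is not evaluated by this test)`.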
@@ -3512,28 +5763,31 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6B
pOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -3546,20 +5800,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } + ] + } + ] } ] } 
@@ -3569,20 +5837,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] + } + ] } ] } 
@@ -3592,20 +5874,34 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } + ] + } + ] } ] } 
@@ -3615,20 +5911,34 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] + } + ] } ] } 
@@ -3638,20 +5948,34 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] + } + ] } ] } 
@@ -3661,25 +5985,32 @@ }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_OP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -3691,20 +6022,34 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] + } + ] } ] } 
@@ -3714,20 +6059,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] + } + ] } ] } 
@@ -3737,66 +6096,115 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] + } + ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. 
It must contain the access token parameter and its value must be a JWT", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] + } + ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] + } + ] } ] } 
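Review bot: The two sa_profile tests carry the identical `name` and `description` and differ only in the message type (`Entity Statement response TA OP` vs `Entity Statement response TA RP`), so a failure in the report cannot be attributed to either; suffix the names, e.g. `"... sa_profile claim (TA->OP statement)"` and `"... (TA->RP statement)"`. In the acr_values_supported test the description says the parameter is checked "inside the openid_provider type" but the path is `$.metadata_policy.intermediary.acr_values_supported.subset_of`; one of the two is wrong, and the token_endpoint_auth_methods_supported test later in this series uses `openid_provider`, so the tests currently disagree among themselves. The `"result"` field also changes shape here from the string `"correct flow s1"` to the array `["s1"]`; presumably the runner accepts both, but that is worth confirming since the older tests in this file use the string form.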
@@ -3806,20 +6214,29 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" + ] + } + ] } ] } 
@@ -3829,15 +6246,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -3846,8 +6263,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" + ] } ] } 
@@ -3859,15 +6279,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -3876,8 +6296,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
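Review bot: The description says the policy must carry the key 'subset_of', but the JSONPath reads `$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of`, so the check inspects a different operator than the one documented. As I read the OpenID Federation metadata-policy operators, `subset_of` applies to array-valued parameters such as `*_values_supported` and `one_of` to single-valued ones, so the path should probably end in `.subset_of`; the same text/path mismatch recurs in the signing-alg and userinfo tests that follow. The `intermediary` segment also contradicts the description's `openid_provider`, as elsewhere in this series.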
@@ -3889,15 +6312,15 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -3906,8 +6329,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
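Review bot: The path `$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` uses recursive descent (`$..`) while every sibling test uses `$.metadata_policy...`; `$..` would also match a `metadata_policy` nested anywhere in the payload and, depending on the JSONPath library, may yield a list of matches rather than the array itself, which changes what `is subset of` compares. Use `$.metadata_policy.intermediary.id_token_signing_alg_values_supported.subset_of` like the others. The description also promises 'subset_of' while the path ends in `.one_of`.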
@@ -3919,25 +6345,28 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -3949,15 +6378,15 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -3966,8 +6395,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } 
@@ -3979,25 +6411,27 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } 
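Review bot: The description states the policy must contain 'one_of' valued with ['code'], but the check reads `$.metadata_policy.intermediary.response_types_supported.subset_of`; the revocation_endpoint_auth_methods_supported, subject_types_supported and token_endpoint_auth_methods_supported tests below show the same 'one_of'-in-text / `.subset_of`-in-path mismatch. Decide which operator the TA policy is expected to use and align the descriptions, otherwise the report tells the reader the wrong key is missing. As with the other OP policy tests, `intermediary` in the path contradicts `openid_provider` in the description.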
@@ -4009,25 +6443,27 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -4039,15 +6475,15 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -4056,8 +6492,13 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -4069,25 +6510,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } 
@@ -4099,25 +6542,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
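Review bot: This is the only OP policy test in the series whose path goes through `$.metadata_policy.openid_provider.`; every other one uses `$.metadata_policy.intermediary.` while its description says `openid_provider`. Whichever metadata type the TA actually publishes the OP policy under, the tests must agree, because as written either this test or all the others can never find the parameter. The description also says 'one_of' while the path ends with `.subset_of`.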
@@ -4129,25 +6574,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -4159,25 +6607,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -4189,25 +6640,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -4219,25 +6673,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -4249,25 +6706,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
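Review bot: The description requires the key 'one_of' valued with ['automatic'], but the path is `$.metadata_policy.openid_relying_party.client_registration_types.subset_of`; the check and the text disagree on which policy operator is expected. If `subset_of` is the intended operator, fix the description; if `one_of` is, change the path to `...client_registration_types.one_of`. Either way, note that `is subset of` would presumably also accept an empty `subset_of` array, so if 'automatic' must be present an exact-equality or contains check would be stronger — I cannot tell from here how the runner treats an empty array.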
@@ -4279,25 +6738,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } 
@@ -4309,25 +6771,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } 
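Review bot: The description ends with "It must contain the key 'value'" without saying what that value must be, while the check asserts `$.metadata_policy.openid_relying_party.response_types.value` is a subset of `["code"]`; complete the sentence, e.g. `It must contain the key 'value' valued with ['code']`. Since `value` pins the parameter exactly, an equality check would express the intent better than `is subset of`, assuming the runner offers one.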
@@ -4339,25 +6803,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -4369,20 +6836,29 @@
 },
 {
 "test": {
- "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "code"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
+ }
+ ]
 }
 ]
 }
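Review bot: The expected set under `is subset of` holds a single string, `"A128CBC-HS256\" , \"A256CBC-HS512"`, rather than two elements, so the comparison is made against the literal value `A128CBC-HS256" , "A256CBC-HS512` and a policy that lists A128CBC-HS256 or A256CBC-HS512 as separate entries can never be confirmed compliant. The array should be written as two elements, `"A128CBC-HS256",` and `"A256CBC-HS512"`, the way the hunk at +6803 already writes its alg values. The same escaped-quote collapse appears in the hunks at +6868 (`"RS256\" , \"RS512"`) and +6982 (`"A128CBC-HS256\" , \"A256CBC-HS512"`).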
@@ -4392,20 +6868,29 @@
 },
 {
 "test": {
- "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "state"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256\" , \"RS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4415,20 +6900,29 @@
 },
 {
 "test": {
- "name": "Does the OP contain iss parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "iss"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
+ }
+ ]
 }
 ]
 }
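Review bot: The token_endpoint_auth_method check accepts only the value `private_key`, which is not a registered OAuth/OIDC client authentication method; the JWT-based asymmetric method is named `private_key_jwt`. If that is the method the TA policy is meant to pin, the expected element should read `"private_key_jwt"` (and the description updated to match), otherwise a policy with `one_of: ["private_key_jwt"]` is reported non-compliant while a policy naming the nonexistent `private_key` passes. The SA variant in the hunk at +7226 carries the same value.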
@@ -4438,15 +6932,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -4455,8 +6949,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -4468,15 +6965,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -4485,8 +6982,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -4498,15 +6997,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -4515,8 +7014,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -4528,15 +7030,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -4545,8 +7047,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
+ ]
 }
 ]
 }
@@ -4558,15 +7062,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -4575,8 +7079,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is subset of": [
+ "code"
+ ]
 }
 ]
 }
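Review bot: The test is named and described as a check on the SA's `intermediary` policy, but the check path in the second hunk is `$.metadata_policy.openid_relying_party.response_types.value`, so it inspects the RP policy type inside the TA→SA statement and does not cover the SA at all. If the description is the intent, the path should be `$.metadata_policy.intermediary.response_types.value`, consistent with the other SA hunks in this file that use `intermediary`.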
@@ -4588,15 +7094,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -4605,8 +7111,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_toke"
+ ]
 }
 ]
 }
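Review bot: The expected set for grant_types contains `"refresh_toke"`, a misspelling of `refresh_token`, which is also the value the description names; a TA policy that correctly lists `refresh_token` under `subset_of` therefore fails this subset check, and only a policy with the misspelled value would pass. The element should read `"refresh_token"`.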
@@ -4618,15 +7127,15 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -4635,8 +7144,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.authority_hints",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -4648,15 +7160,15 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -4665,8 +7177,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -4678,25 +7193,28 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
- "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is present": "true"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -4708,25 +7226,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header",
- "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
- "is present": "true"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
 }
 ]
 }
@@ -4738,25 +7258,28 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header",
- "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.typ",
- "is present": "true"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -4768,25 +7291,28 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -4798,25 +7324,28 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.client_id",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -4828,25 +7357,28 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.trust_marks[0].trust_mark.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
@@ -4858,25 +7390,28 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
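Review bot: The two tests in the hunks at +7357 and +7390 share the name "Does the Trust Mark contain a correct organization_type claim" but check different paths: the TA→OP statement test reads `$.trust_marks[0].trust_mark.organization_type` while the TA→RP one reads `$.organization_type` at the top level of the statement payload, so at least one of them is not looking at a trust mark claim. If both are meant to inspect the trust mark, the RP test should use the same `$.trust_marks[0].trust_mark.organization_type` path, and the names should say which statement (OP or RP) each covers so the two results can be told apart in a report. Note also that `trust_mark` in an entity statement normally holds the signed trust-mark JWT as a string, so a plain JSONPath into it may not resolve without an additional decode step — worth confirming against how the tool evaluates the path. The description's 'decrypted' should read 'decoded', matching the base64url wording used for every other JWT in this file.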
@@ -4888,27 +7423,21 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
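Review bot: The description says the verification key is 'the jwks parameter that must be taken from the Entity Statement of a superior', but the operation verifies the TA's own Entity Configuration with the pre-configured key `X_key_TA`; a Trust Anchor has no superior, and verifying its self-signed configuration against a key configured out of band is the correct behaviour, since using the jwks embedded in the same configuration would make the signature check self-referential. The description should say what the test actually does, e.g. 'the signature is validated with the Trust Anchor public key configured in the test setup (X_key_TA), not with a key taken from the statement under test'.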
@@ -4918,27 +7447,21 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jti",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
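Review bot: This test and the one in the hunk at +7471 both carry the name "Does the TA correctly sign the Entity statements", although one verifies the statement the TA issues about the OP and the other the statement about the RP; identical names make the two results indistinguishable in a report. Suggest `"name": "Does the TA correctly sign the Entity Statement about the OP"` here and the RP counterpart in the other hunk. The check itself is sound: the statement's signature is verified against the configured TA key `X_key_TA` rather than against any jwks carried inside the statement being verified.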
@@ -4948,27 +7471,21 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.scope",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -4978,24 +7495,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.acr_values",
 "is present": "true"
 }
 ]
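Review bot: The descriptions of the new Authentication Request tests carry wording slips that will show up verbatim in reports: 'If it is missing, than the RP' here and in the hunks at +7555, +7645 and +7705 should read 'then', the hunk at +7525 has 'If it missing', the hunk at +7735 stops mid-sentence at "the presence of the 'redirect_uri' parameter" with no 'is checked', and the hunk at +7585 says the payload is 'decrypted' where every sibling says base64url decoded. Suggested ending for +7735: `"... and the presence of the 'redirect_uri' parameter is checked. If it is missing, then the RP is not compliant with the specifications"`.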
@@ -5008,24 +7525,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
- "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
+ "in": "payload",
+ "check": "$.aud",
 "is present": "true"
 }
 ]
@@ -5038,24 +7555,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
- "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
+ "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
+ "in": "payload",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -5068,24 +7585,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter",
+ "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
+ "check": "$.client_id",
 "is present": "true"
 }
 ]
@@ -5098,24 +7615,24 @@
 },
 {
 "test": {
- "name": "Does ID token payload contain the 'at_hash' parameter",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
+ "name": "Does the JWT header of the Authentication Request contain the kid parameter",
+ "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.at_hash",
+ "in": "header",
+ "check": "$.kid",
 "is present": "true"
 }
 ]
@@ -5128,24 +7645,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -5158,24 +7675,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.nonce",
 "is present": "true"
 }
 ]
@@ -5188,24 +7705,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.prompt",
 "is present": "true"
 }
 ]
@@ -5218,24 +7735,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.redirect_uri",
 "is present": "true"
 }
 ]
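Review bot: The description of the redirect_uri test in the second hunk (@@ -5218) is cut off mid-sentence — it ends at "the presence of the 'redirect_uri' parameter" — and is the only description in this series that never states what a missing value means; suggest `"description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter is checked. If it is missing, then the RP is not compliant with the specifications"`. Presence alone does not show that the value is one of the redirect_uris the RP registered in its metadata, which is the check that actually blocks code-redirection attacks; if the DSL can compare against the RP's Entity Configuration, a value check would be worth adding as a separate test. Several sibling descriptions in these hunks also use "than" where "then" is meant.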
@@ -5248,24 +7765,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
+ "check": "$.response_type",
 "is present": "true"
 }
 ]
@@ -5278,24 +7795,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request contain the 'scope' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.nonce",
+ "check": "$.scope",
 "is present": "true"
 }
 ]
@@ -5308,24 +7825,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.state",
 "is present": "true"
 }
 ]
@@ -5338,31 +7855,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.ui_locales", + "is 
present": "true" } ] } 
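Review bot: The ui_locales test's description declares the RP non-compliant when the claim is missing, but ui_locales is, as far as I recall, an OPTIONAL authentication-request parameter in the SPID/CIE OIDC profile, so this passive presence check would fail conforming RPs; please confirm against the targeted profile and, if it is optional, either drop the test from the compliance set or reword to `"description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the optional 'ui_locales' parameter is checked."`. Separately, the UserInfo JWE test removed here was the one rejecting 'none'/HS256/HS384/HS512 in the JOSE header; if it is not restored elsewhere in the patch that negative check is lost. The removed side also carried a hard-coded RSA private key in the `jwe decrypt` field, which this hunk drops but later hunks in the same file still keep.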
@@ -5374,25 +7885,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh
0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.iss", "is present": "true" } ] 
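Review bot: The iss test on the request object only checks presence, so a JWT whose iss names a different entity than the client_id in the same request would still pass; under the federation profile the request object's iss is expected to be the RP's own entity identifier, which is the value that ties the signed request to the RP's Entity Configuration and jwks. If mig-t can compare against a session placeholder (the removed issuer test used `"is in": ["X_url_OP"]` for the OP), a companion check such as `"check": "$.iss", "is in": ["X_url_RP"]` would make this meaningful; otherwise the description should say that only presence is verified. Please confirm the placeholder name the suite uses for the RP before adopting it.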
@@ -5405,25 +7915,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\n
NXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", + "in": "payload", + "check": "$.exp", "is present": "true" } ] 
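Review bot: The retargeted exp test keeps the `"jwe decrypt": "-----BEGIN PRIVATE KEY-----…"` context line inherited from the UserInfo JWE test, but an Entity Configuration is a signed JWT (application/entity-statement+jwt), never a JWE, so there is nothing to decrypt and the key is a leftover; the same leftover remains in the following iat and iss hunks for "Entity Configuration response RP". Depending on how mig-t treats `jwe decrypt` on a plain JWS this is either silently ignored or makes the decode step fail before any check runs, so the line should be removed from all three tests, leaving `"from": "body", "decode param": "[^\\r\\n]*", "type": "jwt"`. Independently, the value is a committed RSA private key; it is presumably a test fixture, but if it has ever been used for anything else it should be treated as compromised and rotated.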
@@ -5436,25 +7945,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\n
NXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", + "in": "payload", + "check": "$.iat", "is present": "true" } ] 
@@ -5467,25 +7975,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\n
NXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.iss", "is present": "true" } ] @@ -5498,15 +8005,15 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -5515,10 +8022,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.jwks", + "is present": "true" } ] } 
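Review bot: The two hunks at @@ -5498 and @@ -5515 replace the negative check that the OP's id_token_encryption_alg_values_supported must not contain RSA_1_5 with a presence check for jwks, and the following hunks do the same for the none/HS256/HS384/HS512 prohibitions on id_token, request_object and userinfo signing algorithms and for the userinfo RSA_1_5 check. RSA1_5 (PKCS#1 v1.5 key transport, padding-oracle prone) and symmetric or unsigned JWS algorithms are exactly what a federation OP must not advertise, so unless these tests were moved elsewhere in the patch, the weak-algorithm coverage of the suite is silently dropped by a commit described as "Update tests about federation". If they were moved, a sentence in the commit message saying where would help; if not, they should be re-added as `"not contains": ["RSA_1_5"]` and `"not contains": ["none", "HS256", "HS384", "HS512"]` checks on "Entity Configuration response OP".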
@@ -5530,15 +8035,15 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
@@ -5547,13 +8052,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -5565,15 +8065,15 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
@@ -5582,13 +8082,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -5600,15 +8095,15 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
+ "name": "Does the RP's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
@@ -5617,10 +8112,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -5632,30 +8125,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the signed JWT assertion contain the aud claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.aud",
+ "is present": "true"
 }
 ]
 }
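Review bot: The client_assertion tests introduced here (this hunk through the iss hunk) only assert that aud, exp, iat, jti, sub and iss exist; nothing checks that `client_assertion_type` is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, and a present-but-wrong aud is exactly the cross-audience replay that private_key_jwt is meant to rule out. Unless covered elsewhere, add a plain body check in the same shape as the Content-Type test, e.g. `{ "in": "body", "check param": "client_assertion_type", "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" }`, and, if a session placeholder for the OP's token endpoint exists, an `"is"` check of `$.aud` against it. The extraction regex `(?<=client_assertion=)([^&]+)` is fine for a base64url JWT since its alphabet is unreserved in form encoding, but it will return nothing if the assertion is ever sent as a JSON body rather than application/x-www-form-urlencoded, which the test should then report as a failure rather than a pass.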
@@ -5667,29 +8155,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
+ "name": "Does the signed JWT assertion contain the exp claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported[0]",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
- ]
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -5701,27 +8185,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
+ "name": "Does the signed JWT assertion contain the iat claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
- "is in": [
- "S256"
- ]
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -5733,28 +8215,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
+ "name": "Does the signed JWT assertion contain the jti claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported[0]",
- "is in": [
- "refresh_token",
- "authorization_code"
- ]
+ "check": "$.jti",
+ "is present": "true"
 }
 ]
 }
@@ -5766,28 +8245,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the signed JWT assertion contain the sub claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -5799,28 +8275,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the JWT payload contain 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -5832,30 +8305,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
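Review bot: The Content-Type check compares the header value for exact equality with `application/entity-statement+jwt`, so a response that carries a media-type parameter such as `; charset=utf-8` is reported as non-compliant although the media type itself is the required one. If the head checker accepts `check regex` (the HTTP-200 Entity Configuration tests further down use it on `head`), `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt"` with `"is present": true` would match the media type without being tripped by parameters. Whether a parameter should be tolerated is a profile decision; the description should state it either way.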
@@ -5865,29 +8329,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain a correct issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is in": [
- "X_url_OP"
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
@@ -5897,30 +8352,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
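Review bot: The check only establishes that `code_challenge_method` is present in the Authentication request URL; a request sending `code_challenge_method=plain` passes, although `plain` gives none of the protection PKCE is meant to provide and the profile this suite targets requires `S256`. A value assertion is needed alongside the presence check, for instance a second entry `"in": "url", "check": "code_challenge_method", "is": "S256"` if the url checker supports the `is` comparison used by the Content-Type test, or a boundary-anchored `check regex` such as `(^|[?&])code_challenge_method=S256(&|$)` if it does not. The preceding `code_challenge` test has the same presence-only limitation, but there the value is opaque, so at most a length/charset pattern can be asserted.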
@@ -5930,30 +8375,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]",
+ "name": "Does the RP insert the client ID in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_modes_supported[0]",
- "is in": [
- "form_post",
- "query"
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "client_id"
 }
 ]
 }
@@ -5963,29 +8398,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct response_types_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'",
+ "name": "Does the RP insert the response type in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_types_supported[0]",
- "is in": [
- "code"
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "response_type"
 }
 ]
 }
@@ -5995,29 +8421,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'",
+ "name": "Does the Introspection Request contain the client_assertion",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
- "is in": [
- "private_key_jwt"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
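Review bot: `"check regex": "client_assertion"` also matches the `client_assertion_type` parameter that the next test requires in the same body, so this test cannot fail on a request that sends `client_assertion_type` without an actual `client_assertion`. Anchor the pattern to the parameter boundary: `"check regex": "(^|&)client_assertion="`. The same unanchored substring is used in the Introspection "valid JWT" test, the Revocation `client_assertion` test and the Token request `client_assertion` test further down in this diff.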
@@ -6027,32 +8444,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct scopes_supported claim",
- "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]",
+ "name": "Does the Introspection Request contain the client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.scopes_supported[0]",
- "is in": [
- "openid",
- "offline_access",
- "profile",
- "email"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -6062,29 +8467,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'",
+ "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.subject_types_supported[0]",
- "is in": [
- "pairwise"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
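Review bot: The test is named and described as verifying that `client_assertion` is a signed JWT, but its check is identical to the previous hunk's presence test — a substring match on `client_assertion` in the body — so it never inspects the token at all, and a request with `client_assertion=not-a-jwt` passes. Use the same extraction the `sub`/`iss` Token request tests in this commit use, and assert on the decoded header; the `is not in` form with the `none`/HMAC values exists elsewhere in this file and rejects an unsigned or symmetric assertion. If the profile fixes the allowed algorithms, an `is in` list would be stricter still. Whether `decode param` accepts a regex rather than a parameter name should be confirmed against the tool, as noted on the `sub` test.
```json
"message type": "Introspection request",
"decode operations": [
  {
    "from": "body",
    "decode param": "(?<=client_assertion=)([^&]+)",
    "type": "jwt",
    "checks": [
      {
        "in": "header",
        "check": "$.alg",
        "is not in": [ "none", "HS256", "HS384", "HS512" ]
      }
    ]
  }
]
```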
@@ -6094,30 +8490,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the Introspection Request contain the client id of the RP making the request",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -6127,30 +8513,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the Introspection Request contain the token",
+ "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
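Review bot: `"check regex": "token"` is satisfied by `token_type_hint=` (a legitimate introspection parameter) and, in principle, by a chance `token` substring inside the base64url `client_assertion` value, so the presence of the `token` parameter itself is not established. Anchor it to the parameter boundary: `"check regex": "(^|&)token="`. The Revocation `token` test and the logout-revocation test at the end of this section use the same unanchored substring.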
@@ -6160,30 +8536,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']",
+ "name": "Does the Introspection Request use HTTP POST",
+ "description": "The Introspection request made by the RP use HTTP POST",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
@@ -6193,31 +8559,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.",
+ "name": "Does the Revocation Request contain the client assertion",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "(?<=\"id_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.acr",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
@@ -6227,8 +8582,8 @@
 },
 {
 "test": {
- "name": "Does the OP verify the HTTP method of the Revocation request",
- "description": "The revocation request must be sent via HTTP POST",
+ "name": "Does the Revocation Request contain the client_assertion_type",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6238,9 +8593,9 @@
 "message type": "Revocation request",
 "checks": [
 {
- "in": "url",
+ "in": "body",
 "is present": true,
- "check": "POST"
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -6250,20 +8605,20 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain access token",
- "description": "The Token response is analyzed and the presence of the access token is checked",
+ "name": "Does the Revocation Request contain the client_id of the RP making the request",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Revocation request",
 "checks": [
 {
 "in": "body",
 "is present": true,
- "check regex": "access_token"
+ "check regex": "client_id"
 }
 ]
 }
@@ -6273,20 +8628,20 @@
 },
 {
 "test": {
- "name": "Does the OP issue the access tokens when requested",
- "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
+ "name": "Does the Revocation Request contain the token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Revocation request",
 "checks": [
 {
 "in": "body",
 "is present": true,
- "check regex": "access_token"
+ "check regex": "token"
 }
 ]
 }
@@ -6296,20 +8651,20 @@
 },
 {
 "test": {
- "name": "Does the OP issue the expires_in in a token response",
- "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
+ "name": "Does the token request contain the client_assertion",
+ "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "checks": [
 {
 "in": "body",
 "is present": true,
- "check regex": "expires_in"
+ "check regex": "client_assertion"
 }
 ]
 }
@@ -6319,20 +8674,20 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
+ "name": "Does the token request contain the client_assertion_type",
+ "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "checks": [
 {
 "in": "body",
 "is present": true,
- "check regex": "id_token"
+ "check regex": "client_assertion_type"
 }
 ]
 }
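Review bot: The new descriptions say the parameter must be "in the URL" (`"The token request sent by the RP must contain client_assertion parameter in the URL"`), but both checks run with `"in": "body"`, which is where a POST token request carries its form parameters. Either the description or the check location is wrong; since the Introspection and Revocation tests in this commit also check the body, the description is the one to fix, e.g. `"The token request sent by the RP must contain the client_assertion parameter in the request body"`. The same wording appears in the client_id, code, code_verifier, grant_type and 'correct grant_type' token-request tests that follow.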
@@ -6342,20 +8697,20 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the token type",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
+ "name": "Does the token request contain the client_id",
+ "description": "The token request sent by the RP must contain client_id parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "checks": [
 {
 "in": "body",
 "is present": true,
- "check regex": "token_type"
+ "check regex": "client_id"
 }
 ]
 }
@@ -6365,20 +8720,20 @@
 },
 {
 "test": {
- "name": "Does the HTTP status code of the UserInfo response is 200",
- "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
+ "name": "Does the token request contain the code parameter",
+ "description": "The token request sent by the RP must contain code parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "message type": "Token request",
 "checks": [
 {
- "in": "head",
+ "in": "body",
 "is present": true,
- "check param": "HTTP/?\\d?\\.?\\d?\\s200"
+ "check regex": "code"
 }
 ]
 }
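Review bot: In the second hunk, `"check regex": "code"` matches `code_verifier=`, which the next test requires in the same body (and `grant_type=authorization_code` as well), so a token request that omits the `code` parameter still passes this test. Use a boundary-anchored pattern, `"check regex": "(^|&)code="`, so only the parameter name is matched.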
@@ -6388,30 +8743,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header",
- "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']",
+ "name": "Does the token request contain the code_verifier parameter",
+ "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "header",
- "check": "$.alg",
- "is in": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code_verifier"
 }
 ]
 }
@@ -6421,32 +8766,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header",
- "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.",
+ "name": "Does the token request contain the grant_type parameter",
+ "description": "The token request sent by the RP must contain grant_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "header",
- "check": "$.alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "grant_type"
 }
 ]
 }
@@ -6456,32 +8789,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header",
- "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.",
+ "name": "Does the RP revoke the Token when the User logs out",
+ "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "header",
- "check": "$.alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -6490,28 +8811,21 @@
 }
 },
 {
- "test": {
- "name": "Does the OP metadata contain the issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "test": {
+ "name": "Does the RP contain the Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "UserInfo request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "is present": true,
+ "check param": "Authorization"
 }
 ]
 }
@@ -6521,25 +8835,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
+ "name": "Does the RP metadata contain correct value of 'client_id' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.jwks",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.client_id",
+ "is": "x_https_RP"
 }
 ]
 }
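Review bot: The UserInfo check only asserts that an `Authorization` header exists; the description says it must carry an Access Token, but a header with an empty value or a non-Bearer scheme passes. If the head checker accepts `check regex` (the HTTP-200 Entity Configuration tests below use it on `head`), `"check regex": "Authorization:\\s*Bearer\\s+\\S+"` with `"is present": true` captures the stated requirement without committing to a token format.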
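Review bot: The second hunk compares `client_id` against the placeholder `x_https_RP`, while the `sub` test in the next hunk uses `X_url_RP`; if the harness substitutes placeholders by exact name, one of the two spellings is left unreplaced and that comparison can never succeed. Worth checking which name the harness actually defines and using it in both places. The description also promises an "HTTPS URL that uniquely identifies the RP", which an equality check against a configured value does not verify by itself; a `pattern` of `^https://` in a `json schema compliant` check, as the `state`/`nonce` tests do, would make that part explicit.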
@@ -6551,25 +8865,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
+ "name": "Does entity configuration RP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.signed_jwks_uri",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_url_RP"
 }
 ]
 }
@@ -6581,27 +8895,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -6611,27 +8918,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_endpoint",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
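Review bot: This test's check is identical to the "correct HTTP code in the EC response" test in the preceding hunk (an `HTTP … 200` status line on the RP Entity Configuration response), so the two names report one observation twice, and an endpoint that answers 200 with an unrelated body still counts as "exposing" the endpoint. If this test is meant to verify that an Entity Configuration is actually returned, give it a distinct check — a `decode operations` entry with `"type": "jwt"` on the body and an `"is present": "true"` on `$.iss`, as the `sub`/`exp` EC tests below do — otherwise drop one of the two. Both hunks also spell the presence flag as the string `"true"` whereas the url/body checks in this commit use the boolean `true`.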
@@ -6641,26 +8941,22 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the token request contain a correct grant_type parameter",
+ "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported",
- "is present": "true"
- }
+ "in": "body",
+ "check regex": "(?<=grant_type=)([^&]+)",
+ "is in": [
+ "authorization_code",
+ "refresh_token"
 ]
 }
 ]
@@ -6671,25 +8967,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the contacts claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}"
 }
 ]
 }
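Review bot: The schema pattern `^[\\u0020-\\u007E]{32,}$` accepts any printable ASCII, including space and punctuation, whereas the description says "at least 32 alphanumeric characters", and the name says "greater than 32" while `{32,}` means 32 or more. Either relax the description to match the pattern ("at least 32 printable ASCII characters") or tighten the pattern to `^[A-Za-z0-9]{32,}$` if alphanumeric is the intended requirement. The `nonce` test in the next hunk has the same mismatch. Length is only a proxy for unpredictability — the suite cannot measure how the value was generated — so the description should not claim more than what the check establishes.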
@@ -6701,25 +8997,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}"
 }
 ]
 }
@@ -6731,25 +9027,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
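Review bot: The name promises a "correct" `exp`, but the schema only requires a non-negative integer, so an Entity Configuration that is already expired, or whose `exp` precedes its `iat`, passes. A static JSON schema cannot express a time comparison; either rename the test to match what is checked, e.g. `"Does entity configuration contain an integer exp parameter"`, or add a separate check on the exp/iat relation if the tool provides one. The `iat` test in the next hunk has the same gap between its name and its check.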
@@ -6761,25 +9057,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the homepage_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -6791,25 +9087,25 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -6821,25 +9117,25 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
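Review bot: The `"required"` list in the new schema makes all six metadata types mandatory, which contradicts the description ("must be a value among the following") and will fail every real Entity Configuration, since an RP never publishes `openid_provider` or `trust_mark_issuer` metadata; drop the `"required"` array (or reduce it to the types the profile actually mandates) and let `"additionalProperties": false` enforce the allow-list. The "only once for each" part of the title cannot be verified this way either: the JWT payload is parsed into a JSON object before the schema runs, so a duplicated key is collapsed by the parser and never reaches the check.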
@@ -6851,25 +9147,25 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -6881,25 +9177,25 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } 
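Review bot: The schema ends with `"requirement":["grant_type"]` — the keyword is misspelled (`required`) and the name does not match the property declared above it (`grant_types`), so an RP metadata with no `grant_types` at all passes this test; it should read `{"type":"object","properties":{"grant_types":{"type":"array"}},"required":["grant_types"]}`. Unknown keywords are ignored by JSON Schema validators rather than reported, so nothing will surface this at runtime.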
@@ -6911,25 +9207,25 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } 
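Review bot: The `redirect_uris` schema accepts an empty array, so an RP advertising no redirect URI passes a test whose title asks for HTTPS redirect URIs; add `"minItems": 1` (and `"uniqueItems": true`) to the array schema. The `^https://.*$` pattern is the right shape for the HTTPS requirement, but it still admits a URI with a fragment, which OAuth forbids for redirect URIs; `"pattern": "^https://[^#]*$"` would close that as well.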
@@ -6941,25 +9237,25 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } 
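Review bot: With `items.enum` alone, a `grant_types` of `[]` or `["refresh_token"]` satisfies this schema even though the title asks for `authorization_code` or `refresh_token`; as written the test only rejects unknown grant values. If the profile requires `authorization_code` to be present, add `"minItems": 1` and `"contains": {"const": "authorization_code"}` next to `items`, and reword the description, which currently says only that the parameter's "type" is checked.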
@@ -6971,25 +9267,25 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
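Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` accepts plain `http://`, while the other URL checks added in this file (`client_id`, `redirect_uris`) insist on `https://`; if the federation profile requires HTTPS for `logo_uri` too, tighten the prefix to `^https://`, otherwise the description should state that an http URL is acceptable. The `.svg` suffix requirement looks profile-specific as well — a short note in the description naming the rule it enforces would help the next maintainer.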
@@ -7001,25 +9297,25 @@ }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } 
@@ -7031,25 +9327,25 @@ }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } 
@@ -7061,25 +9357,25 @@ }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } 
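Review bot: The `aud` schema applies `"format": "uri-reference"` to a value typed as `array`, where `format` has no effect, so the test only confirms that `aud` is an array of anything and never checks the URL requirement stated in the description. Per RFC 7519 `aud` may also be a single string, so the schema should accept both forms: `"aud": {"anyOf": [{"type":"string","format":"uri"}, {"type":"array","minItems":1,"items":{"type":"string","format":"uri"}}]}` — bearing in mind that `format` is annotation-only in many validators unless format assertion is switched on.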
@@ -7091,25 +9387,25 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -7121,25 +9417,25 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -7151,27 +9447,20 @@ }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
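Review bot: The description spells the assertion type `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` (missing hyphen) while the `is` value correctly uses `client-assertion-type`; fix the description so a failing test is not misread. Also, the introspection request body is `application/x-www-form-urlencoded`, so the colons arrive as `%3A` — if the `is` comparison on `in: body` does not URL-decode first (the removed header checks in this file carry an explicit `"url decode": false` flag, which suggests decoding is configurable), this exact match may never succeed.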
@@ -7181,27 +9470,20 @@ }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" - } - ] + "in": "body", + "check": "client_id", + "is": "X_url_RP" } ] } 
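Review bot: The expected `client_id` is the placeholder `X_url_RP`, whereas the token-request `client_id` test added later in this file uses `X_https_RP` for the same RP identifier; unless both placeholders are defined, one of the two tests compares against a literal string and always fails. Pick one placeholder for the RP's entity identifier and use it in every `client_id` check. The description only says the value "identifies the RP"; stating that it must equal the RP's entity ID (the `sub`/`iss` of its Entity Configuration) would make the expectation reproducible.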
@@ -7211,27 +9493,20 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
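Review bot: The description gives the assertion type as `urn:ietf:params:oauth:clientassertion-type:jwt-bearer`, without the hyphen that the `is` value and RFC 7523 use; fix the description. Since the revocation request body is form-encoded, the check should also be explicit about whether the `is` comparison sees the raw `%3A`-encoded value or the decoded one.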
@@ -7241,27 +9516,20 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
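Review bot: The description says the parameter is "in the URL of the token request" and spells the value `jwtbearer`, but the check reads `in: body` and compares against `...jwt-bearer`; the check is the correct one (the token endpoint takes a POST form body), so align the description: `The client_assertion_type parameter in the body of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.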
@@ -7271,27 +9539,20 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } 
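Review bot: This `client_id` check compares against `X_https_RP`, while the Introspection-request `client_id` test earlier in this file uses `X_url_RP` for the same value; one of the two placeholders is presumably undefined and that test would compare against the literal string. The description also says the parameter is taken "in the URL of the token request" but the check is `in: body`, which is right for a POST token request — update the description rather than the check.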
@@ -7301,27 +9562,20 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
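Review bot: The title and description promise a check of the `Content-Type: application/entity-statement+jwt` response header, but the only check is a body regex for three dot-separated segments, and the Content-Type assertion this file previously had is not carried over, so a response served as `text/plain` passes. Either add a second check `{"in": "head", "check param": "Content-Type", "is": "application/entity-statement+jwt"}` or drop the claim from the description. The regex also admits `=`, `+` and `/` in the signature segment and, because `\w` excludes `-`, relies on unanchored substring matching to accept a real compact JWS; `^([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)$` describes the actual base64url format.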
@@ -7331,27 +9585,20 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
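Review bot: The regex `token=([\\w=]+)\\.([\\w=]+)\\.(...)` cannot match a JWT whose header or payload segment contains `-`, because `\w` covers only `[A-Za-z0-9_]` and the engine cannot skip characters after the `token=` anchor; base64url uses `-` for value 62, so a correctly formatted token will intermittently fail this test. Use the base64url alphabet for all three segments, e.g. `token=([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)(?:&|$)`, and drop `=`, `+` and `/`, which never appear in a compact JWS. The same alphabet problem affects the `client_assertion` and `token` regexes added in the revocation and token-request tests below.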
@@ -7361,28 +9608,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpC
cxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", - "is": "JWT" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
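Review bot: The body regex begins with an unescaped `[`, so the engine reads `[\\s*\"[^\"]` as a character class and the pattern matches almost nothing the author intended; it needs `\\[` to match the opening of a JSON array. More fundamentally, the check looks for a JSON array of strings while the description says the response carries the resolved metadata for `sub`; in OpenID Federation 1.0 the resolve response is a signed JWT, so a `decode operations` block with `"type": "jwt"` and a schema check on `metadata` would match the description far better than a string-array regex. The hunk's removed UserInfo test is history, but the new check should at least say which response shape it expects.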
@@ -7392,21 +9631,20 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_OP" + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } 
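Review bot: This hunk drops the only test that verified the Entity Configuration signature (`jwt check sig` against `X_key_OP`) and replaces it with a format check on the revocation request's `client_assertion`; no EC signature check remains visible in this file, so a forged or tampered Entity Configuration would pass the whole passive suite — if the signature test moved to another file this is fine, otherwise it should be restored alongside the new test. In the new regex, `([\\w]+)\\.([\\w]+)` rejects `-` in the header and payload segments, which is a legal base64url character; use `client_assertion=([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)(?:&|$)`.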
@@ -7416,21 +9654,20 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "jwt check sig": "X_key_core_OP" + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
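Review bot: The replaced test verified the Access Token signature with `X_key_core_OP`; the new test only checks that the revocation request's `token` parameter looks like three dot-separated segments, and no access-token signature verification remains visible in this file. If the signature check was intentionally moved, a note in the commit would help; otherwise it should be kept. The regex also rejects `-` in the header/payload segments (`\w` excludes it) while admitting `=`, `+` and `/`, which never occur in a compact JWS; `token=([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)(?:&|$)` matches the real alphabet.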
@@ -7440,21 +9677,20 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "jwt check sig": "X_key_core_OP" + "in": "body", + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
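Review bot: The ID Token signature-verification test (`jwt check sig` with `X_key_core_OP`) is removed here and replaced with a structural check on the token request's `client_assertion`; unless it lives in another file, the suite no longer proves the OP signed the ID Token, which is the check an RP's security rests on. The regex shares the alphabet problem of its siblings: `[\\w=]+` does not accept `-` in the header and payload segments, so a valid assertion can fail; prefer `client_assertion=([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)(?:&|$)`.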
@@ -7464,21 +9700,20 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "checks": [ { "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "check regex": "POST", + "is present": "true" } ] } @@ -7488,21 +9723,20 @@ }, { "test": { - "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", - "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "UserInfo request", "checks": [ { "in": "head", - "url decode": false, - "is": "application/jwt", - "check param": "Content-Type" + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
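Review bot: `"check regex": "POST"` with `is present` on the whole request head matches any occurrence of those four letters — a URL path or header value that happens to contain `POST` — rather than the request method; anchor it to the request line, e.g. `"check regex": "^POST\\s"`, or check the method field directly if mig-t exposes one. The removed Content-Type check for the Entity Configuration response (`application/entity-statement+jwt`) has no replacement in this hunk; if it was not moved elsewhere, it should be restored.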
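Review bot: The description promises a "valid Access Token", but the check only matches three dot-separated segments after `Authorization: Bearer`; nothing verifies the token's signature or `exp`, or that it is the one issued in the Token response, and the `application/jwt` Content-Type check this hunk removes is not replaced. Either narrow the description to "a JWT-formatted bearer token" or add a `decode operations` step with `jwt check sig`. The regex's `[\\w=]+` segments also reject `-`, a valid base64url character, so a genuine token can fail; use `Authorization:\\s*Bearer\\s+([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)`.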
@@ -7512,26 +9746,27 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } 
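Review bot: The check reads `client_registration_types[0]` and compares it with `is in: ["automatic"]`, so `["automatic", "explicit"]` passes although `explicit` is outside the allowed set and `["explicit", "automatic"]` fails only by ordering; a JSON-schema check on the whole array, `{"type":"array","minItems":1,"items":{"const":"automatic"}}`, enforces what the description states. This hunk also switches the decode key from `"decode param"` to `"decode regex"`, the reverse of the rename applied in the earlier hunks of the same file; only one spelling can be the key mig-t reads, and the other turns the decode operation into a no-op.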
@@ -7543,26 +9778,28 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
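Review bot: The description requires `grant_types` to contain both `authorization_code` and `refresh_token`, but `is in` against `grant_types[0]` passes as soon as the first element is either of them, so an RP advertising only `authorization_code` is reported compliant. A schema check on the full array expresses "both required": `"check": "$.metadata.openid_relying_party.grant_types"` with `"json schema compliant": "{\"type\":\"array\",\"allOf\":[{\"contains\":{\"const\":\"authorization_code\"}},{\"contains\":{\"const\":\"refresh_token\"}}]}"`, provided the validator used by mig-t supports draft-06 `contains`/`const`, which this chunk does not show.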
@@ -7574,53 +9811,28 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA OP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -7632,53 +9844,61 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": 
"true", "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -7690,20 +9910,29 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] + } + ] } ] } 
@@ -7713,20 +9942,30 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] + } + ] } ] } 
@@ -7736,25 +9975,28 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
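Review bot: The description of the `userinfo_encrypted_response_enc` test says "the presence of the ... parameter is ['A128CBC-HS256', 'A256CBC-HS512']", which reads as a presence check while the operation compares the value, and the sibling tests all say "the value of the ... parameter is". Suggested wording: `"description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_enc' parameter is one of ['A128CBC-HS256', 'A256CBC-HS512']."`.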
@@ -7766,20 +10008,30 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } 
@@ -7788,21 +10040,30 @@ } }, { - "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "test": { + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] + } + ] } ] } 
@@ -7812,20 +10073,29 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } 
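Review bot: The forbidden-value list in the `id_token_encrypted_response_alg` test names `RSA_1_5`, but the JWA identifier for RSAES-PKCS1-v1_5 is `RSA1_5`, so an RP advertising the deprecated algorithm is never flagged; the line should read `"RSA1_5"`. This hunk also keeps `"decode param": "[^\\r\\n]*"` on the new side while every neighbouring test was switched to `"decode regex"`; if the tool no longer recognises the old key the decode step is skipped and the check never runs, so `"decode regex": "[^\\r\\n]*"` belongs here too. Whether `not contains` is a supported operator alongside `is in` is not visible in this chunk.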
@@ -7835,20 +10105,20 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Introspection request", "checks": [ { "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
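Review bot: In the `Introspection request` schema, `"format":"uri"` is only an annotation in JSON Schema unless the validator enables format assertions, so `"pattern":"^https://"` is the only effective constraint, and it accepts the bare string `https://` with no host; `"pattern":"^https://[^/?#]+"` would at least require an authority component. The same inline schema is repeated in the next two hunks (`@@ -7858` Revocation request, `@@ -7881` Token request), so any change must be mirrored there or the schema factored out if the test format allows it. OAuth introspection, revocation and token requests carry `client_id` as form-encoded body parameters rather than JSON, so whether `"check": "$"` resolves it depends on mig-t parsing the body into key/value pairs — not visible here.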
@@ -7858,20 +10128,20 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response SA RP", + "message type": "Revocation request", "checks": [ { "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -7881,20 +10151,20 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
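Review bot: The `json schema compliant` value in the `Token request` test ends with `]})"` — the trailing `)` after the closing brace makes the embedded schema invalid JSON, so the check either errors or is silently skipped depending on how the tool handles an unparsable schema; drop it: `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"`. The description also says the parameter is taken "in the URL of the token request" while the check reads `"in": "body"`, which is where a POST token request carries `client_id`; the description should say body.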
@@ -7904,25 +10174,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" } ] } 
@@ -7934,25 +10204,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" } ] } 
@@ -7964,25 +10234,25 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -7994,25 +10264,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -8024,25 +10294,25 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } 
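Review bot: This `grant_types` presence test and the one at `@@ -8174` ("contain the 'grant_types' parameter") run the identical check `$.metadata.openid_relying_party.grant_types` / `is present`, and the two `jwks` tests at `@@ -8204` and `@@ -8315` duplicate each other the same way. Duplicates inflate the pass/fail count and drift when only one is edited; keep one of each pair, or give the second a distinct check — the second `jwks` test could verify the key set itself, `"check": "$.metadata.openid_relying_party.jwks.keys"`.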
@@ -8054,25 +10324,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -8084,25 +10354,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" } ] } 
@@ -8114,25 +10384,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" } ] } 
@@ -8144,25 +10414,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" } ] } 
@@ -8174,25 +10444,25 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } 
@@ -8204,32 +10474,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } 
@@ -8241,32 +10504,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "is present": "true" } ] } 
@@ -8278,32 +10534,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is present": "true" } ] } 
@@ -8315,32 +10564,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } 
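Review bot: The description of this `jwks` test has a typo, "If it is absent, than the RP is not compliant"; it should read `"... If it is absent, then the RP is not compliant with the specification."`. The trailing sentence is also the only compliance remark among the presence tests, so either drop it or add it consistently to the siblings.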
@@ -8352,32 +10594,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does the RP metadata contain the logo_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -8389,32 +10624,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the RP metadata contain the organization_name claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -8426,32 +10654,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the RP metadata contain the policy_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -8463,32 +10684,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
+ "is present": "true"
 }
 ]
 }
@@ -8500,32 +10714,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is present": "true"
 }
 ]
 }
@@ -8537,32 +10744,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
+ "is present": "true"
 }
 ]
 }
@@ -8574,32 +10774,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is present": "true"
 }
 ]
 }
@@ -8611,32 +10804,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does the RP metadata contain the 'response_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.response_types",
+ "is present": "true"
 }
 ]
 }
@@ -8648,31 +10834,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
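Review bot: The `is not in` check on `$.metadata.openid_relying_party.id_token_signed_response_alg` is a denylist, so any identifier other than the four listed values passes, including algorithms the profile does not permit; an `is in` allowlist of the algorithms the profile actually allows (placeholder: `<ALLOWED_ALGS_FROM_SPEC>`) would catch that, while the denylist only catches the cases named in the description. The same denylist shape is used for `userinfo_signed_response_alg` at L1485 and for the request-object `$.alg` header at L1489; for the header check in particular, if the tool's `is not in` is an exact string comparison, case variants such as `None` would not be flagged even though some verifiers have historically accepted them, so the description should say the comparison is exact. The enclosing test object closes outside the hunk.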
@@ -8685,31 +10869,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is not in": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -8722,31 +10901,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -8759,31 +10936,32 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.acr_values",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3",
+ "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3",
+ "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3",
+ "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3"
 ]
 }
 ]
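Review bot: The `is in` list for `$.acr_values` enumerates each combination in a single fixed order, so a request carrying e.g. `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` is reported as non-compliant although the description only requires the values to be space-separated. The same fixed-order matching applies to `$.prompt` at L1487 (`login consent` is absent) and to `$.scope` at L1488, where the description allows `offline_access`, `profile` or `email` to be appended but the list has no entry combining `profile` and `email`. Unless the tool guarantees these values are compared as sets, either add the remaining permutations or, if the DSL supports it, split the value on spaces and check each token against the allowed set; at minimum the description should state that only the listed orderings are accepted. The enclosing test object closes outside the hunk.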
@@ -8796,31 +10974,27 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.prompt",
+ "is in": [
+ "consent",
+ "consent login"
 ]
 }
 ]
@@ -8833,31 +11007,31 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.scope",
+ "is in": [
+ "openid",
+ "openid profile",
+ "openid email",
+ "openid offline_access",
+ "openid offline_access profile",
+ "openid offline_access email"
 ]
 }
 ]
@@ -8870,31 +11044,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request",
+ "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
+ "in": "header",
+ "check": "$.alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -8907,34 +11079,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
- }
- ]
+ "jwt check sig": "X_key_RP"
 }
 ]
 }
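Review bot: The description says the signature verifier is "configured for the algorithm described in the Entity Configuration Header", i.e. `alg` is taken from the token under test; if `jwt check sig` really does that, an algorithm substitution in the header is not something this test would detect on its own, so the expected algorithm (or at least the key family of `X_key_RP`) should be pinned in the test rather than read from the header, and the description should say which it is. It is also worth stating in the description whether `X_key_RP` is the key from the superior's Entity Statement, as the text requires, or the key embedded in the Entity Configuration itself, since only the former validates the trust chain. Separately, this hunk and the first hunk at L1491 use `"decode param": "[^\\r\\n]*"` for the body regex while L1473–L1489 use `"decode regex"` for the same pattern; if the tool interprets the two keys differently, one form is silently ignored, so a single keyword should be used throughout. The enclosing test object closes outside the hunk.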
@@ -8944,34 +11103,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the client_assertion in the token request have a correct signature",
+ "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
- }
- ]
+ "jwt check sig": "X_key_core_RP"
 }
 ]
 }
@@ -8981,15 +11127,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9003,7 +11149,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "logo_uri",
+ "check": "sa_profile",
 "is present": "true"
 }
 ]
@@ -9018,15 +11164,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9040,7 +11186,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "organization_name",
+ "check": "claims",
 "is present": "true"
 }
 ]
@@ -9055,15 +11201,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9077,7 +11223,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "organization_type",
+ "check": "email",
 "is present": "true"
 }
 ]
@@ -9092,15 +11238,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9114,7 +11260,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "policy_uri",
+ "check": "exp",
 "is present": "true"
 }
 ]
@@ -9129,15 +11275,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9151,7 +11297,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "ref",
+ "check": "iat",
 "is present": "true"
 }
 ]
@@ -9166,15 +11312,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9188,7 +11334,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "service_documentation",
+ "check": "id",
 "is present": "true"
 }
 ]
@@ -9203,15 +11349,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9225,7 +11371,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "sub",
+ "check": "id_code",
 "is present": "true"
 }
 ]
@@ -9240,15 +11386,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9262,7 +11408,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "tos_uri",
+ "check": "logo_uri",
 "is present": "true"
 }
 ]
@@ -9277,15 +11423,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9299,7 +11445,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "iss",
+ "check": "organization_name",
 "is present": "true"
 }
 ]
@@ -9314,25 +11460,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
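Review bot: The Trust Mark checks added here and at L1497–L1502 decode only `$.trust_marks[0].trust_mark`, so for an entity that publishes several Trust Marks only the first is inspected and a missing claim in any other one goes unreported; the description should state this, e.g. `"... only the first element of the 'trust_marks' array is decoded and checked."`. These seven hunks also replace the `Entity Configuration response SA` presence checks for `$.exp`, `$.iat`, `$.iss`, `$.jwks`, `$.metadata`, `$.sub` and `$.trust_marks` with Trust Mark tests that already appear at L1492–L1495 under the same names, so unless the SA checks are re-added elsewhere in this patch, this file loses its basic SA Entity Configuration coverage while gaining duplicate Trust Mark tests. The enclosing test object closes outside the hunk.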
@@ -9344,25 +11497,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9374,25 +11534,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9404,25 +11571,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9434,25 +11608,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9464,25 +11645,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9494,25 +11682,32 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain the trust marks",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9524,25 +11719,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
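Review bot: The description says the mark under test is one issued by a TA for an SA, but the operation decodes `"message type": "Entity Statement response SA RP"`, i.e. the statement the SA issues about an RP, whose `trust_marks` array would presumably hold the RP's marks rather than the SA's own. If the SA's mark is what is meant, the message to decode is more likely the SA's Entity Configuration (`"Entity Configuration response SA"`, the label used at L1517) — please confirm which capture the tool files under each label. Either the message type or the description should change so that the two agree.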
@@ -9554,25 +11756,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9584,25 +11793,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9614,25 +11830,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9644,25 +11867,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9674,25 +11904,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9704,25 +11941,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9734,25 +11978,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9764,8 +12015,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9776,13 +12027,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9794,8 +12052,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9806,13 +12064,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9824,8 +12089,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9836,13 +12101,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
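Review bot: The oauth_resource (AA-profile) claims are checked against two different messages: service_documentation and tos_uri at L1499/L1501 decode `"Entity Statement response SA OP"`, while policy_uri in this line's second and third hunks and service_documentation/tos_uri again at L1514/L1516 decode `"Entity Statement response SA RP"`, and the test names are repeated verbatim (L1499 and L1514 are identical). Nothing in these hunks shows that either an OP or an RP statement is where an AA's oauth_resource mark would be found, so this looks like copy-propagation rather than intent. If both groups are wanted, suffix the names with the message they inspect (e.g. `"... policy_uri claim (SA RP statement)"`) so results can be told apart; otherwise keep one group. The policy_uri test's name/description and its checks sit in separate hunks, so the body of that test is not fully visible here.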
@@ -9854,8 +12126,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9866,13 +12138,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9884,8 +12163,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9896,13 +12175,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9914,8 +12200,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9926,13 +12212,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9944,8 +12237,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9956,13 +12249,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -9974,8 +12274,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9986,13 +12286,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10004,32 +12311,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
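Review bot: The constraints removed here and in L1518–L1526 (`json schema compliant` checks enforcing an object-typed `id_code` carrying `ipa_code` or `fiscal_number`/`vat_number`, and `\"pattern\": \"^https://\"` on logo_uri, policy_uri, sub, tos_uri and service_documentation) have no counterpart in the new trust-mark tests at L1499–L1516, which only assert `"is present": "true"`. Unless those schema tests were moved to another part of this large reordering, a trust mark with an `http://` logo_uri or a string-valued `id_code` would now pass this file, so it is worth confirming where they went. On the new side the body decode also spells the line-selection regex as `"decode param": "[^\\r\\n]*"`, whereas the nested tests at L1499 use `"decode regex"` in that position and reserve `"decode param"` for the JSONPath; if the engine treats the two keys as synonyms this is only a consistency nit, otherwise one of the two forms is silently ignored and should be unified.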
@@ -10041,32 +12341,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -10078,32 +12371,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -10115,32 +12401,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -10152,32 +12431,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -10189,32 +12461,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -10226,32 +12491,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -10263,8 +12521,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10275,20 +12533,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
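Review bot: The re-added descriptions disagree on where the Entity Statement is fetched from: this hunk says `(HTTP GET request in the SA's fetch endpoint)` while the exp and iat tests at L1525 and L1526 say `TA's fetch endpoint` for what appears to be the same kind of test; the text should name the one endpoint the tool actually queries, since a reader uses it to reproduce a failure. All three also carry the typo `the presence if the` (read: `the presence of the`), and `once obtained the decrypted Payload` should say `decoded`, as a base64url decode is the operation performed and no decryption happens in these checks. The test's name/description and its checks sit in separate hunks, so the test body is not fully visible here; the fix is text-only in both.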
@@ -10300,8 +12551,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the SA contain the exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10312,20 +12563,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
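Review bot: The description says the statement is obtained from "the TA's fetch endpoint", while the test name says it is an Entity Statement issued by the SA and the neighbouring SA tests in this patch say "the SA's fetch endpoint"; for a test run against the SA the wording should be `HTTP GET request in the SA's fetch endpoint`. The same TA/SA mismatch appears in the iat, jwks, sub and iss descriptions of this patch. The `message type` that decides which response is inspected lies outside this hunk, so I cannot confirm from here which endpoint is actually exercised.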
@@ -10337,8 +12581,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does Entity Statements issued by the SA contain the iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10349,20 +12593,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -10374,8 +12611,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10386,20 +12623,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
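Review bot: Presence of `$.jwks` is a weak check for the one claim the subordinate's signature verification depends on: `"jwks": {}`, a `jwks` without `keys`, or a key object without `kty` all pass. A `json schema compliant` check such as `{"type": "object", "properties": {"keys": {"type": "array", "minItems": 1, "items": {"type": "object", "required": ["kty"]}}}, "required": ["keys"]}` would reject those (add `kid` to `required` if the federation profile mandates it, which I cannot confirm from this file). The test object's `result` lines are outside the hunk.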
@@ -10411,32 +12641,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
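Review bot: The description ends with "It must be a JSON Object" but the check is only `"is present": "true"`, so a `metadata_policy` that is a string, number or array passes this test. Replacing the check with `"check": "$.metadata_policy", "json schema compliant": "{\"type\": \"object\"}"` — the same form the removed test used — makes the check match the stated requirement. The second metadata_policy test further down this patch has the same description/check gap. The test object's closing `result` lines are outside the hunk.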
@@ -10448,32 +12671,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does Entity Statements issued by the SA contain the sub parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -10485,32 +12701,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does Entity Statements issued by the SA contain the iss parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
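Review bot: For an Entity Statement issued by the SA, the presence of `iss` says nothing about who issued it; a statement relayed from any other issuer passes. The patch already uses the SA identifier placeholder in `"is": "X_url_SA"` for the Entity Configuration `sub` test, so the same comparison here, `"check": "$.iss", "is": "X_url_SA"`, would make the test meaningful. The preceding `sub` test has the same weakness and should compare against the subordinate's entity identifier rather than only asserting presence. The test object's `result` lines are outside the hunk.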
@@ -10522,32 +12731,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -10559,8 +12761,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does Entity Statements issued by the SA contain the constraints parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10571,20 +12773,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
@@ -10596,8 +12791,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does Entity Statements issued by the SA contain the exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10608,20 +12803,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -10633,8 +12821,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the SA contain the iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10645,20 +12833,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -10670,8 +12851,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10682,20 +12863,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -10707,8 +12881,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -10719,20 +12893,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -10744,8 +12911,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does Entity Statements issued by the SA contain the sub parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10756,20 +12923,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -10781,8 +12941,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the SA contain the iss parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -10793,20 +12953,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -10818,92 +12971,62 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration SA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -10914,13 +13037,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "check": "$.sub", + "is": "X_url_SA" } ] } 
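Review bot: The Content-Type check uses an exact `"is": "application/entity-statement+jwt"`, so a response carrying a parameter such as `; charset=utf-8` fails even though the media type is correct; a `check regex` of `^application/entity-statement\+jwt(\s*;.*)?$` (or the tool's case-insensitive equivalent, if one exists) would be more robust — I cannot tell from the hunk whether `check param` compares case-sensitively. The two removed tests asserted that the Trust Mark's `organization_type` is `public` or `private`, for both the SA→OP and SA→RP statements; nothing in this hunk replaces that, so unless the patch relocates it a Trust Mark with an arbitrary `organization_type` now passes the suite. The last test object of the hunk continues past the hunk boundary.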
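Review bot: The new description says the Entity Configuration's `sub` "must be equal to the one in the iss parameter", but the check compares `$.sub` with the fixed placeholder `X_url_SA` and never looks at `iss`; the description only holds if `iss` is independently checked against the same value. Either add a sibling check `"check": "$.iss", "is": "X_url_SA"` in the same `checks` array, or reword the description to `Its value must be the SA's entity identifier`. The test object's `result` lines are outside the hunk.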
@@ -10932,8 +13055,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" @@ -10941,18 +13064,11 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -10962,8 +13078,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" 
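Review bot: The HTTP 200 check introduced here (`"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` on `head`) is byte-identical to the check of the following test "Does the Entity expose the /.well-known/openid-federation endpoint", so one of the two is redundant and neither verifies that the body is an Entity Configuration; the second would be more useful as a body check (e.g. decoding the JWT and asserting `$.iss` is present). The removed test asserted `federation_fetch_endpoint` in the SA's `federation_entity` metadata, which is what makes the SA's subordinate statements reachable; if the patch does not relocate it, that coverage is lost. The last test object of this hunk continues in the next hunk.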
@@ -10971,18 +13087,11 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -10992,25 +13101,26 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_SA" } ] } 
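Review bot: The signature check covers only `$.trust_marks[0].trust_mark`, so any further Trust Mark in the statement is never verified, and it always verifies against `X_key_SA` although the Trust Mark's `iss` decides which key is authoritative — a Trust Mark issued by the TA (or another issuer the SA forwards) would fail this test even when valid. If the tool only supports a fixed key, the test name should say which issuer is assumed, e.g. `Does the SA correctly sign the Trust marks it issues`, and a sibling test should cover additional array entries. The description also describes an RSA key (`n, e`) while the configured `X_key_SA` may be an EC key; the description should follow the key type actually used. The test object's `result` lines are outside the hunk.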
@@ -11022,25 +13132,26 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_SA" } ] } 
@@ -11052,8 +13163,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -11064,13 +13175,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -11082,8 +13193,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -11094,13 +13205,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -11112,8 +13223,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -11124,13 +13235,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -11142,8 +13253,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
@@ -11154,13 +13265,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } @@ -11172,8 +13283,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", "type": "passive", "sessions": [ "s1" 
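Review bot: The schema on the `$.metadata` check lists all six metadata types under `"required"`, so any Entity Configuration that exposes fewer types (an RP typically carries only `openid_relying_party` and `federation_entity`) fails the test, which contradicts the description's intent that each key must merely be a value among the allowed set. `"additionalProperties": false` together with the six `properties` entries already enforces the allowed-set rule, so dropping the `"required": [...]` array keeps that and removes the false failures. The description also says the types cannot be repeated, but a JSON Schema cannot detect duplicate keys because the parser collapses them before validation; if that property matters, it needs a separate raw-body check.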
@@ -11186,7 +13297,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } @@ -11196,21 +13313,27 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] } ] } 
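Review bot: The `trust_marks` schema in the first hunk declares `"trust_marks": {"type": "object", "additionalProperties": {"type": "array"}}`, while the test description says the parameter must be a JSON array containing the Trust Marks and the Entity Configuration `trust_marks` member is an array of objects — the hunks on L1565–L1569 themselves address it as `$.trust_marks[0].trust_mark`. A conforming Entity Configuration therefore fails this check and a non-conforming one passes it. I'd change the inner schema to `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}`; the same object-shaped schema is removed from the AA test on L1556, so this appears to be the only instance left.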
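Review bot: No test in this file section verifies an SA signature any more: the second hunk and the hunk on L1548 drop `"jwt check sig": "X_key_SA"` from the SA Entity Statement tests, and the first hunk does the same for the SA Entity Configuration, each replaced by a schema check on the unverified payload, so a statement signed with the wrong key or carrying no signature at all still satisfies every remaining check. If the signature tests were relocated rather than removed, a sentence in the commit message saying where would help; otherwise I'd keep the `"jwt check sig"` entries alongside the new `"checks"` arrays. Separately, the `logo_uri` schema uses `"format": "uri"`, which most validators treat as an annotation unless format assertion is enabled, so the `pattern` is the only constraint actually enforced there.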
@@ -11220,21 +13343,27 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
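Review bot: The description in this hunk, repeated on L1549–L1551, reads "the the exp parameter is checked" and calls the base64url-decoded payload "decrypted", but nothing is decrypted here: the JWS payload is only decoded, and the test does not verify the signature. I'd write `"description": "... the Entity Statement payload in the response is base64url decoded and the exp parameter is checked. It must be a non-negative integer timestamp"`, matching what the schema (`integer`, `minimum: 0`) actually enforces. Note that `minimum: 0` accepts a long-expired `exp`; whether freshness is meant to be checked by this test is not clear from the hunk.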
@@ -11244,21 +13373,27 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -11268,20 +13403,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
@@ -11291,20 +13433,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ - { - "message type": "Entity Configuration response AA", - "checks": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -11314,25 +13463,25 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the SA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata_policy.openid_relying_party.jwks", + "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" } ] } @@ -11352,7 +13501,7 @@ ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "checks": [ { "in": "body", 
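Review bot: The schema on `$.metadata_policy.openid_relying_party.jwks` only requires a `value` member of any type (`\"value\" :{}`), so a policy carrying `"value": null` or `"value": "x"` passes even though the description says it must contain the RP's JWKS. Constraining the member to a JWK Set shape would make the check meaningful: `\"value\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\"}}, \"required\": [\"keys\"]}`. The stray space in `\"value\" :{}` is harmless JSON but worth normalising to match the other schemas in the file.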
@@ -11367,19 +13516,19 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", + "message type": "Entity Listing response", "checks": [ { "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", "is present": "true" } ] 
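Review bot: The new `check regex` for the Entity Listing response matches a JSON object (`^\{ ... \}$`), but the description and the federation list endpoint return a JSON array of Entity Identifiers, while the array-shaped pattern (`[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$`) now sits on the resolve endpoint test on L1557, whose response is not a bare array; the two patterns look swapped, so I'd move the array pattern here and give the resolve test a check matching its actual response format. The `[^\\r\\n]*.^` prefix also only matches under particular DOTALL/MULTILINE settings of the regex engine, which are not visible from the hunk. The description text still says "resolve entity statement endpoint" and is missing a verb ("an HTTP GET request entity's endpoint"); something like `"description": "In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request is made to the entity's list endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected"` fixes both.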
@@ -11390,27 +13539,20 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Entity Statement response SA OP", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
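Review bot: The `check regex` in this hunk, repeated on L1555 and L1556, uses `[\w=]+` for the JWS header and payload segments, which excludes `-`, a legal base64url character, so a valid Entity Statement whose header or payload contains `-` fails the test; it also lets the third group be empty (`*`), so a `header.payload.` token with no signature satisfies the "contains an Entity Statement" check. A base64url-aware pattern with a non-empty signature would be `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`, keeping whatever prefix is needed to skip the HTTP headers. The `+`, `/` and `=` allowed in the third group belong to standard base64, not base64url, and are not produced by a compact JWS.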
@@ -11420,27 +13562,20 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Entity Statement response SA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -11450,27 +13585,20 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Fetch Entity Statement response SA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -11480,27 +13608,20 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
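Review bot: The leading `[` in `"check regex": "[\\s*\"[^\"]*\"..."` is unescaped, so the regex engine reads it as the start of a character class rather than the literal bracket opening a JSON array; depending on the engine it either becomes a different pattern or is rejected, so this check is unlikely to match the intended shape. It should be `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"` (the pattern was only moved by the commit, but it is now the content of the resolve test). Since the resolve endpoint returns a signed JWT rather than a bare JSON array, the array pattern probably belongs with the entity listing test on L1553 instead.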
@@ -11510,25 +13631,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -11540,25 +13661,25 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "is present": "true" } ] } 
@@ -11570,25 +13691,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.federation_entity.federation_list_endpoint", + "is present": "true" } ] } 
@@ -11600,24 +13721,24 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -11630,24 +13751,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", "is present": "true" } ] @@ -11660,24 +13781,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] 
@@ -11690,24 +13811,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] @@ -11720,24 +13841,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -11750,24 +13871,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -11780,25 +13901,32 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + } + ] } ] } 
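Review bot: The `json schema compliant` string in this hunk is not a usable schema: its keywords and values carry trailing spaces (`"type "`, `"properties "`, `"required "`, `"sa_profile "`, `"full "`, `"light "`) and the `\u00a0` sequences decode to U+00A0 non-breaking spaces between tokens, which RFC 8259 does not accept as whitespace, so the inner parse fails or, if the tool is lenient, validates nothing because `type ` is not a JSON Schema keyword and a `sa_profile ` member is never present. It should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}"`. The description's "decrypted" is also inaccurate — the Trust Mark JWT is base64url decoded and, as far as this hunk shows, not signature-checked. The test object closes outside the hunk.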
@@ -11810,29 +13938,31 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -11845,29 +13975,31 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -11880,27 +14012,31 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "is in": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
 ]
 }
 ]
@@ -11913,26 +14049,31 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of",
- "is in": [
- "private_key_jwt"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
 ]
 }
 ]
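Review bot: The `description` line says the `claims` value is checked to be a list, but the schema on the `json schema compliant` line requires a JSON object whose values are all objects (`"type": "object", "additionalProperties": {"type": "object"}`); one of the two is wrong and a conforming list would fail the test. If an array is intended, use `{"claims": {"type": "array"}}`; if an object map is intended, fix the description. The test also selects `$.trust_marks[0].trust_mark` from an "Entity Statement response SA OP" message, so it inspects the first Trust Mark of whatever entity that statement describes rather than one carrying the oauth_resource profile; without an explicit selector the outcome depends on ordering rather than on the claim under test.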
@@ -11945,27 +14086,31 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
+ "name": "Does the Trust Mark contain the correct type of email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is in": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
 ]
 }
 ]
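Review bot: The schema on the `json schema compliant` line is vacuous: its keyword names carry trailing spaces (`"type "`, `"properties "`, `"required "`), and JSON Schema validators ignore unknown keywords, so any payload — including one with no `email` claim at all — satisfies it and the test can never fail. Rewrite it without the padding, `{"type": "object", "properties": {"email": {"type": "string", "format": "email"}}, "required": ["email"]}`, and keep in mind that `format` is only enforced when the validator has format assertions enabled. The inner `decode param` is `$.trust_marks.trust_mark`, while every neighbouring test uses `$.trust_marks[0].trust_mark`; `trust_marks` is an array, so the un-indexed path most likely resolves to nothing and the check is skipped or errors instead of running against a real Trust Mark.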
@@ -11978,25 +14123,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the authorization_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.authorization_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
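Review bot: The inner `decode param` is `$.trust_marks.trust_mark`, without the `[0]` index the sibling tests use; `trust_marks` is an array, so this path most likely matches nothing and the `exp` schema is never applied to a real Trust Mark. Use `"decode param": "$.trust_marks[0].trust_mark"` (or an explicit selector for the mark under test). The schema `{"type": "integer", "minimum": 0}` is a sound type check, but a passive type check cannot tell whether the mark has already expired; if the suite has a way to compare `exp` with the current time, that would be the security-relevant assertion to add next to this one.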
@@ -12008,25 +14160,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the contacts claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
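Review bot: The inner `decode param` is `$.trust_marks.trust_mark` and lacks the array index that the other Trust Mark tests in this file use, so the `iat` check most likely never sees a decoded Trust Mark; change it to `"decode param": "$.trust_marks[0].trust_mark"`. The schema itself is fine as a type check, though it cannot catch an `iat` in the future, which is the case that actually matters for replay.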
@@ -12038,25 +14197,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
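Review bot: The schema on the `json schema compliant` line requires every value inside `id_code` to be an object (`"additionalProperties": {"type": "object"}`), but the sibling test in this same file requires `id_code.ipa_code` to be a string, so a Trust Mark with `"id_code": {"ipa_code": "..."}` fails this test while passing the other. The description only asks that `id_code` be a JSON object, so drop the inner constraint: `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`. The `name` line also has a typo, `correcty` for `correct`.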
@@ -12068,25 +14234,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12098,25 +14271,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
 }
 ]
 }
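Review bot: Two problems on the `json schema compliant` line: the keyword names carry trailing spaces (`"type "`, `"enum "`, `"required "`) and some values are preceded by a non-breaking space (`\u00a0`), so a validator treats the keywords as unknown and the schema accepts any payload; and the enum `["private ", "public "]` (again with trailing spaces) is applied to `organization_name`, which the description and the neighbouring tests treat as a free-text name, not a public/private discriminator. Presumably the check was meant for whichever Trust Mark claim carries the organisation kind — confirm which claim that is, then write the schema without padding, e.g. `"enum": ["private", "public"]`, so that a real value can actually match. As in the other tests here, `$.trust_marks.trust_mark` is missing the `[0]` index.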
@@ -12128,25 +14308,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the grant_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.grant_types_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12158,25 +14345,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the homepage_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
 }
 ]
 }
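Review bot: `ref` is validated with `"format": "uri"` alone, whereas every other URL claim in this file (`logo_uri`, `policy_uri`, `sub`, `iss`, `tos_uri`) also requires `"pattern": "^https://"`; since `format` is only an annotation unless the validator enables format assertions, this check may accept any string, including an `http://` reference. Align it with the others: `{"type": "string", "format": "uri", "pattern": "^https://"}`. The inner `decode param` is again `$.trust_marks.trust_mark` without the `[0]` index used by the sibling tests.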
@@ -12188,25 +14382,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.issuer",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12218,25 +14419,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the jwks claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
 }
 ]
 }
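Review bot: The schema on the `json schema compliant` line only checks that `sub` is an https URL; it does not check that it equals the `sub` of the enclosing Entity Statement, which is the binding that makes a Trust Mark meaningful (a mark copied from another entity's statement would pass this test unchanged). If the tool can compare a nested-JWT claim with an outer-payload claim, add that as a second check; otherwise a comment in `description` saying the binding is not verified here would help the next reader. The `description` also says "decrypted" where the operation only base64-decodes a signed JWT.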
@@ -12248,25 +14456,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12278,25 +14493,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_policy_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12308,25 +14530,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the op_tos_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_tos_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ }
+ ]
 }
 ]
 }
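Review bot: The schema on the `json schema compliant` line is inert: its keyword names are padded with trailing spaces and `\u00a0` (`"type "`, `"enum "`, `"required "`), which a JSON Schema validator ignores as unknown keywords, so the `sa_profile` restriction is never enforced — and even if it were, the enum values `"full "`/`"light "` and the required name `"sa_profile "` carry trailing spaces and would reject the genuine values. Use `{"type": "object", "properties": {"sa_profile": {"type": "string", "enum": ["full", "light"]}}, "required": ["sa_profile"]}`. Note also that this test reads `$.trust_marks[0].trust_mark` from an "Entity Statement response SA RP" message, i.e. the first Trust Mark of the RP, while the description says it targets a Trust Mark issued *for* the SA; confirm that is the intended message.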
@@ -12338,25 +14567,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the organization_name claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12368,25 +14604,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12398,25 +14641,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_resource.resource",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12428,25 +14678,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the response_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.response_types_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
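Review bot: The `description` line says `claims` is checked to be a list, but the schema on the `json schema compliant` line requires an object whose values are objects; a list would fail. Pick one: `{"claims": {"type": "array"}}` if the claim is a list, or correct the description if it is a map. This is the same mismatch as the SA OP variant of this test earlier in the file, so both should be fixed together.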
@@ -12458,25 +14715,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the scopes_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.scopes_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
+ ]
 }
 ]
 }
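Review bot: The schema on the `json schema compliant` line cannot fail: every keyword name has a trailing space (`"type "`, `"properties "`, `"required "`), so a validator sees only unknown keywords and accepts any payload, with or without an `email` claim. Replace it with `{"type": "object", "properties": {"email": {"type": "string", "format": "email"}}, "required": ["email"]}` and make sure the validator is run with format assertions on, otherwise `format` is annotation-only. The `decode param` `$.trust_marks.trust_mark` also lacks the `[0]` index that the other tests in this file use on the `trust_marks` array.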
@@ -12488,25 +14752,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
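Review bot: `decode param` is `$.trust_marks.trust_mark` here, missing the `[0]` index every other Trust Mark test in this file applies to the `trust_marks` array, so the `exp` schema most likely never runs against a decoded mark; use `"decode param": "$.trust_marks[0].trust_mark"`. The `name` line reads "Does the Trust Mark contain the exp type" — "contain a correct exp type", matching the sibling iat test, says what is meant.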
@@ -12518,25 +14789,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -12548,25 +14826,32 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
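Review bot: The schema on the `json schema compliant` line forces every member of `id_code` to be an object (`"additionalProperties": {"type": "object"}`), which contradicts the SA RP `ipa_code` test a few hunks above that requires `id_code.ipa_code` to be a string; the two tests cannot both pass on the same Trust Mark. The description only requires `id_code` to be a JSON object, so use `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`. `correcty` in the `name` line is a typo.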
@@ -12578,21 +14863,34 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_AA"
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
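Review bot: This hunk deletes the only test in this region that verified the AA Entity Configuration signature (`"jwt check sig": "X_key_AA"`) and replaces it with a `logo_uri` format check on a Trust Mark decoded without verification. Unless the signature test is re-added elsewhere in the session (the diffstat suggests tests were reorganised, so it may be), ALL_Session1 no longer catches an AA Entity Configuration signed with the wrong key or not signed at all — the one check that gives the metadata assertions any weight. Please confirm the signature test survives, and consider keeping `"jwt check sig": "X_key_AA"` on the outer decode here so the Trust Mark claims are only inspected in a statement whose signature was verified.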
@@ -12602,21 +14900,34 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] + } + ] } ] } 
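Review bot: The schema string on the new `json schema compliant` line contains non-breaking spaces (`\u00a0`) and trailing spaces inside the keywords and values (`"type "`, `"object "`, `"properties "`, `"organization_name "`, `"enum "`, `"private "`, `"public "`), so `"type "` is not the JSON Schema `type` keyword and `"required": ["organization_name "]` demands a key with a trailing space that no real Trust Mark carries — the check can never pass. The enum also lists `private`/`public`, which are the `organization_type` values used in the hunk at -12833, while the test name says `organization_name`; if the intent is a string type check, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"` matches the name. Separately, `"decode param": "$.trust_marks.trust_mark"` omits the `[0]` index every sibling test uses (`$.trust_marks[0].trust_mark`); `trust_marks` is an array, so this path will not select the JWT. The same missing index appears in the hunk at -12657.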
@@ -12626,26 +14937,32 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
@@ -12657,26 +14974,32 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
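Review bot: `"decode param": "$.trust_marks.trust_mark"` omits the `[0]` array index used by the neighbouring tests, so the path most likely selects nothing (the hunk at -12602 has the same slip). The `ref` schema relies on `"format": "uri"` alone, whereas the sibling URL checks (logo_uri, policy_uri, sub, iss, tos_uri, service_documentation) add `"pattern": "^https://"`; since `format` is an annotation that most validators do not enforce by default, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"ref\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"ref\"]}"` makes the check effective and consistent with its siblings.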
@@ -12688,20 +15011,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + } + ] + } + ] } ] } 
@@ -12711,20 +15048,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } + ] + } + ] } ] } 
@@ -12734,25 +15085,32 @@ }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_TA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -12764,20 +15122,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } + ] + } + ] } ] } 
@@ -12787,20 +15159,55 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" + } + ] } ] } 
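Review bot: The first intercept decodes `"from": "url"` with `"decode param": "client_assertion"` on an `Entity Statement response SA OP`; a response carries no `client_assertion` query parameter (that name belongs to an RP's token request), so the JWT whose `iss` is saved as `conf_iss` is presumably not the Entity Statement at all and the test would not exercise the claim it is named after — the operation looks copied from a token-request test and should decode the statement from `"from": "body"` with the `[^\\r\\n]*` regex, as the passive tests above do. The final check uses `"contains": "conf_iss"`, which also passes for any `iss` that merely has the saved value as a substring; if `"is"` accepts `"use variable": "true"`, an equality check pins the SA identifier. The hunk at -12810 is the SA RP copy and shares both issues, and both copies carry the identical `name`, which makes their results hard to tell apart.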
@@ -12810,20 +15217,55 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" + } + ] } ] } 
@@ -12833,66 +15275,105 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] + } + ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value 
of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] + } + ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Configuration response SA", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" } ] } 
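Review bot: The two organization_type checks use `"check": "organization_type"` without the `$.` prefix that every other payload check in these hunks uses (`$.iss`, `$.trust_marks[0].trust_mark`); unless mig-t accepts a bare key name, `"check": "$.organization_type"` is needed for the `is in` comparison to find the claim. Both tests keep the identical `name` "Does the Trust Mark contain correct value for organization_type claim" while one targets `Entity Statement response SA OP` and the other `Entity Statement response SA RP`; naming the subject in the test name keeps the reports distinguishable. The `result` field changes from `"correct flow s1"` to `["s1"]` in these two tests only, as far as this chunk shows — worth confirming this is the format the current runner expects.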
@@ -12902,20 +15383,21 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" } ] } 
@@ -12925,20 +15407,21 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" } ] } @@ -12948,7 +15431,7 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", + "name": "Does entity configuration contain the exp parameter", "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ 
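Review bot: Both SA signature tests (here and at -12902) verify with `"jwt check sig": "X_key_SA"`, a preconfigured key, while the description states the key must be the one carried in the SA's Entity Statement issued by the TA; the check therefore proves the statement is signed with the expected configured key but not that this key is the one the TA vouches for, so the description overstates what the test does — either shorten it ("...validated against the configured SA public key X_key_SA") or, if the tool can save the TA-issued `$.jwks` into a variable, verify against that. The name "Does the SA correctly signs the Entity Statement" should read "Does the SA correctly sign the Entity Statement", and the same name is reused unchanged for the SA OP and SA RP variants.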
@@ -12956,7 +15439,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -12965,8 +15448,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.exp", + "is present": "true" } ] } @@ -12978,7 +15461,7 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", + "name": "Does entity configuration contain the iat parameter", "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ @@ -12986,7 +15469,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -12995,8 +15478,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.iat", + "is present": "true" } ] } 
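Review bot: The replacement checks `"check": "$.exp"` / `"$.iat"` with `"is present": "true"` drop the `integer, minimum 0` constraint the old schema enforced, so an Entity Configuration carrying `"exp": "never"` or a negative value now passes; since the renamed tests are explicitly presence tests this may be intended, but keeping a separate type/range check (the previous `json schema compliant` string) would preserve that coverage, and the same consideration applies to the `iss`, `jwks`, `metadata`, `sub`, `authority_hints` and `trust_marks` presence tests at -13008 through -13158. The boolean is written as the string `"true"` here while the removed Content-Type check in the hunk at -12602 used a bare `false` for `"url decode"`; if the tool accepts both, one representation should be used throughout.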
@@ -13008,15 +15491,15 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -13025,8 +15508,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.iss", + "is present": "true" } ] } 
@@ -13038,25 +15521,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.jwks", + "is present": "true" } ] } 
@@ -13068,15 +15551,15 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -13085,8 +15568,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" + "check": "$.metadata", + "is present": "true" } ] } 
@@ -13098,15 +15581,15 @@ }, { "test": { - "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -13115,8 +15598,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + "check": "$.sub", + "is present": "true" } ] } 
@@ -13128,15 +15611,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -13145,8 +15628,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" + "check": "$.authority_hints", + "is present": "true" } ] } 
@@ -13158,15 +15641,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -13175,8 +15658,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -13188,25 +15671,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } 
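Review bot: `"decode param": "(?<=\"access_token\": \")[^\"]+"` only matches a Token response serialised with exactly one space after the colon; a compact body (`"access_token":"..."`) or different whitespace makes the lookbehind fail, the JWT is never decoded, and the test reports a missing header rather than the real state of the token. A bounded optional whitespace, `(?<=\"access_token\":\\s?\")[^\"]+`, survives both layouts if the regex engine mig-t uses supports it; the same literal appears in the hunks at -13218, -13248 and -13278. The `alg` check only tests presence, so a header with `"alg": "none"` satisfies it; a follow-up `is in` check listing the permitted signing algorithms would make the test meaningful.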
@@ -13218,25 +15701,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -13248,25 +15731,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "in": "header", + "check": "$.typ", + "is present": "true" } ] } 
@@ -13278,25 +15761,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.aud", + "is present": "true" } ] } 
@@ -13308,25 +15791,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.client_id", + "is present": "true" } ] } 
@@ -13338,25 +15821,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" + "check": "$.exp", + "is present": "true" } ] } 
@@ -13368,25 +15851,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.iat", + "is present": "true" } ] } 
@@ -13398,25 +15881,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.iss", + "is present": "true" } ] } 
@@ -13428,25 +15911,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" + "check": "$.jti", + "is present": "true" } ] } 
@@ -13458,25 +15941,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "check": "$.scope", + "is present": "true" } ] } 
@@ -13488,25 +15971,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.sub", + "is present": "true" } ] } 
@@ -13518,25 +16001,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } 
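Review bot: The new name promises a value check ("contain a correct 'alg' parameter") but the check on `$.alg` is only `"is present": "true"`, so a token signed with an unexpected or `none` algorithm would still pass. Either align the name with the sibling Access Token test, `"name": "Does the issued JWT ID Token contain the 'alg' parameter in the Header"`, or add a second check on `$.alg` that pins the accepted values. The enclosing test object closes outside this hunk.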
@@ -13548,25 +16031,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -13578,25 +16061,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.acr", + "is present": "true" } ] } 
@@ -13608,25 +16091,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.at_hash", + "is present": "true" } ] } 
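Review bot: The added name breaks the naming pattern used by every other ID Token claim test in this series ("Does the issued JWT ID Token contain the '…' parameter in the Payload"), which matters when results are grouped or searched by name. Suggest `"name": "Does the issued JWT ID Token contain the 'at_hash' parameter in the Payload"`. The enclosing test object closes outside this hunk.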
@@ -13638,25 +16121,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.aud", + "is present": "true" } ] } 
@@ -13668,25 +16151,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "check": "$.exp", + "is present": "true" } ] } 
@@ -13698,25 +16181,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.iat", + "is present": "true" } ] } 
@@ -13728,25 +16211,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + "check": "$.iss", + "is present": "true" } ] } 
@@ -13758,32 +16241,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jti", + "is present": "true" } ] } 
@@ -13794,33 +16270,26 @@ } }, { - "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", + "test": { + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.nonce", + "is present": "true" } ] } 
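Review bot: The new `nonce` check only asserts that the claim exists; the property that actually protects against ID Token replay is that its value equals the `nonce` sent in the authentication request, which this passive presence check cannot establish. If the framework can compare a decoded claim with a parameter captured from an earlier message in session `s1`, a second test doing that comparison would be the meaningful one; if it cannot, the description should say that only presence is verified, e.g. `"description": "… the presence of the 'nonce' parameter in the Payload is checked; its value is not compared with the request nonce."`. The enclosing test object closes outside this hunk.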
@@ -13832,32 +16301,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -13869,34 +16331,21 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
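Review bot: The new header check uses `"is": "application/entity-statement+jwt"`, and if `is` is an exact comparison (it looks like one here) a response carrying a media-type parameter such as `application/entity-statement+jwt; charset=utf-8` would be reported as non-compliant although the media type is right. If the framework offers a contains/regex comparison for header values, that is the safer form; otherwise the description should state that parameters are not tolerated. The name also says "the entity" while the only message inspected is `"Entity Configuration response OP"`; the RP/SA/AA entity configurations are not covered by this test.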
@@ -13906,34 +16355,21 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } @@ -13943,34 +16379,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
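Review bot: In the second hunk the revocation-method test does not verify the HTTP method: the check is `"in": "url"`, `"check": "POST"`, `"is present": true`, i.e. it searches the request URL for the substring `POST`, which a GET request to a URL containing that text would satisfy and a legitimate POST to `/revocation` would not. The request line or method is what needs to be inspected; if the framework exposes it, something along the lines of `"in": "head"` with the method as the checked value would be needed, and if it does not, this test cannot be passive and should be dropped rather than left as a false positive/negative. The first hunk (UserInfo `Content-Type`) shares the exact-match concern of the EC Content-Type test above.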
@@ -13980,34 +16402,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
@@ -14017,34 +16425,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
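Review bot: This new test is operationally identical to the one added just above it ("Does the successful token response contain access token"): same message type, same `"check regex": "access_token"`, same result, so it can never disagree with it and only doubles the report. Its description also narrates an active flow ("an authentication request with scope 'openid' is made… the RP tries to exchange it") while `"type"` is `"passive"`; either convert it to the active test the description promises or merge it into the previous one. Note that `"check regex": "access_token"` also matches an empty `"access_token": ""`, so a non-empty pattern such as `"access_token\": \"[^\"]+"` would be stricter.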
@@ -14054,34 +16448,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the OP issue the expires_in in a token response",
+ "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "expires_in"
 }
 ]
 }
@@ -14091,34 +16471,43 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the successful token response contain the ID token",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "id_token"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the successful token response contain the token type",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "checks": [
+ {
+ "in": "body",
+ "is present": true,
+ "check regex": "token_type"
 }
 ]
 }
@@ -14128,34 +16517,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the HTTP status code of the UserInfo response is 200",
+ "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "UserInfo response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "is present": true,
+ "check param": "HTTP/?\\d?\\.?\\d?\\s200"
 }
 ]
 }
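Review bot: The UserInfo status-line check uses the key `check param` with a regular expression as its value (`"check param": "HTTP/?\\d?\\.?\\d?\\s200"`), whereas every other HTTP-200 check added by this commit uses `check regex` for the same pattern. If the engine treats `check param` as a literal header or parameter name, this check can never match the status line, and the test outcome no longer depends on the actual status code. The line should read `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`.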
@@ -14165,32 +16540,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
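Review bot: The JSONPath `$.metadata.openid_provider.claims_parameter_supported.value` expects the claim to be an object with a `value` member, but in an Entity Configuration the `openid_provider` metadata carries `claims_parameter_supported` as a plain boolean; the `{"value": ...}` shape is that of a metadata_policy entry, not of metadata. If that is the case here, the path selects nothing and the test cannot pass against a conforming OP; the same path shape is used for `request_parameter_supported` and `authorization_response_iss_parameter_supported` in the next two hunks. Suggested line: `"check": "$.metadata.openid_provider.claims_parameter_supported",`, keeping `"is": "true"` only if the engine stringifies JSON booleans for `is`, which is worth confirming. The description also says that only the presence of the claim is checked while the check asserts its value, so one of the two should be aligned with the other.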
@@ -14202,32 +16570,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
@@ -14239,32 +16600,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
@@ -14276,32 +16630,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does entity configuration OP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_OP"
 }
 ]
 }
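Review bot: The description states that `sub` must equal the `iss` claim, but the check compares `$.sub` with the fixed placeholder `X_url_OP`, so equality with `iss` is never verified; either add a second check `{"in": "payload", "check": "$.iss", "is": "X_url_OP"}` in the same `checks` array, or reword the description to say the value is compared with the configured OP identifier. The ID-token `iss` test later in this commit uses a different placeholder, `X_https_OP`, for what looks like the same OP identifier; if only one of the two is defined in the substitution map, the other check silently compares against a literal string, so it is worth confirming both spellings are intentional.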
@@ -14313,34 +16660,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response OP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -14350,34 +16683,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response OP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -14387,34 +16706,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request",
+ "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Revocation response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
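Review bot: The name and description require an *empty* HTTP 200 response from the revocation endpoint, but the only check is the status-line regex in the head, so a 200 that carries a body (for instance a JSON error object returned with the wrong status code) still passes. If the engine supports an empty-body assertion, add a second check such as `{"in": "body", "check regex": "^\\s*$", "is present": "true"}`; otherwise reword the description to say that only the status code is verified.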
@@ -14424,34 +16729,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the OP handle a correct token request",
+ "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -14461,34 +16752,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the HTTP status of a token response correct?",
+ "description": "This test verifies whether the HTTP status of a token response is 200.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
- }
- ]
+ "message type": "Token response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -14498,32 +16775,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -14535,32 +16805,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -14572,32 +16835,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -14609,32 +16865,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
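Review bot: The schema's `required` array lists all six metadata types, so the check passes only if the OP's `metadata` object contains `openid_relying_party`, `oauth_resource`, `trust_mark_issuer` and the rest at the same time, which is the opposite of what the name and description state ("only allowed types", "a value among the following"); an OP entity configuration normally exposes `openid_provider` and `federation_entity` only, so the test would fail on conforming input. Drop the `required` member (or reduce it to `\"required\": [\"openid_provider\"]`) and keep `\"additionalProperties\": false`, which is the part that actually enforces the allowed-set rule. The `decode param` here is spelled `[^\\n\\r]*` while the neighbouring tests use `[^\\r\\n]*`; the two are equivalent, but a single spelling would make the file easier to grep.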
@@ -14646,32 +16895,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
 }
 ]
 }
@@ -14683,32 +16925,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the OP metadata contain correct type issuer parameter",
+ "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
 }
 ]
 }
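Review bot: `"format": "uri"` is an annotation in JSON Schema unless the validator is configured to assert formats, so this check may accept any string as `issuer`, and in either case it does not enforce the "no query or fragment component" requirement from the description. A pattern covers both, inside the schema string: `\"issuer\":{\"type\":\"string\", \"pattern\":\"^https://[^?#]+$\"}`. The same remark applies to `logo_uri` in the next hunk, whose pattern `^(https?://).*\\.svg$` additionally accepts plain `http://` for a federation logo; worth confirming against the profile whether `https` is mandatory there and tightening the pattern to `^https://` if so.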
@@ -14720,32 +16955,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the OP metadata contain correct type logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
@@ -14757,32 +16985,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
 }
 ]
 }
@@ -14794,32 +17015,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
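Review bot: The schema declares `trust_marks` as an object whose values are arrays, but the description says it must be a JSON array, and the tests removed by this same commit address it as `$.trust_marks[0].trust_mark`, i.e. an array of objects, which is also how OpenID Federation defines the claim (an array of `{id, trust_mark}` objects). As written the check fails on a conforming entity configuration. Suggested schema string, with the inner quotes escaped as in the neighbouring tests: `{"type": "object", "properties": {"trust_marks": {"type": "array", "items": {"type": "object", "required": ["id", "trust_mark"]}}}, "required": ["trust_marks"]}`.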
@@ -14831,32 +17045,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
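Review bot: The extraction regex `(?<=\"access_token\": \")[^\"]+` hard-codes exactly one space between the colon and the value, so a token endpoint that returns compact JSON (`"access_token":"eyJ..."`, the default output of most serializers) yields no match and the decode step has nothing to check; whether the engine then reports a failure or skips the check silently is not visible here. The same fixed-width lookbehind is used for `access_token` and `id_token` in every decode step from here to the end of this series. If the regex engine supports bounded-length lookbehind, `(?<=\"access_token\":\\s?\")[^\"]+` covers both layouts; otherwise a key-anchored capture such as `\"access_token\"\\s*:\\s*\"([^\"]+)\"` would, provided the decode step can use a group. Separately, the schema requires `aud` to be an array while RFC 7519 also allows a single string; confirm the profile mandates the array form before keeping the check as-is.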
@@ -14868,32 +17075,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
@@ -14905,25 +17105,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -14935,25 +17135,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -14965,25 +17165,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
+ "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -14995,25 +17195,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
 }
 ]
 }
@@ -15025,25 +17225,25 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" } ] } 
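Review bot: The `json schema compliant` string ends in `]})` — the trailing `)` after the closing brace makes the embedded schema invalid JSON, so the check cannot be parsed and the test will error out irrespective of the ID token content. Drop the paren: `\"required\":[\"iss\"]}`. The `const: X_https_OP` value also looks like a placeholder for the OP's issuer URL rather than a real value; if it is substituted at run time, say so in the description, otherwise a `pattern: ^https://` as in the access-token `iss` test above would be the safer check.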
@@ -15055,25 +17255,25 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" } ] } 
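Review bot: The description says the `sub` value is "checked to be a string", but the schema additionally constrains it to `^[0-9a-f]{64}$`, i.e. a 64-character lowercase hex value, so the report will not match what is enforced. If the hex form is the intended requirement, state it: `the 'sub' parameter is checked to be a 64-character lowercase hexadecimal string`; otherwise relax the schema to `{\"type\": \"string\"}`.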
@@ -15085,25 +17285,25 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
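Review bot: The `decode param` regex `(?<=id_token: \")([^\"]+)` cannot match a JSON token response, where the text is `\"id_token\": \"` (the key's closing quote precedes the colon); the same regex is used in the `iat` test in the next hunk. The four sibling ID-token tests use `(?<=\"id_token\": \")[^\"]+` — use that form here so the ID token is actually extracted and the `exp`/`iat` schemas are evaluated against its payload. As written the check most likely runs against an empty decode result and its outcome does not reflect the token.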
@@ -15115,25 +17315,25 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -15145,27 +17345,20 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_mark_issuers", - "is present": "true" - } - ] + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] } 
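Review bot: `\"is\": \"application/json\"` on the Content-Type header looks like an exact comparison; a response that sends `application/json; charset=utf-8` (common and compliant) would then be reported as a failure. If the tool's `is` is an exact match, prefer the `check regex` form already used elsewhere in this file, e.g. `\"check regex\": \"^application/json\"`. The name `Does the Content-Type in a token response set correctly?` reads better as `Is the Content-Type in a token response set correctly?`.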
@@ -15175,27 +17368,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
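Review bot: `token_type` is compared exactly against `Bearer`, but RFC 6749 §5.1 defines the value as case-insensitive, so a compliant `bearer` would fail this test. If the tool supports it, a case-insensitive body regex such as `\"check regex\": \"(?i)\\\"token_type\\\":\\s?\\\"bearer\\\"\"` with `is present` avoids the false negative; otherwise document in the description that only the canonical spelling is accepted.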
@@ -15205,27 +17391,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": "true" } ] } 
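Review bot: The `check regex` `(?<=code=)[a-zA-Z0-9]+(?=&)` does not enforce what the description promises (a UUID): it accepts any alphanumeric run, rejects the hyphens a UUID contains, and the `(?=&)` lookahead fails whenever `code` is the last query parameter. A pattern in the shape the `jti` test above already uses, `(?<=code=)[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?=&|$)`, checks the stated property regardless of parameter order.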
@@ -15235,27 +17414,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
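Review bot: The description ends by requiring `Content-Type: application/entity-statement+jwt`, but the only check is a body regex for a three-part compact JOSE form; the header is never inspected. Either add a head check (`\"in\": \"head\", \"check\": \"Content-Type\", \"is\": \"application/entity-statement+jwt\"`) or trim the description to what is verified. The regex also admits `=`, `+` and `/`, which do not occur in base64url segments, so it is looser than a real JWS-format check.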
@@ -15265,27 +17437,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
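Review bot: The `check regex` opens with an unescaped `[`, so `[\s*"[^"` is parsed as a character class and the pattern no longer describes the intended JSON array; the leading bracket was presumably meant to be `\\[`. Even when corrected, matching a string array at the end of the body does not confirm that the response carries the resolved metadata for the requested `sub`, which is what the description claims — a decode operation on the returned statement with a payload check on `$.metadata` would be closer to the stated intent.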
@@ -15295,27 +17460,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy", - "is present": "true" - } - ] + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
@@ -15325,27 +17483,20 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
@@ -15355,27 +17506,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "message type": "UserInfo response", + "checks": [ + { + "in": "body", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } 
@@ -15385,25 +17529,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" 
+ ] } ] } 
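Review bot: A PEM private key is committed inline as the `jwe decrypt` value, and the same key is repeated verbatim in the five following UserInfo hunks (the `enc` values test and the `alg`, `cty`, `enc` and `kid` presence tests). Even as a test fixture it belongs in a separate key file or an environment reference rather than in a multi-thousand-line JSON test list: each copy must be updated when the key is rotated, and repository secret scanners will flag every occurrence. If the tool only accepts PEM text in this field, keep the key in one place and generate these entries from it.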
@@ -15415,25 +17566,29 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.constraints", - "is present": "true" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -15445,24 +17600,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHn
fnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.exp", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
@@ -15475,24 +17631,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHn
fnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iat", + "in": "header", + "check": "$.cty", "is present": "true" } ] 
@@ -15505,24 +17662,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8J
HnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.jwks", + "in": "header", + "check": "$.enc", "is present": "true" } ] 
@@ -15535,24 +17693,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy", + "in": "header", + "check": "$.kid", "is present": "true" } ] 
@@ -15565,25 +17724,29 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata.openid_provider.acr_values_supported[0]",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
 }
 ]
 }
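Review bot: The `is in` check on `$.metadata.openid_provider.acr_values_supported[0]` only verifies that the first list element is one of the three SPID levels, while the description says the value is checked to be the full list [SpidL1, SpidL2, SpidL3]; an OP that advertises only SpidL1, or SpidL1 followed by an arbitrary value, passes. The same `[0]`-only pattern is repeated in the following hunks for code_challenge_methods_supported, grant_types_supported, the id_token/userinfo/request_object alg and enc lists, token_endpoint_auth_methods_supported, response_modes_supported, scopes_supported and subject_types_supported. If the tool offers a positive counterpart to the `not contains` check used later in this commit, applying it to the whole array would make the check match the description; otherwise the descriptions should say that only the first advertised value is verified.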
@@ -15595,25 +17758,27 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
+ "is in": [
+ "S256"
+ ]
 }
 ]
 }
@@ -15625,25 +17790,28 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata.openid_provider.grant_types_supported[0]",
+ "is in": [
+ "refresh_token",
+ "authorization_code"
+ ]
 }
 ]
 }
@@ -15655,25 +17823,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -15685,31 +17856,27 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -15722,31 +17889,27 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -15759,31 +17922,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the OP metadata contain a correct issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.issuer",
+ "is in": [
+ "X_url_OP"
 ]
 }
 ]
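Review bot: The `issuer` check compares the claim against the literal `"X_url_OP"`, and nothing in this hunk shows that token being substituted with the OP's real URL, so unless the tool performs such a replacement at run time the test can never pass. If `X_url_OP` is a run-time placeholder, say so in the description, e.g. `X_url_OP is replaced with the configured OP URL when the test is loaded`; if it is not, the expected value has to come from the test configuration rather than a fixed string.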
@@ -15796,31 +17954,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -15833,31 +17987,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
+ "is in": [
+ "private_key_jwt"
 ]
 }
 ]
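Review bot: The description says only the presence of `token_endpoint_auth_methods_supported` is checked, but the check added here asserts that its first element is exactly `private_key_jwt`, which is a stricter, value-based requirement; the same mismatch appears in the later client_registration_types_supported hunk, whose check requires `automatic`. Aligning the description with the check, e.g. `...is checked to be 'private_key_jwt'`, avoids a reader concluding that any non-empty list satisfies the test.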
@@ -15870,31 +18019,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -15907,31 +18052,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -15944,31 +18085,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.client_registration_types_supported[0]",
+ "is in": [
+ "automatic"
 ]
 }
 ]
@@ -15981,31 +18117,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.response_modes_supported[0]",
+ "is in": [
+ "form_post",
+ "query"
 ]
 }
 ]
@@ -16018,31 +18150,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the OP metadata contain correct response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.response_types_supported[0]",
+ "is in": [
+ "code"
 ]
 }
 ]
@@ -16055,31 +18182,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is in": [
+ "private_key_jwt"
 ]
 }
 ]
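Review bot: The `check` path for `revocation_endpoint_auth_methods_supported` has no `[0]` index, so the `is in` comparison is applied to the whole array rather than to one element, unlike the sibling `token_endpoint_auth_methods_supported[0]` check earlier in this commit. Depending on how the tool compares an array against the allowed strings this either never matches (the test always fails) or is coerced in a way that is not obvious to the reader; making it consistent with the sibling, `"check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported[0]",`, removes the ambiguity.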
@@ -16092,31 +18214,29 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the OP metadata contain correct scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.scopes_supported[0]",
+ "is in": [
+ "openid",
+ "offline_access",
+ "profile",
+ "email"
 ]
 }
 ]
@@ -16129,31 +18249,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.subject_types_supported[0]",
+ "is in": [
+ "pairwise"
 ]
 }
 ]
@@ -16166,31 +18281,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -16203,31 +18314,27 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -16240,31 +18347,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -16277,31 +18380,28 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
+ "decode regex": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
+ "in": "payload",
+ "check": "$.acr",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
 ]
 }
 ]
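Review bot: The `decode regex` `(?<=\"id_token\": \")[^\"]+` requires exactly one space between the colon and the opening quote, so a Token Response serialized compactly as `"id_token":"..."` produces no match and the `acr` check has nothing to run against, which presumably reads as a pass rather than a failure. Allowing the space to be optional keeps the lookbehind fixed-width while accepting both layouts: `"decode regex": "(?<=\"id_token\":\\s?\")[^\"]+",`. The description also states that the value must be equal or superior to the acr sent by the RP, but the check only asserts membership in the three SPID levels; either trim that sentence or add a check that correlates with the Authentication Request.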
@@ -16314,31 +18414,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
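Review bot: The `not contains` deny list for `id_token_encryption_alg_values_supported` uses `RSA_1_5`, but the JWA identifier registered in RFC 7518 for RSAES-PKCS1-v1_5 is `RSA1_5`, so an OP that still advertises the deprecated algorithm is never flagged by this test; the entry should read `"RSA1_5"`, and the description should be updated to match. Separately, this hunk and the three that follow (id_token_signing_alg_values_supported, request_object_signing_alg_values_supported and token_endpoint_auth_signing_alg_values_supported) add `"decode param": "[^\\r\\n]*"`, while the earlier hunks of this same commit rename that key to `decode regex` and the removed side shows `decode param` carrying a JSONPath (`$.trust_marks[0].trust_mark`), which suggests the regex would not be applied here; `"decode regex": "[^\\r\\n]*",` is presumably what is intended. The unchanged `decode param` context line in the UserInfo `kid` hunk at the top of this range looks like the same leftover.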
@@ -16351,31 +18446,29 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -16388,31 +18481,29 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -16425,34 +18516,29 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -16460,41 +18546,34 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
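Review bot: The new check path `$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]` only tests the first element of the array against the forbidden list, so `none` or `HS256` at index 1 or later would pass. The sibling test for `token_endpoint_auth_signing_alg_values_supported` checks the whole array, so for consistency this should be `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`. The description already says "must not contain the values", which matches the whole-array form.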
@@ -16502,22 +18581,20 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -16526,7 +18603,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", "not contains": [ "RSA_1_5" ] 
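Review bot: The `userinfo_encryption_alg_values_supported` check forbids `RSA_1_5`, but the JWA identifier an OP would actually publish for RSAES-PKCS1-v1_5 is `RSA1_5` (RFC 7518 §4.1), so the check cannot catch the algorithm it is meant to exclude. If the tool's `not contains` is an exact element match, the fix is `"not contains": ["RSA1_5"]` plus the corresponding wording in `description`. Since a `not contains` on an absent array presumably passes vacuously, the separate presence tests later in this file are what guarantee the claim exists at all — worth keeping both.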
@@ -16541,15 +18618,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -16558,7 +18635,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", "not contains": [ "none", "HS256", 
@@ -16576,30 +18653,26 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": 
"header", + "check": "$.cty", + "is": "JWT" } ] } 
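Review bot: A complete PKCS#8 RSA private key is embedded inline as the `jwe decrypt` value of this UserInfo test (and the same key is repeated verbatim in the next test). If this is anything but a throwaway fixture it is a credential leak and should be rotated; even as a fixture it would be better referenced from a file path or environment variable so the test corpus does not carry key material and the two copies cannot drift. I'd add to `description` a sentence such as `The decryption key must be the RP's test userinfo_encryption key; never use a production key here`. Separately, the `cty` check reads `header` after `jwe decrypt` — if the tool exposes the inner JWS header at that point, `cty: "JWT"` (which RFC 7519 §5.2 puts in the outer JWE header) will not be found; worth confirming against the tool's semantics.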
@@ -16611,26 +18684,30 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "in": "header", + "check": "$.alg", + "is not in": [ + 
"none", + "HS256", + "HS384", + "HS512" ] } ] @@ -16643,30 +18720,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.issuer", + "is present": "true" } ] } 
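Review bot: The `alg` check on the UserInfo JWE header forbids `none`/`HS256`/`HS384`/`HS512`, which are JWS signature algorithms; for a JWE, `alg` is the key-management algorithm, and the weak values a practitioner wants rejected there are `RSA1_5` and symmetric wrapping (`dir`, `A128KW`, ...), which the description says should fail but no check covers. Unless `header` after `jwe decrypt` refers to the inner signed JWT — which I can't tell from here — the list should be something like `"is not in": ["RSA1_5", "dir"]`, with the JWS list moved to a check on the decrypted token's header. The description also says an absent `alg` is non-compliant, but `is not in` on a missing field presumably passes vacuously; an explicit `"is present": "true"` check on `$.alg` would pin that.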
@@ -16678,30 +18750,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.openid_provider.jwks", + "is present": "true" } ] } 
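Review bot: This hunk renames the body-selecting regex key from `decode param` to `decode regex`, while earlier hunks in the same patch (for example the `id_token_encryption_alg_values_supported` test) rename in the opposite direction, from `decode regex` to `decode param`. Only one spelling can be the one the tool honours, and a test carrying the other key will likely fail to locate the JWT or check nothing; pick the documented key and use it in every test of this file. Minor: `"is present": "true"` is a string rather than the JSON boolean `true` — fine if the tool's schema expects a string, otherwise prefer `"is present": true`.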
@@ -16713,27 +18780,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.signed_jwks_uri", + "is present": "true" } ] } 
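Review bot: The test is named and described as "jwks or signed_jwks_uri, at least one of the two", but its only check is `"is present": "true"` on `$.metadata.openid_provider.signed_jwks_uri`, so an OP that publishes an inline `jwks` and no `signed_jwks_uri` fails it. The preceding test already asserts `jwks` on its own, so either this check needs an OR over the two paths (if the tool supports one) or the name and description should be narrowed to `signed_jwks_uri` only. As written, the mismatch will produce a false finding against a compliant OP.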
@@ -16745,30 +18810,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" } ] } 
@@ -16780,27 +18840,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" } ] } 
@@ -16812,30 +18870,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" } ] } 
@@ -16847,27 +18900,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -16879,30 +18930,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -16914,27 +18960,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } 
@@ -16946,30 +18990,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -16981,29 +19020,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "is present": "true" } ] } 
@@ -17015,27 +19050,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" - ] + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "is present": "true" } ] } 
@@ -17047,28 +19080,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" - ] + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "is present": "true" } ] } 
@@ -17080,28 +19110,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP metadata contain the introspection_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata.openid_provider.introspection_endpoint",
+ "is present": "true"
  }
  ]
  }
@@ -17113,28 +19140,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
  }
  ]
  }
@@ -17146,28 +19170,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the organization_name claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
  }
  ]
  }
@@ -17179,28 +19200,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
+ "name": "Does the OP metadata contain the policy_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
- "is subset of": [
- "form_post",
- "query"
- ]
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
  }
  ]
  }
@@ -17212,27 +19230,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is subset of": [
- "code"
- ]
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17244,27 +19260,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17276,30 +19290,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
- "is subset of": [
- "openid",
- "offline_access",
- "profile",
- "email"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
  }
  ]
  }
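Review bot: The new description in this hunk says the claim is checked in the `'op'` entity type, but the check path is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported` and the neighbouring hunks name the same location `'openid_provider'`. Suggest `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked."` so the text matches the JSONPath and the sibling tests. The enclosing test object continues outside the hunk.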
@@ -17311,27 +19320,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is subset of": [
- "pairwise"
- ]
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17343,27 +19350,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the OP metadata contain the claims_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
- ]
+ "check": "$.metadata.openid_provider.claims_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17375,28 +19380,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.openid_provider.claims_parameter_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17408,28 +19410,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.metadata.openid_provider.request_parameter_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17441,28 +19440,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17474,28 +19470,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17507,27 +19500,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
- ]
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17539,28 +19530,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_token"
- ]
+ "check": "$.metadata.openid_provider.response_modes_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17572,27 +19560,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the OP metadata contain the response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
- ]
+ "check": "$.metadata.openid_provider.response_types_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17604,28 +19590,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP metadata contain the revocation_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.metadata.openid_provider.revocation_endpoint",
+ "is present": "true"
  }
  ]
  }
@@ -17637,27 +19620,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
- ]
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17669,27 +19650,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256\" , \"RS512"
- ]
+ "check": "$.metadata.openid_provider.scopes_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17701,27 +19680,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
- ]
+ "check": "$.metadata.openid_provider.subject_types_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17733,28 +19710,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint",
+ "is present": "true"
  }
  ]
  }
@@ -17766,27 +19740,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
- ]
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17798,28 +19770,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported",
+ "is present": "true"
  }
  ]
  }
@@ -17831,27 +19800,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the OP metadata contain the userinfo_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" - ] + "check": "$.metadata.openid_provider.userinfo_endpoint", + "is present": "true" } ] } 
@@ -17863,27 +19830,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", + "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" - ] + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "is present": "true" } ] } 
@@ -17895,30 +19860,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" - ] - } - ] + "in": "head", + "check param": "Location", + "contains": "code" } ] } 
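Review bot: The `"contains": "code"` match on the `Location` header is a plain substring test, so any redirect whose URL merely contains the letters "code" (a path segment, an `error_description`, a `code_challenge` echo) passes without an actual `code` query parameter; the same applies to the `state` and `iss` tests in the two following hunks, where `iss` also matches "issuer" anywhere in the URL. The file already uses `check regex` on headers, so the check can be anchored to a query parameter: `"in": "head"`, `"check param": "Location"`, `"check regex": "[?&]code=[^&#]+"` with `"is present": "true"` (and `[?&]state=` / `[?&]iss=` for the other two), assuming mig-t combines `check param` with `check regex` the way it does with `contains`.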
@@ -17928,30 +19883,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "head", + "check param": "Location", + "contains": "state" } ] } 
@@ -17961,30 +19906,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "head", + "check param": "Location", + "contains": "iss" } ] } 
@@ -17994,25 +19929,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ + "in": "header", + "check": "$.alg", + "is in": [ "RS256", "RS512" ] 
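Review bot: The extraction regex `(?<=\"access_token\": \")[^\"]+` hard-codes a single space after the colon, so a token response that is minified (`"access_token":"..."`) or pretty-printed differently yields no match and the `alg` check is never evaluated; the same pattern is used for the access token and id_token in the next two hunks and in the two signature tests below. Allowing optional whitespace keeps the lookbehind bounded (required if the underlying engine is Java's): `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"`. It is worth confirming how mig-t reports a decode that matched nothing, since a silent pass here would mask the absence of the token entirely.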
@@ -18027,26 +19962,29 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
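Review bot: The `is not in` deny-list does not do what the description claims: it only rejects the four listed spellings, so a header with `alg` absent, a case variant such as `None` or `hs256`, or any other symmetric/unlisted value (e.g. `ES256` if that is not supported) passes, while the description says "is absent or contains a symmetric algorithm" is non-compliant; the ID Token test in the next hunk has the same gap. Since the preceding test already expresses the positive rule for the access token, the safer form here is an allow-list plus presence, `"is present": "true"` and `"is in": ["RS256", "RS512"]`, or at least adding `"is present": "true"` alongside the deny-list, depending on whether mig-t evaluates `is not in` against a missing path as a pass. Also "than the Access Token is not compliant" should read "then".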
@@ -18059,27 +19997,29 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -18092,30 +20032,21 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "jwt check sig": "X_key_OP" } ] } 
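Review bot: The description states that the verification key comes from a superior's Entity Statement, but the test only references the placeholder `X_key_OP` and nothing in the hunk shows where that value is populated. If it is filled from the `jwks` carried inside the same Entity Configuration, the check is circular — a self-signed EC always verifies against its own embedded key — and proves nothing about trust-chain membership. The description should name the session/operation that sets `X_key_OP` (presumably the TA fetch-endpoint response for the OP) so a reader can tell the key is not the EC's own `jwks`; the Access/ID Token tests below use a different placeholder, `X_key_core_OP`, and the same provenance note applies there.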
@@ -18125,30 +20056,21 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the OP correctly sign the Access Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] - } - ] + "jwt check sig": "X_key_core_OP" } ] } 
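Review bot: The description says the signature is made "in such a way to be decrypted using its public key"; a JWS signature is verified, not decrypted, and the same sentence appears in the ID Token signing test in the next hunk. Suggested wording for both: "The signature is produced with the OP's private key and verified with the corresponding public key". The `decode param` regex also assumes a single space after the colon in the token response, as noted on the earlier `alg` test.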
@@ -18158,30 +20080,21 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the OP correctly sign the ID Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks[0].trust_mark.organization_type", - "is in": [ - "public", - "private" - ] - } - ] + "jwt check sig": "X_key_core_OP" } ] } 
@@ -18191,15 +20104,15 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the AA's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -18208,11 +20121,8 @@ "checks": [ { "in": "payload", - "check": "$.organization_type", - "is in": [ - "public", - "private" - ] + "check": "$.trust_marks", + "is present": "true" } ] } @@ -18224,24 +20134,24 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints.max_path_length", + "check": "$.exp", "is present": "true" } ] 
@@ -18254,24 +20164,24 @@ }, { "test": { - "name": "Does the Entity's metadata contain the contacts parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.iat", "is present": "true" } ] @@ -18284,24 +20194,24 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "check": "$.iss", "is present": "true" } ] 
@@ -18314,24 +20224,24 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", + "check": "$.jwks", "is present": "true" } ] 
@@ -18344,24 +20254,24 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata", "is present": "true" } ] 
@@ -18374,24 +20284,24 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "check": "$.sub", "is present": "true" } ] 
@@ -18404,24 +20314,24 @@ }, { "test": { - "name": "Does the Entity's metadata contain the homepage_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the AA metadata contain op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$..metadata.openid_provider.op_policy_uri", "is present": "true" } ] 
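Review bot: The JSONPath `$..metadata.openid_provider.op_policy_uri` uses recursive descent, unlike every sibling test which reads `$.metadata....`, so it would also be satisfied by a `metadata` object nested anywhere in the payload (for example inside a trust mark or a policy object) rather than the AA's top-level metadata. The path also targets `openid_provider`, while the AA issuer test later in this file reads the AA metadata under `$.metadata.oauth_authorization_server`; confirm which metadata type the AA is expected to publish `op_policy_uri` under and use the top-level form, e.g. `"check": "$.metadata.oauth_authorization_server.op_policy_uri"`. The character class `[^\\n\\r]*` is equivalent to the `[^\\r\\n]*` used elsewhere but is one more inconsistency to normalise.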
@@ -18434,27 +20344,21 @@ }, { "test": { - "name": "Does the Entity's metadata contain the logo_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "message type": "Entity Configuration response AA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
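Review bot: The `"is": "application/entity-statement+jwt"` comparison is an exact string match, so a response carrying a parameter, e.g. `application/entity-statement+jwt; charset=utf-8`, fails this test even though the media type is correct. If strict equality is the intended compliance rule the description should say so ("with no media-type parameters"); otherwise anchor a regex on the media type instead, `"check regex": "^application/entity-statement\\+jwt"` with `"is present": "true"`, as the HTTP status tests below do.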
@@ -18464,25 +20368,25 @@ }, { "test": { - "name": "Does the Entity's metadata contain the organization_name parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration AA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$.sub", + "is": "X_key_AA" } ] } 
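Review bot: The description says the `sub` value must equal the `iss` parameter, but the check compares `$.sub` with the configured placeholder `X_key_AA`, which only proves `sub` equals whatever the operator typed, not that `sub` and `iss` agree in the same Entity Configuration. Either the description should be changed to "Its value must be equal to the configured AA entity identifier (X_key_AA)", or a second check on `$.iss` with the same `"is": "X_key_AA"` should be added so the two claims are pinned to one value; if mig-t supports comparing two payload paths directly, that would express the stated rule exactly.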
@@ -18494,27 +20398,20 @@ }, { "test": { - "name": "Does the Entity's metadata contain the policy_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "decode operations": [ + "message type": "Entity Configuration response AA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
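Review bot: This test and the "Does the Entity expose the /.well-known/openid-federation endpoint" test in the next hunk run the identical check (`HTTP/?\\d?\\.?\\d?\\s200` on the head), so one of them adds no coverage, and the second one's description promises that "its entity configuration is expected as response" while nothing inspects the body. Give the endpoint-exposure test a body assertion, for instance a `decode operations` entry with `"from": "body"`, `"decode param": "[^\\r\\n]*"`, `"type": "jwt"` and a check that `$.sub` `"is present": "true"`, so a 200 with an HTML error page no longer passes it.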
@@ -18524,27 +20421,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response AA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -18554,25 +20444,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } 
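Review bot: The embedded schema string ends with `]})` — a stray `)` after the closing brace — so it is not valid JSON and the `json schema compliant` validator will either throw or treat every input as non-compliant; the logo_uri schema test in the next hunk has the same trailing `)`. The value should be `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]}"`. Note that `"format": "uri"` is annotation-only in most validators unless format assertion is enabled, so the `pattern` is what actually enforces the https scheme here — worth a sentence in the description.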
@@ -18584,25 +20474,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } 
@@ -18614,25 +20504,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
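Review bot: The schema declares `trust_marks` as an object whose values are arrays, but the description says "It must be an array", and in OpenID Federation entity configurations `trust_marks` is an array of trust-mark objects, so a spec-conformant AA would fail this test while a wrongly shaped object would pass. The schema should be `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"trust_marks\"]}"`; if the object form was deliberate for some profile, the description needs to say which.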
@@ -18644,25 +20534,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
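Review bot: The new description says only the presence of `exp` is checked, while the schema on the `json schema compliant` line also enforces `integer` with `minimum: 0`; the description should say what the test does, e.g. `... and the exp parameter is checked to be present and a non-negative integer`. The `iat` hunk that follows (`@@ -18674`) has the same gap between description and schema. Neither test relates `exp` to `iat` or to the time of the request, so a long-expired Entity Configuration passes both; if the suite has no separate freshness test, that is worth adding, since stale configurations are exactly what an attacker would try to replay.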
@@ -18674,25 +20564,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -18704,25 +20594,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -18734,25 +20624,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", 
\"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } @@ -18764,25 +20654,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
@@ -18794,25 +20684,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain correct type resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
 }
 ]
 }
@@ -18824,25 +20714,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain correct type authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
 }
 ]
 }
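Review bot: This check looks for `authorization_endpoint` under `$.metadata.federation_entity`, whereas the presence test added later in this file (`@@ -19094`) reads it from `$.metadata.oauth_authorization_server`; `authorization_endpoint` is an authorization-server metadata claim, so the path here is probably the wrong one and an otherwise correct AA configuration would fail this schema on the `required` entry. The `const: "private"` expectation itself is only documented in the description, not in the name, which says "correct type"; `Does the AA metadata contain the authorization_endpoint claim with value \"private\"` would tell the reader what is actually asserted. If the `federation_entity` placement is deliberate for this federation's AA profile, a short note in the description saying so would stop the next reader from "fixing" it.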
@@ -18854,25 +20744,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain correct type op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
 }
 ]
 }
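Review bot: The description says the `op_policy_uri` value must be "private", but the schema on the `json schema compliant` line only enforces `type: string` plus `format: uri` — and since `format` is annotation-only in most validators, effectively only "is a string" is checked, so the description and the assertion disagree. If a literal value is intended, use `\"const\": \"private\"` as the previous hunk does; if a URL is intended, add a `pattern` such as `^https://` and fix the description. The path `$.metadata.openid_provider` also disagrees with the presence check added at `@@ -19394`, which reads `$.metadata.oauth_authorization_server.op_policy_uri`; for an AA the latter looks like the intended entity type, and with the current path the `required` entry fails whenever the AA publishes no `openid_provider` metadata.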
@@ -18884,27 +20774,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response AA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
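Review bot: The `check regex` on the body does not describe the JWS compact serialization it is meant to detect: the header and payload groups `[\\w=]+` exclude `-`, which is part of the base64url alphabet, so an Entity Configuration whose header or payload happens to encode to a `-` is reported as not JOSE, while the signature group admits `+` and `/`, which base64url never produces. A pattern over the base64url alphabet, `"check regex": "^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]*$"`, anchored so that the whole body must be the token rather than merely contain something token-like, would test what the description states. The description also names `Content-Type: application/entity-statement+jwt`, but nothing in the hunk inspects the response headers; if the framework supports a header check, add one, otherwise the description should not claim the content type is verified.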
@@ -18914,27 +20797,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
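Review bot: The `check regex` begins with an unescaped `[`, so the engine reads the whole prefix as a character class rather than as the literal opening bracket of a JSON array; the pattern therefore does not test for the JSON string array its shape suggests and, depending on the engine, may not compile at all. If a string array was intended, escape it: `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Note, though, that in OpenID Federation a resolve response is a signed JWT (`application/resolve-response+jwt`), not a bare JSON array, so the expected body shape should be reconsidered against the federation profile this suite targets, and the "HTTP 200 OK" the description promises is not asserted by any operation in the hunk.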
@@ -18944,15 +20820,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -18961,8 +20837,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
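Review bot: The new `check` path ends in `.one_of`, but `one_of` is a metadata-policy operator that lives under `metadata_policy` in a Trust Anchor's Entity Statement, not inside an entity's own `metadata` in its Entity Configuration, where `dpop_signing_alg_values_supported` is a plain array of strings; unless this AA deliberately publishes policy operators inside its metadata, the path resolves to nothing and the `is in` check fails on a correct configuration. The same suffix is carried into the `token_endpoint_auth_methods_supported`, `token_endpoint_auth_signing_alg_values_supported` and the two `not contains` hunks that follow (`@@ -18974`, `@@ -19004`, `@@ -19034`, `@@ -19064`). Dropping it, `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported"`, checks the array itself; the descriptions, which also say 'one_of', would need the matching edit. The `not contains` tests rejecting `none` and the HS* algorithms are the valuable part of this batch and deserve a working path most.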
@@ -18974,15 +20853,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -18991,8 +20870,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
@@ -19004,15 +20885,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19021,8 +20902,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -19034,25 +20918,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -19064,25 +20953,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -19094,15 +20988,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the AA metadata contain the authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19111,7 +21005,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.metadata.oauth_authorization_server.authorization_endpoint",
 "is present": "true"
 }
 ]
@@ -19124,15 +21018,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the contacts claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19141,7 +21035,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -19154,15 +21048,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19171,7 +21065,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -19184,15 +21078,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19201,7 +21095,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -19214,15 +21108,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19231,7 +21125,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
 "is present": "true"
 }
 ]
@@ -19244,15 +21138,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the grant_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19261,7 +21155,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "check": "$.metadata.oauth_authorization_server.grant_types_supported",
 "is present": "true"
 }
 ]
@@ -19274,15 +21168,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the AA metadata contain the homepage_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19291,7 +21185,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -19304,15 +21198,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the AA metadata contain the issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19321,7 +21215,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.metadata.oauth_authorization_server.issuer",
 "is present": "true"
 }
 ]
@@ -19334,15 +21228,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the AA metadata contain the jwks claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
@@ -19351,7 +21245,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "check": "$.metadata.oauth_authorization_server.jwks",
 "is present": "true"
 }
 ]
@@ -19364,15 +21258,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "name": "Does the AA metadata contain the logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -19381,7 +21275,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -19394,15 +21288,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the AA metadata contain the op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -19411,7 +21305,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "check": "$.metadata.oauth_authorization_server.op_policy_uri", "is present": "true" } ] 
@@ -19424,15 +21318,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the AA metadata contain the op_tos_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -19441,7 +21335,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "check": "$.metadata.oauth_authorization_server.op_tos_uri", "is present": "true" } ] 
@@ -19454,15 +21348,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the AA metadata contain the organization_name claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -19471,7 +21365,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -19484,15 +21378,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does the AA metadata contain the policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -19501,7 +21395,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -19514,15 +21408,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the AA metadata contain the resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -19531,7 +21425,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "check": "$.metadata.oauth_resource.resource", "is present": "true" } ] 
@@ -19544,15 +21438,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the AA metadata contain the response_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -19561,7 +21455,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "check": "$.metadata.oauth_authorization_server.response_types_supported", "is present": "true" } ] 
@@ -19574,15 +21468,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the AA metadata contain the scopes_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response AA", "decode operations": [ { "from": "body", @@ -19591,7 +21485,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "check": "$.metadata.oauth_authorization_server.scopes_supported", "is present": "true" } ] 
@@ -19604,21 +21498,27 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the AA metadata contain the token_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
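Review bot: This hunk and the next two replace the only signature-verification tests visible here — `"jwt check sig": "X_key_TA"` on the TA Entity Configuration and on the TA's Entity Statements for the OP and the RP — with presence checks on AA metadata claims; unless the TA signature tests survive elsewhere in the file, the suite no longer verifies that anything issued by the trust anchor is authentically signed, and a presence check on `$.metadata.oauth_authorization_server.token_endpoint` says nothing about who produced the statement. The three new AA tests also introduce `"decode regex": "[^\\r\\n]*"`, while the AA signature test added further down and the RP Entity Configuration tests in All_RP.json keep `"decode param"` for the same body extraction; only one of the two keys can be the one the decoder honours, so whichever is wrong silently turns the decode step, and the check nested in it, into a no-op or a failure. Whichever key is correct, it should be used consistently across these tests.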
@@ -19628,21 +21528,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -19652,21 +21558,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response AA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -19676,21 +21588,21 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "jwt check sig": "X_key_AA"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
index 6ffc711..0d827ef 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
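Review bot: The Content-Type test for the TA's `/.well-known/openid-federation` response (`application/entity-statement+jwt`) is removed here and not re-added in any hunk I can see; if it is not kept elsewhere in the file, it should be restored as its own test rather than overwritten, since the AA signature test that takes its slot is unrelated to it. The new AA signature test uses `"decode param": "[^\\r\\n]*"` where the three AA tests directly above switched to `"decode regex"` for the same extraction; the four should agree on the key. `X_key_AA` is presumably a tool variable resolved the way `X_key_TA` was — confirm it is defined in the session configuration, because a signature check against an undefined key cannot prove anything.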
@@ -7,20 +7,27 @@ "tests": [ { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr_values", + "is present": "true" + } + ] } ] } 
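Review bot: The description added in this hunk, and those of the aud, exp, iat and prompt tests in the following hunks, read "than the RP is not compliant"; it should be `then the RP is not compliant with the specifications`, and the aud variant also drops a word (`If it is missing, then …`). Separately, the Introspection, Revocation and Token request tests removed in this and the following hunks were the only ones visible that checked `client_assertion_type` and that `client_id` is an https URI identifying the RP; if they were moved to another suite that is fine, but the replacements only assert that an Authentication Request JWT claim exists, which covers a different part of the flow and does not substitute for them.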
@@ -30,20 +37,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_url_RP" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -53,20 +67,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -76,20 +97,27 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } @@ -99,20 +127,27 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
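Review bot: The client_id test's description says the payload is "decrypted", but the operation is a plain `jwt` decode of the `request` parameter like every sibling test; `the JWT Token in the request parameter base64url decoded and the presence of the 'client_id' parameter is checked` would describe what actually runs. The kid test in the second hunk checks `"in": "header"`, so its description should say that the JWT header, not the request payload, is inspected, e.g. `the JWT header of the request parameter is base64url decoded and the presence of the 'kid' parameter is checked`.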
@@ -122,20 +157,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -145,20 +187,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } 
@@ -168,20 +217,27 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.prompt", + "is present": "true" + } + ] } ] } 
@@ -191,40 +247,55 @@ }, { "test": { - "name": "Does the JWT payload contain a correct sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "in": "payload", + "check": "$.redirect_uri", + "is present": "true" } - ], + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.sub", - "contains": "saved_iss" + "check": "$.response_type", + "is present": "true" } ] } 
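Review bot: The active test removed here bound the client_assertion's `sub` to its `iss` in the Token request; together with the active checks removed in the following hunks — client_id against the RP Entity Configuration, redirect_uri against the EC's `redirect_uris`, response_type against `response_types[0]`, and `iss` against the client_id — the RP aggregate now keeps only presence checks on the Authentication Request JWT. The redirect_uri binding in particular is the check that catches an RP sending a redirect target it has not registered, so if these were not moved to another test set I would keep them alongside the new presence tests rather than replace them. The new redirect_uri description is also an unfinished sentence; it should end `… and the presence of the 'redirect_uri' parameter is checked.`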
@@ -236,53 +307,55 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", - "type": "active", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.client_id", - "as": "client_id" + "in": "payload", + "check": "$.scope", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "client_id" + "check": "$.state", + "is present": "true" } ] } 
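Review bot: The scope test is named "Does the RP Authentication Request contain the 'scope' parameter" while every sibling test reads "Authentication Request's JWT"; since the check runs on the decoded JWT payload, `Does the RP Authentication Request's JWT contain the 'scope' parameter` keeps the naming consistent and accurate. The state test added in the same hunk follows the sibling form already.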
@@ -294,41 +367,74 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.ui_locales", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.redirect_uri", - "as": "redirect_uris" + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the 
interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { @@ -337,10 +443,9 @@ "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "contains": "redirect_uris" + "check": "$.exp", + "is present": "true" } ] } 
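Review bot: The new exp test only asserts that the claim exists, so an Entity Configuration whose `exp` is already in the past passes; if the tool can compare a numeric claim against the current time that is the check worth adding here, otherwise the description should state that expiry itself is not evaluated. The descriptions of the exp, iat and iss tests (this hunk and the next) say the payload is decoded "(Base64 encoding)"; JWT segments are base64url, as the other tests in this file already phrase it, so `the payload is base64url decoded` would be the accurate wording.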
@@ -352,41 +457,44 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", - "type": "active", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.response_type", - "as": "response_types_supported" + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { 
@@ -395,10 +503,9 @@ "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "contains": "response_types_supported" + "check": "$.iss", + "is present": "true" } ] } 
@@ -410,41 +517,74 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", - "type": "active", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "iss" + "in": "payload", + "check": "$.metadata", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + 
"name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { @@ -453,10 +593,9 @@ "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "iss" + "check": "$.sub", + "is present": "true" } ] } 
@@ -468,41 +607,44 @@ }, { "test": { - "name": "Does the JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", - "type": "active", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.metadata.openid_relying_party.client_id", - "as": "client_id" + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token request", "decode operations": [ { @@ -511,10 +653,9 @@ "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "client_id" + "check": "$.aud", + "is present": "true" } ] } 
@@ -526,53 +667,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", - "type": "active", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.aud[0]", - "contains": "saved_iss" + "check": "$.exp", + "is present": "true" } ] } 
@@ -584,20 +697,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -607,20 +727,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } 
@@ -630,25 +757,25 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", "check": "$.sub", - "is": "X_url_RP" + "is present": "true" } ] } 
@@ -660,20 +787,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
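Review bot: The new test name `Does the JWT payload contain 'iss' claim` departs from the naming of its siblings in this series (`Does the signed JWT assertion contain the <claim> claim` at L1833–L1837), so reports will not show at a glance that this is the client_assertion iss check. Rename it to `"name": "Does the signed JWT assertion contain the iss claim"` to match; the description already uses that wording.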
@@ -683,20 +817,21 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Entity Configuration response RP", "checks": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
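Review bot: `"url decode": false` is the first JSON boolean in a file whose flags are otherwise strings (`"is present": "true"` on the added line at L1838), and from L1840 onward `"is present"` switches to a bare `true`; one key with two types across the document forces the loader to accept both and hides typos such as `"false"`. Pick one form for the whole suite. Separately, if `is` on a head check is a strict string comparison, a response whose Content-Type carries a media-type parameter (e.g. a charset) would fail although the media type is the required `application/entity-statement+jwt`; a `"check regex": "^application/entity-statement\\+jwt(\\s*;|$)"` would accept that case, assuming `check regex` is supported in the head scope as the removed lines at L1842 suggest.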
@@ -706,20 +841,20 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", + "message type": "Authentication request", "checks": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "in": "url", + "is present": true, + "check": "code_challenge" } ] } 
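Review bot: The PKCE test only establishes that a `code_challenge` parameter exists in the authentication request URL, and the companion `code_challenge_method` hunk at L1841 likewise checks presence only, so a request using the `plain` method passes both tests although the description states the request is then "compliant with the specifications". If the targeted profile mandates S256, the method test should pin the value, e.g. `"in": "url", "check": "code_challenge_method", "is": "S256"` (assuming `is` pairs with `check` in the url scope as it does for payload checks elsewhere in this file); otherwise the description should say only that presence is verified. The description also reads `than` where `then` is meant.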
@@ -729,20 +864,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Authentication request", "checks": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "in": "url", + "is present": true, + "check": "code_challenge_method" } ] } @@ -752,20 +887,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Authentication request", "checks": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "in": "url", + "is present": true, + "check": "client_id" } ] } 
@@ -775,20 +910,20 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "checks": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "in": "url", + "is present": true, + "check": "response_type" } ] } @@ -798,20 +933,20 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "message type": "Introspection request", "checks": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
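Review bot: The `"check regex": "client_assertion"` in the Introspection request hunk is an unanchored substring match, so a body that carries only `client_assertion_type=...` satisfies the test and a missing `client_assertion` goes unnoticed. The same pattern recurs in later hunks: `client_assertion` at L1844, L1848 and L1852; `token` at L1846, L1851 and L1857, where `token_type_hint=` alone matches; `client_id` at L1845, L1850 and L1854; and `code` at L1855, which `code_verifier=` matches. Anchoring each pattern to the parameter boundary, e.g. `"check regex": "(?:^|&)client_assertion="`, makes the presence check mean what the test name says.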
@@ -821,20 +956,20 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "UserInfo request", + "message type": "Introspection request", "checks": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -844,27 +979,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
@@ -874,27 +1002,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -904,27 +1025,20 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
@@ -934,27 +1048,20 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
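Review bot: The HTTP-method test looks for a URL parameter named `POST` (`"in": "url", "check": "POST"`), which is not where the request method lives, so the test presumably can never pass as written. The removed version of this test, visible on the old side of L1842, inspected the request head; the new one should do the same, e.g. `"in": "head", "is present": true, "check regex": "^POST\\s"`. The description also lacks a verb agreement: `"The Introspection request made by the RP must use HTTP POST"`.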
@@ -964,27 +1071,20 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
@@ -994,27 +1094,20 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -1024,27 +1117,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -1054,27 +1140,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
@@ -1084,27 +1163,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
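Review bot: The description states the `client_assertion` parameter must be "in the URL", but the check inspects `"in": "body"`, which agrees with the `(?<=client_assertion=)` body decode used elsewhere in this file; the check is right and the description is wrong. The same wording recurs for `client_assertion_type` at L1853 and for `client_id`, `code`, `code_verifier` and `grant_type` at L1854–L1856. Suggest `"description": "The token request sent by the RP must contain the client_assertion parameter in the body"` and the analogous wording in the sibling tests.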
@@ -1114,27 +1186,20 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -1144,27 +1209,20 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } @@ -1174,8 +1232,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" 
@@ -1183,18 +1241,11 @@ "operations": [ { "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "code" } ] } @@ -1204,8 +1255,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" @@ -1213,18 +1264,11 @@ "operations": [ { "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] } 
@@ -1234,8 +1278,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" @@ -1243,18 +1287,11 @@ "operations": [ { "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } 
@@ -1264,27 +1301,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr_values", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
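Review bot: `"check regex": "token"` on the Revocation request matches any body containing that substring, including `token_type_hint=refresh_token`, so it neither proves a `token` parameter is present nor that only the access token is revoked, which is what the description claims the test establishes. Anchor it, `"check regex": "(?:^|&)token=[^&]+"`, and if the intent is to confirm the refresh token is left alone, add a second check on `token_type_hint` or a negative match on the refresh-token value; the current single operation cannot distinguish the two cases.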
@@ -1294,27 +1324,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.aud", - "is present": "true" - } - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } 
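Review bot: `"check param": "Authorization"` only establishes that some Authorization header is present on the UserInfo request, not that it carries a bearer access token as the description states; a Basic credential would pass. If the harness supports a header regex the way the `@@ -1384` hunk uses one, `"check regex": "Authorization:\\s*Bearer\\s+[A-Za-z0-9._~+/=-]+"` pins the scheme and gives the test the meaning its name promises.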
@@ -1324,25 +1347,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" } ] } 
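Review bot: The expected value `"is": "x_https_RP"` is written with a lowercase `x`, while the same RP-identifier placeholder appears as `X_https_RP` in the `@@ -2074` hunk and as `X_url_RP` in the `@@ -1354` and `@@ -2014` hunks. If these names are substituted by the harness, the odd one out is compared literally and the check fails (or, worse, never matches a real client_id without anyone noticing); pick one spelling, e.g. `"is": "X_https_RP"`, and use it wherever the RP URL is expected. The decode regex is likewise written as `[^\\n\\r]*` here and `[^\\r\\n]*` in the next hunk; the two are equivalent, but the churn between them throughout this diff makes the hunks harder to review.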
@@ -1354,25 +1377,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does entity configuration RP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", - "is present": "true" + "check": "$.sub", + "is": "X_url_RP" } ] } @@ -1384,27 +1407,20 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
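Review bot: The `sub` check compares against the fixed placeholder `"is": "X_url_RP"` although the description requires `sub` to equal `iss`, so a configuration whose `iss` is wrong in the same way passes. The `@@ -1444` hunk already shows the pattern to use here: save `$.iss` with `"jwt save"` and compare `$.sub` against it with `"use variable"`. The second hunk (`@@ -1384`) and the one at `@@ -1414` define two tests with identical operations, an HTTP 200 regex on the RP Entity Configuration response, so one of them adds no coverage; if the second is meant to verify the endpoint path, it needs a check on the request URL rather than the response status.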
@@ -1414,27 +1430,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -1444,25 +1453,40 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", - "type": "passive", + "name": "Does the JWT payload contain a correct sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ], "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.nonce", - "is present": "true" + "check": "$.sub", + "contains": "saved_iss" } ] } 
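Review bot: `"contains": "saved_iss"` is a substring test, so a `sub` such as `https://rp.example/other` still passes when `iss` is `https://rp.example`, even though the description requires the two values to be equal. If the harness accepts `"is"` together with `"use variable"` (it uses `"is"` with placeholder values elsewhere in this file), `"is": "saved_iss"` expresses the intended equality. The operations array continues past the end of this hunk, so the test's `result` entry is not visible here.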
@@ -1474,26 +1498,22 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.prompt", - "is present": "true" - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] @@ -1504,8 +1524,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" 
@@ -1521,8 +1541,8 @@ "checks": [ { "in": "payload", - "check": "$.redirect_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } @@ -1534,8 +1554,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" @@ -1551,8 +1571,8 @@ "checks": [ { "in": "payload", - "check": "$.response_type", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } 
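Review bot: Both new patterns, `^[\\u0020-\\u007E]{32,}$` for `state` here and for `nonce` in the `@@ -1551` hunk, accept any printable ASCII including spaces and punctuation, while the descriptions promise "at least 32 alphanumeric characters". If the alphanumeric requirement is the one to enforce, use `^[A-Za-z0-9]{32,}$`; otherwise the descriptions should be loosened to match the check so that a failing or passing result is read correctly. The double escaping appears correct as written, since the schema string is itself JSON-decoded before the pattern is compiled.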
@@ -1564,25 +1584,25 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -1594,25 +1614,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.state", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1624,25 +1644,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -1654,25 +1674,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
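Review bot: The schema's `"required"` list names all six metadata types, so an RP whose entity configuration carries only `openid_relying_party` and `federation_entity` (the usual case) fails this test, whereas the description only says the keys must be drawn from that set and not repeated. Drop the `required` array and keep `\"additionalProperties\": false`, which already enforces the allowed set. A parsed JSON object cannot hold a key twice, so the "only once" part of the description is not something a schema can check; if duplicate keys are a concern, the decoder's behaviour on them would need its own test.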
@@ -1684,8 +1704,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -1696,13 +1716,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } @@ -1714,8 +1734,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" @@ -1726,13 +1746,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } 
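Review bot: In the `@@ -1726` hunk the schema ends with `\"requirement\":[\"grant_type\"]` — `requirement` is not a JSON Schema keyword and is ignored, and the name listed is `grant_type` rather than `grant_types` — so the test passes when `grant_types` is absent and only checks the type when it happens to be present. It should read `\"required\": [\"grant_types\"]`, matching the `required` arrays in the neighbouring schemas. The `client_id` schema in the first hunk is sound, though `\"format\": \"uri\"` is an annotation unless the validator enables format assertions; the `^https://` pattern is what actually carries that check.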
@@ -1744,8 +1764,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1761,8 +1781,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } @@ -1774,8 +1794,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1791,8 +1811,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } 
@@ -1804,8 +1824,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -1816,13 +1836,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -1834,8 +1854,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" 
@@ -1846,13 +1866,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } @@ -1864,8 +1884,8 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" @@ -1881,8 +1901,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } @@ -1894,8 +1914,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" 
@@ -1911,8 +1931,8 @@ "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } @@ -1924,8 +1944,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" @@ -1941,8 +1961,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -1954,8 +1974,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" 
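Review bot: `{\"type\": \"array\", \"format\": \"uri-reference\"}` places `format` on the array itself, where it has no effect, so the `aud` check only verifies that `aud` is an array and the description's "must be an URL" is not enforced. Constrain the elements instead, `\"items\": {\"type\": \"string\", \"format\": \"uri\"}, \"minItems\": 1`, and consider accepting a plain string as well, since RFC 7523 permits `aud` as a single value. Not a code line, but the `exp` and `iat` descriptions in the following hunks say "timestap" for "timestamp".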
@@ -1971,8 +1991,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1984,27 +2004,66 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", - "type": "passive", + "name": "Does the Revocation Request contain correct client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jti", - "is present": "true" - } - ] + "value": "https://example.com", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
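Review bot: The Revocation response check `{"in": "body", "check": "invalid_client"}` carries no operator (`is present`, `is`, `check regex`), unlike every other check in this diff, so it is unclear whether the harness treats it as a presence test or ignores it; `"check regex": "\"error\"\\s*:\\s*\"invalid_client\""` makes the expectation explicit. The injected `"value": "https://example.com"` is written into a form-encoded body without percent-encoding; the OP will usually decode it, but `https%3A%2F%2Fexample.com` avoids depending on lenient parsing and matches what a real client sends. The introspection test's description in the same hunk spells the type `clientassertion-type` (missing hyphen) while the check uses the correct `client-assertion-type`; the descriptions in the `@@ -2014` and `@@ -2044` hunks have similar typos.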
@@ -2014,27 +2073,43 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check": "client_id", + "is": "X_url_RP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
@@ -2044,8 +2119,8 @@
 },
 {
 "test": {
- "name": "Does the JWT payload contain 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
+ "name": "Does the client_assertion_type parameter in the token request contain the correct type",
+ "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2053,18 +2128,11 @@
 "operations": [
 {
 "message type": "Token request",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
@@ -2074,29 +2142,43 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
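Review bot: The JOSE-shape regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` in the second hunk is unanchored and uses `\\w`, which excludes the `-` that base64url header and payload segments routinely contain, so it matches any three dot-separated word runs in the body (an HTML error page containing `a.b.c` passes) while a genuine JWT whose header holds a `-` only matches by accident on a substring. The `token=` regex in the `@@ -2106` hunk and the `client_assertion=` regex in the `@@ -2171` hunk have the same character-class problem, and since both are anchored by the parameter name and `(?:&|$)` they reject valid tokens outright. Use the base64url alphabet, e.g. `^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$` for the body here; `+`, `/` and `=` belong to standard base64, which JWS compact serialization does not use. The description also promises a `Content-Type: application/entity-statement+jwt` check, but nothing in the hunk inspects the headers; a second check with `"in": "head"` and `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt"` would cover it.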
@@ -2106,29 +2188,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
@@ -2138,30 +2211,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
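Review bot: The body regex in the resolve-endpoint test starts with an unescaped `[`, so `[\\s*\"[^\"]*\"...` opens a character class that is closed by the first `]` inside `[^\"]`, and the pattern no longer matches the JSON array it seems meant to match; the opening bracket should be `\\[`. The description also states that an HTTP 200 OK is expected, but there is no head check; the status pattern used elsewhere in this file fits, `"in": "head", "check regex": "HTTP/?\\d?\\.?\\d?\\s200"`. Presumably the resolve response is itself a signed JWT rather than a JSON array — worth confirming against the federation profile before relying on this regex at all.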
@@ -2171,30 +2234,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } 
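Review bot: The `client_assertion` pattern `([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)` allows an empty signature segment, so an unsigned assertion (`alg` `none`) satisfies a test whose description requires a signed JWT structure, and the first two groups exclude `-`, which is valid base64url. It is also inconsistent with the token-request `client_assertion` pattern added in the same patch, which admits `=`, `+` and `/`. Requiring a non-empty signature and the full base64url alphabet in every segment, `"check regex": "client_assertion=[\\w-]+\\.[\\w-]+\\.[\\w-]+(?:&|$)"`, matches the stated intent.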
@@ -2204,30 +2257,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
@@ -2237,30 +2280,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -2270,29 +2303,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "head", + "check regex": "POST", + "is present": "true" } ] } 
@@ -2302,30 +2326,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "head", + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } @@ -2335,8 +2349,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" @@ -2352,10 +2366,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "check": "$.metadata.openid_relying_party.client_registration_types[0]", "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "automatic" ] } ] 
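Review bot: The Authorization header pattern uses `Bearer\\s?`, which accepts `BearerXYZ` with no separator, and its signature group `([\\w\\-\\+\\/=]*)` accepts an empty signature, so the test named "valid Access Token" passes for a malformed header carrying an unsigned token. A stricter pattern is `"check regex": "Authorization:\\s*Bearer\\s+[\\w-]+\\.[\\w-]+\\.[\\w-]+"`. Since only the shape is inspected, the name and description should say "well-formed JWT" rather than "valid" — validity (signature, expiry, audience) is not checked here.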
@@ -2368,8 +2381,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" @@ -2385,10 +2398,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "check": "$.metadata.openid_relying_party.grant_types[0]", "is in": [ - "RS256", - "RS512" + "authorization_code", + "refresh_token" ] } ] @@ -2401,8 +2414,8 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -2418,9 +2431,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", "is in": [ - "code" + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
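Review bot: The `grant_types` test checks only `grant_types[0]` with `is in`, so an RP advertising `["authorization_code"]` alone passes, although the description says the value must contain both `authorization_code` and `refresh_token`. If mig-t supports a positive `contains` operator (this file already uses `not contains` on arrays), the check should be `"check": "$.metadata.openid_relying_party.grant_types", "contains": ["authorization_code", "refresh_token"]`; otherwise the description should be narrowed to what is actually tested.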
@@ -2433,66 +2447,30 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "active", - "sessions": [ - "s1" - ], - "operations": [ - { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "https://example.com", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" - } - ] - } - ], - "result": "assert_only" - } - }, - { - "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. 
If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } @@ -2502,20 +2480,30 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } 
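Review bot: This hunk drops the RP suite's only PKCE checks (presence of `code_challenge` and `code_challenge_method` in the Authentication request) together with the active revocation client_id test, and no replacement is visible in this chunk. If those tests were not moved to another file in this series, the suite silently stops verifying that the RP uses PKCE, which is a security regression rather than a refactor; either restore them or state in the commit message where they went. The newly placed `id_token_encrypted_response_enc` test itself looks consistent with the sibling `_alg` test.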
@@ -2525,20 +2513,29 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] + } + ] } ] } @@ -2548,20 +2545,30 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] + } + ] } ] } 
@@ -2571,20 +2578,30 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -2594,20 +2611,30 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } 
@@ -2617,20 +2644,29 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] + } + ] } ] } 
@@ -2640,20 +2676,29 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } @@ -2663,8 +2708,8 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ "s_CIE_introsp" @@ -2675,8 +2720,8 @@ "checks": [ { "in": "body", - "is present": true, - "check regex": "token" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
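Review bot: The moved `RSA_1_5` test uses `"decode param": "[^\\r\\n]*"` while every other Entity Configuration test in this file uses `"decode regex": "[^\\r\\n]*"` for the same value; a regex supplied under `decode param` will presumably be looked up as a parameter name and never decode the JWT, so the `not contains` check would not run. Change the key to `"decode regex"` to match its siblings. In the introspection hunk that follows, the JSON-schema check is applied to `$` of a form-encoded body (`token=...&client_id=...`); unless mig-t converts such bodies to a JSON object first, the schema cannot validate and the test will fail for every RP — confirm the harness behaviour.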
@@ -2686,20 +2731,20 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Revocation request", "checks": [ { - "in": "url", - "is present": true, - "check": "POST" + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } @@ -2709,20 +2754,20 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token request", "checks": [ { "in": "body", - "is present": true, - "check regex": "client_assertion" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
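Review bot: The token-request `json schema compliant` string ends with `\"required\":[\"client_id\"]})` — a stray `)` after the closing brace makes the schema unparseable, so the check can never pass; drop the `)` so it ends `\"required\":[\"client_id\"]}`. The description also says the client_id is taken "in the URL" while the check reads `"in": "body"`. As with the sibling revocation test, the body is form-encoded rather than JSON, so this only works if the harness parses it into an object before applying the schema.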
@@ -2732,20 +2777,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" + } + ] } ] } @@ -2755,20 +2807,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" + } + ] } ] } 
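Review bot: The new presence checks use the string `"is present": "true"` whereas the tests they replace used the JSON boolean `"is present": true`. If mig-t compares the value as a boolean, the string form may be ignored or always evaluate as truthy regardless of presence; if it accepts both, the mix still makes the file inconsistent. Pick the boolean form, `"is present": true`, across the new tests unless the harness documents the string form.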
@@ -2778,20 +2837,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" + } + ] } ] } @@ -2801,20 +2867,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" + } + ] } ] } 
@@ -2824,20 +2897,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" + } + ] } ] } @@ -2847,20 +2927,27 @@ }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" + } + ] } ] } 
@@ -2870,20 +2957,27 @@ }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" + } + ] } ] } @@ -2893,20 +2987,27 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" + } + ] } ] } 
@@ -2916,20 +3017,27 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "grant_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" + } + ] } ] } @@ -2939,20 +3047,27 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" + } + ] } ] } 
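Review bot: The second test in this hunk, "Does the RP metadata contain the 'grant_types' parameter", duplicates the "Does the RP metadata contain the grant_types claim" test added earlier in this patch: same session, same message type, same JSONPath `$.metadata.openid_relying_party.grant_types` and the same `is present` check. Keep one of them (the quoted-name form matches the other parameter tests) so the report does not count the same finding twice.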
@@ -2962,20 +3077,27 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" + } + ] } ] } 
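Review bot: This `jwks` presence test is duplicated further down in the same patch by "Does the RP metadata contain the 'jwks' parameter" with an identical JSONPath and `is present` check, differing only in description wording. One of the two should be removed, or, if both are intended to stay, they should assert different things — for instance the later one could check that `jwks.keys` is a non-empty array, which is the property a verifier actually needs.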
@@ -2985,33 +3107,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] + "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "is present": "true" } ] } 
@@ -3023,28 +3137,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is present": "true" } ] } 
@@ -3056,32 +3167,25 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ - { - "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] + { + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } 
@@ -3093,30 +3197,25 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } @@ -3128,8 +3227,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3145,7 +3244,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -3158,8 +3257,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3175,7 +3274,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] @@ -3188,8 +3287,8 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -3205,7 +3304,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", "is present": "true" } ] 
@@ -3218,8 +3317,8 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -3235,7 +3334,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", "is present": "true" } ] @@ -3248,8 +3347,8 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -3265,7 +3364,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", "is present": "true" } ] 
@@ -3278,8 +3377,8 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -3295,7 +3394,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is present": "true" } ] @@ -3308,8 +3407,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", "type": "passive", "sessions": [ "s1" @@ -3325,7 +3424,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "check": "$.metadata.openid_relying_party.response_types", "is present": "true" } ] 
@@ -3338,8 +3437,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3355,8 +3454,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -3368,8 +3472,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" @@ -3385,8 +3489,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" + ] } ] } 
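Review bot: The `is not in` denylist for `id_token_signed_response_alg` (and for `userinfo_signed_response_alg` at new line 3521 and the request-object `alg` header at new line 3995) only rejects the four listed strings; any other value — an unregistered name, a differently cased `None`, or a weak algorithm that is not in the list — passes. An allowlist of the algorithms the profile actually permits, written as `"is in": [...]`, is the safer shape for a signing-algorithm check, and the same applies to `"is not in": ["RSA_1_5"]` for `userinfo_encrypted_response_alg`. It is also worth confirming how the tool evaluates `is not in` when the parameter is absent, since the presence check lives in a separate test entry. The enclosing test objects continue past the hunk.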
@@ -3398,8 +3504,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3415,8 +3521,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -3428,25 +3539,53 @@ }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.client_id", + "as": "client_id" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "contains": "client_id" } ] } 
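Review bot: The body decode of the Entity Configuration response switches from `"decode regex": "[^\\r\\n]*"` to `"decode param": "[^\\r\\n]*"`, but the new passive tests earlier in this file (new lines 3077 through 3521) keep `decode regex` for the identical decode, and `decode param` is otherwise used with a plain parameter name (`request`). The same switch appears in the hunks at new lines 3597, 3655, 3713, 3771, 3829, 4042 and 4054. If the tool treats `decode param` as a literal name rather than a regex, those decodes find nothing and the checks never run; either way the file should use one key for regex-based extraction. The enclosing test object continues past the hunk.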
@@ -3458,25 +3597,53 @@ }, { "test": { - "name": "Does the RP metadata contain the organization_name claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.redirect_uri", + "as": "redirect_uris" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$.metadata.openid_relying_party.redirect_uris", + "contains": "redirect_uris" } ] } 
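Review bot: The `redirect_uri` saved from the request object is compared with `"contains": "redirect_uris"` against `$.metadata.openid_relying_party.redirect_uris`, which is a substring match: a requested `redirect_uri` that is a prefix of a registered one (or of the serialised array) passes, although OAuth requires exact string comparison of redirect URIs. The same `contains` comparison is used for `client_id` at new lines 3539 and 3713, for `iss` at new line 3771 and for `aud` at new line 3829. If the tool supports an equality operator together with `use variable` (it has `is` for plain checks), prefer that; otherwise the description should state that only a substring match is performed. The enclosing test object continues past the hunk.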
@@ -3488,25 +3655,53 @@ }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.response_type", + "as": "response_types_supported" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.openid_relying_party.response_types[0]", + "contains": "response_types_supported" } ] } 
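Review bot: The description says the request's `response_type` must equal `response_types_supported` in the OP metadata, but the check reads `$.metadata.openid_relying_party.response_types[0]` from the RP's own Entity Configuration, and naming the saved variable `response_types_supported` hides the mismatch. Either the description should say the value is compared with the RP's registered `response_types`, or the second intercept should target the OP metadata. Indexing `[0]` also only considers the first registered type; `"check": "$.metadata.openid_relying_party.response_types"` without the index would cover all of them. The enclosing test object continues past the hunk.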
@@ -3518,25 +3713,53 @@ }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "contains": "iss" } ] } 
@@ -3548,55 +3771,53 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", - "type": "passive", + "name": "Does the JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.metadata.openid_relying_party.client_id", + "as": "client_id" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is 
present": "true" + "check": "$.iss", + "contains": "client_id" } ] } 
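Review bot: The test name 'Does the JWT payload contain a correct 'iss' claim' does not say which JWT, and the description's 'Its value must be an URL identifying the RP' does not match the check, which compares `$.iss` of the `client_assertion` with the `client_id` saved from the RP's Entity Configuration. Suggest `"name": "Does the client_assertion JWT's 'iss' claim match the RP's client_id"` and a description that states that comparison. The enclosing test object continues past the hunk.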
@@ -3608,55 +3829,53 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", - "type": "passive", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" + "check": "$.aud[0]", + 
"contains": "saved_iss" } ] } 
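Review bot: `"check": "$.aud[0]"` assumes the ID Token's `aud` is an array; RFC 7519 allows `aud` to be a single string, in which case the path does not resolve and the test cannot confirm the audience. The decode regex `(?<=\"id_token\": \")[^\"]+` also depends on a space after the colon, so a compact Token response body (`"id_token":"..."`) is not matched; a lookbehind tolerant of optional whitespace such as `(?<=\"id_token\":\\s{0,1}\")[^\"]+`, if the tool's regex engine accepts bounded-length lookbehind, avoids that. Finally, the value saved for comparison is the Entity Configuration's `iss` rather than `$.metadata.openid_relying_party.client_id` as in the test at new line 3771, while the name promises a `client_id` comparison. The enclosing test object continues past the hunk.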
@@ -3668,21 +3887,35 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. 
If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_RP" + "checks": [ + { + "in": "payload", + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] + } + ] } ] } 
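Review bot: The `is in` list for `acr_values` enumerates only ascending orderings, so a request carrying `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` is reported as non-compliant although the description only requires space-separated supported values. If the tool offers a regex comparison on decoded JSON values, a pattern over the three URIs would cover every ordering; otherwise the description should state that only the enumerated orderings are accepted. The same enumeration approach is used for `scope` at new line 3958. The enclosing test object continues past the hunk.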
@@ -3692,46 +3925,29 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_core_RP" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token request", - "checks": [ - { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" + "checks": [ + { + "in": "payload", + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] + } ] } ] 
@@ -3742,29 +3958,31 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" ] } ] 
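Review bot: The `scope` list omits combinations the description allows: 'openid' with 'offline_access', 'profile' or 'email' appended permits `openid profile email` and `openid offline_access profile email`, neither of which is in `is in`, so such requests are reported as non-compliant. Either extend the list with the missing combinations and orderings, or tighten the description to the exact strings that are accepted. The enclosing test object continues past the hunk.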
@@ -3777,26 +3995,29 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "in": "header", + "check": "$.alg", "is not in": [ - "RSA_1_5" + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -3809,8 +4030,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -3821,20 +4042,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "jwt check sig": "X_key_RP" } ] } 
@@ -3844,21 +4054,21 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "jwt check sig": "X_key_core_RP" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json index 6eb7d59..02e9147 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json 
@@ -7,20 +7,27 @@ "tests": [ { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr_values", + "is present": "true" + } + ] } ] } 
@@ -30,20 +37,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_url_RP" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -53,20 +67,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -76,20 +97,27 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } @@ -99,20 +127,27 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
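Review bot: The client_id test's description says `the payload decrypted`, but the operation performs a base64url decode of the request object like its siblings, and nothing in the suite handles an encrypted request (JWE); `the payload base64url decoded` matches what the decode operation does and avoids suggesting that encrypted request objects are covered.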
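Review bot: Presence of `kid` in the request-object header says nothing about whether it resolves to a key the OP can actually use, which is the property the provider relies on when choosing a verification key; if the engine can carry a value across messages in a session, a follow-up check that the header `kid` matches one of the `kid` entries under `$.jwks` in the RP's Entity Configuration would close that gap, otherwise the description should state that key resolution is not verified here. The `kid` test is the second hunk on this line; its enclosing `tests` array continues outside it.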
@@ -122,20 +157,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -145,20 +187,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } 
@@ -168,20 +217,27 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.prompt", + "is present": "true" + } + ] } ] } 
@@ -191,20 +247,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.redirect_uri", + "is present": "true" + } + ] } ] } 
@@ -214,20 +277,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.response_type", + "is present": "true" + } + ] } ] } 
@@ -237,25 +307,25 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "check": "$.scope", + "is present": "true" } ] } 
@@ -267,20 +337,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.state", + "is present": "true" + } + ] } ] } 
@@ -290,43 +367,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection request", - "checks": [ - { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.ui_locales", + "is present": "true" + } + ] } ] } 
@@ -336,20 +397,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -359,20 +427,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -382,20 +457,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } @@ -405,20 +487,27 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
@@ -428,20 +517,27 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
@@ -451,25 +547,25 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}"
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
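Review bot: The removed test was the one that constrained `state` to at least 32 printable characters, and the replacement only checks that the Entity Configuration has a `metadata` claim; the next hunk drops the matching `nonce` length test in the same way. Unless both are re-added elsewhere in this file or in another suite, the passive run no longer flags an RP that sends a short, guessable `state` (the CSRF binding of the authorization response) or `nonce` (the ID Token replay binding), while the new `$.state` and `$.nonce` presence tests earlier in this file pass for a one-character value. If the length requirement was dropped because the schema-based form was unreliable, adding `Length is not verified by this test` to the description of the two presence tests keeps the coverage gap visible to whoever reads the report.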
@@ -481,25 +577,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "check": "$.sub", + "is present": "true" } ] } @@ -511,8 +607,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" 
@@ -528,8 +624,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.trust_marks", + "is present": "true" } ] } @@ -541,25 +637,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.aud", + "is present": "true" } ] } 
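Review bot: In the second hunk on this line, checking only that `aud` is present in the client_assertion drops the type constraint the old check carried and still says nothing about the value; the security-relevant property is that `aud` names this OP's token endpoint, so that an assertion captured from one provider cannot be replayed to another. If the suite has a placeholder for the OP token endpoint, a value check on the same node (`"check": "$.aud", "is": "<OP_TOKEN_ENDPOINT placeholder>"`) would pin that, bearing in mind that `aud` may be a string or an array and the engine's comparison semantics for arrays should be confirmed first. The `tests` array enclosing both hunks continues outside them.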
@@ -571,25 +667,25 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.exp", + "is present": "true" } ] } 
@@ -601,25 +697,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.iat", + "is present": "true" } ] } 
@@ -631,25 +727,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "check": "$.jti", + "is present": "true" } ] } 
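Review bot: Presence of `jti` does not establish what the claim is for, a value unique per assertion so the OP can reject a replayed client_assertion; a passive suite can still check that `jti` is non-empty and, if the engine can compare the same node across two captured token requests in a session, that the two values differ. Otherwise the description should say that uniqueness is not verified here, so the pass is not read as replay protection having been tested.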
@@ -661,25 +757,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + "check": "$.sub", + "is present": "true" } ] } 
@@ -691,25 +787,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.iss", + "is present": "true" } ] } @@ -721,8 +817,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" 
@@ -730,18 +826,12 @@
 "operations": [
 {
 "message type": "Entity Configuration response RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\n\\r]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
@@ -751,27 +841,20 @@
 },
 {
 "test": {
- "name": "Does the RP's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
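Review bot: In the code_challenge hunk, `"is present": true` is a JSON boolean, while every other check in this file writes the key as the string `"true"`; if the engine compares the value as a string, this check and the ones in the next three hunks (`code_challenge_method`, `client_id`, `response_type`) may never evaluate as intended, and a check that silently never fires is worse than none for a PKCE test. Unless the engine is known to accept both forms, `"is present": "true"` keeps a single type for the key across the document. The `tests` array enclosing both hunks continues outside them.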
@@ -781,27 +864,20 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain a correct aud claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
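Review bot: Presence alone accepts `code_challenge_method=plain`, which gives none of the protection PKCE is meant to add against interception of the authorization code; the SPID/CIE profile mandates S256, so the check should compare the value, e.g. `"in": "url", "check": "code_challenge_method", "is": "S256"`. The `"is"` comparison is used in these suites for body and header parameters, so the same form is expected to work here, but confirm the engine supports it for `"in": "url"` checks before relying on it. The enclosing `tests` array continues outside this hunk.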
@@ -811,27 +887,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "url", + "is present": true, + "check": "client_id" } ] } 
@@ -841,27 +910,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } 
@@ -871,27 +933,158 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_assertion" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_assertion_type" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_assertion" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the client id of the RP making the request", + 
"description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_id" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "token" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "url", + "is present": true, + "check": "POST" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr_values", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
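Review bot: The test named "contain the client_assertion as a valid JWT" uses exactly the same check as the presence test two entries above (`"check regex": "client_assertion"`), so it never inspects the value and cannot fail on a malformed or unsigned assertion. To verify the structure, anchor the regex on three base64url segments, `"check regex": "(^|&)client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+(&|$)"`, or use a `decode operations` entry with `"type": "jwt"` as the removed token-request tests did. The "use HTTP POST" test looks for `POST` with `"in": "url"`, which, if that operator looks up a query parameter as it does for `client_id` in the neighbouring tests, never inspects the request method. Note also that the bare `client_assertion` regex is satisfied by `client_assertion_type`, and that these tests run on session `s_CIE_introsp` while `result` still references `correct flow s1`; worth confirming that is intended.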
@@ -901,27 +1094,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.aud", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -931,27 +1117,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -961,27 +1140,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.client_id", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } @@ -991,27 +1163,20 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
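Review bot: The `token` regex in the revocation test is also matched by `token_type_hint`, which RFC 7009 permits in a revocation body, so a request that omits `token` but carries the hint passes; the same substring problem makes `client_assertion` in the token-request hunk match `client_assertion_type`. Anchoring the parameter name fixes both: `"check regex": "(^|&)token="` and `"check regex": "(^|&)client_assertion="`. The token-request description says the parameter must be "in the URL" while the check correctly reads `"in": "body"` for a POST request; the description should say "in the request body".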
@@ -1021,27 +1186,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -1051,27 +1209,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.nonce", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
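Review bot: Both descriptions in this hunk say the parameter must be "in the URL" while the checks read `"in": "body"`, which is the right place for a POST token request; the descriptions should read "in the request body" so the test documentation matches what is checked. For consistency with an anchored form the regexes could be `"(^|&)client_assertion_type="` and `"(^|&)client_id="`, which also avoids matching the names inside other parameter values.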
@@ -1081,27 +1232,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.prompt", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "code" } ] } @@ -1111,27 +1255,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.redirect_uri", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] } 
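Review bot: `"check regex": "code"` in the first hunk is satisfied by `code_verifier`, which the second hunk requires in the very same body, so the `code` presence test can never fail on its own. Anchor it as `"check regex": "(^|&)code="`, and `"check regex": "(^|&)code_verifier="` in the second hunk for symmetry. Both descriptions say "in the URL" although the checks read the body.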
@@ -1141,27 +1278,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.response_type", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } @@ -1171,27 +1301,20 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.scope", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
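Review bot: The "Does the RP revoke the Token when the User logs out" test only checks that some revocation request carries a `token` parameter; it neither ties that request to the logout step nor verifies the description's claim that only the access token is revoked, so the description promises more than the check establishes. If the engine cannot correlate the request with the logout, the description should be narrowed to what is verified, and the regex anchored to `"(^|&)token="` so that `token_type_hint` cannot satisfy it. The grant_type hunk looks correct; its captured value is not URL-decoded, which is harmless for the two literal values compared.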
@@ -1201,27 +1324,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.state", - "is present": "true" - } - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } @@ -1231,25 +1347,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" } ] } 
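Review bot: The UserInfo test only asserts that an `Authorization` header exists, so any credential scheme (even `Basic`) passes while the description requires a bearer access token. If header values can be matched with a regex as the status line is in the EC tests below, `"check regex": "^Bearer\\s+\\S+"` on the Authorization value would pin the scheme; otherwise the description should say only that the header must be present. In the second hunk the expected value is spelled `x_https_RP` while the sub test that follows uses `X_url_RP`; if these are substituted placeholders, a casing or naming mismatch fails silently, so both should be checked against the placeholder table.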
@@ -1261,25 +1377,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does entity configuration RP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.sub", + "is": "X_url_RP" } ] } @@ -1291,8 +1407,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" @@ -1300,18 +1416,11 @@ "operations": [ { "message type": "Entity Configuration response RP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
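Review bot: `"is present": "true"` in the last hunk is a string, whereas the other checks added in this commit use the boolean `true`; unless the engine coerces both, this is a latent inconsistency and should be `"is present": true`. The sub check compares against `X_url_RP` while the client_id check in the previous hunk uses `x_https_RP`; confirm both placeholders are defined, or use one name. The status-line regex `HTTP/?\\d?\\.?\\d?\\s200` is fine for HTTP/1.x; if the proxy records HTTP/2 responses as a `:status` pseudo-header it would not match, which is worth a comment in the description.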
@@ -1321,8 +1430,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -1330,18 +1439,11 @@ "operations": [ { "message type": "Entity Configuration response RP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
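Review bot: This hunk turns the "expose /.well-known/openid-federation" test into a check that is byte-identical to the preceding "correct HTTP code" test (same message type, same `HTTP ... 200` regex), so the two can never disagree and the endpoint test no longer verifies that an Entity Configuration is actually returned, which is what its description claims. Giving it a distinct check restores its value, e.g. `"in": "head", "check param": "Content-Type", "is": "application/entity-statement+jwt"` or a `decode operations` JWT decode of the body. The `"is present": "true"` string should be the boolean `true` as in the other new checks.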
@@ -1351,26 +1453,22 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] 
@@ -1381,25 +1479,25 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", + { + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } 
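Review bot: The `state` pattern `^[\\u0020-\\u007E]{32,}$` accepts any printable ASCII character including spaces, while the description says "at least 32 alphanumeric characters" and the name says "greater than 32"; the three should agree. If the specification really means alphanumeric, the pattern should be `^[A-Za-z0-9]{32,}$`; otherwise the description should say printable characters and the name should read "at least 32". The same mismatch applies to the nonce test in the next hunk.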
@@ -1411,25 +1509,25 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } @@ -1441,8 +1539,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1458,8 +1556,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -1471,8 +1569,8 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1488,8 +1586,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1501,25 +1599,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -1531,25 +1629,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
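Review bot: The metadata schema lists all six entity types in `required` together with `additionalProperties: false`, so an RP Entity Configuration that correctly carries only `openid_relying_party` and `federation_entity` fails this test; the description says the keys must be "among" the allowed types, not that all of them must be present. Drop the `required` array and keep `additionalProperties: false` so unknown types are still rejected, i.e. end the schema with `\"trust_mark_issuer\": { \"type\": \"object\" } }, \"additionalProperties\": false}`. The "only once for each" part of the description cannot be enforced by a schema, since the JSON decoder has already collapsed duplicate keys before validation; the description should not claim it.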
@@ -1561,25 +1659,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -1591,25 +1689,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } 
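Review bot: The schema ends with `\"requirement\":[\"grant_type\"]`, which is not a JSON Schema keyword and also names the wrong property, so a metadata object with no `grant_types` at all passes this test. It should read `\"required\":[\"grant_types\"]`, as the neighbouring schemas in this commit do.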
@@ -1621,25 +1719,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } 
@@ -1651,25 +1749,25 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } @@ -1681,8 +1779,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" 
@@ -1693,15 +1791,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -1713,8 +1809,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" @@ -1725,15 +1821,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } 
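Review bot: The `logo_uri` pattern `^(https?://).*\\\\.svg$` accepts plain `http://` while every other URI check added in this commit insists on `^https://`; if the federation profile requires HTTPS for federation_entity URIs (not verifiable from this file), change the prefix to `^https://`, and rename the test since the description in the preceding hunk only says the value must be a URL while the pattern additionally demands an `.svg` suffix. Separately, the third hunk renames `decode regex` to `decode param` for the same `[^\\n\\r]*` value that the restored tests later in this file still pass as `decode regex`; unless mig-t treats the two keys as aliases, one spelling will silently decode nothing, so settle on one.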
@@ -1745,8 +1839,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" @@ -1757,16 +1851,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } 
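Review bot: `trust_marks` is only required to be an array, so `[]` passes and so does an array of arbitrary values, which is not what 'a correct trust_marks parameter' in the test name implies. If this follows the OpenID Federation shape (an array of objects carrying `id` and a `trust_mark` JWT), the schema should say so: `{\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"], \"properties\": {\"trust_mark\": {\"type\": \"string\", \"pattern\": \"^[A-Za-z0-9_-]+\\\\.[A-Za-z0-9_-]+\\\\.[A-Za-z0-9_-]+$\"}}}}` on `$.trust_marks`. The description's 'decoded (Base64 encoding)' should read base64url, as the other descriptions in this file do.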
@@ -1778,28 +1869,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the signed JWT assertion contain a correct aud claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}"
 }
 ]
 }
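Review bot: `\"format\": \"uri-reference\"` on a schema of `\"type\": \"array\"` is inert, because `format` applies to strings only, so this check verifies nothing beyond aud being an array; it also rejects the single-string form of `aud` that RFC 7519 permits. Use `\"aud\": {\"anyOf\": [{\"type\": \"string\", \"pattern\": \"^https://\"}, {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"pattern\": \"^https://\"}}]}`, using `pattern` rather than `format` since format is annotation-only unless the validator enforces it. If the profile pins aud to the OP's token endpoint, an exact `is` comparison against that URL would be the stronger check.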
@@ -1811,28 +1899,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
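Review bot: `\"type\": \"integer\", \"minimum\": 0` accepts `exp: 0` or any long-expired value, so this passive check only proves the claim is numeric; the description's 'timestap' is a typo for 'timestamp' (repeated in the iat test that follows). If mig-t cannot compare claims against each other or the clock, say so in the description so nobody reads this as a freshness check (`exp` in the future, `exp > iat`, bounded lifetime are not verified). RFC 7519 NumericDate also allows a non-integer number, so `\"type\": \"number\"` would avoid a false failure on fractional seconds, although integer values are the norm.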
@@ -1844,28 +1929,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1877,29 +1959,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
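Review bot: The description says `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` (missing hyphen) while the check correctly compares against `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; fix the description so nobody 'corrects' the check to match it. This body is form-encoded, where the colons are normally sent as `%3A`; confirm that mig-t's `is` comparison runs on the URL-decoded parameter value, otherwise this exact match cannot succeed.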
@@ -1909,30 +1982,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_url_RP" } ] } 
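Review bot: The expected `client_id` is the placeholder `X_url_RP` here, while the analogous token-request test later in this file compares against `X_https_RP`; if these are substitution variables, only one of them is likely to be defined for the RP under test and the other test will compare against a literal string and fail, so use one name in both. If the RP identifier is not known when the suite is configured, the schema-based URI check added further down is the portable alternative, provided it is applied to a parsed form parameter rather than the raw body.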
@@ -1942,30 +2005,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "operations": [ + { + "message type": "Revocation request", + "checks": [ + { + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
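Review bot: Same description/check mismatch as in the introspection test: the description spells the URN `clientassertion-type` while the check uses the correct `client-assertion-type`; align the description. Note that this test runs in `s1` whereas the introspection tests use `s_CIE_introsp`; if the revocation request only occurs in a dedicated logout session, a passive test that finds no `Revocation request` message may pass vacuously, so confirm how mig-t reports an absent message.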
@@ -1975,30 +2028,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
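Review bot: The description says the value must be `urn:ietf:params:oauth:client-assertion-type:jwtbearer` and that the parameter lives 'in the URL', while the check compares the body parameter against `...:jwt-bearer`; correct the description to `jwt-bearer` and 'in the body of the token request'. As with the other URN comparisons, the check is right only if mig-t URL-decodes form parameters before the `is` comparison.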
@@ -2008,29 +2051,20 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } 
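Review bot: The description says client_id is taken from 'the URL of the token request' but the check reads `in: body`, which is where a POST token request carries it; fix the description. The placeholder `X_https_RP` also differs from `X_url_RP` used for the same RP in the introspection test above, so one of the two will not resolve; pick a single variable name.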
@@ -2040,20 +2074,20 @@
 },
 {
 "test": {
- "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
- "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response RP",
 "checks": [
 {
- "in": "url",
- "is present": true,
- "check": "code_challenge"
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
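Review bot: The regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is unanchored and evaluated with `is present`, so any body containing `a.b.` — an IP address, a version string, an HTML error page — satisfies it; it also admits `=`, `+` and `/`, which never occur in JWS compact serialisation, while excluding `-` from the header and payload segments, so a valid base64url JWT can fail. Use `^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$` and, since the description promises it, add a second check `{"in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true"}`. The same alphabet problem recurs in the `token=` and `client_assertion=` regexes below.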
@@ -2063,20 +2097,20 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", + "message type": "Introspection request", "checks": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -2086,20 +2120,20 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Resolve Entity Statement response", "checks": [ { - "in": "url", - "is present": true, - "check": "client_id" + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
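Review bot: In the resolve-endpoint test the regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` begins with an unescaped `[`, so the engine reads a character class instead of a literal bracket; under Java's nested-class syntax the class is never closed and the pattern fails to compile, and under other engines it matches almost any text ending in `]`. The first bracket needs escaping: `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`. Also confirm the expected response shape: the description speaks of 'resolved metadata', which in OpenID Federation is normally a signed JWT response rather than a bare JSON array of strings, so the pattern may be testing the wrong format altogether. The introspection `token=` regex in the first hunk shares the `[\\w=]`/`+`/`/` alphabet issue noted on the entity-configuration test.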
@@ -2109,20 +2143,20 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Revocation request", "checks": [ { - "in": "url", - "is present": true, - "check": "response_type" + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } @@ -2132,20 +2166,20 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Revocation request", "checks": [ { "in": "body", - "is present": true, - "check regex": "client_assertion" + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
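Review bot: The revocation `client_assertion` regex `client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)` excludes `-` from the header and payload segments, so a valid JWT whose base64url header contains `-` fails here, while the token-request variant of the same check a few hunks down accepts `=`, `+` and `/` that base64url never produces; both should use one pattern, `client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+(?:&|$)`. The `token=` regex in the second hunk is not anchored to a parameter boundary and would also match inside `refresh_token=` or `access_token=`; use `(?:^|&)token=`.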
@@ -2155,20 +2189,20 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Token request", "checks": [ { "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -2178,20 +2212,20 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Token request", "checks": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "in": "head", + "check regex": "POST", + "is present": "true" } ] } 
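Review bot: `{"in": "head", "check regex": "POST", "is present": "true"}` matches the string anywhere in the headers — a `Referer:` or `Origin:` value containing 'POST', for instance — not just the request line, so a GET token request with such a header passes; anchor it as `^POST\\s`. The `client_assertion=` regex in the first hunk admits `=`, `+` and `/`, which are not base64url characters, and differs from the revocation variant; `client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+(?:&|$)` is tighter and can be shared.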
@@ -2201,20 +2235,20 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "UserInfo request", "checks": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "in": "head", + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } @@ -2224,20 +2258,29 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] + } + ] } ] } 
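Review bot: `Authorization:\\s?Bearer\\s?(...)` allows zero whitespace after `Bearer`, so `Authorization: BearerXYZ.abc.def` passes, and it requires the header name in that exact case although HTTP header names are case-insensitive; use `(?i)^Authorization:\\s*Bearer\\s+[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+`. The test is named 'valid Access Token' but only the three-segment shape is checked — signature, `exp` and audience are not — so name and describe it as a format check to avoid overstating what passes.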
@@ -2247,20 +2290,30 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] + } + ] } ] } @@ -2270,20 +2323,30 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] + } + ] } ] } 
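Review bot: `$.metadata.openid_relying_party.grant_types[0]` with `is in ["authorization_code", "refresh_token"]` inspects only the first element, so `["refresh_token"]`, `["authorization_code", "implicit"]` and `["refresh_token", "client_credentials"]` all pass, although the description says the array must contain authorization_code and refresh_token. Check the whole array instead, in the `json schema compliant` style this file already uses: `{"type": "array", "contains": {"const": "authorization_code"}, "items": {"enum": ["authorization_code", "refresh_token"]}}` on `$.metadata.openid_relying_party.grant_types`. The same `[0]` shortcut weakens `client_registration_types[0]` in the first hunk.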
@@ -2293,20 +2356,30 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -2316,20 +2389,30 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } @@ -2339,20 +2422,29 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] + } + ] } ] } 
@@ -2362,20 +2454,30 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] + } + ] } ] } @@ -2385,20 +2487,30 @@ }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -2408,20 +2520,30 @@ }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } @@ -2431,20 +2553,29 @@ }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] + } + ] } ] } 
@@ -2454,20 +2585,29 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } @@ -2477,20 +2617,20 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "message type": "Introspection request", "checks": [ { "in": "body", - "is present": true, - "check regex": "grant_type" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
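Review bot: The new introspection `client_id` check applies a JSON schema to `\"check\": \"$\"` with `\"in\": \"body\"`, but the introspection request body is form-encoded — the other checks in this file read it with `check regex: token=...(?:&|$)` — so a JSON-path root will not parse and the test can only error or fail. Extract the parameter with a regex, e.g. `(?:^|&)client_id=https(?::|%3A)(?:/|%2F){2}`, or fall back to the `check`/`is` form used by the other client_id tests; the `^https://` pattern also cannot see a percent-encoded value. Whether mig-t decodes the body before `check regex` runs should be confirmed before choosing between the two forms.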
@@ -2500,8 +2640,8 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" @@ -2512,8 +2652,8 @@ "checks": [ { "in": "body", - "is present": true, - "check regex": "token" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } @@ -2523,20 +2663,20 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", + "message type": "Token request", "checks": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
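Review bot: The token-request schema string in the last hunk ends with a stray `)` — `...\"required\":[\"client_id\"]})` — so the embedded schema is not valid JSON and the check fails or is skipped regardless of the RP's behaviour; drop the parenthesis. As with the revocation check in the middle hunk, `\"check\": \"$\"` on `\"in\": \"body\"` assumes a JSON body, but token and revocation requests are form-encoded (the `client_assertion=...(?:&|$)` regexes in this file rely on that), so a JSON schema cannot be applied to the raw body; extract `client_id` with a regex and test the decoded value for `^https://`. The first hunk only renames a test, but its new name no longer matches the restored `token` check body beneath it.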
@@ -2546,33 +2686,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" } ] } 
@@ -2584,28 +2716,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" } ] } 
@@ -2617,32 +2746,25 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -2654,30 +2776,25 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } @@ -2689,8 +2806,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2706,7 +2823,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", + "check": "$.metadata.openid_relying_party.grant_types", "is present": "true" } ] 
@@ -2719,8 +2836,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2736,7 +2853,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] @@ -2749,8 +2866,8 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2766,7 +2883,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", "is present": "true" } ] 
@@ -2779,8 +2896,8 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2796,7 +2913,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", "is present": "true" } ] @@ -2809,8 +2926,8 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2826,7 +2943,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "check": "$.metadata.openid_relying_party.redirect_uris", "is present": "true" } ] @@ -2839,8 +2956,8 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2856,7 +2973,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.openid_relying_party.grant_types", "is present": "true" } ] @@ -2869,8 +2986,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2886,7 +3003,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "check": "$.metadata.openid_relying_party.jwks", "is present": "true" } ] @@ -2899,8 +3016,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2916,7 +3033,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", "is present": "true" } ] 
@@ -3229,8 +3346,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3241,9 +3358,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_RP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -3253,21 +3381,29 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_core_RP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" + ] + } + ] } ] } 
@@ -3277,22 +3413,31 @@ }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } ] } ] 
@@ -3303,29 +3448,32 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" ] } ] 
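Review bot: The acr_values check uses `is in` against seven fixed strings, so a legitimate space-separated list in a different order, e.g. `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1`, is reported as non-compliant even though acr_values is an unordered list of requested levels. This test is moved rather than newly written, but since it lands on the new side it is worth fixing: either add the remaining permutations or, if the engine supports it, use a regex of the form `^(https://www\\.spid\\.gov\\.it/SpidL[123])( https://www\\.spid\\.gov\\.it/SpidL[123])*$`. The description also contradicts itself ("If it is present, than it must be ..." followed by "or it is missing, than the RP is not compliant"); pick one rule and state it, e.g. `The acr_values parameter is mandatory and must contain only the listed SPID levels, space separated, in any order.`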
@@ -3338,26 +3486,27 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" ] } ] 
@@ -3370,24 +3519,61 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. 
If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", "is not in": [ "none", "HS256", @@ -3405,8 +3591,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" 
@@ -3414,12 +3600,36 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_RP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "jwt check sig": "X_key_core_RP" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-client_id-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-client_id-type.json index f9edc9b..bee2efa 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-client_id-type.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-client_id-type.json @@ -25,7 +25,7 @@ { "in": "payload", "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
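Review bot: The restored Entity Configuration signature test keeps `"decode param": "[^\\r\\n]*"` while the patch converts the neighbouring Entity Configuration decodes to `"decode regex"`; if `decode param` is a parameter name rather than a pattern, the JWT is never extracted and `"jwt check sig": "X_key_RP"` is never applied, turning the one test that verifies the RP's signature into a silent no-op. I would use `"decode regex": "[^\\r\\n]*"` here (and in the client_assertion test, `"decode regex": "(?<=client_assertion=)([^&]+)"`) so the decode step is unambiguous. Separately, the Content-Type assertion on the EC response (`"is": "application/entity-statement+jwt"`) is removed from this position; unless it is re-added further down in the file, which is not visible here, the suite no longer checks the federation media type at all.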
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-client_id-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-client_id-value.json new file mode 100644 index 0000000..c1344dd --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-client_id-value.json @@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-grant_types-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-grant_types-value.json new file mode 100644 index 0000000..29f9976 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-grant_types-value.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-grant_types.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-grant_types.json index 04be8a9..d9a7c29 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-grant_types.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-grant_types.json 
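Review bot: The grant_types value test is named "with value of authorization_code or refresh_token", but the schema also accepts an empty array and an array containing only `refresh_token`, neither of which is a workable configuration for an RP that must complete an authorization-code flow. Add `"minItems": 1` and `"uniqueItems": true` to the array, and, if the profile mandates authorization_code as it appears to, `"contains": {"const": "authorization_code"}` so the enum alone does not pass a refresh-only RP. The description says "the type of the 'grant_types' parameter is checked" while the name and the enum check its values; make the description match, e.g. `the values of the 'grant_types' array are checked against authorization_code and refresh_token.`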
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-logo_uri-type.json index a747c9a..1511b53 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-logo_uri-type.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-logo_uri-type.json @@ -25,7 +25,7 @@ { "in": "payload", "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-redirect_uris-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-redirect_uris-value.json new file mode 100644 index 0000000..c68625c --- /dev/null 
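Review bot: The logo_uri pattern is loosened from `^https://` to `^(https?://).*\\.svg$`, so a plain `http://` logo URL now passes this type check; if the federation profile requires HTTPS for logo_uri, as the client_id and redirect_uris checks in this same patch do for their URLs, this is a downgrade rather than a fix and the pattern should be `^https://.*\\.svg$`. If http is deliberately tolerated for logos, say so in the test description so the relaxation is not mistaken for an oversight. Note also that `\"format\":\"uri\"` is annotation-only in most JSON Schema validators unless format assertion is switched on, so the pattern is the part of this check that is actually enforced.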
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-redirect_uris-value.json @@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-redirect_uris.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-redirect_uris.json new file mode 100644 index 0000000..15117ab --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-redirect_uris.json 
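Review bot: The redirect_uris schema accepts an empty array and URIs carrying a fragment, and neither is a usable OAuth redirect URI (RFC 6749 §3.1.2 requires the endpoint URI to have no fragment component); tighten the array with `"minItems": 1` and `"uniqueItems": true`, and the item pattern to `^https://[^#]*$`. Since `"format": "uri"` is advisory in most validators, the pattern is what enforces the HTTPS requirement, so it is worth a sentence in the description, e.g. `each redirect URI must be an absolute HTTPS URL without a fragment.` The test name says "type" is checked while the check is really about the values; align the wording.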
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-signed_jwks_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-signed_jwks_uri.json new file mode 100644 index 0000000..c6f38bd --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-signed_jwks_uri.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json index c66a452..8e3fdda 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" @@ -19,14 +19,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
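Review bot: Both hunks drop the only signature-verification step in this suite, `"jwt check sig": "X_key_SA"` on the inner trust-mark JWT, and replace it with claim-presence checks, so after this change nothing in All_SA.json detects a trust mark that is unsigned, re-signed with an attacker's key, or tampered with. Presence checks and signature checks are not alternatives: keep the `jwt check sig` entry next to the new `checks` array in the inner decode operation, or, if the two signature tests moved to another file, say so in the commit message. The descriptions also say the trust mark is "decrypted"; a trust mark is a JWS, so it is base64url-decoded and signature-verified, and `"taken, decoded and the presence of the sa_profile claim is checked"` would be accurate. The enclosing `tests` array opens before this hunk.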
@@ -38,26 +44,32 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
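Review bot: The message type changes from `Entity Statement response SA RP` to `Entity Statement response SA OP`, yet the name and description say the test inspects a trust mark issued for an AA (oauth_resource profile); an OP's entity statement would presumably not carry that trust mark, so either the description or the message type is wrong, and it should be confirmed which message actually holds the oauth_resource trust mark. Independently, `$.trust_marks[0].trust_mark` always selects the first trust mark regardless of which profile it belongs to, so the `claims` assertion passes or fails on array order rather than on the mark it is meant to test. If mig-t supports selecting by `id` (for example a JSONPath filter such as `$.trust_marks[?(@.id =~ /oauth_resource/)].trust_mark`), select the mark by identifier; otherwise add a check that the selected mark's `id` is the expected one before checking its claims.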
@@ -69,53 +81,69 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": 
"jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
@@ -127,53 +155,69 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": 
"conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } @@ -185,20 +229,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
@@ -208,20 +266,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -231,25 +303,32 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
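Review bot: This hunk removes the only value assertion on the SA's Entity Configuration, `"check": "$.sub", "is": "X_url_SA"`, in favour of an `organization_name` presence check on a trust mark; a `sub` that does not equal the entity's own identifier is exactly the misconfiguration an entity-configuration test exists to catch, and it is now uncovered in this file. Unless the check was moved to All_SA_Passive.json or elsewhere, keep it as its own test rather than overwriting it, since the new trust-mark test and the old `sub` test assert unrelated properties. The same pattern of replacing a value check with a presence check recurs in the later hunks of this file.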
@@ -261,20 +340,478 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ 
+ { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the 
presence of the sub claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + 
"test": { + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": 
"$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode 
operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } @@ -284,20 +821,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
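Review bot: The `iss` and `sub` tests added in this hunk (for both the `SA OP` and `SA RP` statements) only check that the claims exist, so a trust mark whose `sub` names a different entity, or whose `iss` is not the expected trust mark issuer, still passes; the binding of those values is what makes a trust mark meaningful. Where the suite already defines placeholders for entity identifiers, a value check in the style of the removed `"is": "X_url_SA"` would make these tests useful, e.g. `"check": "$.sub", "is": "X_url_OP"` in the `SA OP` variant and the RP equivalent in the `SA RP` variant, with the placeholder names confirmed against what mig-t defines. The `exp` and `iat` tests likewise only check presence; the removed `json schema compliant` form with `\"type\": \"integer\", \"minimum\": 0` would also reject a string-typed or negative timestamp. This hunk also repeats fourteen near-identical test objects across the OP and RP variants, so a shared operation template, if mig-t offers one, would halve the surface for copy-paste drift.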
@@ -307,20 +858,34 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -330,8 +895,8 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -339,11 +904,25 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] } ] } 
@@ -353,20 +932,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response SA RP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] } ] } 
@@ -376,20 +969,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -399,25 +1006,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -429,25 +1043,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -459,25 +1080,32 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -489,25 +1117,32 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
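Review bot: The removed `metadata` schema check was wrong as written, since it listed all six metadata types under `required` and so would fail any real SA configuration, but replacing it with a `tos_uri` presence check on a trust mark also drops the useful half of it, the closed set of allowed metadata types. A corrected version keeps the six `properties` and `\"additionalProperties\": false` and simply omits the `required` list, so an entity that publishes an unknown or misspelled metadata type, which relying parties would silently ignore, is still flagged. The new test also inherits the `$.trust_marks[0]` positional selection used throughout this file.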
@@ -519,25 +1154,32 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -549,15 +1191,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -566,8 +1208,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.exp", + "is present": "true" } ] } 
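Review bot: The new check on `$.exp` asserts only `"is present": "true"`, so an `exp` carried as a string, a negative number or an already-elapsed timestamp satisfies this test; the name and description promise only presence, so the test is internally consistent, but nothing in this hunk constrains the value type. If the integer/minimum schema check that previously lived here has been kept as a separate test elsewhere in the file this is fine; if not, a second check on `$.exp` such as `"json schema compliant": "{\"type\": \"integer\", \"minimum\": 0}"` would restore it. The same presence-only pattern applies to the iat, iss, jwks, metadata, sub and trust_marks entity-configuration tests in the following hunks and to the Entity Statement parameter tests after them.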
@@ -579,15 +1221,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -596,8 +1238,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.iat", + "is present": "true" } ] } 
@@ -609,15 +1251,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -626,8 +1268,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.iss", + "is present": "true" } ] } 
@@ -639,15 +1281,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -656,8 +1298,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.jwks", + "is present": "true" } ] } 
@@ -669,25 +1311,25 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "check": "$.metadata", + "is present": "true" } ] } 
@@ -699,32 +1341,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -736,32 +1371,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the entity configuration of the SA contain the trust marks", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } @@ -773,8 +1401,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the constraints parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" 
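Review bot: The new description of the constraints test reads "the presence if the constraints parameter is checked" and "the Entity Statement Payload contained in the response are base64url decoded"; it should read `the presence of the constraints parameter is checked` and `is base64url decoded`, and the name `Does Entity Statements issued by the SA contain…` should be `Do Entity Statements issued by the SA contain…`. The same wording is copied into every "Does Entity Statements issued by the SA contain the … parameter" test added in the following hunks, so the fix applies to all of them. Those descriptions are also inconsistent about where the statement comes from: the exp, iat, jwks, sub and iss variants say "the TA's fetch endpoint" while the constraints, metadata_policy and trust_marks variants say "the SA's fetch endpoint", although every test is about statements issued by the SA; presumably the SA's fetch endpoint is meant throughout, which is worth confirming and unifying.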
@@ -785,20 +1413,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } @@ -810,8 +1431,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -822,20 +1443,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -847,8 +1461,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -859,20 +1473,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } @@ -884,8 +1491,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -896,20 +1503,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } @@ -921,8 +1521,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -933,20 +1533,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -958,8 +1551,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the sub parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -970,20 +1563,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } @@ -995,8 +1581,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the iss parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1007,20 +1593,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } @@ -1032,8 +1611,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1044,20 +1623,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -1069,32 +1641,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the constraints parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
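Review bot: The test name `Does Entity Statements issued by the SA contain the constraints parameter` is identical to the one given to the earlier test of the same claim, and only the `message type` (`Entity Statement response SA RP` here) tells them apart, so a results report keyed on name shows indistinguishable duplicates. I would put the subject entity in the name, e.g. `"name": "Does the Entity Statement issued by the SA for the RP contain the constraints parameter"`, and do the same for the exp, iat, jwks, metadata_policy, sub, iss and trust_marks pairs in the following hunks and for the two "Does the SA correctly sign the Trust marks" tests further down. The earlier twin's message type is outside its hunk, so I am inferring that it is the SA OP variant.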
@@ -1106,32 +1671,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -1143,32 +1701,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -1180,32 +1731,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -1217,32 +1761,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -1254,8 +1791,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the sub parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1266,20 +1803,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } @@ -1291,8 +1821,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the iss parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1303,20 +1833,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } @@ -1328,8 +1851,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1340,20 +1863,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -1365,32 +1881,49 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration SA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_url_SA" } ] } 
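Review bot: The Content-Type check `"is": "application/entity-statement+jwt"` looks like an exact comparison, so a response whose header carries a parameter (`application/entity-statement+jwt; charset=utf-8`) would fail even though the media type is correct; if `is` is exact, the `check regex`/`is present` form used by the HTTP-code test in the next hunk, with a pattern such as `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt"`, would tolerate parameters while still pinning the type. In the second test of this hunk the description says the `sub` value "must be equal to the one in the iss parameter", but the check compares `$.sub` with the configured `X_url_SA` rather than with `$.iss`. Either the description should state that `sub` must equal the SA's configured entity identifier, or, if the DSL can compare two payload fields, a second check against `iss` should be added so the test matches its stated intent.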
@@ -1402,34 +1935,43 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
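Review bot: The new test `Does the Entity expose the /.well-known/openid-federation endpoint` has exactly the same operation as the HTTP-code test above it (a head check for `HTTP/?\\d?\\.?\\d?\\s200`), so it does not verify what its description promises, namely that "its entity configuration is expected as response". Adding a body decode operation that parses the response as a JWT and checks at least one payload claim would make the test fail on a 200 response that is not an entity configuration; place it alongside the head check if the engine allows `checks` and `decode operations` in one operation, otherwise as a second operation. The status-line pattern is also loose: `HTTP/?\\d?\\.?\\d?\\s200` is unanchored and makes every version character optional, and could be tightened to `"check regex": "HTTP/\\d(\\.\\d)?\\s200\\b"`.
```json
"decode operations": [
  {
    "from": "body",
    "decode param": "[^\\r\\n]*",
    "type": "jwt",
    "checks": [
      {
        "in": "payload",
        "check": "$.iss",
        "is present": "true"
      }
    ]
  }
]
```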
@@ -1439,32 +1981,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
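Review bot: `jwt check sig` is applied only to `$.trust_marks[0].trust_mark`, so a statement that carries a second trust mark with a bad or foreign signature still passes; the same limitation applies to the identically named test in the next hunk. If the decoder supports a wildcard path (`$.trust_marks[*].trust_mark`) every trust mark should be verified, otherwise the name and description should say that only the first one is checked. Two tests sharing the exact name "Does the SA correctly sign the Trust marks" also make the report ambiguous; including the subordinate (OP / RP) in the name fixes that. The test object closes outside the hunk.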
@@ -1476,8 +2012,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1488,20 +2024,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -1513,32 +2043,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1550,32 +2073,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1587,32 +2103,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1624,32 +2133,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
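Review bot: The schema's `required` list demands that all six metadata types be present, which contradicts the test name ("only allowed types and only once for each"): an entity configuration that declares, say, only `federation_entity` and `openid_provider` fails this test although it is exactly what the description allows. `\"additionalProperties\": false` already restricts the key set to the allowed types, and a JSON object cannot hold a key twice once it is parsed, so dropping the whole `\"required\": [...]` array makes the schema match the stated intent. Also note that this hunk writes the body-decode regex as `"[^\\n\\r]*"` while the surrounding tests use `"[^\\r\\n]*"`; the two are equivalent, but one spelling across the file is easier to grep. The test's closing brackets are outside the hunk.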
@@ -1661,32 +2163,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
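Review bot: The schema types `trust_marks` as an object whose values are arrays, while the description in the same hunk says the parameter "must be a JSON array containing the Trust Marks"; both cannot be right, and the signature tests earlier in this file address the marks as `$.trust_marks[0].trust_mark`, i.e. as array elements. If the array reading is the intended one, the property schema should be `{\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}` (with the `required` list adjusted to whatever claims the test suite actually relies on); as written, a conforming array-valued `trust_marks` fails this test. The test's closing brackets are outside the hunk.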
@@ -1698,32 +2193,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
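Review bot: The name and description speak of the TA Entity Configuration and of "the SA metadata in the TA Entity Configuration", but the operation reads `Entity Configuration response SA` and checks `$.metadata.federation_entity`, i.e. the SA's own published configuration; one of the two is wrong and the name should match the message actually examined, e.g. `"name": "Does the SA metadata contain a correct type logo_uri claim"`. Note also that `"format": "uri"` is an annotation in most JSON Schema validators unless format assertion is switched on, so the `pattern` is what really enforces the https scheme and the .svg suffix here; that is fine, but worth stating in the description so nobody relies on `format` alone. The test's closing brackets are outside the hunk.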
@@ -1735,32 +2223,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1772,32 +2253,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1809,15 +2283,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1826,8 +2300,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1839,15 +2313,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1856,8 +2330,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1869,25 +2343,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
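Review bot: The schema only requires that a `value` key exists under `jwks` and places no constraint on it (`\"value\" :{}` is the empty schema), so `{"value": null}` or `{"value": "x"}` passes although the description promises "the RP JWKS related to the OIDC Core operations"; at least `\"value\": {\"type\": \"object\", \"required\": [\"keys\"]}` would pin the policy to a JWK Set shape. The hunk also rewrites the body-decode regex from `[^\\r\\n]*` to the equivalent `[^\\n\\r]*`, which is churn without effect and diverges from the spelling used by the other tests. The enclosing test object closes outside the hunk.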
@@ -1899,8 +2373,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1908,18 +2382,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response SA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
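Review bot: The compact-JWS regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is unanchored and `\\w` does not include `-`, so it matches a substring of almost any text containing two dots (a JSON error body such as `{"error":"a.b.c"}` passes) and only partially matches a real header segment that contains `-`; the same expression is reused with a `.^` prefix in the three "release the Entity statements"/"fetch entity statement" hunks further down. Base64url segments use the alphabet `A-Za-z0-9-_` and carry no `=` padding in compact serialization, so an anchored `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"` checks what the description promises; whether `^`/`$` bind to the body or to the whole message depends on how the checker applies `"in": "body"`, which is not visible here. The description also names the Content-Type, which this check does not look at, so the earlier Content-Type test should be referenced or the sentence dropped. The test's closing brackets are outside the hunk.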
@@ -1929,27 +2396,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
+ "is present": "true"
 }
 ]
 }
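Review bot: The description expects "a JSON list with the known Entity Identifiers", but the regex matches a JSON object (`^\\{ ... \\}$`), while the "resolve entity statement endpoint" test four hunks below expects resolved metadata and its regex matches an array of strings; the two check regexes appear to have been swapped between the listing and resolve tests. Independently, the `.^` in the middle of this pattern (also in the three hunks that follow) can only succeed if the engine runs with both multiline and dot-matches-newline semantics, because `^` must match immediately after the one character `.` consumed; if the checker does not set those flags this check can never match and the test always fails. If the intent is "skip to the start of a line", a portable form is `(?:^|[\\r\\n])` in place of `[^\\r\\n]*.^`, or, since `"in": "body"` already scopes the match, simply dropping the prefix. The description is also missing its verb ("an HTTP GET request entity's endpoint") and names the resolve endpoint instead of the listing endpoint. The test's closing brackets are outside the hunk.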
@@ -1959,27 +2419,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Entity Statement response SA OP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1989,27 +2442,20 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain the trust marks",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -2019,27 +2465,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -2049,27 +2488,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
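Review bot: The regex begins with an unescaped `[`, so the engine reads `[\\s*\"[^\"]` as one character class (whitespace, `*`, `"`, `[`, `^`) rather than as a literal opening bracket followed by the first string element; the expression still compiles, but it matches something quite different from the `["a", "b"]` list it is evidently meant to recognise. Escape it as `\\[` (the same way `\\]` is already written at the end), giving `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Whether a JSON string array is even the right shape for this response is doubtful, since the description expects "resolved metadata" and the listing test earlier carries the object-shaped regex; see the note there. The test's closing brackets are outside the hunk.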
@@ -2079,24 +2511,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the SA's metadata contain the contacts parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
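Review bot: This hunk and the seven that follow it (through the `organization_name` test) rename the body-decode key from `decode param` to `decode regex`, whereas the hunks at the top of this chunk rename it in the opposite direction and every new Entity Configuration check above uses `"decode param": "[^\\r\\n]*"`. Unless the tool accepts both spellings for the same decode step, one of the two groups of tests will fail to decode the JWT and report a failure that has nothing to do with the entity under test; pick one key for the whole file. The enclosing `operations` array and test object close outside the hunk.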
@@ -2109,24 +2541,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
 "is present": "true"
 }
 ]
@@ -2139,24 +2571,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
 "is present": "true"
 }
 ]
@@ -2169,24 +2601,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -2199,24 +2631,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
 "is present": "true"
 }
 ]
@@ -2229,24 +2661,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the SA's metadata contain the homepage_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -2259,24 +2691,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the SA's metadata contain the logo_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -2289,24 +2721,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the SA's metadata contain the organization_name parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -2319,24 +2751,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the SA's metadata contain the policy_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -2349,25 +2781,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ }
+ ]
 }
 ]
 }
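Review bot: The `json schema compliant` string on the added sa_profile check is not a working schema: its keywords are written with trailing spaces (`\"type \"`, `\"properties \"`, `\"enum \"`, `\"required \"`) and carry U+00A0 characters, so a validator treats them as unknown annotations and the check accepts any payload, including one with no sa_profile at all; the enum members `\"full \"` and `\"light \"` would likewise never equal a real value. The same malformed strings recur in the email, organization_name and sa_profile checks on L2091, L2094, L2098, L2101 and L2104. Replace this one with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}"` and fix the others the same way. The enclosing test object ends outside the hunk.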
@@ -2379,25 +2818,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -2409,25 +2855,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -2439,25 +2892,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -2469,25 +2929,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
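Review bot: The added description says the claims claim "is checked to be a list", but the schema on the added check requires `\"type\": \"object\"` with object-valued members, so the documentation and the assertion disagree and a failing report would mislead whoever reads it. The same name/description/schema triple is repeated on L2100. If the schema is the intended contract, the description should read `"description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a JSON object whose members are objects"`; if a list was meant, the schema needs `\"type\": \"array\"` instead. The enclosing test object ends outside the hunk.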
@@ -2499,8 +2966,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the Trust Mark contain the correct type of email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2517,12 +2984,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
 }
 ]
 }
@@ -2536,8 +3003,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
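Review bot: Dropping the index from the inner decode leaves `"decode param": "$.trust_marks.trust_mark"` in the second hunk, while every other Trust Mark decode in this chunk (L2086–L2090) keeps `$.trust_marks[0].trust_mark`; trust_marks is an array in an Entity Statement, so unless the tool's JSONPath evaluator implicitly iterates arrays this path resolves nothing and the check's outcome then depends on how an empty decode is treated, not on the Trust Mark content. The same change is made on L2092, L2094, L2095, L2101, L2102 and L2104. Either restore `"decode param": "$.trust_marks[0].trust_mark"` or, if every mark is meant to be checked, use the wildcard form the evaluator actually supports and confirm it against a payload with a missing claim. The enclosing test objects start and end outside these hunks.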
@@ -2554,12 +3021,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -2573,8 +3040,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2591,12 +3058,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -2610,8 +3077,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2633,7 +3100,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
 }
 ]
 }
@@ -2647,8 +3114,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2670,7 +3137,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
 }
 ]
 }
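Review bot: The id_code schema added in the second hunk (`\"additionalProperties\": {\"type\": \"object\"}`) requires every member of id_code to be an object, while the ipa_code check on L2089 requires `id_code.ipa_code` to be a string; a Trust Mark carrying `id_code: {"ipa_code": "..."}` can satisfy only one of the two, so if both tests run against the same Entity Statement one of them always fails. The description only promises "must be a JSON Object", which the outer `\"type\": \"object\"` already enforces, so the inner constraint looks unintended: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"`. The same schema is added on L2102. The enclosing test objects start and end outside these hunks.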
@@ -2684,8 +3151,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2702,12 +3169,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
 }
 ]
 }
@@ -2758,8 +3225,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
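Review bot: The organization_name check in the second hunk validates the claim against the enum {private, public}, which are the values the removed check on L2104 applied to `organization_type`; organization_name is presumably a free-form string, so the claim name looks swapped and a real Trust Mark would fail this test even after the stray spaces and U+00A0 characters in the schema keywords are fixed. The same schema is added on L2104. If the type enum is what should be tested, the check should be `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_type\": {\"type\": \"string\", \"enum\": [\"private\", \"public\"]}}, \"required\": [\"organization_type\"]}"` with the test name and description renamed to organization_type; if organization_name is really the target, the enum should go and only `\"type\": \"string\"` remain. The enclosing test objects start and end outside these hunks.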
@@ -2776,12 +3243,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
 }
 ]
 }
@@ -2795,8 +3262,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2818,7 +3285,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
 }
 ]
 }
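Review bot: The ref check in the first hunk relies on `\"format\": \"uri\"` alone, and JSON Schema validators treat format as an annotation unless format assertion is explicitly enabled, so as written it accepts any string; every other URL check in this chunk (sub, iss, logo_uri, tos_uri, service_documentation, policy_uri) pairs `uri-reference` with `\"pattern\": \"^https://\"`, which is enforced regardless of validator settings. For a consistent and effective https check use `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"ref\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"ref\"]}"`. The enclosing test object starts and ends outside the hunk.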
@@ -2832,8 +3299,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2855,7 +3322,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
@@ -2869,8 +3336,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2892,7 +3359,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
 }
 ]
 }
@@ -2906,15 +3373,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2929,7 +3396,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -2943,8 +3410,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2966,7 +3433,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
 }
 ]
 }
@@ -2980,8 +3447,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3003,7 +3470,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -3017,8 +3484,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3040,7 +3507,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
 }
 ]
 }
@@ -3054,8 +3521,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3077,7 +3544,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -3091,8 +3558,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3114,7 +3581,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
 }
 ]
 }
@@ -3128,8 +3595,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3146,12 +3613,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
 }
 ]
 }
@@ -3165,8 +3632,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3183,12 +3650,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -3202,8 +3669,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3220,12 +3687,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -3239,8 +3706,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3262,7 +3729,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
 }
 ]
 }
@@ -3276,8 +3743,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -3299,7 +3766,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } @@ -3313,15 +3780,15 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
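Review bot: The description added in hunk @@ -3276 trails off (`...the value of the logo_uri claim is an URL`) and does not state what the schema in @@ -3299 enforces, which is an https URL; `"description": "In this test, an issued Trust Mark must be taken, decoded and the value of the logo_uri claim is checked to be an HTTPS URL"` matches the check. The descriptions in this and the neighbouring hunks (@@ -3165, @@ -3202, @@ -3239 and the All_SA_Passive.json hunks) say the Trust Mark is `decrypted`, but the decode operations only base64url-decode a signed JWT, so `decoded` is the accurate word.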
@@ -3331,15 +3798,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } @@ -3348,15 +3812,13 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -3377,11 +3839,8 @@ "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } 
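Review bot: The organization_name schema in hunk @@ -3331 constrains the claim to `\"enum \": [\"private \", \"public \"]`, which are organization_type values, so once the stray spaces and U+00A0 characters are removed the check would reject every real organization_name; the test name and description only ask for the claim's type. The line should be `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`. The change from `"result": ["s1"]` to `"result": "correct flow s1"` in @@ -3348 matches the rest of the file, but note that hunk @@ -3607 of this same file makes the opposite change.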
@@ -3390,32 +3849,37 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
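Review bot: The ref check added in hunk @@ -3390 relies on `\"format\": \"uri\"` alone, and `format` is an annotation that JSON Schema validators do not enforce by default, so the check may reduce to "ref is a string"; the sibling URL checks in this file pair the format with a pattern. If ref must be an https URL like the other URL claims, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"ref\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"ref\"]}"` would make it consistent. The description says the type of the ref claim is checked while the name says it must be a URL; `"description": "In this test, an issued Trust Mark must be taken, decoded and the ref claim in it is checked to be a URL"` matches the name.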
@@ -3427,25 +3891,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
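Review bot: The test in hunk @@ -3427 checks a Trust Mark `issued for an AA (oauth_resource profile)` but reads it from `Entity Statement response SA RP`, the tos_uri test in @@ -3487 does the same, and the matching test in All_SA_Passive.json (hunk @@ -38) reads it from `Entity Statement response SA OP`. The Entity Statement the SA issues for an RP or OP would presumably carry that subordinate's trust mark rather than an oauth_resource one, so either the message type or the name and description looks wrong; confirm which Entity Statement the AA trust mark is expected in and make the three tests agree.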
@@ -3457,25 +3928,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -3487,25 +3965,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -3517,25 +4002,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } + ] } ] } 
@@ -3547,25 +4039,53 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } 
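Review bot: In hunk @@ -3547 the Entity Configuration decode operation is changed from `"decode regex": "[^\\r\\n]*"` to `"decode param": "[^\\r\\n]*"`, which is the opposite of what every other hunk in this diff does for the same body extraction (e.g. @@ -19 in All_SA_Passive.json moves the regex to `decode regex`), and hunk @@ -3577 repeats it; if `decode param` is read as a parameter name the regex never matches and the check is skipped. The assertion `"contains": "conf_iss"` is weaker than what the name and description promise (`Its value must be an URL identifying the SA`): a substring match accepts any iss that merely contains the saved value, whereas an equality operator such as the `"is"` used by the removed checks would pin it, if the tool supports equality against a saved variable. The first intercept takes the JWT `"from": "url"` with `"decode param": "client_assertion"` on an `Entity Statement response` message, which is a response body rather than a request URL — confirm that is the intended source.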
@@ -3577,25 +4097,53 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } 
@@ -3607,62 +4155,86 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode 
regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { @@ -3736,30 +4308,6 @@ ], "result": "correct flow s1" } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response SA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } } ] } \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json index c66a452..8e3fdda 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json 
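Review bot: Hunk @@ -3607 sets `"result": ["s1"]` on the two organization_type tests while every other test in this file uses `"result": "correct flow s1"`, and hunks @@ -3348 and @@ -3390 of this same diff convert the array form to the string form; both lines should read `"result": "correct flow s1"`. The two tests are identical apart from the message type (`SA OP` vs `SA RP`) and share a name, which makes the report ambiguous; naming the subject entity in each, e.g. `"name": "Does the OP Trust Mark contain correct value for organization_type claim"`, would keep the two results distinguishable. The enclosing array of tests continues outside the hunk.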
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" @@ -19,14 +19,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
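Review bot: Hunks @@ -7 and @@ -19 replace the only visible Trust Mark signature test (`"jwt check sig": "X_key_SA"`) with a presence check for `sa_profile`, and hunk @@ -38 does the same for the other Entity Statement; unless the signature test is re-added in a hunk outside this view, the passive SA suite no longer verifies that the trust marks it inspects are signed by the SA, which is the check that gives every claim-content test below its meaning. Keep the signature test as its own entry and add the presence test after it rather than overwriting it.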
@@ -38,26 +44,32 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
@@ -69,53 +81,69 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": 
"jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
@@ -127,53 +155,69 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": 
"conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } @@ -185,20 +229,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
@@ -208,20 +266,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -231,25 +303,32 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -261,20 +340,478 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ 
+ { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the 
presence of the sub claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + 
"test": { + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": 
"$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode 
operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } @@ -284,20 +821,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
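Review bot: In the `@@ -261,20 +340,478 @@` hunk the test "Does the issued intermediary Trust Mark contain the sa_profile claim" is described as checking a Trust Mark issued by a TA for an SA, but it is bound to `"message type": "Entity Statement response SA RP"`, i.e. the statement the SA issues about an RP, so either the message type or the description is wrong. The same mismatch affects the tests named "Does the issued oauth_resource Trust Mark contain the … claim" (policy_uri, service_documentation, tos_uri, claims), whose descriptions speak of a Trust Mark issued for an AA yet whose message types are `"Entity Statement response SA OP"` or `"Entity Statement response SA RP"`; an OP or RP statement is unlikely to carry an oauth_resource Trust Mark, so these will probably fail for the wrong reason or never exercise the AA case. Either point them at the AA statement message type, if the tool defines one, or rename and re-describe them as checks on the OP/RP Trust Marks actually being inspected. The hunk's tests also sit one after another with identical bodies differing only in the claim name, which is worth a short comment in the file's README or test index since JSON itself cannot carry one.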
@@ -307,20 +858,34 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -330,8 +895,8 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -339,11 +904,25 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] } ] } 
@@ -353,20 +932,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response SA RP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] } ] } 
@@ -376,20 +969,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -399,25 +1006,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -429,25 +1043,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -459,25 +1080,32 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -489,25 +1117,32 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -519,25 +1154,32 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -549,15 +1191,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -566,8 +1208,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.exp", + "is present": "true" } ] } 
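Review bot: Replacing the `json schema compliant` check with `"check": "$.exp", "is present": "true"` in the `@@ -566,8 +1208,8 @@` hunk drops the constraint that exp is a non-negative integer, so a string, float or negative timestamp now passes; the rename to a "contain the exp parameter" test suggests this is deliberate, but unless a separate value test still covers the type, keep the schema: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. The same loss applies to the iat, iss, jwks and metadata hunks that follow (`@@ -579,15 +1221,15 @@`, `@@ -609,15 +1251,15 @@`, `@@ -639,15 +1281,15 @@`, `@@ -669,25 +1311,25 @@`) and to the Entity Statement exp/iat hunks further down, whose former schema checks are removed here without a replacement visible in this diff. For a federation, a malformed exp or iat on an Entity Statement is exactly the kind of defect a passive conformance test should catch, so a presence-only check is a regression in coverage.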
@@ -579,15 +1221,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -596,8 +1238,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.iat", + "is present": "true" } ] } 
@@ -609,15 +1251,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -626,8 +1268,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.iss", + "is present": "true" } ] } 
@@ -639,15 +1281,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -656,8 +1298,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.jwks", + "is present": "true" } ] } 
@@ -669,25 +1311,25 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "check": "$.metadata", + "is present": "true" } ] } 
@@ -699,32 +1341,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
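Review bot: The regex that selects the JWT from the body is supplied here as `"decode param": "[^\\r\\n]*"` while the Trust Mark tests added above pass the identical regex as `"decode regex"` and reserve `"decode param"` for a JSONPath; if the tool treats the two keys as interchangeable this is only inconsistent, but if `decode param` is interpreted as a path the outer decode would silently select nothing and the presence check would fail for an unrelated reason. Suggest one key for regexes across the file, e.g. `"decode regex": "[^\\r\\n]*"`, and verifying the tool's handling before relying on it. The same swap appears in `@@ -736,32 +1371,25 @@`, `@@ -785,20 +1413,13 @@`, `@@ -822,20 +1443,13 @@` and `@@ -859,20 +1473,13 @@`.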
@@ -736,32 +1371,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the entity configuration of the SA contain the trust marks", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } @@ -773,8 +1401,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain the constraints parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" 
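Review bot: The new description in the `@@ -773,8 +1401,8 @@` hunk reads "the presence if the constraints parameter is checked" and "Payload contained in the response are base64url decoded"; it should be `"... the Entity Statement Payload contained in the response is base64url decoded and, once the Payload is obtained, the presence of the constraints parameter is checked"`. The same "presence if" wording recurs in the exp, iat and jwks descriptions of `@@ -810,8 +1431,8 @@`, `@@ -847,8 +1461,8 @@` and `@@ -884,8 +1491,8 @@`. Those three descriptions also say the request is made to "the TA's fetch endpoint" while the test names say the statements are "issued by the SA" and the constraints description says "the SA's fetch endpoint"; the endpoint named should match the issuer. In the first hunk, `"check": "$.trust_marks", "is present": "true"` no longer asserts a type for trust_marks; if the intent is a structural check, a schema requiring a JSON array would keep that.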
@@ -785,20 +1413,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -810,8 +1431,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -822,20 +1443,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -847,8 +1461,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -859,20 +1473,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -884,8 +1491,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -896,20 +1503,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -921,8 +1521,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -933,20 +1533,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
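Review bot: The metadata_policy test's description (second hunk here) ends with "It must be a JSON Object", but the check only asserts `"is present": "true"` on `$.metadata_policy`; a string or array value would pass. The later hunks on this page already use `"json schema compliant"` for type checks (for example the metadata test at L2162), so the same form fits here: `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`. The same applies to the SA RP variant of this test at L2153. The test objects continue outside the hunk.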
@@ -958,8 +1551,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -970,20 +1563,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -995,8 +1581,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1007,20 +1593,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -1032,8 +1611,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1044,20 +1623,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -1069,32 +1641,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
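Review bot: This test reuses the exact name `"Does Entity Statements issued by the SA contain the constraints parameter"` already given to the "Entity Statement response SA OP" variant at L2143, and the same duplication holds for the exp, iat, jwks, metadata_policy, sub, iss and trust_marks tests in L2150–L2155 against L2144–L2148; only `"message type"` differs. Two tests with identical names and descriptions cannot be told apart in the results, so a failure on the RP statement is indistinguishable from one on the OP statement. Suggest qualifying the names by subordinate, e.g. `"name": "Does the Entity Statement issued by the SA about the RP contain the constraints parameter"` here and the OP counterpart at L2143. The test object continues outside the hunk.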
@@ -1106,32 +1671,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -1143,32 +1701,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -1180,32 +1731,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -1217,32 +1761,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -1254,8 +1791,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1266,20 +1803,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -1291,8 +1821,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1303,20 +1833,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -1328,8 +1851,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1340,20 +1863,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -1365,32 +1881,49 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
+ "checks": [
+ {
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does entity configuration SA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_SA"
 }
 ]
 }
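Review bot: The second test added here documents that the sub value "must be equal to the one in the iss parameter", but the check compares `$.sub` against the configured constant `"X_url_SA"` and never reads `$.iss`; an Entity Configuration whose iss is wrong in the same way as sub would pass. Adding a companion check on the issuer makes the documented property actually hold, e.g. `{ "in": "payload", "check": "$.iss", "is": "X_url_SA" }` next to the existing sub check. On a smaller point, the first test writes a boolean as `"url decode": false` while every other check on this page writes `"is present": "true"` as a string; presumably the tool accepts both, but one representation per file avoids surprises in the parser. The second test object continues outside the hunk.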
@@ -1402,34 +1935,43 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response SA",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
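Review bot: The two tests added here run the identical check (`"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` on `"head"`), so "Does the Entity expose the /.well-known/openid-federation endpoint" can never fail when "Does the entity return a correct HTTP code in the EC response" passes, even though its description promises that "its entity configuration is expected as response". A 200 with an empty or HTML body satisfies both. The endpoint test would carry its own weight if it verified the body instead, using the `"decode operations"` / `"type": "jwt"` form the other tests on this page use and asserting, for example, `"check": "$.iss", "is present": "true"` on the decoded payload. The status regex is also unanchored and not terminated after `200`; `"^HTTP/?\\d?\\.?\\d?\\s200\\b"` keeps it from matching inside a header value. The second test object continues outside the hunk.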
@@ -1439,32 +1981,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
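Review bot: The signature check covers only `$.trust_marks[0].trust_mark`, while the name and description speak of "the Trust marks" in the plural; any second or later Trust Mark in the array is never verified, so an unsigned or wrongly signed one after the first passes this test. Unless the tool's JSONPath handles a wildcard here, a second decode operation on `$.trust_marks[1].trust_mark` (or a documented note that only the first mark is covered) would make the result honest. Verifying against the configured `"X_key_SA"` rather than a key carried in the token is the right choice; the test does assume the SA is the Trust Mark issuer, which holds only when the mark's iss is the SA. The same test name and description are reused for the RP variant at L2159, whose `"message type"` lies outside that hunk; giving each a distinct name (OP vs RP) keeps the two results separable. The test object continues outside the hunk.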
@@ -1476,8 +2012,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1488,20 +2024,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -1513,32 +2043,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
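Review bot: The description says only that "the presence of the exp parameter is checked", but the schema on the last added line enforces more than presence (`"type": "integer", "minimum": 0`), and the name promises a "correct" exp, which neither the description nor the check defines: nothing relates exp to iat or to the time of the test, so an already-expired configuration passes. The description should state what is verified, e.g. "the exp parameter must be present and be a non-negative integer (Unix timestamp)"; if "correct" is meant to include freshness, that needs a separate check the tool would have to support. The same presence-vs-type wording applies to the iat test at L2161 and to the Entity Statement exp/iat tests at L2166 and L2167, whose descriptions say "It must be a timestamp". The test object continues outside the hunk.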
@@ -1550,32 +2073,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1587,32 +2103,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1624,32 +2133,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
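Review bot: The schema on the last added line lists all six metadata types under `"required"`, so an SA Entity Configuration passes only if it declares itself simultaneously an OpenID Provider, a Relying Party, a Trust Mark issuer and so on; the description says the keys "must be a value among the following", which is an allow-list, not a mandatory set, so every realistic configuration fails this test. `"additionalProperties": false` already enforces the allow-list; drop the `"required"` array and, if at least one entry is wanted, add `\"minProperties\": 1` inside the same schema string. The "only once for each" part of the name cannot be established from the parsed payload — a JSON parser that keeps the last duplicate key hides the repetition — so either the tool's decoder rejects duplicate keys (worth confirming) or that clause should be dropped from the name and description. Minor: this hunk and L2165 write the decode regex as `"[^\\n\\r]*"` while every other test on this page uses `"[^\\r\\n]*"`; equivalent, but one spelling keeps grep-based maintenance simple. The test object continues outside the hunk.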
@@ -1661,32 +2163,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
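Review bot: The schema on the last added line types `trust_marks` as `"object"` whose values are arrays, but the description says it "must be a JSON array containing the Trust Marks", and the signature tests on this page address it as `$.trust_marks[0].trust_mark` (L2158, L2159), which only resolves on an array of objects. As written, a conforming Entity Configuration fails this test and a non-conforming one passes it. Suggested schema string: `"{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"trust_mark\"]}}}, \"required\": [\"trust_marks\"]}"`. The test object continues outside the hunk.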
@@ -1698,32 +2193,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
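Review bot: The name says "TA metadata" and the description "the SA metadata in the TA Entity Configuration", but the operation reads `"Entity Configuration response SA"` and checks `$.metadata.federation_entity` of that document, i.e. the SA's own federation_entity metadata; the wording looks copied from a TA test and will mislead whoever reads a failure report. Suggest `"name": "Does the SA federation_entity metadata contain a correct type logo_uri claim"` and a description that names the SA Entity Configuration. On the check itself, `"format": "uri"` is an annotation that JSON Schema validators ignore unless format assertion is enabled, so the `"pattern"` is what actually enforces the https scheme and the .svg suffix — worth a note in the description so nobody later drops the pattern as redundant. The test object continues outside the hunk.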
@@ -1735,32 +2223,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
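Review bot: The new description says the statement is fetched from "the TA's fetch endpoint" while the operation is `"message type": "Entity Statement response SA OP"`, and it contains the doubled "the the exp parameter"; the same TA/SA mismatch and typo recur in the hunks at -1772, -1809 and -1839. This hunk and -1809 (and likewise -1772 and -1839) also give two different tests the identical name, differing only in the OP/RP message type, which makes failure reports ambiguous. Suggest naming by subordinate, e.g. `"name": "Does Entity Statements issued by the SA for an OP contain a correct exp parameter"`, and saying "the SA's fetch endpoint" in the description.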
@@ -1772,32 +2253,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1809,15 +2283,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1826,8 +2300,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1839,15 +2313,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1856,8 +2330,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1869,25 +2343,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
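Review bot: The new schema `{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}` only asserts that the `jwks` policy entry carries a `value` operator; it never checks that the operand is a JWK Set, although the description says it "must contain the RP JWKS". An empty object or a bare string under `value` passes unchanged. Suggest constraining the operand: `{\"type\":\"object\", \"properties\": {\"value\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\"}}, \"required\": [\"keys\"]}}, \"required\": [\"value\"]}`.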
@@ -1899,8 +2373,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1908,18 +2382,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response SA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
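Review bot: The new `check regex` `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is unanchored and admits `=`, `+` and `/`, so any body containing two dots between word characters satisfies it, and a standard-base64 or padded token passes even though JWS compact serialization is unpadded base64url. The description also promises `Content-Type: application/entity-statement+jwt`, but only the body is checked, so a plain JSON or HTML response that happens to contain a dotted token would still pass. Suggest anchoring to the base64url alphabet, `"check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]*$"`, and, if the tool's check syntax supports header checks, a separate check on the Content-Type header.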
@@ -1929,27 +2396,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
+ "is present": "true"
 }
 ]
 }
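Review bot: The new `check regex` begins with `[^\\r\\n]*.^\\{`; after `.` has consumed a non-newline character the engine is never at a line start, so `.^` cannot match unless the tool runs the pattern with both DOTALL and MULTILINE, and this presence check most likely never succeeds (the hunks at -1959, -1989 and -2019 use the same `[^\\r\\n]*.^` prefix). The rest of the pattern also requires a JSON object (`^\\{ ... \\}$`) whereas the description and the listing endpoint's contract call for a JSON array of entity identifiers; the array-of-strings regex sits in the resolve test at -2049 instead, so the two bodies look swapped. The name says "entity listing endpoint" but the description talks about "the resolve entity statement endpoint" and is missing its verb ("an HTTP GET request entity's endpoint"). Suggest `"check regex": "^\\s*\\[\\s*(\"[^\"]*\"\\s*(,\\s*\"[^\"]*\"\\s*)*)?\\]\\s*$"` here and a description that names the listing endpoint.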
@@ -1959,27 +2419,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Entity Statement response SA OP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
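Review bot: The JWS portion of the new `check regex`, `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)`, accepts `=`, `+` and `/` and is not anchored at either end, so a conforming unpadded base64url compact JWS is not distinguished from unrelated dotted text; the same pattern is used in the hunks at -1989 and -2019. This hunk and -1989 also give two different tests the identical name "Does the SA correctly release the Entity statements", differing only in the OP/RP message type, which makes failure reports ambiguous. Suggest `"check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]*$"` and names that identify the subordinate, e.g. `"name": "Does the SA correctly release the Entity Statement for the OP"`.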
@@ -1989,27 +2442,20 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain the trust marks",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -2019,27 +2465,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -2049,27 +2488,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
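Review bot: In the new `check regex` the leading `[` is not escaped, so `[\\s*\"[^\"]` is parsed as a character class rather than the literal opening bracket of a JSON array, and the pattern does not match the string list it was evidently written for; with `$` at the end but no `^` at the start, any trailing bracketed text would also satisfy it. The description expects the "resolved metadata" for the requested `sub`, which as I read the Federation spec is returned as a signed JWT rather than a bare JSON string array, so assertion and description disagree as well. Suggest `"check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]*$"` if a resolve-response JWT is intended, or escaping the bracket (`^\\s*\\[ … \\]\\s*$`) if a JSON list really is the expected body.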
@@ -2079,24 +2511,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the SA's metadata contain the contacts parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
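Review bot: The `- "decode param"` / `+ "decode regex"` swap on the body decode operation here, and in the eight hunks that follow (-2109 through -2319), keys the same JWT-extraction step differently from the hunks at -1661 through -1869, which keep `"decode param": "[^\\r\\n]*"` next to `"type": "jwt"`. Unless the tool accepts both spellings, one of the two groups is silently not decoding and its payload checks are evaluated against nothing, which would make presence checks fail (or pass vacuously) regardless of what the SA publishes. Worth confirming against the tool's test-definition schema and settling on a single key for every body-level JWT decode in the file.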
@@ -2109,24 +2541,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
 "is present": "true"
 }
 ]
@@ -2139,24 +2571,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
 "is present": "true"
 }
 ]
@@ -2169,24 +2601,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -2199,24 +2631,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
 "is present": "true"
 }
 ]
@@ -2229,24 +2661,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the SA's metadata contain the homepage_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -2259,24 +2691,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the SA's metadata contain the logo_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -2289,24 +2721,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the SA's metadata contain the organization_name parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -2319,24 +2751,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the SA's metadata contain the policy_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -2349,25 +2781,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ }
+ ]
 }
 ]
 }
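Review bot: The schema string on the new `json schema compliant` line has trailing spaces inside its quoted keywords and names (`\"type \"`, `\"object \"`, `\"enum \"`, `\"required \"`, `\"sa_profile \"`, `\"full \"`, `\"light \"`) and uses `\u00a0` (a no-break space) between tokens, which is not JSON whitespace. A strict parser rejects the NBSP outright, and even a lenient one reads `required: [\"sa_profile \"]` as a claim name with a trailing space that no Trust Mark carries, so this check fails for every conforming input; the email schema in the hunk at -2499 has the same trailing-space defect. Suggest `{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}`. Separately, the description says the Trust Mark is one "issued for an SA", but the operation decodes `$.trust_marks[0].trust_mark` from an `Entity Statement response SA OP`, i.e. a Trust Mark about the OP; confirm which entity's mark is meant.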
@@ -2379,25 +2818,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -2409,25 +2855,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -2439,25 +2892,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -2469,25 +2929,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
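Review bot: The new description says the `claims` claim "is checked to be a list", but the schema on the new `json schema compliant` line requires `{\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, so one of the two is wrong and a reader cannot tell which shape is the intended contract. If the object form is correct, align the description (`"... the value of the claims claim is checked to be a JSON object whose members are objects"`); if a list is what the AA profile requires, change the schema to `\"claims\": {\"type\": \"array\"}`.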
@@ -2499,8 +2966,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -2517,12 +2984,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -2536,8 +3003,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
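Review bot: In @@ -2517 the `decode param` switches from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark`, as it does in @@ -2554, @@ -2591, @@ -2702, @@ -2776, @@ -3146, @@ -3183, @@ -3220, @@ -3331 and @@ -3390, while the tests added at @@ -3427 through @@ -3607 keep the `[0]` index; `trust_marks` is addressed as an array everywhere else in the file, so the un-indexed path most likely resolves to nothing and the inner Trust Mark JWT is never decoded. Restore `"decode param": "$.trust_marks[0].trust_mark"` in each of those hunks. Separately, the email schema in @@ -2517 pads every keyword and value with a trailing space (`\"type \"`, `\"required \"`, `\"email \"`); JSON Schema ignores unknown keywords, so this schema constrains nothing and the check passes for any payload — the same padding appears in @@ -2702, @@ -2966, @@ -3146 and @@ -3331. It should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`, bearing in mind that `format` is only enforced when the validator opts in. The test objects continue outside the hunks.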
@@ -2554,12 +3021,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -2573,8 +3040,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -2591,12 +3058,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } 
@@ -2610,8 +3077,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -2633,7 +3100,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -2647,8 +3114,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -2670,7 +3137,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } 
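Review bot: The `id_code` schema added in @@ -2633 requires every member of `id_code` to itself be an object (`\"additionalProperties\": {\"type\": \"object\"}`), but the tests at @@ -2439 and @@ -3077 require `id_code.ipa_code` to be a string, so a Trust Mark that satisfies those fails this one; the same schema recurs at @@ -3262. The description only asks that `id_code` be a JSON object, which is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"`. The test name also misspells "correcty". The test object continues outside the hunk.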
@@ -2684,8 +3151,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -2702,12 +3169,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } @@ -2758,8 +3225,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" 
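Review bot: The `organization_name` schema added in @@ -2702 restricts the value to the enum `private`/`public`, which is the value set of `organization_type` (the `is in` check removed at @@ -3331 and re-added at @@ -3607 uses exactly those two values), while the description says only the type of `organization_name` is checked; a real organization name would fail this test. The inner JSON also places `\u00a0` (no-break space) between `:` and the value, which is not JSON whitespace, so a strict parser rejects the schema string before any validation happens; the same NBSP and space-padded keywords appear in @@ -2966 and @@ -3331. For a type check the line should be `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`. The test object continues outside the hunk.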
@@ -2776,12 +3243,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } @@ -2795,8 +3262,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -2818,7 +3285,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } 
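Review bot: The `ref` schema added in @@ -2776 relies on `\"format\": \"uri\"` alone, whereas every other URL check in these hunks (`sub`, `iss`, `logo_uri`, `service_documentation`, `tos_uri`, `policy_uri`) also adds `\"pattern\": \"^https://\"`; since `format` is an annotation that most validators do not enforce unless configured, a non-URL or non-HTTPS `ref` would pass here. If `ref` is meant to be an HTTPS URL like the sibling claims, aligning it gives `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"ref\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"ref\"]}"`. The same schema is used at @@ -3390. The test object continues outside the hunk.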
@@ -2832,8 +3299,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -2855,7 +3322,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } @@ -2869,8 +3336,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -2892,7 +3359,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } 
@@ -2906,15 +3373,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -2929,7 +3396,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -2943,8 +3410,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" 
@@ -2966,7 +3433,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -2980,8 +3447,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -3003,7 +3470,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } 
@@ -3017,8 +3484,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -3040,7 +3507,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -3054,8 +3521,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" 
@@ -3077,7 +3544,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -3091,8 +3558,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" @@ -3114,7 +3581,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -3128,8 +3595,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -3146,12 +3613,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -3165,8 +3632,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3183,12 +3650,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } 
@@ -3202,8 +3669,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3220,12 +3687,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -3239,8 +3706,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -3262,7 +3729,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } 
@@ -3276,8 +3743,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -3299,7 +3766,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } @@ -3313,15 +3780,15 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -3331,15 +3798,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } @@ -3348,15 +3812,13 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -3377,11 +3839,8 @@ "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } 
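Review bot: The `result` value changes from `["s1"]` to `"correct flow s1"` in @@ -3348 and again in @@ -3390, while @@ -3607 converts the two organization_type tests the other way, from `"correct flow s1"` to `["s1"]`, so the file ends up with both spellings for the same passive-test outcome. Unless the harness treats the two forms as equivalent, one of them is silently ignored or misreported; pick a single form for all passive tests in this file. The test objects continue outside the hunks.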
@@ -3390,32 +3849,37 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
@@ -3427,25 +3891,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
@@ -3457,25 +3928,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -3487,25 +3965,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -3517,25 +4002,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } + ] } ] } 
@@ -3547,25 +4039,53 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } 
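Review bot: In @@ -3547 the value saved as `conf_iss` is read from the URL parameter `client_assertion` of an `Entity Statement response SA OP`, but a fetch response carries the Entity Statement JWT in its body and `client_assertion` is a request parameter, so the edit most likely saves nothing and the later `contains` check on the Entity Configuration's `$.iss` compares against an empty variable; the description says it is the Entity Statement's `iss` that must be checked. The first decode operation should read the statement from the body as the passive tests do (`"from": "body"`, `"decode regex": "[^\\r\\n]*"`, `"type": "jwt"`), and the comparison should be an exact match rather than `contains`, because a substring match also accepts any issuer value that merely embeds the expected URL. The second decode operation uses `"decode param": "[^\\r\\n]*"` for the body regex, the form the rest of this diff replaces with `"decode regex"`. The same applies to the RP variant at @@ -3577. The test object continues outside the hunk.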
@@ -3577,25 +4097,53 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } 
@@ -3607,62 +4155,86 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode 
regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { @@ -3736,30 +4308,6 @@ ], "result": "correct flow s1" } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response SA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } } ] } \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-metadata-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-metadata-logo_uri-type.json new file mode 100644 index 0000000..8d7be0e --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-metadata-logo_uri-type.json 
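Review bot: Both organization_type tests in this hunk set `"result"` to the array `["s1"]` while every other test in the diff uses the string `"correct flow s1"`, so the key changes type between sibling entries; unless the runner accepts both forms, `"result": "correct flow s1"` should be restored on both lines. The SA OP and SA RP variants also share the identical `name` (`Does the Trust Mark contain correct value for organization_type claim`), which makes a failure impossible to attribute; the same duplicate-naming pattern appears for the email, exp, iat, organization_name, ref and sa_profile pairs among the new single-test files. Suffixing the name with the message type, e.g. `... organization_type claim (SA OP)`, would resolve it.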
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-email-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-email-type.json new file mode 100644 index 0000000..9f50964 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-email-type.json 
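Review bot: The `name` line says `Does the TA metadata contain correct type logo_uri claim`, but the operation inspects `Entity Configuration response SA` and the description itself speaks of the SA metadata, so the name points at the wrong entity; `Does the SA metadata contain a correct type logo_uri claim` matches what is checked. The description also trails off (`... is an URL with an .svg file`); `... and the value of the logo_uri claim in the 'federation_entity' entity type is checked: it must be an https URL ending in .svg` states the expectation. As in the other schema checks, `\"format\":\"uri\"` is only enforced by validators that assert formats, so the `pattern` is the effective check here, and `"decode param"` holds a regex where sibling tests use `"decode regex"` for the same value.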
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-exp-type.json new file mode 100644 index 0000000..9dc463b --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-exp-type.json 
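Review bot: The `json schema compliant` string on the check line has a trailing space inside every keyword and value (`\"type \"`, `\"object \"`, `\"properties \"`, `\"email \"`, `\"required \"`), so a JSON Schema validator finds no recognised keyword and the email type is never validated — depending on the validator the check passes vacuously or fails on an unknown keyword. The same broken schema is in the SA RP email-type file and, with U+00A0 characters mixed in, in the organization_name-type and sa_profile-value files for both SA OP and SA RP. Separately, `"decode param": "$.trust_marks.trust_mark"` drops the `[0]` index that the iss, organization_type and sa_profile tests use; `trust_marks` is an array, so the un-indexed path most likely resolves to nothing, and this affects the email, exp, iat, organization_name and ref files for both SA OP and SA RP as well as the modified SA RP iat file. The corrected check line is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`.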
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iat-type.json new file mode 100644 index 0000000..7a3e99f --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iat-type.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_name-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_name-type.json new file mode 100644 index 0000000..d93eb1c --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_name-type.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ref-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ref-type.json new file mode 100644 index 0000000..0492fdd --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ref-type.json 
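Review bot: The schema on the check line constrains `organization_name` to `enum [private, public]`, which is the value set this commit assigns to `organization_type`, not a plausible organization name; any real name would fail the test. The string also mixes ordinary and U+00A0 spaces inside its keywords, so it is not a usable JSON Schema in any case. A name check should assert a non-empty string, e.g. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\", \"minLength\": 1}}, \"required\": [\"organization_name\"]}"`; the SA RP organization_name-type file carries the same content and needs the same fix.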
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile-value.json new file mode 100644 index 0000000..5d89a04 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile-value.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile.json new file mode 100644 index 0000000..c85ab82 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-email-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-email-type.json new file mode 100644 index 0000000..99b0a98 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-email-type.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-exp-type.json new file mode 100644 index 0000000..6d2cd1a --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-exp-type.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iat.json index e57a899..bc80421 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iat.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iat.json 
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -25,12 +25,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
- "check": "iat",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_name-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_name-type.json
new file mode 100644
index 0000000..56588d8
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_name-type.json
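Review bot: These two hunks turn the SA RP `trust_mark-iat` presence test into a type check, so a file still named `...-trust_mark-iat.json` now holds what the SA OP side ships as a separate `-iat-type.json`, and the presence assertion for `iat` on the SA RP statement disappears. Keeping `"check": "iat"`, `"is present": "true"` in this file and putting the schema check into a new `SA RP-trust_mark-iat-type.json` would mirror the SA OP layout. The second hunk also replaces `$.trust_marks[0].trust_mark` with the un-indexed `$.trust_marks.trust_mark`, the opposite of the `[0]` path the iss, organization_type and sa_profile tests rely on.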
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ref-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ref-type.json new file mode 100644 index 0000000..d7006a9 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ref-type.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile-value.json new file mode 100644 index 0000000..46cd6d2 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile-value.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile.json new file mode 100644 index 0000000..7b51f6a --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile.json 
@@ -0,0 +1,46 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json index b101dc1..b5bf5f3 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -19,14 +19,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] } ] } 
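Review bot: The second hunk replaces the test that verified the Trust Mark signature (`"jwt check sig": "X_key_TA"`) with a presence check for `$.id_code.ipa_code`, and the next hunk does the same for the second signature test, so within the visible diff the aggregate no longer exercises signature verification of TA-issued Trust Marks — the one check that binds a mark to the Trust Anchor. If All_TA.json is regenerated from the single-test files this may only be reordering, but if the signature tests have not moved elsewhere they must be kept. The new test is also unconditional while its name scopes it to marks issued for a public organization; a private-organization mark without `ipa_code` would fail it. In the next hunk the name (`oauth_resource Trust Mark`) and description (`issued for an TA`) do not obviously match its `Entity Statement response TA OP` message type.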
@@ -38,26 +44,32 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
@@ -69,20 +81,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } 
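Review bot: This hunk and the three that follow replace the TA Entity Configuration checks (HTTP 200 on the EC response, the `/.well-known/openid-federation` endpoint, `sub` equal to `X_url_TA`, and the JOSE body regex) with presence checks for the `email`, `exp`, `iat` and `id` Trust Mark claims, so the aggregate loses its endpoint and EC-integrity tests unless they reappear further down the file. The replacement tests use a bare claim name in `"check": "email"` while the ipa_code test above uses the JSONPath form `$.id_code.ipa_code`; if the tool treats both alike this is only a style point, otherwise the bare form should be `$.email` and likewise for `exp`, `iat` and `id`.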
@@ -92,20 +118,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
@@ -115,25 +155,32 @@ }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_TA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
@@ -145,20 +192,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -168,20 +229,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } @@ -191,8 +266,8 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -200,11 +275,25 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] } ] } @@ -214,20 +303,34 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] } ] } 
@@ -237,20 +340,367 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": 
"correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": 
"[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "type": 
"passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } 
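Review bot: The tests whose descriptions say the Trust Mark was "issued for an AA (oauth_resource profile)" — policy_uri, service_documentation and tos_uri — are bound to `"message type": "Entity Statement response TA OP"`, and the `claims` test to `"Entity Statement response TA RP"`, so they decode the OP's/RP's Trust Mark and report a missing claim against the wrong entity; either the message type should name the AA's entity statement or the names/descriptions should drop the oauth_resource wording. Separately, this hunk introduces TA RP tests (`email`, and further on `exp`, `iat`, `id`, …) with names identical to the TA OP tests earlier in the file, so a failure report cannot say which entity's Trust Mark failed; a suffix such as `Does the Trust Mark (TA → RP) contain the email claim` keeps the names unique. The `$.id_code.ipa_code` test runs against whatever RP is captured in session s1 and will presumably fail for a non-public RP that carries a different identifier under `id_code`; the description should say it applies to public organisations only, or the test should be restricted to that case.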
@@ -260,20 +710,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
@@ -283,20 +747,34 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -306,20 +784,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -329,25 +821,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -359,25 +858,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -389,25 +895,32 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -419,25 +932,32 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
@@ -449,25 +969,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -479,25 +1006,32 @@ }, { "test": { - "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -509,25 +1043,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
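Review bot: Presence of `sub` is the weakest possible check on this claim: the property that matters is that the Trust Mark's `sub` equals the subject of the enclosing entity statement (the RP being attested), and a mark lifted from another entity would still pass as written. The removed tests in this file compare values against variables (`"is": "X_url_TA"` style), so if a variable for the RP's entity identifier is available, `"check": "$.sub", "is": "<RP entity id variable>"` would pin the binding; if it is not, the description should say only presence is checked, not the subject.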
@@ -539,25 +1080,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -569,25 +1117,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -599,25 +1154,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
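Review bot: As with `sub`, `"check": "iss", "is present": "true"` does not establish that the Trust Mark comes from an issuer the federation trusts — any non-empty `iss` satisfies it. The TA's entity configuration lists the permitted issuers per mark (`trust_mark_issuers`, which this file validated before the patch), so the check should compare the value, e.g. `"check": "$.iss", "is": "X_url_TA"` when the TA is the issuer, or against the configured issuer for the mark's `id`; otherwise the description should make clear that issuer trust is not verified here.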
@@ -629,25 +1191,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -659,15 +1228,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -676,8 +1245,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -689,15 +1258,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -706,8 +1275,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -719,15 +1288,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -736,8 +1305,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -749,15 +1318,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -766,8 +1335,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -779,15 +1348,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -796,8 +1365,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -809,15 +1378,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -826,8 +1395,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -839,15 +1408,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -856,8 +1425,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -869,15 +1438,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Federation Configuration contain the TA public keys",
+ "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -886,8 +1455,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
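Review bot: This test duplicates the `$.jwks` presence check already introduced at `@@ -749,15 +1318,15 @@` / `@@ -766,8 +1335,8 @@`: both use `"message type": "Entity Configuration response TA"` and `"check": "$.jwks"`, and only the name and description differ. Either one of the two should go, or this one should assert something the other does not, for instance adding `"json schema compliant": "{\"type\": \"object\", \"required\": [\"keys\"]}"` next to the presence check so the claim is verified to be a JWK Set and not merely present.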
@@ -899,15 +1468,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -916,8 +1485,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.trust_mark_issuers",
+ "is present": "true"
 }
 ]
 }
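Review bot: The name and description say `trust_marks_issuers`, but the check reads `$.trust_mark_issuers`; the JSONPath is the spelling of the Entity Configuration claim, so the text should follow it, e.g. `"name": "Does TA's Entity configuration contain the trust_mark_issuers parameter"` and the same word in the description. Leaving the two spellings diverged makes a failing report name a claim that does not exist.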
@@ -929,8 +1498,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -946,8 +1515,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -959,8 +1528,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -976,8 +1545,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -989,8 +1558,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1006,8 +1575,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -1019,8 +1588,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1036,8 +1605,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -1049,8 +1618,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1066,8 +1635,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
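Review bot: The description ends with "It must be a JSON Object", but the new check is only `"is present": "true"`, so a `metadata_policy` of any type passes; either drop that sentence or add `"json schema compliant": "{\"type\": \"object\"}"` next to the presence check, as the old side of this hunk did for its value check. The same mismatch is in the RP variant at `@@ -1324,32 +1858,25 @@`. Separately, the descriptions in this and the neighbouring "Entity Statements issued by the TA" hunks say "the presence if the … parameter" and "the decrypted Payload" where "presence of" and "decoded payload" are meant — a base64url decode performs no decryption and the test verifies no signature. The operations block of this test lies outside the hunk, so which `message type` it inspects cannot be confirmed from here.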
@@ -1079,15 +1648,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1096,8 +1665,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -1109,15 +1678,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1126,8 +1695,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -1139,8 +1708,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1151,20 +1720,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
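Review bot: The body-to-JWT step in the second hunk is written as `"decode param": "[^\\r\\n]*"`, while the Trust Mark tests rewritten at `@@ -569,25 +1117,32 @@` and the two hunks after it use `"decode regex": "[^\\r\\n]*"` for the same step, and this commit removes the `decode regex` form here in favour of `decode param`. If the tool honours only one of these keys as the regex selector, one family of tests silently matches nothing and its presence checks never run against a real payload; this is worth confirming against the parser and settling on a single key name. The same `decode param` form is used in each hunk through `@@ -1435,32 +1948,25 @@`. The `message type` line of this test is between the two hunks and not visible here.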
@@ -1176,32 +1738,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -1213,32 +1768,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -1250,32 +1798,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -1287,32 +1828,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -1324,32 +1858,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -1361,32 +1888,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -1398,32 +1918,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -1435,32 +1948,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
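Review bot: The check path `$.jwks` looks at the root of the Entity Statement payload, while the name and description say the jwks parameter is to be found inside `metadata_policy` under the `openid_relying_party` type. An Entity Statement normally carries a top-level `jwks` of its own (the subject's federation keys), so this test would pass for a reason unrelated to what it claims to verify. If the description is the intent, the line should read `"check": "$.metadata_policy.openid_relying_party.jwks",`; otherwise the name and description should be reworded to say the statement's own jwks is checked.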
@@ -1472,32 +1978,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -1509,34 +2008,21 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
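Review bot: The Content-Type check uses `"is": "application/entity-statement+jwt"`, and if `is` is an exact comparison as its name suggests, a header such as `application/entity-statement+jwt; charset=utf-8` (a media type with parameters, which is still the correct type) would fail the test. The HTTP-status tests in this same patch already use `check regex` on the head, so a tolerant form would be `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true"`. If `is` is already a prefix or substring match in the tool, a comment-free way to make that visible is to name the test "Content-Type media type" rather than "Content-Type".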
@@ -1546,32 +2032,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does entity configuration TA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_TA"
 }
 ]
 }
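Review bot: The description states that sub "must be equal to the one in the iss parameter", but the check only pins `$.sub` to the `X_url_TA` placeholder and never looks at `iss`, so an Entity Configuration whose iss differs from sub (which the Federation spec forbids for self-signed statements) still passes. The cheapest way to make the test match its description without a cross-field operator is a second entry in the same `checks` array: `{ "in": "payload", "check": "$.iss", "is": "X_url_TA" }`. Alternatively reword the description to say sub is compared against the configured TA entity id.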
@@ -1583,34 +2062,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
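Review bot: This "correct HTTP code" test and the "Does the Entity expose the /.well-known/openid-federation endpoint" test in the next hunk have byte-identical operations (same message type, same `check regex` on the head), so the second one adds no coverage and will always report the same verdict as this one. If the endpoint test is meant to prove that an Entity Configuration actually came back, it should assert something this test does not, for instance that the body decodes as a JWT (`"decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt" } ]`) or that `iss` is present in the payload. Otherwise one of the two tests should be dropped to keep the suite's failure reports meaningful.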
@@ -1620,34 +2085,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -1657,8 +2108,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1669,20 +2120,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -1694,8 +2139,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1706,20 +2151,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
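Review bot: The test whose header is in the previous hunk and the test headed at `@@ -1694,8 +2139,8 @@` now carry the same name ("Does the TA correctly sign the issued Trust Mark") and byte-identical operations, so the second is a pure duplicate and its report line is indistinguishable from the first. Both also verify only `$.trust_marks[0].trust_mark` with `X_key_TA`, which silently assumes the first trust mark in the array is the one issued by the TA; if the subject carries trust marks from another issuer first, the signature check fails for an unrelated reason. Keep one test and, if the tool supports it, iterate the array or select the mark by its `id`; at minimum the second test's name should say which trust mark it targets. The enclosing test objects start outside these hunks.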
@@ -1731,32 +2170,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
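Review bot: The name says "a correct exp parameter" but the schema only establishes that exp is present and is a non-negative integer; it does not verify that the statement is unexpired or that exp is later than iat, which is what "correct" reads as. The same applies to the iat test in the next hunk. Either rename to "Does entity configuration contain an integer exp parameter" (and likewise for iat), or, if the tool has a time-aware check, add it as a second entry in `checks`. JSON Schema alone cannot express "later than now", so the schema form is fine as a type check but should not be described as a validity check.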
@@ -1768,32 +2200,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1805,32 +2230,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1842,32 +2260,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
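Review bot: `"format":"uri"` in the logo_uri schema is an annotation by default in JSON Schema and is only enforced if the validator opts in, so the `pattern` is the only part of this schema that actually constrains the value; that is acceptable, but the description should not suggest the URL itself is validated beyond the `^https://.*\.svg$` shape, and the pattern will also reject an otherwise valid URL that carries a query string or fragment after `.svg`. Separately, the added `decode param` here is `[^\\n\\r]*` while every other hunk in this patch uses `[^\\r\\n]*`; the two are equivalent, but a single spelling (the next hunk has the same variant) keeps the file greppable.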
@@ -1879,32 +2290,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
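Review bot: The schema's `required` array lists all six metadata types, so an Entity Configuration that omits any one of them fails, which is the opposite of what the name and description say ("must be a value among the following"); a Trust Anchor's configuration normally carries only `federation_entity`, so as written this test should fail on a compliant TA. The allowed-set constraint is already carried by `"additionalProperties": false`, so the fix is to drop the `required` member from the schema string. The "only once for each" part of the name cannot be verified after JSON decoding, since duplicate keys are collapsed by the parser before the schema sees them; that claim should either be removed from the name or checked on the raw payload text with a regex.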
@@ -1916,32 +2320,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
 }
 ]
 }
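Review bot: The braces in the constraints schema are misnested: the closing `}` after `"required": ["max_path_length"]` ends the `constraints` subschema, so `"required": ["constraints"]` lands inside the top-level `properties` map as a property named "required" (with an array where a schema is expected) and the top level has no `required` at all; a payload with no `constraints` member passes, and a strict validator may reject the schema itself. The corrected string is `{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"max_path_length\"]}}, \"required\": [\"constraints\"]}`, which also types max_path_length instead of accepting any value with `{}`.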
@@ -1953,32 +2350,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
 }
 ]
 }
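Review bot: The name and description say trust_mark_issuers "must be a JSON Array", but the schema asserts `"type": "object"` whose values are arrays; the schema is the one that matches OpenID Federation, where trust_mark_issuers is an object keyed by trust mark id with an array of issuer entity ids per key, so it is the prose that is wrong. Suggested wording: `"name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Object of arrays"` and, in the description, "the trust_mark_issuers parameter must be a JSON Object whose values are JSON Arrays of issuer entity ids". The array items could also be typed with `"items": {"type": "string"}` so a non-string issuer entry is caught.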
@@ -1990,32 +2380,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.acr_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
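Review bot: The check path is `$.metadata_policy.intermediary.acr_values_supported` while the name and description say the parameter is looked up "inside the openid_provider type"; `intermediary` is not one of the six metadata types this same patch enumerates in the metadata-types test, so either the path or the prose is wrong, and if the TA emits the policy under `openid_provider` this test fails on a compliant TA. The description also promises only the key 'subset_of', whereas the schema requires both `subset_of` and `superset_of`, so a policy with `subset_of` alone is rejected. The same path/description disagreement appears in the hunks for grant_types_supported, id_token_encryption_alg_values_supported, id_token_encryption_enc_values_supported, id_token_signing_alg_values_supported and request_authentication_signing_alg_values_supported; if `openid_provider` is the intent, each check line becomes `"check": "$.metadata_policy.openid_provider.<parameter>",` and `required` should list only the operator the description names.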
@@ -2027,32 +2410,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
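Review bot: The description says the policy entry "must contain the key 'one_of' and it must be valued as ['true']", but the schema checks a different operator and type: `value` with `const true` (a boolean, not the string 'true' in an array). One of the two is stale; if the schema reflects what the TA actually issues, the description should read "It must contain the key 'value' and it must be valued as true". The next hunk (client_registration_types_supported: prose says 'one_of' ['automatic'], schema checks `subset_of`) and the request_authentication_methods_supported hunk (prose says 'one_of' ['request_object'], schema checks `value`) have the same prose/schema mismatch.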
@@ -2064,32 +2440,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
 }
 ]
 }
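Review bot: `"subset_of": {"const": "automatic"}` compares the operator value against a bare string, but in OpenID Federation metadata policy the `subset_of` operator takes an array of allowed values, so a conforming policy of `"subset_of": ["automatic"]` would not satisfy `const "automatic"` and the test would fail on a correct TA. If an array is indeed what the TA emits, the schema should be `{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": [\"automatic\"]}}, \"required\": [\"subset_of\"]}` (or `{"type":"array","items":{"const":"automatic"},"minItems":1}` if order-insensitive matching is wanted). The same concern applies to the `value` const in the request_authentication_methods_supported hunk later in this patch if that parameter is, as in the Federation spec, an object keyed by endpoint rather than a plain string.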
@@ -2101,32 +2470,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2138,32 +2500,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2175,32 +2530,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2212,32 +2560,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2249,32 +2590,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -2286,15 +2620,15 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2303,8 +2637,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
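Review bot: The check path uses `intermediary` where the test description says the `request_authentication_signing_alg_values_supported` policy is checked "inside the openid_provider type", so the OP policy is never actually inspected. Change it to `"check": "$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported"`. As in the sibling tests, the schema demands `superset_of` as well although the description only mentions `subset_of`; align one with the other.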
@@ -2316,15 +2650,15 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2333,8 +2667,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
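Review bot: The test is named and described as a check on `request_object_signing_alg_values_supported`, but the JSONPath reads `$.metadata_policy.openid_provider.request_parameter_supported`, a different (boolean) parameter for which a `subset_of`/`superset_of` object schema cannot apply. The check line should be `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`. Note also that the next hunk adds a test with exactly the same name, so results from the two will be indistinguishable in reports unless one is renamed (e.g. "... parameter key" here, "... parameter value" there).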
@@ -2346,15 +2680,15 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2363,8 +2697,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
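Review bot: The `json schema compliant` string is not valid JSON: after the closing `}` of the schema object a bare array `[\"RS256\", \"RS512\"]` is appended, so the schema will fail to parse and the test can never run. If the intent from the description is that `subset_of` is exactly `['RS256', 'RS512']`, the schema should be `"{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": [\"RS256\", \"RS512\"]}}, \"required\": [\"subset_of\"]}"`. The check path is also wrong for this test (it reads `request_parameter_supported` instead of `request_object_signing_alg_values_supported`), and the name duplicates the previous hunk's test.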
@@ -2376,15 +2710,15 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2393,8 +2727,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
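Review bot: The description says `request_parameter_supported` "must contain the key 'one_of' valued with ['true']", but the schema enforces a `value` key with the JSON boolean `true`, so the documented form would fail and the enforced form is not documented. Align the description with the schema (`"It must contain the key 'value' set to the boolean true"`) or vice versa. The schema's use of the boolean `true` rather than the string `"true"` is correct and should be kept, since a policy publishing the string would be a type error for a boolean OP metadata parameter.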
@@ -2406,15 +2740,15 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2423,8 +2757,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
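Review bot: The check path targets `$.metadata_policy.intermediary.response_modes_supported` while the name and description say the `response_modes_supported` policy is checked inside `openid_provider`; the OP policy branch is therefore never read. Change the line to `"check": "$.metadata_policy.openid_provider.response_modes_supported"`. The schema also requires `superset_of`, which the description does not mention.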
@@ -2436,15 +2770,15 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2453,8 +2787,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
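Review bot: Same type mismatch as the neighbouring OP policy tests: `$.metadata_policy.intermediary.scopes_supported` is checked, but the test is described as a check on the `openid_provider` policy. It should be `"check": "$.metadata_policy.openid_provider.scopes_supported"`, and the description should mention `superset_of` if the schema keeps requiring it.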
@@ -2466,15 +2800,15 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2483,8 +2817,8 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
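Review bot: The JSONPath reads the `intermediary` policy for `token_endpoint_auth_signing_alg_values_supported`, contradicting the name and description that refer to the `openid_provider` type, so a compliant TA's OP policy is never validated. The line should be `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported"`.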
@@ -2496,15 +2830,15 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2513,8 +2847,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
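Review bot: The check path for `userinfo_encryption_alg_values_supported` points at `$.metadata_policy.intermediary...` although the test is about the `openid_provider` policy per its name and description; the wrong branch is inspected. Use `"check": "$.metadata_policy.openid_provider.userinfo_encryption_alg_values_supported"`.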
@@ -2526,15 +2860,15 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2543,8 +2877,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
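Review bot: The JSONPath for `userinfo_encryption_enc_values_supported` uses the `intermediary` type while the description states the parameter is checked inside `openid_provider`, so the OP policy is not what the test validates. Change it to `"check": "$.metadata_policy.openid_provider.userinfo_encryption_enc_values_supported"`.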
@@ -2556,8 +2890,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -2573,8 +2907,8 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
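Review bot: The check reads `$.metadata_policy.intermediary.userinfo_signing_alg_values_supported` but the test name and description say the `openid_provider` policy is checked, so the path is wrong for this test. The line should be `"check": "$.metadata_policy.openid_provider.userinfo_signing_alg_values_supported"`. The message-type line of this test is outside the hunk, so I cannot confirm it was also switched to `Entity Statement response TA OP` as in the sibling tests.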
@@ -2586,8 +2920,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" @@ -2603,8 +2937,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
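Review bot: The description says `authorization_response_iss_parameter_supported` "must contain the key 'one_of' ... valued as ['true']" but the schema requires a `value` key equal to the boolean `true`, so the two disagree on both the operator and the type. Update the description to match the enforced schema (`"It must contain the key 'value' set to the boolean true"`) or change the schema to the documented operator. Keeping the boolean `true` rather than the string `"true"` is the right choice either way.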
@@ -2616,15 +2950,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -2633,8 +2967,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
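Review bot: The schema's property subschemas are empty (`\"subset_of\": {}, \"superset_of\": {}`), which in JSON Schema accepts any value, so a policy with `"subset_of": null` or `"subset_of": "authorization_code"` passes even though the `grant_types` policy operators are expected to carry arrays. Tightening them to `\"subset_of\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}` (and likewise for `superset_of`) would make the test fail on a malformed policy instead of only on a missing key. This applies to every sibling test in this file that uses the same `{}` subschemas.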
@@ -2646,15 +2980,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2663,8 +2997,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" } ] } 
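Review bot: The `json schema compliant` string is malformed JSON: `\"required\": [\"subset_of\"], [\"superset_of\"]` places a bare array after the `required` value, so the schema cannot be parsed and the test will error rather than validate anything. It should be `\"required\": [\"subset_of\", \"superset_of\"]`, matching the description which asks for both keys.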
@@ -2676,27 +3010,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
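Review bot: The regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is unanchored and allows an empty third group, so any body containing two dot-separated words (an HTML error page mentioning `example.com`, or an unsigned `header.payload.` token) satisfies "is present", and a compact JWS that uses base64url `-` characters in its first two segments is only partially matched. A stricter pattern would be `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`, which requires a non-empty signature segment and the base64url alphabet without padding. The description also promises `Content-Type: application/entity-statement+jwt`, but no header is checked; if mig-t supports header checks, add one so a JSON or HTML body served with the wrong media type is rejected.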
@@ -2706,27 +3033,20 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
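Review bot: The description is copied from the resolve-endpoint test ("presence and correctness of the resolve entity statement endpoint") although this test checks the entity listing endpoint; it should read "In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request is made to the TA's list endpoint and a JSON array of known Entity Identifiers is expected". The regex also requires at least one quoted string, so a valid empty list `[]` from a TA with no subordinates fails the test; consider `"check regex": "^\\[\\s*(?:\"[^\"]*\"(?:\\s*,\\s*\"[^\"]*\")*)?\\s*\\]$"` if an empty listing is acceptable.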
@@ -2736,8 +3056,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" @@ -2745,18 +3065,11 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
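Review bot: This test keeps the generic name "Does the TA correctly release the Entity statements" and the following hunk adds an RP variant with the identical name, so the two results cannot be told apart in a report. Rename this one to `"name": "Does the TA correctly release the Entity statement for an OP"` (and the RP copy accordingly). The body regex also accepts an empty signature segment and is unanchored, so an `alg: none` token or any text containing `a.b` passes; anchoring it and requiring a non-empty third segment would make the presence check meaningful.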
@@ -2766,27 +3079,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -2796,27 +3102,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
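Review bot: The description says the fetch endpoint response should contain "the resolved metadata for the entity", but the fetch endpoint returns the TA's signed subordinate Entity Statement, not resolved metadata (that is the resolve endpoint's job), and the regex in the check is indeed looking for a compact JWT. Rewrite the description to "... a response containing the signed Entity Statement that the TA issued for the entity in the request's sub parameter is expected". The regex shares the weakness of the other JWT checks: unanchored and with an optional signature segment, so it does not reject an unsigned token.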
@@ -2826,27 +3125,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
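Review bot: Same wording problem as the OP variant: the description promises "resolved metadata" from the fetch endpoint, whereas what the check expects (and what the fetch endpoint serves) is a signed subordinate Entity Statement. Change the description to say an Entity Statement is expected, and consider anchoring the JWT regex and requiring a non-empty signature segment so that an `alg: none` response does not pass.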
@@ -2856,27 +3148,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Public Keys History response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
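Review bot: The regex expects a JSON array of plain strings (`[\"...\", \"...\"]`), but a key-history endpoint named `.well-known/openid-federation-jwks` presumably serves a JWK Set (`{"keys": [{"kty": ...}]}`), possibly wrapped in a signed JWT; neither form has a `[` immediately followed by a quoted string, so this test would fail against a correct TA. Confirm the actual response format and match it, for example `"check regex": "\"keys\"\\s*:\\s*\\["` for a JWK Set, or the compact-JWT pattern if the history is signed.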
@@ -2886,27 +3171,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
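Review bot: The regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` is missing the backslash before the opening `[`, so the leading `[\\s*\"[^\"]` is parsed as a character class and the pattern no longer matches the JSON-array shape the sibling tests use; it should begin with `\\[` as in the listing test. Beyond that, the resolve endpoint's response is a signed JWT (resolve response), not a JSON array of strings, so even the corrected array regex would reject a correct answer; the compact-JWT pattern used in the entity statement tests is presumably what belongs here — please confirm against the endpoint being tested.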
@@ -2916,15 +3194,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2933,8 +3211,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
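Review bot: The forbidden value is spelled `RSA_1_5`, but the JWA identifier for RSAES-PKCS1-v1_5 is `RSA1_5`, so a TA that allows the broken algorithm will never be flagged; the list should read `"not contains": ["RSA1_5"]`. The check path is also `intermediary...one_of` while the description says `openid_provider` and `subset_of`; if a missing path makes "not contains" succeed vacuously, the test currently passes regardless of what the OP policy permits. Use `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"` (or `one_of`, but then fix the description).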
@@ -2946,15 +3226,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2963,8 +3243,13 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
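Review bot: The check path `$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` contradicts the description, which says the `openid_provider` policy's `subset_of` key is inspected; against a real TA the path will likely not exist, and a "not contains" on a missing path may pass vacuously, hiding a policy that still allows `none` or HMAC algorithms. Change it to `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of"` and keep the `none`/`HS*` deny list.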
@@ -2976,15 +3261,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2993,8 +3278,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3006,15 +3296,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -3023,8 +3313,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -3036,15 +3328,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -3053,8 +3345,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3066,8 +3363,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3078,19 +3375,17 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
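Review bot: The second hunk renames the body-extraction key from `"decode regex"` to `"decode param"` while keeping the same regex value `"[^\\r\\n]*"`, yet the Entity Configuration tests later in this file (contacts, federation_fetch_endpoint, and the rest of the federation_entity checks) keep `"decode regex"` for exactly the same `from: body` extraction, and on the old side `"decode param"` carried a JSONPath rather than a regex. Unless the engine accepts both keys for a body decode, one spelling will be ignored and the JWT decode will either fail or run over the whole body, so the check would error out or pass for the wrong reason. The same rename appears in the eight RP and SA metadata-policy hunks that follow (id_token_encrypted_response_alg through userinfo_signed_response_alg). I would keep the key the rest of the file uses: `"decode regex": "[^\\r\\n]*",`.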
@@ -3103,31 +3398,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
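Review bot: The description says the key `subset_of` must not contain `RSA_1_5`, but the check reads `$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of`. For a single-valued RP parameter `one_of` is the metadata-policy operator that applies, so the check is presumably the intended one and the description is what is wrong; as written, someone auditing a run cannot tell from the report which policy key the test actually enforced. The same wording mismatch is in the RP hunks for id_token_signed_response_alg, userinfo_encrypted_response_alg and userinfo_signed_response_alg and in the four SA hunks that follow them. I would change the last sentence of the description to `The key 'one_of' must not contain the value ['RSA_1_5']` (and the plural form in the signing-alg variants).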
@@ -3140,31 +3430,29 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3177,31 +3465,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -3214,31 +3497,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3251,31 +3532,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -3288,31 +3564,29 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3325,31 +3599,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -3362,31 +3631,29 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3399,32 +3666,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
@@ -3436,32 +3696,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -3473,32 +3726,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -3510,32 +3756,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -3547,32 +3786,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -3584,32 +3816,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -3621,32 +3846,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -3658,32 +3876,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -3695,32 +3906,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the Entity's metadata contain the policy_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -3732,32 +3936,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
 }
 ]
 }
@@ -3769,32 +3966,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "is present": "true" } ] } 
@@ -3806,8 +3996,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" 
@@ -3818,80 +4008,56 @@ "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "is present": "true" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", + "is present": "true" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" 
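Review bot: The description of the new claims_parameter_supported key test says `It must contain the key 'one_of'`, but the check reads `$.metadata_policy.openid_provider.claims_parameter_supported.value`; for a boolean OP parameter the `value` operator is the plausible one, so the description should say `It must contain the key 'value'`. The same description/operator mismatch appears in the hunks for the request_parameter_supported key, the authorization_response_iss_parameter_supported key, and the RP tests for client_registration_types, id_token_encrypted_response_alg, id_token_encrypted_response_enc, id_token_signed_response_alg and userinfo_encrypted_response_alg, where the description names one policy operator and the JSONPath another. The same description also appears to contain a raw line break after `is checked. `; if that is in the file rather than an artefact of this rendering, it is invalid inside a strict JSON string and should be a space or `\n`. The `"result": "correct flow s1"` lines replace an array with a string; presumably the runner accepts both shapes, but that is not visible here.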
@@ -3902,15 +4068,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" } ] } @@ -3922,8 +4086,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" 
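Review bot: The presence test for client_registration_types_supported checks `$.metadata_policy.openid_provider.client_registration_types_supported.subset_of`, which is exactly the path of the following "correct ... parameter key" test, so the two tests are now identical and neither verifies the parameter itself. The presence test should read `"check": "$.metadata_policy.openid_provider.client_registration_types_supported",`, as the other presence tests in this patch do. The test's `message type` line is outside the hunk.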
@@ -3934,18 +4098,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" } ] } @@ -3957,8 +4116,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" 
@@ -3969,18 +4128,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is present": "true" } ] } @@ -3992,8 +4146,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" @@ -4004,15 +4158,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "is present": "true" } ] } 
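Review bot: The new code_challenge_methods_supported check uses the path `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`, while the description in the preceding hunk says the parameter is checked inside the openid_provider type; an `is present` check against the wrong metadata type would presumably fail even on a compliant TA, so the path should be `$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of`. The same `intermediary` path appears in the hunks for response_types_supported, revocation_endpoint_auth_methods_supported and subject_types_supported, whose message type is `Entity Statement response TA OP` and whose descriptions also say openid_provider; those three descriptions additionally name the key `'one_of'` while the check uses `.subset_of`. The enclosing test's message type is outside this hunk.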
@@ -4024,8 +4176,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" @@ -4036,18 +4188,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "is present": "true" } ] } 
@@ -4059,8 +4206,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" @@ -4071,18 +4218,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "is present": "true" } ] } 
@@ -4094,27 +4236,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "is present": "true" } ] } 
@@ -4126,30 +4266,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is present": "true" } ] } 
@@ -4161,27 +4296,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is present": "true" } ] } 
@@ -4193,30 +4326,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is present": "true" } ] } 
@@ -4228,27 +4356,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is present": "true" } ] } 
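Review bot: The new check uses recursive descent, `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`, while every sibling check in this patch uses `$.metadata_policy...`; `$..` matches the key at any depth, so it would also accept a `metadata_policy` nested somewhere other than the payload root. It should read `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",`. The test name says "parameter key" but the description does not state which key is expected; appending `It must contain the key 'subset_of'` to the description would match the check.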
@@ -4260,30 +4386,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "is present": "true" } ] } 
@@ -4295,27 +4416,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.jwks", + "is present": "true" } ] } 
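Review bot: The description says the presence of the jwks parameter inside the openid_provider type of the metadata_policy is checked, but the check path is `$.jwks`, which resolves to the Entity Statement's top-level jwks (in OpenID Federation, the subject's federation entity keys), not to anything under `metadata_policy`. Either the path should target the intended location under the OP metadata or the description should describe the top-level jwks; the sentence `It must contain the RP JWKS related to the OIDC Core operations` also speaks of RP keys in a test on an `Entity Statement response TA OP`, which looks like a copy-paste remnant. As written, the test passes on any well-formed entity statement regardless of the OP's metadata policy.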
@@ -4327,30 +4446,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is present": "true" } ] } 
@@ -4362,29 +4476,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is present": "true" } ] } 
@@ -4396,27 +4506,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" - ] + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is present": "true" } ] } 
@@ -4428,28 +4536,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" - ] + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "is present": "true" } ] } 
@@ -4461,28 +4566,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is present": "true" } ] } 
@@ -4494,28 +4596,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4527,28 +4626,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4560,28 +4656,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
- "is subset of": [
- "form_post",
- "query"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4593,27 +4686,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is subset of": [
- "code"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4625,27 +4716,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
- ]
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "is present": "true"
 }
 ]
 }
@@ -4657,30 +4746,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
- "is subset of": [
- "openid",
- "offline_access",
- "profile",
- "email"
- ]
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
 }
 ]
 }
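Review bot: The check path `$.metadata_policy.openid_relying_party.response_types.value` inspects the relying-party policy, while the name, the description and the `Entity Statement response TA SA` message type say this test covers the SA policy under the intermediary type, so the SA's response_types is never evaluated. If the SA policy is keyed as `intermediary`, as the sibling SA tests in this change assume, the line should read `"check": "$.metadata_policy.intermediary.response_types.value"`. The test object continues past the end of the hunk.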
@@ -4692,27 +4776,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is subset of": [
- "pairwise"
- ]
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4724,27 +4806,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
- ]
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4756,28 +4836,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4789,28 +4866,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4822,28 +4896,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4855,28 +4926,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4888,27 +4956,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
- ]
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -4920,27 +4986,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_token"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
 ]
 }
 ]
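Review bot: The inner decode extracts `$.trust_marks[0].trust_mark`, so only the first trust mark in the entity statement is validated and a non-compliant mark at any other index is never seen; this applies to every trust-mark hunk that follows (ipa_code presence and type, oauth_resource claims, email, exp, iat, logo_uri, organization_name). The message type is `Entity Statement response TA OP` for a test described as covering a private organization, which reads as if the OP under test is assumed to be a private entity — the description should state that assumption or the message type should be parameterised. The inner operation still uses `"decode param"` with a JSONPath while the outer one was renamed to `"decode regex"`; if that rename reflects a key change in the runner, the inner key deserves the same check. The test object continues past the end of the hunk.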
@@ -4953,26 +5023,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
@@ -4985,27 +5060,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
 ]
 }
 ]
@@ -5018,26 +5097,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
 ]
 }
 ]
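Review bot: The description says the `claims` value "has to be a list of JSON Objects", but the schema on the new `json schema compliant` line declares `claims` as an object whose members are objects (`\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}`), so an array value would fail this check; either the description or the schema should change so they agree on the expected shape. The schema also places no `required` on the per-claim objects, so (constructed example) `{"claims": {"x": {}}}` passes — acceptable if only the container shape is under test, but then the description should say so. This test is described as covering an AA trust mark yet reads the `Entity Statement response TA OP` message, which looks like the wrong entity statement unless the OP happens to carry the oauth_resource mark. The test object continues past the end of the hunk.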
@@ -5050,26 +5134,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256\" , \"RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ }
 ]
 }
 ]
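Review bot: The schema on the new `json schema compliant` line spells the keyword as `\"required \"` with a trailing space, which JSON Schema validators treat as an unknown keyword and ignore, so a trust mark with no `email` claim still passes this test; the key should be `\"required\":[\"email\"]`. `\"format\":\"email\"` is an annotation by default in JSON Schema and only rejects malformed values when the validator runs with format assertion enabled, so unless the runner's library does that, the string type is the only constraint actually enforced here — worth confirming and, if needed, adding a `pattern`. The test object continues past the end of the hunk.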
@@ -5082,26 +5171,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
 ]
 }
 ]
@@ -5114,27 +5208,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
 ]
 }
 ]
@@ -5147,26 +5245,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
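Review bot: `\"format\": \"uri-reference\"` on logo_uri does not enforce the "has to be an URL" requirement in the description: per JSON Schema it accepts relative references and fragment-only strings such as `#x`, and `format` is an annotation that a validator asserts only when format checking is enabled, so depending on the library behind `json schema compliant` this may be a no-op. The ref hunk two hunks below uses `\"format\": \"uri\"` for the same intent, so the two are inconsistent; `uri` is the stricter choice for logo_uri, policy_uri, service_documentation, sub and tos_uri here and in the TA RP copies later in the chunk, and whether formats are asserted should be confirmed against the validator.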
@@ -5179,27 +5282,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
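Review bot: The schema string for organization_name is not usable as written: every key and value carries a trailing space (`\"type \"`, `\"organization_name \"`, `\"string \"`) and the `\u00a0` characters sit between tokens, where a no-break space is not JSON whitespace, so the schema either fails to parse or contains only unknown keywords and the test cannot report what its name promises. The `enum` of `private`/`public` also describes organization_type, not organization_name, which the description says is only type-checked. The corrected value is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`; the TA RP copy in the `@@ -5665,25 +5837,32 @@` hunk carries the same broken string.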
@@ -5212,26 +5319,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
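Review bot: The test is described as checking a Trust Mark issued for an AA (oauth_resource profile), but the operation is bound to `"message type": "Entity Statement response TA OP"`, so it runs against the OP's entity statement and never sees an AA's Trust Mark. The service_documentation, tos_uri and claims hunks below have the same mismatch, the TA RP copies later in the chunk bind the same oauth_resource tests to `Entity Statement response TA RP`, and the sa_profile test at the end of the chunk binds an intermediary Trust Mark to the OP statement. If the harness has a message type for the AA entity statement (the OP/RP/SA names visible here suggest a parallel one may exist) that is what these operations should select; otherwise the descriptions should say which entity's Trust Mark is actually inspected.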
@@ -5244,26 +5356,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
@@ -5276,27 +5393,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
@@ -5309,27 +5430,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } ] } ] 
@@ -5342,27 +5467,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
@@ -5375,27 +5504,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
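Review bot: `\"additionalProperties\": {\"type\": \"object\"}` inside id_code requires every member of id_code to itself be an object, which contradicts the ipa_code type test three hunks below that expects `id_code.ipa_code` to be a string, so a mark that passes one of these tests must fail the other. The description only asks that id_code be a JSON Object, so the inner constraint should be dropped: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"`. The TA RP copy in the `@@ -5845,25 +6059,32 @@` hunk needs the same change.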
@@ -5408,26 +5541,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
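Review bot: The required ipa_code check is applied to every `Entity Statement response TA RP`, but the description scopes it to marks issued for a public organization, and the next hunk unconditionally requires fiscal_number or vat_number for private ones, so whichever organization_type the RP's Trust Mark declares, one of the two tests fails. Either gate each schema on the organization_type claim — for this one add `\"if\": {\"properties\": {\"organization_type\": {\"const\": \"public\"}}, \"required\": [\"organization_type\"]}` at the top level and move the current id_code constraint under `\"then\"` — or merge the two into one test whose `then`/`else` branches select the ipa_code or the fiscal_number/vat_number requirement. The ipa_code type test two hunks down has the same scoping gap.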
@@ -5440,27 +5578,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -5473,27 +5615,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -5506,27 +5652,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
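Review bot: The description says the claims claim has to be a list of JSON Objects, but the schema requires `\"type\": \"object\"` with object-valued members, so an array value — the shape the description asks for — fails this test. One of the two needs to change; if a list is intended the schema is `{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"claims\"]}`. The test is also an oauth_resource check bound to `Entity Statement response TA RP`, so it inspects the RP's Trust Mark rather than an AA's.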
@@ -5539,27 +5689,31 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.trust_marks[0].trust_mark.organization_type", - "is in": [ - "public", - "private" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } ] } ] @@ -5572,8 +5726,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
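Review bot: The email schema has a trailing space inside every key and value (`\"type \"`, `\"email \"`, `\"format \": \"email \"`), so `required` asks for a property literally named `email ` and the remaining keywords are ignored as unknown, and a well-formed Trust Mark fails this test. The string should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`, with the caveat that `format` is only asserted when the validator enables format checking.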
@@ -5584,15 +5738,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.organization_type", - "is in": [ - "public", - "private" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] @@ -5605,25 +5763,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.constraints.max_path_length", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -5635,25 +5800,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the contacts parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } 
@@ -5665,25 +5837,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } 
@@ -5695,25 +5874,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
@@ -5725,25 +5911,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
@@ -5755,25 +5948,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
@@ -5785,25 +5985,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the homepage_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -5815,25 +6022,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the logo_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -5845,25 +6059,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the organization_name parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] } ] } 
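Review bot: The id_code schema `{"type": "object", "additionalProperties": {"type": "object"}}` requires every member of id_code to itself be an object, which is stricter than the description ("the value of the id_code claim is a JSON Object"). If the members of id_code are scalar identifier strings, as the name suggests, a compliant Trust Mark fails this check; `{"type": "object"}` matches the description, or else the description should spell out the nested-object requirement. The profile's definition of id_code is not visible from here, so which side is wrong needs confirming.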
@@ -5875,68 +6096,92 @@ }, { "test": { - "name": "Does the Entity's metadata contain the policy_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" @@ -5947,13 +6192,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "is present": "true" + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } @@ -5965,8 +6214,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" 
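Review bot: The two sa_profile tests in this hunk have the identical name and description and differ only in `message type` ("Entity Statement response TA OP" vs "Entity Statement response TA RP"), so a failure report cannot say which statement was at fault; naming the subordinate in each, e.g. `"name": "Does the intermediary Trust Mark in the OP entity statement contain a correct sa_profile claim"`, would disambiguate them. Both also use the bare key `"check": "sa_profile"` whereas every sibling check is a JSONPath such as `$` or `$.metadata_policy...`; if the tool only accepts JSONPath here the check would silently miss the claim, so `"check": "$.sa_profile"` is the safer form. The enclosing test array continues past the hunk.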
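Review bot: `decode regex` is renamed to `decode param` here but the value is still the regex `[^\\r\\n]*`, while the Trust Mark hunks above keep `decode regex` for the same value, so one operation is now spelled two ways in the same file. In the nested decode above, `decode param` carries a JSONPath (`$.trust_marks[0].trust_mark`); if the tool interprets `decode param` that way, this regex will not be applied and the body will not decode. The rename recurs in every later metadata_policy hunk of this chunk (code_challenge_methods_supported through the RP id_token_encrypted_response_enc test), so either the key should stay `"decode regex"` or the meaning of `decode param` with a regex value should be confirmed against the tool before this lands.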
@@ -5977,13 +6226,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", - "is present": "true" + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" + ] } ] } @@ -5995,8 +6246,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" @@ -6007,13 +6258,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" + ] } ] } 
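Review bot: The check path reads `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of` while the test name and description say the policy for an OP is checked "inside the openid_provider type", so the documentation and the assertion name different policy sections. The same mismatch is in the acr_values_supported hunk before this one and in every OP hunk that follows, except token_endpoint_auth_methods_supported, which alone keeps `$.metadata_policy.openid_provider...`. If `intermediary` is the tool's name for the section that holds the OP policy, the descriptions should say so; if not, these checks inspect a section other than the one the tests claim to verify, and whether a missing path fails or passes "is subset of" is not visible here.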
@@ -6025,8 +6279,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -6037,13 +6291,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
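Review bot: The description says id_token_encryption_enc_values_supported "must contain the key 'subset_of'" but the check reads `...id_token_encryption_enc_values_supported.one_of`, so the test documents one policy operator and asserts another. Under the federation metadata-policy operators `subset_of` constrains an array-valued parameter and `one_of` a single-valued one; for a `*_values_supported` array `subset_of` is the operator the description names, so the path should end in `.subset_of` or the description should name `one_of`. The same description/path disagreement recurs in the id_token_signing_alg_values_supported, token_endpoint_auth_signing_alg_values_supported, userinfo_encryption_alg_values_supported, userinfo_encryption_enc_values_supported and userinfo_signing_alg_values_supported hunks, and in the RP id_token_encrypted_response_alg and id_token_encrypted_response_enc hunks, where the single-valued parameters make `one_of` the plausible operator and the description the side to fix.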
@@ -6055,8 +6312,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6067,13 +6324,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is present": "true" + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
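Review bot: The new check path starts with `$..metadata_policy`, a recursive-descent JSONPath that matches a `metadata_policy` key at any depth of the payload, while every sibling test anchors at `$.metadata_policy`; a nested `metadata_policy` inside another object would be matched too, and a multi-match result may not compare as a single list under "is subset of". `"check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of"` keeps the form used elsewhere; the same `$..` prefix is removed from the token_endpoint_auth_methods_supported check in a later hunk of this commit.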
@@ -6085,8 +6345,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6097,13 +6357,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6115,8 +6378,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" @@ -6127,13 +6390,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } 
@@ -6145,8 +6411,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" @@ -6157,13 +6423,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } 
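Review bot: The description says response_types_supported "must contain the key 'one_of' valued with ['code']" but the check reads `...response_types_supported.subset_of`, so the text and the assertion disagree about the operator. `response_types_supported` is array-valued, so `subset_of` is the plausible operator and the description is the side to fix; the same pattern (description 'one_of', path `.subset_of`) recurs in the revocation_endpoint_auth_methods_supported, subject_types_supported and token_endpoint_auth_methods_supported hunks and in the RP client_registration_types hunk. Whichever operator is intended per parameter, name, description and path should agree.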
@@ -6175,8 +6443,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -6187,13 +6455,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", - "is present": "true" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -6205,8 +6475,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" @@ -6217,13 +6487,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -6235,8 +6510,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" @@ -6247,13 +6522,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } 
@@ -6265,8 +6542,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -6277,13 +6554,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -6295,8 +6574,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6307,13 +6586,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6325,8 +6607,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -6337,13 +6619,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6355,8 +6640,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -6367,13 +6652,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -6385,8 +6673,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6397,13 +6685,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6415,8 +6706,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" @@ -6427,13 +6718,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is present": "true" + "is subset of": [ + "automatic" + ] } ] } 
@@ -6445,8 +6738,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" @@ -6457,13 +6750,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } 
@@ -6475,7 +6771,7 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ @@ -6487,13 +6783,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "is subset of": [ + "code" + ] } ] } 
@@ -6505,8 +6803,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6517,13 +6815,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
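Review bot: The description says the policy entry must contain the key `'subset_of'`, but the JSONPath queries `.id_token_encrypted_response_alg.one_of`; one of the two is wrong, and if the TA actually publishes `subset_of` the check silently evaluates a missing node instead of the policy. Pick the operator the TA really issues and use it in both places — the description text suggests `"check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.subset_of"`. The same description-vs-path mismatch is in the id_token_encrypted_response_enc, id_token_signed_response_alg, userinfo_encrypted_response_alg and userinfo_encrypted_response_enc tests for the RP, in their `intermediary` counterparts for the SA (including the `Entity Statement response TA SA` userinfo_signed_response_alg test), and in reverse in the SA client_registration_types test, whose description says `'one_of'` while its path reads `.subset_of`. The enclosing test object continues beyond the hunk.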
@@ -6535,8 +6836,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6547,13 +6848,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
 }
 ]
 }
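Review bot: The expected list is a single JSON string, `"A128CBC-HS256\" , \"A256CBC-HS512"`, whose content is the literal text `A128CBC-HS256" , "A256CBC-HS512`, so no real policy value can ever match and the test is dead on arrival. It should be two elements, `"A128CBC-HS256",` and `"A256CBC-HS512"`, as the SA counterpart of this test already writes them. The same malformed literal appears in the RP id_token_signed_response_alg test (`"RS256\" , \"RS512"`) and in the RP userinfo_encrypted_response_enc test. The enclosing test object continues beyond the hunk.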
@@ -6565,8 +6868,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6577,13 +6880,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256\" , \"RS512"
+ ]
 }
 ]
 }
@@ -6595,8 +6900,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6607,13 +6912,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
 }
 ]
 }
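Review bot: `"private_key"` is not a registered `token_endpoint_auth_method` value — the OpenID Connect client-authentication method that uses an asymmetric key is `private_key_jwt` — so a TA that publishes the correct policy `one_of: ["private_key_jwt"]` would fail this check. The expected value (and the description's `['private_key']`) should read `"private_key_jwt"`; the SA token_endpoint_auth_method test later in this file has the same typo. The enclosing test object continues beyond the hunk.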
@@ -6625,8 +6932,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6637,13 +6944,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -6655,8 +6965,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6667,13 +6977,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -6685,8 +6997,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6697,13 +7009,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -6715,8 +7030,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6727,13 +7042,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
 "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is present": "true"
+ "is subset of": [
+ "automatic"
+ ]
 }
 ]
 }
@@ -6746,7 +7063,7 @@
 {
 "test": {
 "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6757,13 +7074,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
 "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is present": "true"
+ "is subset of": [
+ "code"
+ ]
 }
 ]
 }
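Review bot: This SA test still reads `$.metadata_policy.openid_relying_party.response_types.value` (an unchanged context line) while its name and description talk about the `intermediary` type and every other SA test in this file queries `$.metadata_policy.intermediary.…`, so the new `["code"]` assertion is applied to the RP policy rather than the SA one; it should be `"check": "$.metadata_policy.intermediary.response_types.value"`. The name also still says "parameter key" while the description now asserts the value `'code'`, unlike the renamed siblings that say "parameter value". The enclosing test object continues beyond the hunk.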
@@ -6775,8 +7094,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6787,13 +7106,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_toke"
+ ]
 }
 ]
 }
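Review bot: `"refresh_toke"` is missing its final letter, so a TA policy that correctly lists `refresh_token` is not a subset of the expected values and this test fails against a compliant TA; it should be `"refresh_token"` as in the RP version of the test. The description also reads `'subset_of' values with` where the siblings say `valued with`. The enclosing test object continues beyond the hunk.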
@@ -6805,8 +7127,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6817,13 +7139,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -6835,8 +7160,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6847,13 +7172,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -6865,8 +7193,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6877,13 +7205,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -6895,8 +7226,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6907,13 +7238,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
 }
 ]
 }
@@ -6925,8 +7258,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6937,13 +7270,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -6955,8 +7291,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6967,13 +7303,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -6985,21 +7324,30 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -7009,8 +7357,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7023,7 +7371,16 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.trust_marks[0].trust_mark.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
+ }
+ ]
 }
 ]
 }
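Review bot: The path `$.trust_marks[0].trust_mark.organization_type` is evaluated on the outer JWT payload, but `trust_marks[0].trust_mark` is itself a compact JWT string — the All_TA_Passive tests later in this diff decode `$.trust_marks[0].trust_mark` as a nested `jwt` before reading its claims — so this path most likely resolves to nothing and the `is in` check never sees the real claim. The check should follow that nested-decode pattern, with the `organization_type` lookup inside the inner payload. The description also says the Trust Mark is "decrypted", while the operation decodes a signed JWT. Two consecutive tests now carry the identical name `Does the Trust Mark contain a correct organization_type claim`; giving each a distinct name (this one is the Entity-Statement-embedded variant) keeps reports readable. The message type and the rest of the enclosing test object lie outside the hunk.
```json
"type": "jwt",
"decode operations": [
  {
    "from": "jwt payload",
    "type": "jwt",
    "decode param": "$.trust_marks[0].trust_mark",
    "checks": [
      {
        "in": "payload",
        "check": "$.organization_type",
        "is in": [
          "public",
          "private"
        ]
      }
    ]
  }
]
```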
@@ -7033,8 +7390,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7047,7 +7404,16 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
+ }
+ ]
 }
 ]
 }
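Review bot: `$.organization_type` is read from the top level of the decoded body, which only holds the Trust Mark's claims if the message being decoded is the Trust Mark JWT itself; the `message type` of this operation is outside the hunk, so that cannot be confirmed here and is worth checking — if it is an Entity Statement or Entity Configuration, the claim lives inside the nested `trust_marks[0].trust_mark` JWT instead. This test also repeats the name of the previous one verbatim, `Does the Trust Mark contain a correct organization_type claim`; a qualifier such as `(Trust Mark response)` would tell the two apart in results. The enclosing test object continues beyond the hunk.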
@@ -7187,8 +7553,8 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7196,12 +7562,60 @@ "operations": [ { "message type": "Entity Configuration response TA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_TA" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_TA" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_TA" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json index 3da2dec..53944a9 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json @@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" 
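Review bot: The two re-added Entity Statement signature tests (message types `Entity Statement response TA OP` and `Entity Statement response TA RP`) share the identical name `Does the TA correctly sign the Entity statements`, so a failure in one cannot be told from the other in the report; suffixing the subordinate, e.g. `… Entity statements (TA to OP)` / `(TA to RP)`, fixes that. No signature test for the `Entity Statement response TA SA` message appears in this file after the change, although the SA statement is now consumed by the metadata-policy tests above; that gap is worth closing unless the check exists elsewhere. The `Content-Type: application/entity-statement+jwt` check on the Entity Configuration response is removed by this hunk together with the previous one and no replacement is visible in this chunk — if it was not moved to another file, that is lost coverage. The enclosing `tests` array continues beyond the hunk.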
@@ -19,14 +19,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] } ] } @@ -38,26 +44,32 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
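Review bot: The inner decode selects `$.trust_marks[0].trust_mark`, so the ipa_code check covers only the first Trust Mark of the entity statement and passes or fails on whichever mark happens to be listed first; if an entity can carry several marks, the test should select the mark by its `id` rather than by position, or the description should state that only the first mark is examined. This check uses the JSONPath form `"check": "$.id_code.ipa_code"` while the checks in the following hunks use bare claim names such as `"check": "claims"`; if the tool treats both as paths that is fine, but mixing the two forms in one file invites a silent no-match. The same position-only selection applies to every Trust Mark test from here to L2473.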
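Review bot: The name says `oauth_resource Trust Mark` and the message type is `Entity Statement response TA OP`, yet the description says the mark is `issued for an TA`; the later copies of this test say `issued for an AA (oauth_resource profile)`, so this one should read `"description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decoded and the presence of the claims claim in it is checked."`. More importantly, the `claims`, `policy_uri`, `service_documentation` and `tos_uri` checks here and at L2458, L2459, L2460, L2462, L2467, L2468 and L2470 are run against the OP and RP entity statements; unless those subordinates also carry an oauth_resource mark, the presence checks will fail for a reason unrelated to the TA, and the oauth_resource tests belong on the AA statement instead.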
@@ -69,20 +81,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } 
@@ -92,20 +118,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
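Review bot: The new `exp` test only asserts `"is present": "true"`, whereas the entity-configuration test it replaces validated type and range with `"json schema compliant"`; a Trust Mark whose `exp` is a string or negative would still pass. Reusing the schema form the file already has, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"` on `"check": "$"`, keeps the stronger check. The same applies to the `iat` tests at L2454 (TA OP) and L2463 (TA RP) and to the RP `exp` copy in the hunk ending at L2462.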
@@ -115,25 +155,32 @@ }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_TA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
@@ -145,20 +192,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -168,20 +229,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } @@ -191,8 +266,8 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -200,11 +275,25 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] } ] } @@ -214,20 +303,34 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] } ] } 
@@ -237,20 +340,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -260,20 +377,367 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] + } + ] 
+ } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", 
+ "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "type": "passive", + 
"sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
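Review bot: The tests added in this hunk for `Entity Statement response TA RP` reuse the names of the TA OP tests verbatim, e.g. `"Does the Trust Mark contain the email claim"` appears for the OP in the hunk at L2452 and for the RP here, so a failing test cannot be attributed to the OP or the RP statement from the report. Suffixing the subject, e.g. `"name": "Does the Trust Mark issued to the RP contain the email claim"`, disambiguates the pairs; the same applies to the RP copies in the hunks at L2463 through L2472. The last test in this hunk (the RP `exp` check) closes outside the hunk.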
@@ -283,20 +747,34 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -306,20 +784,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -329,25 +821,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -359,25 +858,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -389,25 +895,143 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] 
+ } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -419,25 +1043,32 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -449,25 +1080,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -479,25 +1117,32 @@ }, { "test": { - "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -509,25 +1154,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -539,25 +1191,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -569,15 +1228,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -586,8 +1245,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
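Review bot: The description says the Entity Configuration of "the interested entity" is taken, but the message type is narrowed to `Entity Configuration response TA`, so this test only ever exercises the Trust Anchor; the same wording is copied into the next five hunks (iat, iss, jwks, metadata, sub). Saying `the Entity configuration of the TA is taken`, as the constraints test later in this section does, would keep the description honest. The `$.exp` check asserts presence only; since the file already uses `json schema compliant`, a second check with `{"type": "integer"}` would also catch a string-valued expiry, which presence alone lets through. The enclosing test object spans both hunks and continues past the second.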
@@ -599,15 +1258,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -616,8 +1275,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -629,15 +1288,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -646,8 +1305,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -659,15 +1318,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -676,8 +1335,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -689,15 +1348,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -706,8 +1365,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -719,15 +1378,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -736,8 +1395,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -749,15 +1408,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -766,8 +1425,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -779,15 +1438,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the Federation Configuration contain the TA public keys",
+ "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -796,8 +1455,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
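Review bot: This test is a duplicate of the "Does entity configuration contain the jwks parameter" test four hunks earlier: both decode `Entity Configuration response TA` and assert only `"check": "$.jwks"` / `"is present": "true"`, differing in name and description alone. If the intent here is really "the TA's public keys are present", the check should go beyond presence, e.g. a `json schema compliant` check that `jwks` is an object with a non-empty `keys` array, in the form the file already uses; otherwise one of the two tests should be dropped. The enclosing test object spans both hunks and continues past the second.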
@@ -809,15 +1468,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -826,8 +1485,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "check": "$.trust_mark_issuers",
+ "is present": "true"
 }
 ]
 }
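Review bot: The name and description say `trust_marks_issuers`, but the check reads `$.trust_mark_issuers`, which is also the spelling the previous version of this test used in its name and schema; the new wording has a stray `s`. Suggested lines: `"name": "Does TA's Entity configuration contain the trust_mark_issuers parameter"` and, in the description, `the presence of the trust_mark_issuers parameter is checked`. The enclosing test object spans both hunks and continues past the second.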
@@ -839,8 +1498,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -856,8 +1515,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
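Review bot: The description reads "the presence if the constraints parameter is checked" and "once obtained the decrypted Payload"; a signed Entity Statement is base64url-decoded, not decrypted, so `the presence of the constraints parameter is checked` and `the decoded Payload` are the intended words, and the same sentence is copied into every following hunk of this section (exp, iat, jwks, metadata_policy, iss, sub, trust_marks and the RP set). The name `Does Entity Statements issued by the TA contain the constraints parameter` is also reused verbatim by a later hunk whose message type is switched to `Entity Statement response TA RP`; this test's message-type line is outside the hunk, so if it still targets the OP statement the two tests are indistinguishable by name in a report, and naming the subordinate in each (`... for an OP ...`, `... for an RP ...`) would fix that. The enclosing test object spans both hunks and continues past the second.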
@@ -869,8 +1528,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -886,8 +1545,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -899,8 +1558,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -916,8 +1575,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -929,8 +1588,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -946,8 +1605,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -959,8 +1618,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -975,9 +1634,9 @@
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
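Review bot: The description ends with "It must be a JSON Object", but the only check is `"is present": "true"` on `$.metadata_policy`, so a string- or array-valued metadata_policy passes this test; the same mismatch is in the RP metadata_policy hunk later in this section. Either drop that sentence or add a second entry to the same `checks` array with `"check": "$.metadata_policy"` and `"json schema compliant": "{\"type\": \"object\"}"`, the form the file already uses for type checks. The enclosing test object spans both hunks and continues past the second.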
@@ -989,8 +1648,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1006,8 +1665,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -1019,8 +1678,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1036,8 +1695,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -1049,8 +1708,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1066,8 +1725,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -1079,8 +1738,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1096,8 +1755,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -1109,15 +1768,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1126,8 +1785,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -1139,32 +1798,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
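Review bot: The rebuilt decode operation names its regex `"decode param": "[^\\r\\n]*"` and places it before `"type": "jwt"`, while the nested Trust Mark tests at the top of this section use `"decode regex"` for the same value and place it after `type`; the same pairing is repeated in the next three hunks. If the engine treats the two keys as distinct this body is decoded under a different option than the nested tests, and if it treats them the same the file now carries two spellings for one setting, so it is worth confirming against the decoder which key applies at the top level and using it consistently. The enclosing test object continues past the hunk.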
@@ -1176,32 +1828,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -1213,32 +1858,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
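Review bot: The description now states that metadata_policy `must be a JSON Object`, but the check only asserts `"is present": "true"`, so a string- or array-valued metadata_policy passes. Other tests in this file express the type constraint with `json schema compliant`; the same shape fits here: `"check": "$"` together with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`. The enclosing test object continues outside the hunk.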
@@ -1250,32 +1888,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -1287,32 +1918,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -1324,32 +1948,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
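Review bot: The check path does not match what the test claims to verify: the name and description talk about the jwks parameter inside the openid_relying_party type of the metadata_policy, but `"check": "$.jwks"` looks at the top-level jwks of the Entity Statement itself, which is the TA's signing key set for that subject and is present in every statement. The path should be `"check": "$.metadata_policy.openid_relying_party.jwks"`, otherwise the test passes regardless of the policy content and duplicates the jwks-presence test two hunks above. The enclosing test object continues outside the hunk.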
@@ -1361,32 +1978,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -1398,34 +2008,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
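Review bot: `"is": "application/entity-statement+jwt"` is an exact comparison of the whole header value, so a server that emits the correct media type with a parameter appended (for instance a `charset` parameter) fails this test even though the media type is right; whether that is intended depends on how the tool's `is` compares header values, which I cannot see here. If the check language supports it, a regex on the header such as `"check regex": "^application/entity-statement\\+jwt(\\s*;.*)?$"` would accept parameters while still rejecting a different media type. Separately, `"url decode": false` is a JSON boolean while the neighbouring checks write `"is present": "true"` as a string; the tool's convention should be used consistently. The enclosing test object continues outside the hunk.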
@@ -1435,32 +2032,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does entity configuration TA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_TA"
 }
 ]
 }
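Review bot: The description says the sub value `must be equal to the one in the iss parameter`, but the check compares `$.sub` with the configured placeholder `X_url_TA` and never looks at iss; if the TA's iss differs from the configured value the test fails for the wrong reason, and if both sub and iss are wrong in the same way it passes. At minimum a companion check `{"in": "payload", "check": "$.iss", "is": "X_url_TA"}` in the same `checks` array would make the two claims agree with each other as the description requires; if the tool can compare two payload fields directly, that would be the more faithful check. The enclosing test object continues outside the hunk.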
@@ -1472,34 +2062,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
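Review bot: The `check regex` `HTTP/?\\d?\\.?\\d?\\s200` has no terminator after `200` and every part of the prefix is optional, so it is satisfied by `HTTP 200` appearing anywhere in the head (a header value, for example) and does not guarantee that the status line itself is 200. If `head` is matched from the start of the status line, `"check regex": "^HTTP/\\d(\\.\\d)?\\s200\\b"` pins it to the status; if the tool matches anywhere, at least add the trailing `\\b`. The following hunk ('Does the Entity expose the /.well-known/openid-federation endpoint') installs the identical check, so as written it is a duplicate of this test rather than a check that an Entity Configuration was actually returned. The enclosing test object continues outside the hunk.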
@@ -1509,34 +2085,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -1546,8 +2108,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
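Review bot: In the second hunk on this line the test is renamed to `Does the TA correctly sign the issued Trust Mark`, which is exactly the name the next hunk gives to the `Entity Statement response TA RP` variant, so the two results are indistinguishable in a report. Putting the message type into the name, e.g. `Does the TA correctly sign the Trust Mark in the OP Entity Statement` and `... in the RP Entity Statement`, or merging the two into one test with both message types, would resolve it; the message type of this one is outside the hunk, so I am inferring the OP variant from the ordering. The description also fixes the key as `n, e of jwks parameter`, which is RSA-specific; if the TA may publish EC keys, `the TA's public JWK` is the accurate wording. The enclosing test object continues past the hunk.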
@@ -1558,20 +2120,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -1583,32 +2139,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
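Review bot: `"jwt check sig": "X_key_TA"` verifies the Trust Mark at `$.trust_marks[0].trust_mark` against the TA key only, which is correct when the TA is the issuer but silently fails for a Trust Mark issued by a delegated trust mark issuer listed in the TA's trust_mark_issuers; if the tool can select the key by the Trust Mark's `iss`, that would be the more faithful check, otherwise the test name should say it covers TA-issued marks only. The check is also limited to index 0, so any further Trust Marks in the array are never verified; worth a comment in the description if that is deliberate. Both hunks on this line drop the former `sub` presence check without a replacement visible here; confirm it survives elsewhere in the suite. The enclosing test objects start and end outside these hunks.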
@@ -1620,32 +2170,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
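Review bot: The name promises a `correct exp parameter` but the schema only asserts that exp is a non-negative integer; an already-expired Entity Configuration, or one whose exp precedes its iat, passes, and the description only claims presence. Either align the name with what is checked (`Does entity configuration contain an integer exp parameter`) or, if the tool offers a time comparison check, add it so that exp is in the future and greater than iat. The same name/check gap applies to the iat test in the next hunk. The enclosing test object continues outside the hunk.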
@@ -1657,32 +2200,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1694,32 +2230,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1731,32 +2260,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
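Review bot: `"decode param": "[^\\n\\r]*"` here and in the next hunk is equivalent to the `"[^\\r\\n]*"` used by every other test in this file but spelled differently, which makes grepping and future bulk edits error-prone; use `"[^\\r\\n]*"` throughout. The schema `pattern` `^https://.*\\.svg$` rejects an otherwise valid logo URL that carries a query string or fragment (for example a cache-busting parameter), so if that strictness is intended the description should say the URL must end in `.svg`, and if it is not, `^https://[^?#]*\\.svg([?#].*)?$` keeps the file-type requirement while allowing them. Note also that `"format": "uri"` is only an annotation unless the tool's validator enables format assertion, so the pattern is doing all the work. The enclosing test object continues outside the hunk.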
@@ -1768,32 +2290,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
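Review bot: The schema's `required` array lists all six metadata types, so a Trust Anchor whose Entity Configuration carries only `federation_entity` (the normal case for a TA) fails this test, although the description only asks that each key be one of the allowed types. Dropping the `required` member and keeping `"additionalProperties": false` expresses exactly "only allowed types": `"json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"additionalProperties\": false}"`. The "only once for each" part of the name cannot be enforced by JSON Schema, since duplicate keys are collapsed by the parser before validation; the description should say so or the wording should be dropped. The enclosing test object continues outside the hunk.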
@@ -1805,32 +2320,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
 }
 ]
 }
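Review bot: The embedded schema has a misplaced brace: `"required": ["constraints"]` sits inside `properties` instead of at the top level, so it is read as a property named `required` with the non-schema value `["constraints"]`, and the top level has no `required` at all; an Entity Configuration without `constraints` therefore passes, which defeats the test. The corrected string is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"max_path_length\"]}}, \"required\": [\"constraints\"]}"`, where I have also typed max_path_length as a non-negative integer instead of the empty `{}` so that a string value is rejected. The enclosing test object continues outside the hunk.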
@@ -1842,32 +2350,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
 }
 ]
 }
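Review bot: The name and description say trust_mark_issuers `must be a JSON Array`, but the schema requires `"type": "object"` whose values are arrays, i.e. a map from Trust Mark identifier to a list of issuer entity identifiers, which is the shape OpenID Federation defines; the schema is right and the text is wrong. Rename to `Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Object of Arrays` and adjust the description accordingly, otherwise a reader fixing a failing TA is sent in the wrong direction. Since the arrays hold entity identifiers, `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` would tighten the value schema at no cost. The enclosing test object continues outside the hunk.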
@@ -1879,32 +2380,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.acr_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
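Review bot: The check path `$.metadata_policy.intermediary.acr_values_supported` does not match the description, which says the parameter is checked `inside the openid_provider type`; `intermediary` is not one of the metadata types this same file enumerates, so the path will resolve to nothing and the test reports a missing policy rather than evaluating the TA's actual openid_provider policy. The path should be `"check": "$.metadata_policy.openid_provider.acr_values_supported"`; the same `intermediary` path appears in the grant_types_supported, id_token_encryption_alg_values_supported, id_token_encryption_enc_values_supported and id_token_signing_alg_values_supported hunks below. In addition, the description says the object must contain `subset_of`, while the schema's `required` also demands `superset_of`; one of the two should be changed so the text and the check agree. The enclosing test object continues outside the hunk.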
@@ -1916,32 +2410,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
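Review bot: The description says the policy entry `must contain the key 'one_of' and it must be valued as ['true']`, but the schema requires the operator `value` with `const true`; a TA that publishes the `one_of` form the description asks for would fail, and one that publishes `value` passes although the text says otherwise. Decide which operator the test is meant to accept and make the description match, or accept both with an `anyOf` over the two operator shapes. The same text/schema disagreement is in the next hunk, where the description asks for `one_of` `['automatic']` but the schema checks `subset_of` with `const "automatic"` (a `subset_of` operand is a list, so a string constant can never match), and in the request_authentication_methods_supported hunk at the end of this chunk, where the description asks for `one_of` `['request_object']` and the schema checks `value` with `const "request_object"`. The enclosing test object continues outside the hunk.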
@@ -1953,32 +2440,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
 }
 ]
 }
@@ -1990,32 +2470,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2027,32 +2500,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2064,32 +2530,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2101,32 +2560,25 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2138,32 +2590,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
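Review bot: The description says `request_authentication_methods_supported` must carry a `one_of` key valued `['request_object']`, but the schema on the `json schema compliant` line requires a `value` key equal to `request_object`; one of the two is wrong, and the check is what actually runs. If `value` is the operator intended, the description should say so; if `one_of` is, the schema needs `\"one_of\": {\"const\": [\"request_object\"]}` under `properties` and in `required`. The same description/schema disagreement (`one_of` in the text, `value` in the schema) appears in the `request_parameter_supported` and `authorization_response_iss_parameter_supported` tests further down.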
@@ -2175,32 +2620,25 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2212,32 +2650,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
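Review bot: The `check` line points at `$.metadata_policy.openid_provider.request_parameter_supported`, but the test name and description are about `request_object_signing_alg_values_supported`, so this test verifies the wrong policy entry; it should read `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported",`. The next hunk carries the identical name and the same `request_parameter_supported` path, so two tests with the same title now check a key unrelated to their title, and the real `request_parameter_supported` test further down duplicates them in turn. Giving the two hunks distinct names (`... parameter key` here, `... parameter value` below) would make report output unambiguous.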
@@ -2249,32 +2680,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
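Review bot: The `json schema compliant` string is not valid JSON: ` [\"RS256\", \"RS512\"]` is appended after the closing brace of the schema object, so the schema parser will reject it and, depending on how the harness treats a parse error, the check may never be evaluated. If the intent from the description is that `subset_of` be valued as `['RS256', 'RS512']`, express it inside the schema, e.g. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}}, \"required\": [\"subset_of\"]}"`. The `check` path here also targets `request_parameter_supported` rather than `request_object_signing_alg_values_supported`, as in the previous hunk.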
@@ -2286,15 +2710,15 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2303,8 +2727,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -2316,15 +2740,15 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2333,8 +2757,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2346,15 +2770,15 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2363,8 +2787,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2376,15 +2800,15 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2393,8 +2817,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2406,15 +2830,15 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2423,8 +2847,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2436,15 +2860,15 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2453,8 +2877,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2466,15 +2890,15 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2483,8 +2907,8 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2496,15 +2920,15 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2513,8 +2937,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -2526,15 +2950,15 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -2543,8 +2967,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2556,15 +2980,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2573,8 +2997,8 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" } ] } 
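Review bot: The `required` keyword in the new schema string is malformed: `\"required\": [\"subset_of\"], [\"superset_of\"]}` places a second array where an object member is expected, which is not valid JSON, so the check fails at parse time regardless of what the entity statement contains. It should be `\"required\": [\"subset_of\", \"superset_of\"]}` as in the other policy tests. The test object's closing braces are outside the hunk.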
@@ -2586,27 +3010,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
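Review bot: The new `check regex` does not match every well-formed JWT: the header and payload classes `[\\w=]+` lack `-`, which belongs to the base64url alphabet, so a statement whose header or payload contains a `-` fails the test, while the `=` padding it allows is not used in compact serialization. The pattern is also unanchored, so any body containing three dot-separated tokens (an HTML error page with text like `a.b.c` included) passes, and the Content-Type named in the description is not checked at all — only the body is. Something like `"check regex": "^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]*$"` keeps the false positives down; the same regex is reused in the two "release the Entity statements" tests and the two fetch endpoint tests below.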
@@ -2616,27 +3033,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
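Review bot: The description refers to the "resolve entity statement endpoint", but the name and the `message type` (`Entity Listing response`) say this test exercises the entity listing endpoint; the sentence should read `In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request to the entity's endpoint is done.` Also note that the regex `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` requires at least one element, so a valid empty listing `[]` fails the test — fine if intended, but worth a word in the description otherwise.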
@@ -2646,8 +3056,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" @@ -2655,18 +3065,11 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
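Review bot: This hunk and the next one share the test name "Does the TA correctly release the Entity statements" while checking different message types (`Entity Statement response TA OP` here, `TA RP` below), and the same happens for the two "Does the Entity expose the fetch entity statement endpoint" tests that follow; if names are used to identify results, each pair is indistinguishable. Suffixing the subordinate, e.g. `"name": "Does the TA correctly release the Entity statements (OP)",`, would keep them apart. The regex on the new `check regex` line has the base64url and anchoring issues noted on the entity configuration test above.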
@@ -2676,27 +3079,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -2706,27 +3102,20 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -2736,27 +3125,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -2766,27 +3148,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Public Keys History response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
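Review bot: The regex expects the body to be a JSON array of quoted strings, but the description says the request goes to the TA's `/.well-known/openid-federation-jwks` endpoint, which presumably returns a key set — a JSON object with a `keys` array, or a signed JWT carrying one — rather than a bare list of strings; if so, this check can never pass and should be confirmed against a real response. If a JWK Set document is expected, a pattern such as `"check regex": "\"keys\"\\s*:\\s*\\["` would fit better, and if it is a signed JWT the three-segment pattern used above applies. The description could also name the expected response format so the check can be read against it.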
@@ -2796,27 +3171,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
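Review bot: The `check regex` lost the backslash before its opening bracket: `[\\s*\"[^\"]*\"(?:...` now opens a character class instead of matching a literal `[`, so the pattern no longer matches a JSON list the way the entity listing and key history tests' `\\[\\s*...` does; it should be `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",`. Separately, the description promises an HTTP 200 OK and "resolved metadata", but only a body regex for a list of strings is checked; if the resolve endpoint returns a signed statement rather than a list, the expected pattern should be the JWT one used above, and the status code is not verified here at all.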
@@ -2826,15 +3194,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2843,8 +3211,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
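Review bot: The new check path reads `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of`, but this test runs against `Entity Statement response TA OP` and its description says the parameter is looked up under `openid_provider` with the `subset_of` operator, so the assertion inspects a policy branch an OP statement is unlikely to carry. For the array-valued `*_values_supported` parameters `subset_of` is the policy operator (the request_authentication_signing_alg_values_supported hunk already uses it), `one_of` applying to single-valued metadata; `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of",` matches the description. The same `intermediary` path appears in the OP tests for id_token_signing_alg_values_supported, request_authentication_signing_alg_values_supported, userinfo_encryption_alg_values_supported, userinfo_signing_alg_values_supported and token_endpoint_auth_signing_alg_values_supported, and all but the request_authentication one also use `one_of`. If the tool's `not contains` is satisfied when the path is absent, pairing each of these with `"is present": "true"` on the same path would stop a policy that omits the operator from looking like a passing one.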
@@ -2856,15 +3226,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2873,8 +3243,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2886,15 +3261,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2903,8 +3278,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2916,15 +3296,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2933,8 +3313,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -2946,15 +3328,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2963,8 +3345,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2976,15 +3363,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2993,8 +3380,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3006,8 +3398,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3023,8 +3415,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
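Review bot: The description says the key 'subset_of' must not contain RSA_1_5, while the check reads `$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of`; for a single-valued RP parameter `one_of` is the policy operator, so here it is the description that is off and should read `The key 'one_of' must not contain the value ['RSA_1_5']`. The same wording mismatch is in the RP tests for id_token_signed_response_alg, userinfo_encrypted_response_alg and userinfo_signed_response_alg, and in the four SA tests that follow them, all of which check `one_of` while describing `subset_of`. The enclosing test object continues between the two hunks shown for this line.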
@@ -3036,8 +3430,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3053,8 +3447,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3066,31 +3465,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -3103,31 +3497,29 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3140,31 +3532,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -3177,31 +3564,29 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3214,31 +3599,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -3251,31 +3631,29 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -3288,32 +3666,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
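Review bot: This `Entity Configuration response TA` test keeps `"decode regex": "[^\\r\\n]*"` as the body-to-JWT extraction key, while the RP and SA policy tests earlier in this same change replace that key with `"decode param"` for the identical step, and the removed key-history lines show `decode param` was the older spelling too. If the tool honours only one of the two spellings, the set written with the other decodes nothing and its payload checks never run. Confirm which key mig-t reads and use it uniformly; the federation_fetch_endpoint, federation_list_endpoint, federation_resolve_endpoint, federation_trust_mark_status_endpoint, homepage_uri, logo_uri, organization_name, policy_uri and max_path_length tests that follow all use `decode regex` in the same position.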
@@ -3325,32 +3696,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -3362,32 +3726,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -3399,32 +3756,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -3436,32 +3786,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -3473,32 +3816,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -3510,32 +3846,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -3547,32 +3876,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -3584,32 +3906,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does the Entity's metadata contain the policy_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } 
@@ -3621,32 +3936,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "in": "payload", + "check": "$.constraints.max_path_length", + "is present": "true" } ] } 
@@ -3658,32 +3966,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "is present": "true" } ] } 
@@ -3695,32 +3996,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "is present": "true" } ] } 
@@ -3732,32 +4026,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", + "is present": "true" } ] } 
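Review bot: The description and the check in the claims_parameter_supported "key" test disagree: the description says "It must contain the key 'one_of'", while the path asserted is `$.metadata_policy.openid_provider.claims_parameter_supported.value`. Whoever reads a failure cannot tell which policy operator the TA is actually expected to use. Either change the path to `...claims_parameter_supported.one_of` or reword the description to "It must contain the key 'value'"; since this is a boolean capability flag, `value` is presumably the intended operator, but that should be confirmed against the federation profile the suite targets.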
@@ -3769,32 +4056,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" } ] } 
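Review bot: The test named "contain the client_registration_types_supported parameter" does not test the parameter's presence; its path is `$.metadata_policy.openid_provider.client_registration_types_supported.subset_of`, which is the same assertion the following "correct ... parameter key" test makes, so the two are duplicates. A policy that expresses this parameter with `value` or `one_of` rather than `subset_of` then fails both tests with no signal that the parameter itself was present. For the presence test stop the path at the parameter: `"check": "$.metadata_policy.openid_provider.client_registration_types_supported"`.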
@@ -3806,8 +4086,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" 
@@ -3818,80 +4098,56 @@ "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is present": "true" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" 
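Review bot: The code_challenge_methods_supported check targets the wrong metadata type: the message is `Entity Statement response TA OP` and the description names the openid_provider type, but the path is `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`. Against an OP entity statement that carries only an `openid_provider` policy this presence check cannot succeed on its merits, so the test fails (or is vacuous, depending on how the harness treats a missing node) regardless of what the TA's PKCE policy says. Change it to `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of"`. The preceding test in this hunk is a byte-for-byte duplicate of the client_registration_types_supported key check that precedes it; one of them can go.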
@@ -3902,15 +4158,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "is present": "true" } ] } @@ -3922,8 +4176,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" 
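Review bot: The assertion that the OP policy's id_token_encryption_alg_values_supported does not offer `RSA_1_5` is dropped here and replaced by a presence check on an unrelated parameter, and the hunks that follow do the same for the `none`/HS256/HS384/HS512 exclusions on the signing-alg parameters. Unless those negative checks were moved to separate test files, the suite no longer fails when a TA policy permits RSA PKCS#1 v1.5 key transport (padding-oracle prone) or unsigned/HMAC-signed ID tokens, which is precisely the class of misconfiguration a passive federation suite should catch. Note that the removed checks were aimed at `$.metadata_policy.intermediary.*` on an OP statement, so they were likely never effective; when reinstated they should read `"check": "$.metadata_policy.openid_provider.<param>.subset_of"` (or whichever operator the policy uses) with the same `"not contains"` lists.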
@@ -3934,18 +4188,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "is present": "true" } ] } @@ -3957,8 +4206,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" 
@@ -3969,18 +4218,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "is present": "true" } ] } @@ -3992,8 +4236,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -4004,15 +4248,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "is present": "true" } ] } 
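Review bot: In the request_parameter_supported "key" test the description says "It must contain the key 'one_of'" but the check path is `$.metadata_policy.openid_provider.request_parameter_supported.value`, so the two contradict each other and a failure report will mislead. Align them: either `"check": "$.metadata_policy.openid_provider.request_parameter_supported.one_of"` or a description reading "It must contain the key 'value'". As this is a boolean capability flag, `value` is presumably the intended policy operator, but confirm against the profile the suite implements.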
@@ -4024,8 +4266,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -4036,18 +4278,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is present": "true" } ] } 
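Review bot: The response_types_supported test runs on an `Entity Statement response TA OP` and its description names the openid_provider type with key 'one_of', yet the path is `$.metadata_policy.intermediary.response_types_supported.subset_of` — a different metadata type and a different operator than the description states. Against an OP statement carrying only an `openid_provider` policy the check cannot pass on its merits. Use `"check": "$.metadata_policy.openid_provider.response_types_supported.<operator>"` and make the description name that same operator.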
@@ -4059,8 +4296,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -4071,18 +4308,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is present": "true" } ] } 
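Review bot: The revocation_endpoint_auth_methods_supported check looks in the wrong metadata type: message type and description are about the OP's openid_provider policy, but the path is `$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of`, and the description additionally promises key 'one_of' while the path asserts `subset_of`. A TA that restricts revocation-endpoint client authentication correctly for OPs would still fail this test. Point it at `"check": "$.metadata_policy.openid_provider.revocation_endpoint_auth_methods_supported.subset_of"` and state `subset_of` in the description, or whichever operator the profile prescribes.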
@@ -4094,27 +4326,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is present": "true" } ] } 
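Review bot: The subject_types_supported check is pointed at `$.metadata_policy.intermediary.subject_types_supported.subset_of` although the message is `Entity Statement response TA OP` and the description names the openid_provider type with key 'one_of'. Both the metadata type and the operator disagree with the stated intent, so the test cannot validate the OP policy it is named after. Change it to `"check": "$.metadata_policy.openid_provider.subject_types_supported.subset_of"` (or `.one_of`, matching the description) and keep the description in step.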
@@ -4126,30 +4356,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is present": "true" } ] } 
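Review bot: The check path uses recursive descent, `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`, unlike every other test here, which anchors at `$.metadata_policy`. Recursive descent matches the node at any depth, so a `metadata_policy` object nested anywhere in the payload would satisfy this presence check even when the top-level policy lacks the parameter. The doubled dot is presumably a typo; use `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of"`. The name says "parameter key" but the description does not say which key is expected; add "It must contain the key 'subset_of'" to match the sibling tests.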
@@ -4161,27 +4386,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "is present": "true" } ] } 
@@ -4193,30 +4416,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.jwks", + "is present": "true" } ] } 
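Review bot: Name, description and check describe three different things: the name says the OP's metadata policy must contain a jwks parameter, the description says it "must contain the RP JWKS related to the OIDC Core operations" (RP, in an OP test), and the path is `$.jwks` at the root of the entity statement payload, outside `metadata_policy` altogether. Per OpenID Federation the root-level `jwks` of an entity statement is the subject's federation signing keys, not an OIDC Core key set, so a reader of a failure cannot tell what was actually being verified. Decide what is asserted: if it is the subject's federation keys, rename the test accordingly and drop the metadata-policy/RP wording; if it is an OIDC Core JWKS published through metadata, point the path at that location instead of `$.jwks`.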
@@ -4228,27 +4446,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is present": "true" } ] } 
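Review bot: The client_registration_types test's description says "It must contain the key 'one_of'" while the check asserts `$.metadata_policy.openid_relying_party.client_registration_types.subset_of`, so description and assertion disagree. Align one with the other — `"check": "$.metadata_policy.openid_relying_party.client_registration_types.one_of"` or a description naming `subset_of`; the right operator depends on the federation profile and is not visible here.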
@@ -4260,30 +4476,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is present": "true" } ] } 
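Review bot: The id_token_encrypted_response_alg test's description says "It must contain the key 'subset_of'" but the check path is `$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of`. Beyond the inconsistency, this replaces the removed assertion that `RSA_1_5` is not an allowed value with a bare presence check; unless that exclusion now lives in a separate file, a TA policy permitting RSA PKCS#1 v1.5 key transport for RP ID-token encryption no longer fails the suite. Fix the path or description so they agree, and consider keeping a `"not contains": ["RSA_1_5"]` check on the same node.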
@@ -4295,27 +4506,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is present": "true" } ] } 
@@ -4327,30 +4536,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4362,29 +4566,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of",
- "is subset of": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
- ]
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4396,27 +4596,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is subset of": [
- "S256"
- ]
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4428,28 +4626,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of",
- "is subset of": [
- "refresh_token",
- "authorization_code"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4461,28 +4656,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4494,28 +4686,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4527,28 +4716,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "is present": "true"
  }
  ]
  }
@@ -4560,28 +4746,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
- "is subset of": [
- "form_post",
- "query"
- ]
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
  }
  ]
  }
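Review bot: The new `check` line reads `$.metadata_policy.openid_relying_party.response_types.value`, but this test consumes the `Entity Statement response TA SA` message and its description says the parameter is checked inside the intermediary type; every other SA test in these hunks addresses `$.metadata_policy.intermediary.…`. As written the assertion is evaluated against the RP policy section of the SA statement, so it does not verify what its name claims. Suggested: `"check": "$.metadata_policy.intermediary.response_types.value",`.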
@@ -4593,27 +4776,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is subset of": [
- "code"
- ]
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4625,27 +4806,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
- ]
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4657,30 +4836,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
- "is subset of": [
- "openid",
- "offline_access",
- "profile",
- "email"
- ]
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4692,27 +4866,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is subset of": [
- "pairwise"
- ]
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4724,27 +4896,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
- ]
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4756,28 +4926,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4789,28 +4956,25 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
  "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is present": "true"
  }
  ]
  }
@@ -4822,8 +4986,8 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
  "type": "passive",
  "sessions": [
  "s1"
@@ -4834,15 +4998,19 @@
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
  ]
  }
  ]
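Review bot: The inner decode operation hard-codes `"decode param": "$.trust_marks[0].trust_mark"`, so only the first trust mark in the entity statement is validated and the test checks whichever mark happens to be listed first rather than the one issued for a private organization that the description refers to. If the runner's JSONPath supports filters, selecting the mark by its `id` claim (or iterating `$.trust_marks[*].trust_mark`) would make the assertion deterministic; the same fixed index is used in the hunks at @@ -4867, @@ -4888, @@ -4920, @@ -4953, @@ -4985 and @@ -5018. The description's "decrypted" is also inaccurate for a signed JWT that is only decoded and parsed here; "decoded" would match what the operation does. The enclosing test object continues outside the hunk.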
@@ -4855,8 +5023,8 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
  "type": "passive",
  "sessions": [
  "s1"
@@ -4867,15 +5035,19 @@
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
  ]
  }
  ]
@@ -4888,26 +5060,31 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
  ]
  }
  ]
@@ -4920,27 +5097,31 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_token"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
  ]
  }
  ]
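Review bot: The description says the Trust Mark under test is the one issued for an AA (oauth_resource profile), but the new `message type` line is `Entity Statement response TA OP`, so the schema is applied to the OP's first trust mark, where a `claims` object is not what the test is looking for. If this suite has an AA entity-statement message type (the patch header lists AA-specific test files), it belongs here; otherwise the description should state which entity's trust mark is actually checked. The description also says the value must be a list of JSON objects while the schema requires an object whose values are objects; one of the two should be corrected so the test documents what it enforces.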
@@ -4953,26 +5134,31 @@
  },
  {
  "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ }
  ]
  }
  ]
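Review bot: The embedded JSON Schema on the new `json schema compliant` line spells the keyword as `\"required \"` with a trailing space; a validator treats that as an unknown keyword and ignores it, so a trust mark with no `email` claim at all passes this test. It should read `\"required\":[\"email\"]`. Note also that `\"format\":\"email\"` is an annotation by default in JSON Schema and is only enforced when the validator is configured to assert formats, so the "correct type" this test guarantees may be just "string".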
@@ -4985,27 +5171,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
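Review bot: `exp` is only checked to be a non-negative integer, so an already-expired trust mark, or one whose `exp` precedes `iat`, passes this test; if the tool can compare two claims of the same payload, add a check that `exp` is greater than `iat`, and an expiry-against-current-time check if one is available, otherwise state in the description that only the type is verified. The name `Does the Trust Mark contain the exp type` reads oddly; `Does the Trust Mark contain a correctly typed exp claim` says what is checked.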
@@ -5018,26 +5208,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
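Review bot: `\"minimum\": 0` accepts an `iat` of 0 and says nothing about `iat` being at or before `exp` or not in the future, so a trust mark with a nonsensical issuance time still passes. If the tool supports comparing two claims, a second check on this payload pinning `iat <= exp` would make the pair of time tests meaningful; otherwise the description should say that only the JSON type is validated. The description's "decrypted" should be `decoded`: the trust mark is a JWS, and the visible `jwt` decode operation does not appear to verify its signature.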
@@ -5050,26 +5245,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256\" , \"RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
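Review bot: `\"format\": \"uri-reference\"` accepts relative references such as `logo.png`, or indeed most strings without spaces, so this check does not establish that `logo_uri` is a URL as the description claims; use `\"format\": \"uri\"` and, since federation resources are expected over TLS, `\"pattern\": \"^https://\"`. `format` is an annotation unless the validator opts into assertion, so confirm that the `json schema compliant` implementation enforces it at all.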
@@ -5082,26 +5282,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
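Review bot: Every keyword and value in this schema string carries a trailing space or a U+00A0 (`\"type \"`, `\"properties \"`, `\"enum \"`, `\"required \"`, `\u00a0\"object \"`), so none of them is recognised as a JSON Schema keyword and, depending on the validator, the check either accepts any payload or fails on the schema itself rather than on the trust mark; this test cannot produce a meaningful result. A clean version is `{\"type\":\"object\",\"properties\":{\"organization_name\":{\"type\":\"string\"}},\"required\":[\"organization_name\"]}`. The `enum` of `private`/`public` does not fit `organization_name`, which is a free-form name, and reads like the `organization_type` check; if that is the intent, the property, the test name and the description should all say `organization_type`.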
@@ -5114,27 +5319,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
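Review bot: `uri-reference` does not reject a relative string such as `policy`, so the description's requirement that `policy_uri` "has to be an URL" is not what the schema enforces; `\"format\": \"uri\"` with `\"pattern\": \"^https://\"` does. The description says the mark is the oauth_resource one issued for an AA, but the message type is `Entity Statement response TA OP`; confirm the target entity, since an OP trust mark is unlikely to carry `policy_uri` under that profile.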
@@ -5147,26 +5356,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
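Review bot: `ref` is the only URL claim in these hunks checked with `\"format\": \"uri\"` while the sibling checks use `uri-reference`; `uri` is the one that actually rejects relative strings, so the siblings should be aligned to it rather than the other way round. If the trust-mark reference must be fetchable over TLS, add `\"pattern\": \"^https://\"`, and confirm that the validator asserts `format` rather than treating it as an annotation.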
@@ -5179,27 +5393,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
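Review bot: `\"format\": \"uri-reference\"` lets `service_documentation` be a bare relative string, which is not the "URL" the description promises; use `\"format\": \"uri\"` plus `\"pattern\": \"^https://\"`. The description targets an AA (oauth_resource) mark while the message type is `Entity Statement response TA OP`; if this test is meant for the AA entity statement the message type should say so, otherwise the description is misleading.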
@@ -5212,26 +5430,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } ] } ] 
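Review bot: `sub` of a trust mark is the entity identifier of the entity it was issued to, which in OpenID Federation is an absolute URL, so `uri-reference` (which accepts `foo`) is too weak; use `\"format\": \"uri\"` with `\"pattern\": \"^https://\"`. More valuable than the format alone is a check that the trust mark's `sub` equals the `sub` of the enclosing entity statement, which would catch a trust mark lifted from another entity; the outer `jwt payload` decode already has that value if the tool can compare the two. The mark is always taken from `$.trust_marks[0]` without checking its `iss`, so with several trust marks the one tested may not be the TA-issued one.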
@@ -5244,26 +5467,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
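Review bot: `uri-reference` accepts relative strings, so this does not verify that `tos_uri` is a URL as the description states; `\"format\": \"uri\"` with `\"pattern\": \"^https://\"` does, provided the validator is configured to assert `format`. As with the other oauth_resource checks, the description speaks of an AA while the message type is `Entity Statement response TA OP`; confirm which entity statement is intended.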
@@ -5276,27 +5504,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
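Review bot: The `id_code` schema requires every member of `id_code` to itself be an object (`\"additionalProperties\": {\"type\": \"object\"}`), but the following tests expect `id_code` to hold string members such as `ipa_code`, `fiscal_number` and `vat_number`, so a conforming `{\"ipa_code\": \"...\"}` fails this test. The description only asks that `id_code` be a JSON object; `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}` matches it and agrees with the member checks.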
@@ -5309,27 +5541,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
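Review bot: This test requires `id_code.ipa_code` on every RP trust mark, but an RP is either public or private and the companion test on the same message requires `fiscal_number`/`vat_number`, so one of the two necessarily fails for every RP. Gate the requirement on `organization_type` with a conditional schema, if the validator supports draft-07 `if`/`then`: `{\"type\":\"object\",\"if\":{\"properties\":{\"organization_type\":{\"const\":\"public\"}},\"required\":[\"organization_type\"]},\"then\":{\"properties\":{\"id_code\":{\"type\":\"object\",\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}}`. The mark is taken from `$.trust_marks[0]` without checking its `iss`, so if the RP carries another issuer's mark first it will be judged against these rules.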
@@ -5342,27 +5578,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
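Review bot: This check is applied unconditionally to every RP trust mark, so public RPs (which carry `ipa_code` rather than `fiscal_number`/`vat_number`) will always fail it; the `anyOf` should sit under an `if`/`then` keyed on `organization_type` being `private`. The `{}` subschemas for `fiscal_number` and `vat_number` constrain nothing, so a numeric or object value passes; `{\"type\":\"string\"}` for each is what the description implies. Whether `if`/`then` is honoured depends on the draft the validator implements; confirm before relying on it.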
@@ -5375,27 +5615,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
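Review bot: This check (ipa_code present and a string) subsumes the presence-only `ipa_code` test two hunks earlier, so one missing claim is reported twice; keeping only this one is enough. It has the same problem as that test: it runs on every RP trust mark, so private RPs fail it, and the requirement should be wrapped in an `\"if\": {\"properties\": {\"organization_type\": {\"const\": \"public\"}}}` / `\"then\"` pair, assuming the validator supports draft-07 conditionals.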
@@ -5408,26 +5652,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
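Review bot: The schema requires `claims` to be an object with object-valued members, while the description says it "has to be a list of JSON Objects"; an array fails `"type": "object"`, so the two disagree. If a list is meant, use `{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"claims\"]}`; otherwise fix the description. The test is described as covering an AA's oauth_resource mark but fires on `Entity Statement response TA RP`, and it inspects `$.trust_marks[0]` without checking `iss` or `id`, so it is unclear which trust mark is actually being validated.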
@@ -5440,27 +5689,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } ] } ] 
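Review bot: Every keyword and value in this schema string has a trailing space (`\"type \"`, `\"object \"`, `\"string \"`, `\"format \": \"email \"`, `\"required \"`), so nothing in it is a recognised JSON Schema keyword or type: depending on the validator the check either accepts any payload or rejects the schema itself, and in neither case does it say anything about the trust mark's `email` claim. Replace the string with `{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required\":[\"email\"]}` and confirm the validator asserts `format`.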
@@ -5473,27 +5726,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
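Review bot: `\"type\": \"integer\"` would reject an `exp` such as `1712000000.5`, which RFC 7519 allows for NumericDate; if the federation profile this suite follows mandates integer seconds that is intended and worth saying in the description, otherwise `\"type\": \"number\"` is the faithful check. Independently of the type, nothing here rejects an expired trust mark; a comparison against the current time, or at least against `iat`, is the check a passive test on `exp` is usually expected to make. The name `Does the Trust Mark contain the exp type` should read `Does the Trust Mark contain a correctly typed exp claim`.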
@@ -5506,27 +5763,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
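Review bot: Only the JSON type of `iat` is verified, so an issuance time in the future or after `exp` passes; if the tool can relate two claims of one payload, add `iat <= exp` as a second check here, otherwise the description should state that the value is not validated. "decrypted" in the description should be `decoded`: the mark is a signed JWT, and the visible `jwt` decode operation gives no sign of verifying the signature.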
@@ -5539,27 +5800,31 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.trust_marks[0].trust_mark.organization_type", - "is in": [ - "public", - "private" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] @@ -5572,8 +5837,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" 
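Review bot: `\"format\": \"uri-reference\"` accepts a relative reference such as `logo.png`, so this does not prove `logo_uri` is a URL; `\"format\": \"uri\"` plus `\"pattern\": \"^https://\"` does, provided the validator is set to assert `format` rather than treat it as an annotation. The mark is read from `$.trust_marks[0]` without checking its `iss`, so an RP that lists another issuer's mark first is validated against the wrong expectations.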
@@ -5584,15 +5849,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.organization_type", - "is in": [ - "public", - "private" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
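Review bot: The schema string here has trailing spaces and U+00A0 characters in every keyword and value (`\"type \"`, `\u00a0\"object \"`, `\"enum \"`, `\"required \"`), so no keyword is recognised and the test either passes anything or errors on the schema instead of the trust mark. A clean check is `{\"type\":\"object\",\"properties\":{\"organization_name\":{\"type\":\"string\"}},\"required\":[\"organization_name\"]}`. The `private`/`public` enum does not belong on `organization_name`, which is a free-form name; it reads like the `organization_type` check, and if that is what is meant the property and the test name should both say `organization_type`. The enclosing test object starts in the previous hunk.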
@@ -5605,25 +5874,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.constraints.max_path_length", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
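Review bot: `uri-reference` does not reject a bare relative string, so `policy_uri` is not verified to be a URL as the description claims; use `\"format\": \"uri\"` with `\"pattern\": \"^https://\"`, and confirm the validator asserts `format`. The description says this is the oauth_resource mark of an AA, but the test fires on `Entity Statement response TA RP`; either the message type or the description is wrong.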
@@ -5635,25 +5911,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the contacts parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
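Review bot: `ref` is checked with `\"format\": \"uri\"`, which is stricter than the `uri-reference` used for the other URL claims in this file and the right choice; the others should be aligned to it. Add `\"pattern\": \"^https://\"` if the reference must be fetchable over TLS, and note that `format` is only enforced when the validator is configured to assert it.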
@@ -5665,25 +5948,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
@@ -5695,25 +5985,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
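Review bot: `sub` in a Trust Mark is the subject's Entity Identifier and the description demands an URL, yet the schema uses `"format": "uri-reference"`, which also accepts relative references and bare fragments. `"format": "uri"` (already used for `ref` two hunks above) is the closer match; if the federation profile requires https identifiers, adding `"pattern": "^https://"` would pin that too. As with the other schema-based checks here, this relies on the validator enforcing `format`, which JSON Schema does not do by default.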
@@ -5725,25 +6022,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -5755,25 +6059,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] } ] } 
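Review bot: The description says the id_code claim must be a JSON object, but the schema goes further with `"additionalProperties": {"type": "object"}`, which rejects any member whose value is not itself an object. If id_code's members are code strings (an IPA or VAT code, as such identifiers usually are), every valid mark fails this test — verify against the profile. `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}` matches the stated intent; listing the expected members under `properties` with `"type": "string"` would be stricter without the mismatch.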
@@ -5785,85 +6096,113 @@ }, { "test": { - "name": "Does the Entity's metadata contain the homepage_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Entity's metadata contain the logo_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - 
"in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Entity's metadata contain the organization_name parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
@@ -5875,25 +6214,27 @@ }, { "test": { - "name": "Does the Entity's metadata contain the policy_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" + ] } ] } 
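Review bot: The body decode here switches the key from `"decode regex"` to `"decode param"`, as do all the following policy hunks, while the Trust Mark hunks earlier in this range keep `"decode regex"` for the same body decode and use `"decode param"` only for the nested JSONPath extraction. If mig-t treats the two keys as distinct selectors (regex vs. parameter/JSONPath), one of the two groups will not decode the body and its checks will silently not run; if they are aliases, the file should still settle on one spelling. Worth confirming against the mig-t operation schema before these tests are relied on.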
@@ -5905,8 +6246,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" @@ -5917,13 +6258,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" + ] } ] } 
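Review bot: The description states grant_types_supported must be valued as `['refresh_token', 'authorization_code']`, but `"is subset of"` only requires the observed list to be contained in that set, so a policy publishing just `["authorization_code"]`, or an empty list, passes. The same equality-versus-subset gap applies to every `"is subset of"` check in the following policy hunks. If mig-t offers an equality check (or a length check to pair with `"is subset of"`), that would match the described contract; otherwise the descriptions should say "must be a subset of".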
@@ -5935,8 +6279,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -5947,13 +6291,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
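Review bot: The description says id_token_encryption_enc_values_supported must contain the key 'subset_of', but the check reads `$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of`; the same description/path mismatch appears in the id_token_signing_alg, token_endpoint_auth_signing_alg, userinfo_encryption_alg, userinfo_encryption_enc and userinfo_signing_alg hunks below. `subset_of` and `one_of` are different policy operators, so a TA publishing the operator the description asks for fails the test — align the path or the description once the expected operator is confirmed.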
@@ -5965,8 +6312,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -5977,13 +6324,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", - "is present": "true" + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
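Review bot: The check path starts with `$..metadata_policy`, i.e. recursive descent, while every sibling test uses `$.metadata_policy`; `..` also matches a `metadata_policy` object nested anywhere else in the payload, which can let the test pass against the wrong object. `$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` is the consistent form, and the subset_of/one_of question raised on the previous hunk applies here as well.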
@@ -5995,8 +6345,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6007,13 +6357,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6025,8 +6378,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" @@ -6037,13 +6390,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } 
@@ -6055,8 +6411,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" @@ -6067,13 +6423,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } 
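Review bot: The description says response_types_supported must contain the key 'one_of' valued with ['code'], but the check reads `...response_types_supported.subset_of`; the revocation_endpoint_auth_methods_supported, subject_types_supported, token_endpoint_auth_methods_supported and RP client_registration_types hunks below have the same one_of/subset_of mismatch in this direction. Since these are distinct operators, a TA that publishes the operator the description asks for will fail the test.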
@@ -6085,8 +6443,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -6097,13 +6455,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "is present": "true" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -6115,8 +6475,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" @@ -6127,13 +6487,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", - "is present": "true" + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -6145,8 +6510,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" @@ -6157,13 +6522,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "is present": "true" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } 
@@ -6175,8 +6542,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -6187,13 +6554,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", - "is present": "true" + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
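Review bot: This check reads `$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of` while every neighbouring OP policy test reads `$.metadata_policy.intermediary...`; unless the TA really publishes this one parameter under a different metadata type, one of the two paths is wrong. The description also says the key must be 'one_of' while the path ends in `.subset_of`.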
@@ -6205,8 +6574,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6217,13 +6586,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6235,8 +6607,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -6247,13 +6619,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6265,8 +6640,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -6277,13 +6652,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -6295,8 +6673,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6307,13 +6685,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6325,25 +6706,27 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
@@ -6355,25 +6738,28 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } 
@@ -6385,25 +6771,27 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } 
@@ -6415,8 +6803,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -6427,13 +6815,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6445,8 +6836,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -6457,13 +6848,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } 
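Review bot: The new `is subset of` array holds a single element `"A128CBC-HS256\" , \"A256CBC-HS512"`; the escaped quotes make it one literal string containing `" , "` rather than two algorithm names, so neither `A128CBC-HS256` nor `A256CBC-HS512` can ever match. It should be two elements, `"A128CBC-HS256",` and `"A256CBC-HS512"`, exactly as the SA variant of this test further down already writes them. The same escaping slip appears in the RP id_token_signed_response_alg hunk (`"RS256\" , \"RS512"`) and the RP userinfo_encrypted_response_enc hunk. The description here also says the key must be `'subset_of'` while the path ends in `.one_of`. The enclosing test object continues outside both hunks.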
@@ -6475,8 +6868,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6487,13 +6880,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256\" , \"RS512" + ] } ] } 
@@ -6505,8 +6900,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" @@ -6517,13 +6912,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] } ] } 
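Review bot: The expected value `private_key` in the new `is subset of` array is not a registered OIDC token endpoint authentication method; the standard identifier for asymmetric-key client authentication is `private_key_jwt`, so as written the check can only pass if the TA's policy carries a non-standard value. Unless this profile deliberately uses the shorter spelling, the element should read `"private_key_jwt"`, and the description's `['private_key']` should follow. The SA token_endpoint_auth_method hunk further down carries the same value and needs the same correction. The enclosing test object continues outside both hunks.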
@@ -6535,8 +6932,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -6547,13 +6944,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6565,8 +6965,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -6577,13 +6977,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } 
@@ -6595,8 +6997,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6607,13 +7009,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6625,25 +7030,27 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
@@ -6655,25 +7062,27 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } 
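Review bot: The new path `$.metadata_policy.openid_relying_party.response_types.value` reads the RP branch of the policy, but the name, the description and the new message type `Entity Statement response TA SA` all refer to the SA's `intermediary` entity type, so the check is evaluated against the wrong branch; it should be `$.metadata_policy.intermediary.response_types.value`, matching the other SA checks in this file. The name still says `parameter key` while every sibling SA test says `parameter value`; aligning it keeps the report consistent. The enclosing test object continues outside the hunk.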
@@ -6685,25 +7094,28 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.metadata_policy.intermediary.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_toke" + ] } ] } 
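Review bot: The second element of the new `is subset of` array is `refresh_toke`, a typo for `refresh_token`; a policy that lists `refresh_token`, as the description itself requires, will therefore never satisfy this check. Change the line to `"refresh_token"`. The description also reads `values with` where the sibling tests say `valued with`. The enclosing test object continues outside the hunk.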
@@ -6715,8 +7127,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -6727,13 +7139,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6745,8 +7160,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -6757,13 +7172,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -6775,8 +7193,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6787,13 +7205,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6805,8 +7226,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" @@ -6817,13 +7238,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] } ] } 
@@ -6835,8 +7258,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -6847,13 +7270,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6865,8 +7291,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -6877,13 +7303,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -6895,8 +7324,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -6907,13 +7336,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -6925,25 +7357,28 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is present": "true" + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" + ] } ] } 
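Review bot: The new path `$.trust_marks[0].trust_mark.organization_type` descends into `trust_mark`, but in an OpenID Federation entity statement each element of `trust_marks` is an object whose `trust_mark` member is itself a compact, signed JWT string, so a JSONPath cannot resolve `organization_type` inside it without a second decode step. The test likely needs a nested decode operation on that member, or a dedicated message type for the trust mark itself, before the `is in` check can see the claim; indexing `[0]` also assumes the relevant trust mark is always first. The description says the Trust Mark is `decrypted`, while the operation only decodes a JWT; `decoded` would be accurate. The enclosing test object continues outside the hunk.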
@@ -6955,25 +7390,28 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
@@ -7054,30 +7492,6 @@
 ],
 "result": "correct flow s1"
 }
- },
- {
- "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response TA",
- "checks": [
- {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
 }
 ]
 }
\ No newline at end of file
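Review bot: The RP variant checks `"check": "$.organization_type"` at the top level of the entity statement payload, whereas the sibling OP hunk looks under `$.trust_marks[0].trust_mark`; in both cases the claim lives inside the trust mark JWT, which needs a nested `"from": "jwt payload"` decode of `$.trust_marks[0].trust_mark` (as in the new trust_mark-*-type files) before `$.organization_type` can resolve. The two tests also carry the identical name "Does the Trust Mark contain a correct organization_type claim", which makes OP and RP failures indistinguishable in reports; suggest `"name": "Does the Trust Mark for the RP contain a correct organization_type claim"` (and the OP equivalent). The second hunk on this line deletes the only check that the TA's Entity Configuration is served with `Content-Type: application/entity-statement+jwt`; if that removal is intentional it deserves a mention in the commit message, since a wrong media type is something a conformant RP is expected to reject. The enclosing test object begins before the first hunk.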
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-logo_uri-type.json
new file mode 100644
index 0000000..2d8f08a
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-logo_uri-type.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-email-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-email-type.json
new file mode 100644
index 0000000..02bc1b6
--- /dev/null
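Review bot: The schema's `\"pattern\":\"^https://.*\\\\.svg$\"` requires an https scheme, while the OP logo_uri-type row updated in testplan.csv in this same patch uses `^(https?://).*\\.svg$` and so also admits http; the two should agree, and https-only is the safer reading for a logo that relying parties will fetch and render. Note also that `\"format\":\"uri\"` is an annotation in JSON Schema unless the validator enables format assertion, so the `pattern` is the only clause actually constraining the value; the description could say so, e.g. "...is an https URL ending in .svg (format=uri is advisory; the pattern is what is enforced)". The `.*` also accepts userinfo and path segments of any shape before `.svg`, which is looser than "an URL with an .svg file" suggests but is probably acceptable here.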
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-email-type.json
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-exp-type.json
new file mode 100644
index 0000000..6a13711
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-exp-type.json
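Review bot: The schema key `\"required \"` (with a trailing space) is not the JSON Schema `required` keyword; unknown keywords are ignored, so a trust mark with no `email` claim passes this test and the type is only enforced when the claim happens to be present. Fix by dropping the space: `\"required\":[\"email\"]`. `\"format\":\"email\"` is likewise only enforced when the validator asserts formats, so consider a `pattern` if the shape of the address matters. The description says the trust mark is "decrypted", but the operation decodes a signed JWT and does not verify it; "decoded" is the accurate wording, e.g. `"description": "In this test, an issued Trust Mark is taken, decoded and the type of the email claim in it is checked."`.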
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iat-type.json
new file mode 100644
index 0000000..f653585
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iat-type.json
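Review bot: The name "Does the Trust Mark contain the exp type" reads oddly next to the sibling "Does the Trust Mark contain the correct iat type"; suggest `"name": "Does the Trust Mark contain the correct exp type"`. The description says the trust mark is "decrypted" while the decode step only parses a signed JWT and this passive test verifies neither signature nor encryption — "decoded" is the accurate word. Since the schema here only pins `exp` to a non-negative integer, the security-relevant property (the trust mark is not expired, i.e. `exp` is later than `iat` and than the time of the check) is not covered by this file; a companion value test would close that gap.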
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-logo_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-logo_uri.json
index 21764f6..747d549 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-logo_uri.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-logo_uri.json
@@ -19,13 +19,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_name-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_name-type.json
new file mode 100644
index 0000000..d93fadc
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_name-type.json
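Review bot: The new inner check uses `"check": "logo_uri"` without the `$.` JSONPath prefix that every other check in this patch uses (`"check": "$.trust_marks[0].trust_mark"`, `"check": "$"`, `"check": "$.metadata.federation_entity"`); if mig-t evaluates `check` as a JSONPath, a bare `logo_uri` may not resolve and the presence test would fail spuriously, so it should be `"check": "$.logo_uri"`. The removed check looked at `$.metadata.federation_entity.logo_uri` in the entity statement itself; that metadata check no longer exists in this file, which matches the file name, but it is worth confirming another test still covers the federation_entity logo_uri. The enclosing test object starts before and ends after the hunk.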
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ref-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ref-type.json
new file mode 100644
index 0000000..2adac34
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ref-type.json
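Review bot: The embedded schema is broken: every keyword and value carries a trailing space (`\"type \"`, `\"object \"`, `\"properties \"`, `\"enum \"`, `\"required \"`) so none is recognised by a JSON Schema validator, and the `\u00a0` (no-break space) characters between `:` and the values are not JSON whitespace, so the schema string will not even parse as JSON; either way the test cannot enforce anything. It is also semantically wrong: it restricts `organization_name` to the enum `private`/`public`, which is the value set of `organization_type`, whereas organization_name is a free-form display name. Suggested value: `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"organization_name\":{\"type\":\"string\",\"minLength\":1}},\"required\":[\"organization_name\"]}"`. The stray spaces and U+00A0 look like a rich-text paste; the RP twin of this file has the same defect.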
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-email-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-email-type.json
new file mode 100644
index 0000000..4832aad
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-email-type.json
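Review bot: `\"format\": \"uri\"` is annotation-only in JSON Schema unless the validator is configured to assert formats, so as written this test accepts any non-empty or empty string in `ref` despite the name promising "an URL"; add a pattern that does the real work, e.g. `\"pattern\": \"^https://\"`, consistent with the https requirement in the logo_uri-type test of this patch. The description's "decrypted" should read "decoded" — the step parses a signed JWT and verifies nothing.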
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-exp-type.json
new file mode 100644
index 0000000..7b88bb4
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-exp-type.json
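Review bot: Every keyword and value in this schema carries a trailing space (`\"type \"`, `\"object \"`, `\"properties \"`, `\"format \"`, `\"email \"`, `\"required \"`), so none is recognised by a JSON Schema validator and the test passes for any trust mark, including one with no `email` claim at all. The OP counterpart in this patch has only the `\"required \"` defect; both files should use `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required\":[\"email\"]}"`. The trailing space after the closing brace of the string value is harmless but, together with the padded keys, suggests the schema was pasted from a rich-text source and should be normalised.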
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iat-type.json
new file mode 100644
index 0000000..abab7e2
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iat-type.json
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-logo_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-logo_uri.json
index 8cc6145..c59cc2b 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-logo_uri.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-logo_uri.json
@@ -19,13 +19,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_name-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_name-type.json
new file mode 100644
index 0000000..b609d90
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_name-type.json
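Review bot: As in the OP twin, the inner check is written `"check": "logo_uri"` without the `$.` prefix used by every other JSONPath in this patch; if mig-t treats `check` as a JSONPath expression the bare name may not resolve, so it should be `"check": "$.logo_uri"`. The removed check on `$.metadata.federation_entity.logo_uri` means this file no longer exercises the entity-statement metadata; confirm that coverage still exists elsewhere. The enclosing test object starts before and ends after the hunk.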
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ref-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ref-type.json
new file mode 100644
index 0000000..50a9de4
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ref-type.json
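Review bot: This schema has the same two defects as its OP twin: the padded keys and values (`\"type \"`, `\"object \"`, `\"required \"`, ...) and the `\u00a0` characters outside string literals mean it either fails to parse or validates nothing, and it constrains `organization_name` to the `private`/`public` enum that belongs to `organization_type`. Replace the value with `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"organization_name\":{\"type\":\"string\",\"minLength\":1}},\"required\":[\"organization_name\"]}"` so the test actually requires a non-empty organization name.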
@@ -0,0 +1,46 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/testplan.csv b/testplans/spid-cie-oidc/testplan.csv
index ffbc97d..05a0532 100644
--- a/testplans/spid-cie-oidc/testplan.csv
+++ b/testplans/spid-cie-oidc/testplan.csv
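Review bot: Like the OP ref-type test, this relies solely on `\"format\": \"uri\"`, which most JSON Schema validators treat as an annotation unless format assertion is switched on, so the "an URL" promise in the name is not enforced; add `\"pattern\": \"^https://\"` (matching the https-only logo_uri pattern in this patch) so a non-URL `ref` actually fails. "decrypted" in the description should be "decoded".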
@@ -188,13 +188,32 @@ x,OP-Entity Configuration response-metadata-introspection_endpoint,OP Metadata,E x,OP-Entity Configuration response-metadata-issuer-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer parameter in the OP metadata ('openid_provider' type) identifies the OP, not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain a correct issuer parameter,In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP,OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.issuer | [""X_url_OP""]","The OP metadata of type 'openid_provider' must contain the parameter 'issuer' and it must contain an HTTPS URL that uniquely identifies the OP, without query of fragment components.",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,config has issuer,,,,"1.3.0, 1.3.1, 1.3.2","The fact of not having fragments or query components is written in the link (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) in the description of the claim. Maybe it could be made more clear. external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-issuer-type,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer parameter in the OP metadata ('openid_provider' type) is an URL with no query or fragment component, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the OP metadata contain correct type issuer parameter,In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component,OP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_provider | {""type"":""object"", ""properties"":{""issuer"":{""type"":""string"", ""format"":""uri""}},""required"":[""issuer""]}","The OP metadata of type 'openid_provider' must contain the parameter 'issuer' and it must contain an HTTPS URL that uniquely identifies the OP, without query of fragment components.",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,L,Type mismatch,,config has issuer,,,,"1.3.0, 1.3.1, 1.3.2","The fact of not having fragments or query components is written in the link (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) in the description of the claim. Maybe it could be made more clear. external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-logo_uri,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claimin the OP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the logo_uri claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The OP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,"Manca parametro federation_entity, ma รจ presente in openid_provider.logo_uri" -x,OP-Entity Configuration response-metadata-logo_uri-type,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri parameter in the OP metadata ('openid_provider' type) is an URL, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the OP metadata contain correct type logo_uri claim,In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL,OP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri""}},""required"":[""logo_uri""]})",The OP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#OP-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,"[MODIFICATO] Prima F: Manca parametro federation entity, ma si trova in openid_provider.logo_uri" +x,OP-Entity Configuration response-metadata-logo_uri-type,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri parameter in the OP metadata ('openid_provider' type) is an URL, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the OP metadata contain correct type logo_uri claim,In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL,OP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"": ""^(https?://).*\\.svg$""}},""required"":[""logo_uri""]}",The OP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,"[MODIFICATO] Prima F: Manca parametro federation entity, ma si trova in openid_provider.logo_uri" x,OP-Entity Configuration response-metadata-organization_name,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the organization_name claim in the OP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the organization_name claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is 
checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The OP Metadata of type 'federation_entity' MUST contain organization_name,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,,F,P,passed,"Manca parametro federation_entity, ma รจ presente in openid_provider.organization_name" x,OP-Entity Configuration response-metadata-policy_uri,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the policy_uri claim in the OP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the policy_uri claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The OP Metadata of type 'federation_entity' MUST contain policy_uri,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,Manca parametro federation_entity e policy_uri x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported,OP Metadata,Entity Configuration 
response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported,The OP metadata of type 'openid_provider' must contain the parameter 'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported-not_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter does not contain ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter is ['RS256', 'RS512'], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response-metadata-response_modes_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_modes_supported parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.response_modes_supported,"The OP metadata of type 'openid_provider' must contain the parameter 'response_modes_supported' and it must be set to [form_post, query]",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'token_endpoint_auth_methods_supported' parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_methods_supported,The OP metadata of type 'openid_provider' must contain the 
parameter 'token_endpoint_auth_methods_supported',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'token_endpoint_auth_methods_supported' parameter in the OP metadata ('openid_provider' type) is ""private_key_jwt"", not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_methods_supported[0] | [""private_key_jwt""]","The OP metadata of type 'openid_provider' must contain the parameter 'token_endpoint_auth_methods_supported' with value ""private_key_jwt""",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the 
""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported,The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are 
taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is 'one_of': ['RS256', 'RS512'], not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported,OP 
metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_signing_alg_values_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_authentication_signing_alg_values_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_authentication_signing_alg_values_supported,The OP Metadata of type 'openid_provider' MUST contain request_authentication_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,request_authentication_signing_alg_values_supported NOT PRESENT +x,OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-not_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_authentication_signing_alg_values_supported[0] | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP Metadata of type 'openid_provider' MUST contain request_authentication_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,request_authentication_signing_alg_values_supported NOT PRESENT +x,OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_signing_alg_values_supported claim is 'one_of': ['RS256', 'RS512'], not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_authentication_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP Metadata of type 'openid_provider' MUST contain request_authentication_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,request_authentication_signing_alg_values_supported NOT PRESENT +x,OP-Entity Configuration response-metadata-claims_supported,OP metadata,Entity 
Configuration response,Trigger Entity Configuration response,"Compliant if the claims_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the claims_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_supported,The OP Metadata of type 'openid_provider' MUST contain claims_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-claims_parameter_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the claims_parameter_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the claims_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_parameter_supported,The OP Metadata of type 'openid_provider' MUST contain claims_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-claims_parameter_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 
claims_parameter_supported claim has value true, not compliant if it is empty or is missing",JWT parameter values,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of claims_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_parameter_supported.value | true,The OP Metadata of type 'openid_provider' MUST contain claims_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,claim:true instead of claims: [value: true] +x,OP-Entity Configuration response-metadata-request_parameter_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_parameter_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_parameter_supported,The OP Metadata of type 'openid_provider' MUST contain request_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-request_parameter_supported-value,OP metadata,Entity Configuration 
response,Trigger Entity Configuration response,"Compliant if the request_parameter_supported claim has value true, not compliant if it is empty or is missing",JWT parameter values,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of request_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_parameter_supported.value | true,The OP Metadata of type 'openid_provider' MUST contain request_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,claim:true instead of claims: [value: true] +x,OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_response_iss_parameter_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the authorization_response_iss_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.authorization_response_iss_parameter_supported,The OP Metadata of type 'openid_provider' MUST contain authorization_response_iss_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,Missing authorization_response_iss_parameter_supported +x,OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_response_iss_parameter_supported claim has value true, not compliant if it is empty or is missing",JWT parameter values,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.authorization_response_iss_parameter_supported.value | true,The OP Metadata of type 'openid_provider' MUST contain authorization_response_iss_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,Missing authorization_response_iss_parameter_supported +x,OP-Entity Configuration response-metadata-client_registration_types_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the client_registration_types_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the client_registration_types_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | 
[^\r\n]* | payload | metadata.openid_provider.client_registration_types_supported,The OP Metadata of type 'openid_provider' MUST contain client_registration_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-client_registration_types_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the client_registration_types_supported claim has value true, not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of client_registration_types_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.client_registration_types_supported[0] | [""automatic""]",The OP Metadata of type 'openid_provider' MUST contain client_registration_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-request_authentication_methods_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_methods_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_authentication_methods_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the 
request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_authentication_methods_supported,The OP Metadata of type 'openid_provider' MUST contain request_authentication_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-request_authentication_methods_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_methods_supported claim has value true, not compliant if it is empty or is missing",JWT parameter type,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of request_authentication_methods_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_provider.request_authentication_methods_supported | {""type"": ""object"",""additionalProperties"": {""type"": ""array"",""items"": {""type"": ""string"",""const"": ""request_object""}}}",The OP Metadata of type 'openid_provider' MUST contain request_authentication_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-response_modes_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_modes_supported parameter in the OP metadata ('openid_provider' type) is 
present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.response_modes_supported,"The OP metadata of type 'openid_provider' must contain the parameter 'response_modes_supported' and it must be set to [form_post, query]",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-response_modes_supported-supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_modes_supported parameter in the OP metadata ('openid_provider' type) is [form_post, query], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.response_modes_supported[0] | [""form_post"", ""query""]","The OP metadata of type 'openid_provider' must contain the parameter 'response_modes_supported' and it must be set to [form_post, query]",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity 
Configuration response-metadata-response_types_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_types_supported parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the response_types_supported claim,In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.response_types_supported,The OP metadata of type 'openid_provider' must contain the parameter 'response_types_supported' and it must be set to 'code',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,Config has response_types_supported,,,,"1.3.10, 1.3.11","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-response_types_supported-supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_types_supported parameter in the OP metadata ('openid_provider' type) is 'code', not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct response_types_supported claim,In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code',OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.response_types_supported[0] | [""code""]",The OP metadata of type 'openid_provider' must contain the parameter 'response_types_supported' and it must be set to 'code',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,Config has response_types_supported,,,,"1.3.10, 1.3.11","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
@@ -220,9 +239,10 @@ x,OP-Entity Configuration response-trust_marks-type,OP's Entity Configuration,En
 x,AA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
 x,RP-Entity Configuration response-Entity_Configuration-wrong-signature,Wrongly signed OP's Entity Configuration,Entity Configuration response,Entity Configuration response containing a wrongly-signed Entity Configuration,"Compliant if the Authentication response does not contain the code parameter, not compliant otherwise",/ manual: check signature,Wrong Input,Entity Configuration response,Does the RP check the signature in the OP Entity Configuration,"In order to check if the RP correctly verifies the signature of an OP's Entity Configuration and does not trust arbitrary OP, the latter sends as the Entity Configuration response a wrongly signed Entity Configuration and waits for the RP. After this an authentication request is sent and, if the response contains the code, the RP is not checking the authenticity of the EC",RP,,,"For each EC of the OPs, the RP validates the signature by using the public key obtained in the Entity Statement released by the Trust Anchor.",SPID_CIE_OIDC#Metadata-Retrieval-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#relying-party,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] code รจ presente
 x,RP-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not 
compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",RP,,"Entity Configuration response RP | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
-x,SA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 
'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SA,,"Entity Configuration response SA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
+x,TA-Entity Configuration response TA-metadata-contacts,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'contacts' 
parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the contacts parameter,In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA metadata must contain the parameter contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,RP-Entity Configuration response-metadata-client_id,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'client_id' parameter,In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-client_id-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata is an HTTPS URL, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type of 
'client_id' parameter,In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]})",The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] HTTP non HTTPS 
+x,RP-Entity Configuration response-metadata-client_id-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata is an HTTPS URL, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type of 'client_id' parameter,In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]}",The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] HTTP 
non HTTPS 
+x,RP-Entity Configuration response-metadata-client_id-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata uniquely identifies the RP, not Compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does the RP metadata contain correct value of 'client_id' parameter,In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP,RP,,Entity Configuration response | body | [^\n\r]* | payload | metadata.openid_relying_party.client_id | x_https_RP,The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] HTTP non HTTPS
 x,RP-Entity Configuration response-metadata-client_registration_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'client_registration_types' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'client_registration_types' parameter,In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_registration_types,The RP metadata of type 'openid_relying_party' must contain the parameter client_registration_types and it has to be set to 'automatic'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,RP-Entity Configuration response-metadata-client_registration_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'client_registration_types' parameter in the RP metadata is 'automatic'. Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'client_registration_types' parameter,In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_registration_types[0] | [""automatic""]",The RP metadata of type 'openid_relying_party' must contain the parameter client_registration_types and it has to be set to 'automatic'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,RP-Entity Configuration response-metadata-contacts,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the contacts claim in the RP metadata ('federation_entity' type) is present, not compliant 
otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the contacts claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The RP Metadata of type 'federation_entity' MUST contain contacts,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,"[PRIMA] Manca parametro federation_entity, ma รจ presente in openid_relying_party.contacts" 
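Review bot: In the added `RP-Entity Configuration response-metadata-client_id-value` row, the check column compares `metadata.openid_relying_party.client_id` against `x_https_RP`, which reads as a placeholder for the RP's expected client_id rather than a concrete value; unless the harness substitutes it, the row can only ever fail, and the recorded `[SAME] HTTP non HTTPS` note would then not reflect the real cause. The same row repeats the risk wording `If the URL is not an HTTP there is a lack of security for transmitted data`; since the requirement is an HTTPS URL, `If the client_id is not an HTTPS URL, data in transit is not protected` states it correctly. A plain equality check also cannot establish the "uniquely identifies the RP" criterion given in the compliance column on its own, and the HTTPS form is already covered by the rewritten `client_id-type` row, where the `pattern` `^https://` does the enforcing because `format: uri` is only an annotation in JSON Schema unless the validator opts in to enforce it.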
@@ -236,12 +256,18 @@ x,RP-Entity Configuration response-metadata-id_token_encrypted_response_alg-not_
 x,RP-Entity Configuration response-metadata-id_token_encrypted_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_encrypted_response_alg' parameter in the RP metadata is ['RSA-OAEP', 'RSA-OAEP-256']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_alg | [""RSA-OAEP"", ""RSA-OAEP-256""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_alg
 x,RP-Entity Configuration response-metadata-id_token_encrypted_response_enc,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_encrypted_response_enc' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter,In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_enc,The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_enc and it has to contain the content encryption algorithms. This parameter is required only if the id_token_encrypted_response_alg is given,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,This parameter is required only if the id_token_encrypted_response_alg is given,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_enc
 x,RP-Entity Configuration response-metadata-id_token_encrypted_response_enc-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_encrypted_response_enc' parameter in the RP metadata is ['A128CBC-HS256', 'A256CBC-HS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter,"In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_enc | [""A128CBC-HS256"", ""A256CBC-HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_enc and it has to contain the content encryption algorithms. 
This parameter is required only if the id_token_encrypted_response_alg is given,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,This parameter is required only if the id_token_encrypted_response_alg is given,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_enc 
+x,RP-Entity Configuration response-metadata-redirect_uris,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'redirect_uris' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'redirect_uris' parameter,In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.redirect_uris,The RP metadata of type 'openid_relying_party' must contain the parameter redirect_uris,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
+x,RP-Entity Configuration response-metadata-redirect_uris-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'redirect_uris' parameter in the RP metadata ('openid_relying_party' type) contains an HTTPS. 
Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain an HTTPS 'redirect_uris' parameter,In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.,RP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_relying_party | {""type"": ""object"",""properties"": {""redirect_uris"": {""type"": ""array"",""items"": {""type"": ""string"",""format"": ""uri"",""pattern"": ""^https://.*$""}}},""required"": [""redirect_uris""]}",The RP metadata of type 'openid_relying_party' must contain the parameter redirect_uris of type HTTPS,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,F,failed,HTTP non HTTPS 
+x,RP-Entity Configuration response-metadata-grant_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'grant_types' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'grant_types' parameter,In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.grant_types,The RP metadata of type 'openid_relying_party' must contain the parameter grant_types,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
+x,RP-Entity Configuration response-metadata-grant_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'grant_types' parameter in the RP metadata ('openid_relying_party' type) contains authorization_code or refresh_token. Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token,In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.,RP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_relying_party | {""type"": ""object"",""properties"": {""grant_types"": {""type"": ""array"",""items"": {""type"": ""string"",""enum"": [""authorization_code"", ""refresh_token""]}}},""required"": [""grant_types""]}",The RP metadata of type 'openid_relying_party' must contain the correct parameter grant_types,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
+x,RP-Entity Configuration response-metadata-jwks,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'jwks' parameter in the RP metadata 
('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'jwks' parameter,In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.jwks,The RP metadata of type 'openid_relying_party' must contain the parameter jwks,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
+x,RP-Entity Configuration response-metadata-signed_jwks_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'signed_jwks_uri' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'signed_jwks_uri' parameter,In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.signed_jwks_uri,The RP metadata of type 'openid_relying_party' must contain the parameter signed_jwks_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed,
 x,RP-Entity Configuration response-metadata-id_token_signed_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'id_token_signed_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,RP-Entity Configuration response-metadata-id_token_signed_response_alg-not_supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata does not contain ['none', 'HS256', 'HS384', 'HS512']. Not Compliant otherwise",JWT parameter not in JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,RP-Entity Configuration response-metadata-id_token_signed_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata is ['RS256', 'RS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg | [""RS256"", ""RS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,RP-Entity Configuration response-metadata-jwks,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'jwks' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant if is absent",JWT parameter JSON presence,Correct Input,Entity Configuration 
response,Does the RP metadata contain the 'jwks' parameter,"In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.jwks,The RP metadata of type 'openid_relying_party' must contain the parameter jwks,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,RP-Entity Configuration response-metadata-logo_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the logo_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The RP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e logo_uri 
-x,RP-Entity Configuration response-metadata-logo_uri-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type logo_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri 
claim in the 'federation_entity' entity type is an URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""logo_uri""]})",The RP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[MODIFICATO] Prima: Manca parametro federation_entity e logo_uri - [PRIMA] HTTP non HTTPS 
+x,RP-Entity Configuration response-metadata-logo_uri-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type logo_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^(https?://).*\\.svg$""}},""required"":[""logo_uri""]}",The RP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,P,passed,[MODIFICATO] Prima: Manca parametro federation_entity e logo_uri - [PRIMA] HTTP non HTTPS
 x,RP-Entity Configuration response-metadata-organization_name,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the organization_name 
claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the organization_name claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The RP Metadata of type 'federation_entity' MUST contain organization_name,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e organization_name x,RP-Entity Configuration response-metadata-policy_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the policy_uri claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the policy_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The RP Metadata of type 'federation_entity' MUST contain policy_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e policy_uri x,RP-Entity Configuration response-metadata-token_endpoint_auth_method,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'token_endpoint_auth_method' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'token_endpoint_auth_method' parameter,In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.token_endpoint_auth_method,The RP metadata of type 'openid_relying_party' must contain the parameter token_endpoint_auth_method and it has to be set to 'private_key_jwt'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
@@ -259,45 +285,54 @@ x,RP-Entity Configuration response-response_types-type,RP metadata,Entity Config x,RP-Entity Configuration response-response_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'response_types' parameter in the RP metadata contains the value 'code'. Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain in the 'response_types' the value 'code',In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types[0] | [""code""]",The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-trust_marks,RP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the RP's entity configuration contain the trust_marks parameter,"To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",RP,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-trust_marks-type,RP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP's entity configuration contain a correct trust_marks parameter,"To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",RP,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""array""}}, ""required"": [""trust_marks""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,SA-Entity Configuration response-metadata-contacts,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'contacts' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the contacts parameter,In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA 
metadata must contain the parameter contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-federation_fetch_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_fetch_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-federation_list_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_list_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is 
checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-federation_resolve_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_resolve_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_resolve_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The TA and SA metadata must contain the parameter federation_resolve_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_trust_mark_status_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the 
federation_trust_mark_status_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The TA and SA metadata must contain the parameter federation_trust_mark_status_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-homepage_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'homepage_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the homepage_uri parameter,In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The TA and SA metadata must contain the parameter homepage_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-logo_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the logo_uri parameter,In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-organization_name,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the organization_name parameter,In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | 
metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-policy_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the policy_uri parameter,In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,TA-Entity Configuration response TA-metadata-federation_fetch_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' 
type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_fetch_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Configuration response TA-metadata-federation_list_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_list_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Configuration response TA-metadata-federation_resolve_endpoint,TA's metadata,Entity Configuration 
response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_resolve_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_resolve_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The TA and SA metadata must contain the parameter federation_resolve_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Configuration response TA-metadata-federation_trust_mark_status_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_trust_mark_status_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The TA and SA metadata must contain the parameter federation_trust_mark_status_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC 
Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Configuration response TA-metadata-homepage_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'homepage_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the homepage_uri parameter,In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The TA and SA metadata must contain the parameter homepage_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Configuration response TA-metadata-logo_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the logo_uri parameter,In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro logo_uri +x,TA-Entity Configuration response TA-metadata-logo_uri-type,TA metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response TA,Does the TA metadata contain correct type logo_uri claim,In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,TA,,"Entity Configuration response TA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The TA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,HTTP non HTTPS +x,TA-Entity Configuration response TA-metadata-organization_name,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the organization_name parameter,In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro organization_name +x,TA-Entity Configuration response TA-metadata-policy_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the policy_uri parameter,In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro policy_uri +x,SA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SA,,"Entity Configuration response SA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Configuration response-trust_marks,SA's entity configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'trust_marks' parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the entity configuration of the SA contain the trust marks,"The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. 
Among them, the 'trust_marks' parameter must be present.",SA,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,"The RP, OP or SA must include the trust marks in the entity configuration as a result of the onboarding process",SPID_CIE_OIDC#entity-configuration-leaves-and-intermediaries; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Configuration response-trust_marks-type,SA's entity configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'trust_marks' parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the entity configuration of the SA contain a correct trust_marks parameter,"The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. 
Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",SA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_marks""]}","The RP, OP or SA must include the trust marks in the entity configuration as a result of the onboarding process",SPID_CIE_OIDC#entity-configuration-leaves-and-intermediaries; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,AA-Entity Configuration response AA-signature,Entity's Entity Configuration,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response AA,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",AA,,Entity Configuration response AA | body | [^\r\n]* | X_key_AA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response AA-sub-value,Entity's Entity Configuration,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response AA,Does entity configuration AA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",AA,,Entity Configuration response AA | body | [^\r\n]* | payload | sub | X_key_AA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response AA-metadata-logo_uri-type,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response AA,Does the AA metadata contain correct type logo_uri claim,In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The AA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response AA-metadata-resource-type,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the resource claim contains one or more https URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response AA,Does the AA metadata contain correct type resource claim,In this test the AA 
metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL,AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"": ""object"",""properties"": {""resource"": {""oneOf"": [{""type"": ""string"", ""format"": ""uri"", ""pattern"": ""^https://""},{""type"": ""array"",""items"": {""type"": ""string"", ""format"": ""uri"", ""pattern"": ""^https://""},""minItems"": 1}]}},""required"": [""resource""]}",The AA Metadata of type 'federation_entity' MUST contain resource,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response AA-metadata-authorization_endpoint-value,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the authorization_endpoint claim contains ""private"", not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response AA,Does the AA metadata contain correct type authorization_endpoint claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is ""private""",AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"": ""object"",""properties"": {""authorization_endpoint"": {""type"": ""string"",""const"": ""private""}},""required"": [""authorization_endpoint""]}",The AA Metadata of type 'federation_entity' MUST contain authorization_endpoint,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non 
presente,not_applicable, +x,AA-Entity Configuration response AA-metadata-op_policy_uri,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the op_policy_uri claim is in the AA metadata, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response AA,Does the AA metadata contain op_policy_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked,AA,,Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.openid_provider.op_policy_uri,The AA Metadata of type 'openid_provider' MUST contain op_policy_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response AA-metadata-op_policy_uri-type,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the op_policy_uri claim contains an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response AA,Does the AA metadata contain correct type op_policy_uri claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is ""private""",AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.openid_provider | {""type"": ""object"",""properties"": {""op_policy_uri"": {""type"": ""string"",""format"": ""uri""}},""required"": [""op_policy_uri""]}",The AA Metadata of type 'openid_provider' MUST contain op_policy_uri as URL,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type 
mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,OP-Entity Configuration response OP-signature,Entity's Entity Configuration,Entity Configuration response OP,Trigger Entity Configuration response OP,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response OP,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",OP,,Entity Configuration response OP | body | [^\r\n]* | X_key_OP,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response OP-sub-value,Entity's Entity Configuration,Entity Configuration response OP,Trigger Entity Configuration response OP,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response OP,Does entity configuration OP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter 
is checked. Its value must be equal to the one in the iss parameter",OP,,Entity Configuration response OP | body | [^\r\n]* | payload | sub | X_url_OP,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response RP-signature,Entity's Entity Configuration,Entity Configuration response RP,Trigger Entity Configuration response RP,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response RP,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",RP,,Entity Configuration response RP | body | [^\r\n]* | X_key_RP,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response RP-sub-value,Entity's Entity Configuration,Entity Configuration response RP,Trigger Entity Configuration response RP,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response RP,Does entity configuration RP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",RP,,Entity Configuration response RP | body | [^\r\n]* | payload | sub | X_url_RP,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,SA-Entity Configuration response SA-signature,Entity's Entity Configuration,Entity Configuration response SA,Trigger Entity Configuration response SA,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response SA,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",SA,,Entity Configuration response SA | body | [^\r\n]* | X_key_SA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Configuration response SA-sub-value,Entity's Entity Configuration,Entity 
Configuration response SA,Trigger Entity Configuration response SA,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response SA,Does entity configuration SA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",SA,,Entity Configuration response SA | body | [^\r\n]* | payload | sub | X_url_SA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response SA-metadata-logo_uri-type,SA metadata,Entity Configuration response SA,Trigger Entity Configuration response SA,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response SA,Does the TA metadata contain correct type logo_uri claim,In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,SA,,"Entity Configuration response SA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The SA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type 
mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,TA-Entity Configuration response TA-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response TA,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",TA,,"Entity Configuration response TA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,F,P,passed,[PRIMA] There is only: federation_entity x,TA-Entity Configuration response TA-constraints,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response TA,Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | constraints,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Configuration response TA-constraints-value,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the constraints parameter contains the max_path_length attribute, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length',"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. 
It must contain the attribute max_path_length",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | constraints.max_path_length,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Configuration response TA-constraints-type,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the constraints parameter is a JSON object, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response TA,Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. 
It must be a JSON Object",TA,,"Entity Configuration response TA | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""constraints"": {""type"": ""object"", ""properties"": {""max_path_length"": {}}, ""required"": [""max_path_length""]}, ""required"": [""constraints""]}}",TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Configuration response TA-jwks,Federation Configuration (TA's Entity Configuration),Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA's Entity Configuration response contains the TA's public keys, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response TA,Does the Federation Configuration contain the TA public keys,"The Federation configuration must contain, among others, the TA public keys. 
To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | jwks,"The Federation configuration contains the Trust Anchor public key for the signature operations, the maximum number of Intermediaries allowed between a Leaf and the Trust Anchor (max_path length) and the authorities who are enabled to issue the Trust Marks (trust_marks_issuers).",SPID_CIE_OIDC#Configuration-of-the-federation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/la_federazione_delle_identita.html#configurazione-della-federazione,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-contacts,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'contacts' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the contacts parameter,In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA metadata must contain the parameter contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-federation_fetch_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 
'federation_entity' type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_fetch_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-federation_list_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_list_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-federation_resolve_endpoint,TA's metadata,Entity 
Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_resolve_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_resolve_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The TA and SA metadata must contain the parameter federation_resolve_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-federation_trust_mark_status_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_trust_mark_status_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The TA and SA metadata must contain the parameter federation_trust_mark_status_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-homepage_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'homepage_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the homepage_uri parameter,In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The TA and SA metadata must contain the parameter homepage_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-logo_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the logo_uri parameter,In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro logo_uri -x,TA-Entity Configuration response TA-metadata-organization_name,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the organization_name parameter,In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC 
Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro organization_name -x,TA-Entity Configuration response TA-metadata-policy_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the policy_uri parameter,In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro policy_uri +x,SA-Entity Configuration response-metadata-contacts,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'contacts' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the contacts parameter,In this test the SA metadata are taken and the presence 
of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA metadata must contain the parameter contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-federation_fetch_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_fetch_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-federation_list_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata 
contain the federation_list_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-federation_resolve_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_resolve_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_resolve_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The TA and SA metadata must contain the parameter federation_resolve_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it 
contains the 'federation_trust_mark_status_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The TA and SA metadata must contain the parameter federation_trust_mark_status_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-homepage_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'homepage_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the homepage_uri parameter,In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The TA and SA metadata must contain the parameter homepage_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-logo_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the logo_uri parameter,In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-organization_name,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the organization_name parameter,In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | 
metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-policy_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the policy_uri parameter,In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,TA-Entity Configuration response TA-signature,Entity's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the signature is correct, not compliant 
otherwise",JWT signature check,Correct Input,Entity Configuration response TA,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",TA,,Entity Configuration response TA | body | [^\r\n]* | X_key_TA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Signature non corretta x,TA-Entity Configuration response TA-sub-value,Entity's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response TA,Does entity configuration TA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | sub | X_url_TA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Configuration response TA-trust_marks_issuers,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the trust_marks_issuers parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response TA,Does TA's Entity configuration contain the trust_marks_issuers parameter,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | trust_mark_issuers,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Configuration response TA-trust_marks_issuers-type,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the trust_mark_issuers parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response TA,Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and 
the trust_mark_issuers parameter must be a JSON Array.",TA,,"Entity Configuration response TA | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_mark_issuers"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_mark_issuers""]}",TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,SA-Entity Listing endpoint response-exposed,Entity Listing endpoint response,Entity Listing endpoint response,Trigger Entity Listing endpoint response,"Compliant if the Response contains a JSON list (array), not compliant otherwise",HTTP parameter type,Correct Input,Entity Listing endpoint response,Does the Entity expose the entity listing endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. 
An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",SA,,"Entity Listing response | body | [^\r\n]*.^\{(\s*""[^""]*""\s*:\s*(?:""[^""]*"",?|\[[^\r\n]*\],?|\{[^\r\n]*\},?)\s*)*\}$",This test simply checks if the entity exposes the /.well-known/openid-federation endpoint and if it,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,TA-Entity Listing endpoint response-exposed,Entity Listing endpoint response,Entity Listing endpoint response,Trigger Entity Listing endpoint response,"Compliant if the response contains a JSON list, not compliant otherwise",HTTP parameter type,Correct Input,Entity Listing endpoint response,Does the Entity expose the entity listing endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. 
A response containing a JSON list with the known Entity Identifiers is expected",TA,,"Entity Listing response | body | \[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$",This test simply checks if the entity exposes the /.well-known/openid-federation endpoint and if it,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Entity Listing response +x,SA-Entity Statement response SA OP-trust_mark-sa_profile,Trust Mark generated for an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sa_profile claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued intermediary Trust Mark contain the sa_profile claim,"A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sa_profile,"In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +o,SA-Entity Statement response SA OP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT 
parameter type,Correct Input,Entity Statement response SA OP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""sa_profile"": { ""type "": ย ""string "", ""enum "": [ ""full "", ย ""light ""]}}, ""required "": [ ""sa_profile ""]}","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""fiscal_number"": {}, 
""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-id-value,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id is present, has the structure /// and the entity_type and trustmark_profile parts of the URL have values among the allowed ones, not compliant otherwise",/ manual: check content,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain a correct id claim,"The id of the trust mark must have the structure ///. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked. If it is present, than the structure of the id must be as described above. The entity type can be one among 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile can be 'public' or private'",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id | openid_relying_party | openid_provider | intermediate | oauth_resource,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,Da capire come individuare che solo l'entity type sia all'interno dei valori dati,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
@@ -314,8 +349,11 @@ x,SA-Entity Statement response SA OP-sub,Entity Statement issued by an SA,Entity x,SA-Entity Statement response SA OP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the claims claim is present and its value is a list, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": 
[""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim and it is a list",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the email claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response SA OP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the email claim is of type string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the correct type of email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": 
""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response SA OP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", 
""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response SA OP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": 
{ ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the id claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id_code claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Entity Statement response SA OP-trust_mark-id_code-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain correcty type of id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", 
""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
@@ -324,11 +362,13 @@ x,SA-Entity Statement response SA OP-iss-value,Entity Statement issued by an SA,
 x,SA-Entity Statement response SA OP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the logo_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-logo_uri-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the logo_uri claim is value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain correct type of logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_name claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
+x,SA-Entity Statement response SA OP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { 
""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_type claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 o,SA-Entity Statement response SA OP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_type claim contains 'public' or 'private', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain correct value for organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value 
of the organization_type claim can be 'public' or 'private'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the policy_uri claim is present and its value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement 
response SA OP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the ref claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
+x,SA-Entity Statement response SA OP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity 
Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC 
Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-signature,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the signature of the trust marks in the entity statement is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response SA OP,Does the SA correctly sign the Trust marks,"To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. 
The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_SA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
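Review bot: The JSON Schema in the added `organization_name-type` row is not parsable and, if the padding were tolerated, would validate nothing: every keyword and property name carries a trailing space (`"type "`, `"properties "`, `"organization_name "`, `"required "`) and a stray `ย` character appears before several string values, so a validator either rejects the cell or ignores the unknown keywords and reports compliance for any payload; the same padding and `ย` appear in the `sa_profile-value` row of the next hunk and the `email-type` row of the one after it, and that later hunk's added iat type row also reuses the identifier `SA-Entity Statement response SA RP-trust_mark-iat` of the existing presence row. The row also constrains `organization_name` to the enum `public`/`private`, which the neighbouring `organization_type-value` row treats as the values of `organization_type`; presumably only the string type is intended, e.g. `{"type": "object", "properties": {"organization_name": {"type": "string"}}, "required": ["organization_name"]}` (with doubled quotes inside the CSV cell). Both added rows, `organization_name-type` and `ref-type`, use the path `trust_marks.trust_mark` and the classification `M,Missing parameter`, whereas the existing `-type` rows in this hunk use `trust_marks[0].trust_mark` and `L,Type mismatch`. The `ref-type` schema additionally relies on `"format": "uri"` alone, which most validators treat as an annotation unless format assertion is enabled, while the sibling URL checks add `"pattern": "^https://"`.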
@@ -340,6 +380,8 @@ x,SA-Entity Statement response SA OP-trust_mark-tos_uri-type,Trust Mark generate
 x,SA-Entity Statement response SA OP-trust_marks,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the trust_marks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA OP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iss claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Statement response SA OP-trust_mark-iss-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iss claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""iss"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""iss""]}",The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
+x,SA-Entity Statement response SA RP-trust_mark-sa_profile,Trust Mark generated for an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sa_profile claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued intermediary Trust Mark contain the sa_profile claim,"A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sa_profile,"In addition to the claims of the public 
and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
+o,SA-Entity Statement response SA RP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""sa_profile"": { ""type "": ย ""string "", ""enum "": [ ""full "", ย ""light ""]}}, ""required "": [ ""sa_profile ""]}","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement 
response SA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""fiscal_number"": {}, ""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-id-value,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id is present, has the structure /// and the entity_type and trustmark_profile parts of the URL have values among the allowed ones, not compliant otherwise",/ manual: check content,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain a correct id claim,"The id of the trust mark must have the structure ///. 
So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked. If it is present, than the structure of the id must be as described above. The entity type can be one among 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile can be 'public' or private'",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id | openid_relying_party | openid_provider | intermediate | oauth_resource,The issued Trust Marks must have the id claim. The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,Da capire come individuare che solo l'entity type sia all'interno dei valori dati,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public 
Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
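Review bot: The added `sa_profile-value` row cannot succeed for a conforming Trust Mark: its enum lists `"full "` and `"light "` with trailing spaces, so the values `full`/`light` never match, and its keywords are padded the same way (`"type "`, `"enum "`, `"required "`), so even a lenient parser would see no constraint at all. It is classified `nested JWT parameter type` although it checks a value, while the analogous `organization_type-value` row uses `nested JWT parameter values` with the list form `trust_marks[0].trust_mark | payload | organization_type | ["public", "private"]`; the consistent form here would be `trust_marks[0].trust_mark | payload | sa_profile | ["full", "light"]`. Both new `sa_profile` rows read the Trust Marks from `Entity Statement response SA RP`, the statement the SA issues about a subordinate RP, while the description says the Trust Mark was issued by the TA for the SA; if the trust_marks in that statement are the RP's, as the surrounding rows assume, the intermediary-profile claim would be absent and the presence test would report a spurious non-compliance, so the message these rows target may need to be the SA's own Entity Configuration — worth confirming against the referenced federation_entity-Trust-Mark section.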
@@ -357,8 +399,11 @@ x,SA-Entity Statement response SA RP-metadata_policy-jwks,Metadata policy in an
 ,SA-Entity Statement response SA RP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the claims claim is present and its value is a list, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": 
[""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim and it is a list",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the email claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
+,SA-Entity Statement response SA RP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the email claim is of type string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": 
""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
+x,SA-Entity Statement response SA RP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", 
""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
+,SA-Entity Statement response SA RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", 
""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the id claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id_code claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 ,SA-Entity Statement response SA RP-trust_mark-id_code-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain correcty type of id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", 
""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
@@ -367,11 +412,13 @@ x,SA-Entity Statement response SA RP-metadata_policy-jwks,Metadata policy in an ,SA-Entity Statement response SA RP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the logo_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-logo_uri-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the logo_uri claim is value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain correct type of logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_name claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response SA RP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name 
"": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_type claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_type claim contains 'public' or 'private', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain correct value for organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the 
organization_type claim can be 'public' or 'private'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the policy_uri claim is present and its value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA 
RP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the ref claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response SA RP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response 
SA RP,Trigger Entity Statement response SA RP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, ,SA-Entity Statement response SA RP-trust_mark-signature,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the signature of the trust marks in the entity statement is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response SA RP,Does the SA correctly sign the Trust marks,"To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. 
The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_SA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
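Review bot: The added organization_name-type row (`+x,SA-Entity Statement response SA RP-trust_mark-organization_name-type,...`) constrains organization_name to the enum `private`/`public`, which is the value set the neighbouring organization_type-value row already checks; organization_name is a free-form name, so this schema would mark compliant Trust Marks as failing. The embedded schema also carries trailing spaces inside its keyword names (`""type ""`, `""properties ""`, `""required ""`) and stray `ย` characters (presumably mis-encoded non-breaking spaces), so a validator sees unknown keywords and never applies the type check. Suggest the check column value `{"type": "object", "properties": {"organization_name": {"type": "string"}}, "required": ["organization_name"]}` (CSV-escaped as in the sibling rows) and the sibling severity/category `L,Type mismatch` in place of `M,Missing parameter`. The added ref-type row later in the hunk has the same category issue and relies on `""format"": ""uri""` alone, which most JSON Schema validators treat as an annotation; the other URL checks in this hunk pin `""pattern"": ""^https://""` as well.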
@@ -393,7 +440,7 @@ x,TA-Entity Statement response TA OP-iat,Entity Statement issued by the TA,Entit x,TA-Entity Statement response TA OP-jwks,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the jwks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Statement response TA OP-metadata_policy,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the metadata_policy parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the acr_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must be a JSON object containing the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.acr_values_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}},""required"":[""subset_of"", ""superset_of""]}",The acr_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the acr_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.acr_values_supported.subset_of | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3""]",The acr_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the acr_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.acr_values_supported.subset_of | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3""]",The acr_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-iss,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statement issued by the TA contain the iss parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the authorization_response_iss_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.authorization_response_iss_parameter_supported,The authorization_response_iss_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.claims_parameter_supported,The claims_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto 
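Review bot: The re-added acr_values_supported-value row (`+x,TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-value,...`) still checks the path `metadata_policy.intermediary.acr_values_supported.subset_of`, while its own description, expected outcome and reference all refer to the `openid_provider` type, and the sibling rows in this hunk check `metadata_policy.openid_provider.*`. The note `Manca parametro intermediary` on the preceding key row suggests these tests are failing on the path rather than on the TA's policy. If openid_provider is the intended metadata type, the path should read `metadata_policy.openid_provider.acr_values_supported.subset_of`; the acr_values_supported-key row at the start of this hunk (which also has a leading dot in `.metadata_policy`) and the code_challenge_methods_supported rows in the following hunk carry the same path. Otherwise the description and expected-outcome text should say intermediary so the row is self-consistent.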
@@ -405,12 +452,12 @@ x,TA-Entity Statement response TA OP-metadata_policy-client_registration_types_s
 x,TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the code_challenge_methods_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.code_challenge_methods_supported.subset_of,The code_challenge_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary
 x,TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the code_challenge_methods_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['S256'], not 
compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.code_challenge_methods_supported.subset_of | [""S256""]",The code_challenge_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
 x,TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the grant_types_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.grant_types_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The grant_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary
-x,TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the grant_types_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['refresh_token', 'authorization_code'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.grant_types_supported.subset_of | [""refresh_token"", ""authorization_code""]",The grant_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the grant_types_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['refresh_token', 'authorization_code'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.grant_types_supported.subset_of | [""refresh_token"", ""authorization_code""]",The grant_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
 x,TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_encryption_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary
 ,TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_enc_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_encryption_enc_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary
-x,TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_enc_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The id_token_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_enc_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The id_token_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
 x,TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary
-x,TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path | param_value1 | param_value2 | ...,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path | param_value1 | param_value2 | ...,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
 x,TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of | [""RSA_1_5""]",The id_token_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
 x,TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
 x,TA-Entity Statement response TA OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto 
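Review bot: The three re-added rows in this hunk (grant_types_supported-value, id_token_encryption_enc_values_supported-value, id_token_signing_alg_values_supported-value) only change the status column to `TBD`, but their check path still targets `metadata_policy.intermediary.…` while the description, the expected-result text and the cited requirement all say the parameter is checked inside the `openid_provider` type; the notes column ("Manca parametro intermediary" / "metadata_policy contiene solo openid_provider") suggests the recorded failures come from that path rather than from a non-compliant OP policy. The two alg rows additionally read the `one_of` operator where the description says `subset_of`, and the signing-alg row's path has a leading dot (`.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of`) that its sibling list-contains rows do not. If `openid_provider` is the intended object, the grant_types row's path should become `metadata_policy.openid_provider.grant_types_supported.subset_of` and the two alg rows should be aligned the same way (path and operator); if `intermediary` and `one_of` are deliberate, the description column should say so rather than `openid_provider`/`subset_of`. Until path and description agree, the algorithm restriction these rows are meant to verify (RS256/RS512 for signing, A128CBC-HS256/A256CBC-HS512 for encryption) is not actually being evaluated against the OP policy, so a policy that permits weaker values would not be reported.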
@@ -420,50 +467,55 @@ x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_meth
 x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_authentication_methods_supported.value,The request_authentication_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. 
openid_provider รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_methods_supported parameter is present in the openid_provider type and the key 'one_of' is valued with ['request_object'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_authentication_methods_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": ""request_object""}}, ""required"": [""value""]}",The request_authentication_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. 
openid_provider รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.request_authentication_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary 
-x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger 
Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of | [""RS256"", ""RS512""]",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto 
+x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of | [""RS256"", ""RS512""]",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto o,TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the request_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_parameter_supported,The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. 
openid_provider รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_parameter_supported.value,The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. 
openid_provider รจ vuoto ,TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the request_object_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'superset_of' or 'subset_of',JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The request_object_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto 
-,TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the request_object_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'superset_of' or 'subset_of',JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]} [""RS256"", ""RS512""]",The request_object_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,,Clarifying docs,Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto 
+,TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the request_object_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'superset_of' or 'subset_of',JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]} [""RS256"", ""RS512""]",The request_object_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,Clarifying docs,Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type and contains the value 'one_of': ['true'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": true}}, ""required"": [""value""]}",The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_modes_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.response_modes_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}}, ""required"": [""subset_of"", ""superset_of""]}",The response_modes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary 
-x,TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_modes_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['form_post', 
'query'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_modes_supported.subset_of | [""form_post"", ""query""]",The response_modes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_modes_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['form_post', 'query'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_modes_supported.subset_of | [""form_post"", ""query""]",The response_modes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-response_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_types_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_types_supported.subset_of,The response_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary x,TA-Entity Statement response TA OP-metadata_policy-response_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_types_supported parameter is present in the openid_provider type and contains the value 'one_of': ['code'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['code']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_types_supported.subset_of | [""code""]",The response_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the revocation_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of,The revocation_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary x,TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the revocation_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['private_key_jwt']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of | [""private_key_jwt""]",The revocation_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-scopes_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the scopes_supported parameter is present in the openid_provider typeand contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.scopes_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}}, ""required"": [""subset_of"", ""superset_of""]}",The scopes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-scopes_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the scopes_supported parameter is present in the openid_provider typeand contains the value 'subset_of': ['openid', 'offline_access', 'profile', 'email'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.scopes_supported.subset_of | [""openid"", ""offline_access"", ""profile"", ""email""]",The scopes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA OP-metadata_policy-scopes_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the scopes_supported parameter is present in the openid_provider typeand contains the value 'subset_of': ['openid', 'offline_access', 'profile', 'email'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.scopes_supported.subset_of | [""openid"", ""offline_access"", ""profile"", ""email""]",The scopes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the subject_types_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.subject_types_supported.subset_of,The subject_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary x,TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the subject_types_supported parameter is present in the openid_provider type and contains the value 'one_of': ['pairwise'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['pairwise']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.subject_types_supported.subset_of | [""pairwise""]",The subject_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of,The token_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['private_key_jwt']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of | [""private_key_jwt""]",The token_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['private_key_jwt']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of | [""private_key_jwt""]",The token_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and not contains the values ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is presentin the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_encryption_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is presentin the openid_provider type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is presentin the openid_provider type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_enc_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_encryption_enc_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_enc_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The userinfo_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_enc_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The userinfo_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if is missing or empty",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA OP-release,TA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the TA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response TA OP,Does the TA correctly release the Entity statements,"After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. 
The response is then checked and it must contain the subordinate entity's Entity Statement.",TA,,Entity Statement response TA OP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it.,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Statement response TA OP-sub,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the sub parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Statement response TA OP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claim o,TA-Entity Statement response TA OP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims claim is a list of JSON Objects, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this 
test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims x,TA-Entity Statement response TA OP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the email claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro email +,TA-Entity Statement response TA OP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the email claim is of type string, not compliant 
otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"":""object"",""properties"":{""email"":{""type"":""string"",""format"":""email""}},""required "":[""email""]}",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No email x,TA-Entity Statement response TA OP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the exp claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro exp +x,TA-Entity Statement response TA OP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA 
OP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No exp x,TA-Entity Statement response TA OP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iat claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response TA OP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and 
the type of the iat claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, x,TA-Entity Statement response TA OP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the id claim,"The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the authorization_response_iss_parameter_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value,The authorization_response_iss_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. 
openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the logo_uri claim is present in the trust_mark JWT in the trust_marks parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro metadata +x,TA-Entity Statement response TA OP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the logo_uri claim is present in the trust_mark JWT in the trust_marks parameter, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro logo_uri x,TA-Entity 
Statement response TA OP-trust_mark-logo_uri-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the logo_uri parameter in the trust mark in the trust marks parameter of the response is an URI, not compliant otherwise ",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain a correct logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro logo_uri x,TA-Entity Statement response TA OP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_name claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC 
Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_name +x,TA-Entity Statement response TA OP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No organization_name x,TA-Entity Statement response TA OP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_type claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust 
Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_type o,TA-Entity Statement response TA OP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_type claim is 'public' or 'private', not compliant otherwise",JWT list values,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain a correct organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark.organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro organization_type x,TA-Entity Statement response TA OP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | 
[^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri o,TA-Entity Statement response TA OP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the policy_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri x,TA-Entity Statement response TA OP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the ref claim is present in the trust mark, not compliant otherwise",nested JWT parameter 
presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response TA OP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, o,TA-Entity Statement response TA OP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response TA OP,Does the issued intermediary Trust Mark contain a correct sa_profile 
claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | sa_profile | [""light"", ""full""]","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro sa_profile x,TA-Entity Statement response TA OP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation 
o,TA-Entity Statement response TA OP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation 
@@ -490,45 +542,50 @@ x,TA-Entity Statement response TA OP-trust_mark-iss-value,Trust Mark generated f ,TA-Entity Statement response TA RP-iat,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the iat parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, ,TA-Entity Statement response TA RP-jwks,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the jwks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, ,TA-Entity Statement response TA RP-metadata_policy,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the metadata_policy parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
-x,TA-Entity Statement response TA RP-metadata_policy-client_registration_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the client_registration_types parameter is present in the openid_relying_party type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.client_registration_types.subset_of,The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro client_registration_types
-x,TA-Entity Statement response TA RP-metadata_policy-client_registration_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the client_registration_types parameter is present in the openid_relying_party type and contains the value 'one_of': ['automatic'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['automatic']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.client_registration_types.subset_of | [""automatic""]",The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response TA RP-metadata_policy-client_registration_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the client_registration_types parameter is present in the openid_relying_party type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.client_registration_types.subset_of,The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro client_registration_types
+x,TA-Entity Statement response TA RP-metadata_policy-client_registration_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the client_registration_types parameter is present in the openid_relying_party type and contains the value 'one_of': ['automatic'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['automatic']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.client_registration_types.subset_of | [""automatic""]",The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA RP-metadata_policy-grant_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the grant_types parameter inside the openid_relying_party type is present and it contains the value 'subset_of: [authorization_code, refresh_token]', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct grant_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.grant_types.subset_of | [""authorization_code"", ""refresh_token""]",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
-x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of,The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro id_token_encrypted_response_alg
+x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of,The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_encrypted_response_alg ,TA-Entity Statement response TA RP-metadata_policy-response_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the response_types parameter is present in the openid_relying_party type and contains the key 'value', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct response_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value,The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca response_types ,TA-Entity Statement response TA RP-metadata_policy-response_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the response_types parameter is present in the openid_relying_party type and contains the key 'value', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct response_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value | [""code""]",The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca response_types
-x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
-x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_enc parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of,The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro id_token_encrypted_response_enc
-x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_enc parameter is present in the openid_relying_party type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of | [""A128CBC-HS256"" , ""A256CBC-HS512""]",The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
-x,TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_signed_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of,The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro id_token_signed_response_alg
-x,TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_signed_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of | [""RS256"" , ""RS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_enc parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of,The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_encrypted_response_enc
+x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_enc parameter is present in the openid_relying_party type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of | [""A128CBC-HS256"" , ""A256CBC-HS512""]",The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_signed_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of,The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_signed_response_alg
+x,TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_signed_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of | [""RS256"" , ""RS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto x,TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant if present",JWT list parameter does not contain,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of | [""RSA_1_5""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. x,TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the value of id_token_signed_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not compliant if present",JWT list parameter does not contain,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. x,TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of | [""RSA_1_5""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. x,TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. -x,TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the token_endpoint_auth_method parameter is present in the openid_relying_party type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of,The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro token_endpoint_auth_method -x,TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the token_endpoint_auth_method parameter is present in the openid_relying_party type and contains the value 'one_of': ['private_key'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['private_key']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of | [""private_key""]",The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of,The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro userinfo_encrypted_response_alg -x,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -o,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_enc parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of,The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro userinfo_encrypted_response_enc -o,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_enc parameter is present in the openid_relying_party type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of | [""A128CBC-HS256"" , ""A256CBC-HS512""]",The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of,The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro userinfo_signed_response_alg -x,TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of | [""RS256"", ""RS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the token_endpoint_auth_method parameter is present in the openid_relying_party type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of,The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro token_endpoint_auth_method +x,TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the token_endpoint_auth_method parameter is present in the openid_relying_party type and contains the value 'one_of': ['private_key'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['private_key']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of | [""private_key""]",The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of,The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_encrypted_response_alg +x,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +o,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_enc parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of,The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_encrypted_response_enc +o,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_enc parameter is present in the openid_relying_party type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of | [""A128CBC-HS256"" , ""A256CBC-HS512""]",The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of,The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_signed_response_alg +x,TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of | [""RS256"", ""RS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto ,TA-Entity Statement response TA RP-release,TA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the TA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response TA RP,Does the TA correctly release the Entity statements,"After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. 
The response is then checked and it must contain the subordinate entity's Entity Statement.",TA,,Entity Statement response TA RP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it.,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, ,TA-Entity Statement response TA RP-sub,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the sub parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, ,TA-Entity Statement response TA RP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims ,TA-Entity Statement response TA RP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the claims claim is a list of JSON Objects, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain a correct 
claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims ,TA-Entity Statement response TA RP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the email claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro email +,TA-Entity Statement response TA RP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the email claim is of type 
string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No email ,TA-Entity Statement response TA RP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the exp claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro exp +x,TA-Entity Statement response TA RP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter 
type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No exp +,TA-Entity Statement response TA RP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, ,TA-Entity Statement response TA RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat claim is present, not compliant 
otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, ,TA-Entity Statement response TA RP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the id claim,"The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the logo_uri claim is present in the trust_mark JWT in the trust_marks parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,,failed,"Manca parametro metadata, c'รจ metadata_policy" +,TA-Entity Statement response TA RP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the logo_uri claim is present in the trust_mark JWT in the trust_marks parameter, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri 
claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro logo_uri ,TA-Entity Statement response TA RP-trust_mark-logo_uri-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the logo_uri parameter in the trust mark in the trust marks parameter of the response is an URI, not compliant otherwise ",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain a correct logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro logo_uri ,TA-Entity Statement response TA RP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_name claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",TA,,Entity Statement response TA RP 
| body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_name +x,TA-Entity Statement response TA RP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No organization_name ,TA-Entity Statement response TA RP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_type claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust 
Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_type ,TA-Entity Statement response TA RP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_type claim is 'public' or 'private', not compliant otherwise",JWT list values,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain a correct organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro organization_type ,TA-Entity Statement response TA RP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA 
RP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri ,TA-Entity Statement response TA RP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the policy_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro 
policy_uri ,TA-Entity Statement response TA RP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the ref claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response TA RP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, ,TA-Entity Statement response TA RP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response TA 
RP,Trigger Entity Statement response TA RP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response TA RP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | sa_profile | [""light"", ""full""]","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro sa_profile ,TA-Entity Statement response TA RP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation ,TA-Entity Statement response TA RP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation 
@@ -574,7 +631,7 @@ x,TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_al x,TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_signed_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signed_response_alg.one_of | [""RS256"", ""RS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA x,SA-Fetch Entity Statement response SA RP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response SA RP,Trigger Fetch Entity Statement response SA RP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response SA RP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",SA,,Fetch Entity Statement response SA RP | body | [^\r\n]*.^([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. 
For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,TA-Fetch Entity Statement response TA OP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response TA OP,Trigger Fetch Entity Statement response TA OP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response TA OP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",TA,,Fetch Entity Statement response TA OP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. 
For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Fetch Entity Statement response TA OP -,TA-Fetch Entity Statement response TA RP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response TA RP,Trigger Fetch Entity Statement response TA RP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response TA RP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",TA,,Fetch Entity Statement response TA RP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. 
For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,,not_applicable,Fetch Entity Statement response TA RP +,TA-Fetch Entity Statement response TA RP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response TA RP,Trigger Fetch Entity Statement response TA RP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response TA RP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",TA,,Fetch Entity Statement response TA RP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. 
For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Fetch Entity Statement response TA RP x,RP-Introspection request-client_assertion,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client_assertion,The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.,RP,,Introspection request | body | client_assertion,The request to the Introspection Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, x,RP-Introspection request-client_assertion_type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion_type parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client_assertion_type,The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.,RP,,Introspection request | body | client_assertion_type,The request to the Introspection Endpoint must contain the client_assertion_type parameter and it has to be set to 
urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, x,RP-Introspection request-client_assertion_type-type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion_type parameter in the request is urn:ietf:params:oauth:clientassertion-type:jwt-bearer, not compliant otherwise",HTTP parameter value,Correct Input,Introspection request,Does the Introspection Request contain correct type of client_assertion_type,The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer,RP,,Introspection request | body | client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer,The request to the Introspection Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, 
@@ -607,7 +664,7 @@ x,OP-Introspection response-token-active-presence,Introspection Response to a Re
 x,OP-Introspection response-token-active-value,Introspection Response to a Request with a valid token,Introspection Response to a Request with a valid token,Introspection request with valid token in the token parameter,"Compliant if the Introspection Response is a JSON Object with only an 'active' parameter set to true, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection response,Does the Introspection Endpoint returns true on active tokens,"To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed",OP,,"Introspection response | body | ""active"": true","If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed,
 x,OP-Introspection response-token-expired,Introspection Request with an expired token,Introspection Request with an expired token,Introspection Request with an expired token,"Compliant if the Introspection Response's body is a JSON Object with only an 'active' parameter set to false, not compliant otherwise",/ manual: check flow,Correct Input,Introspection response,Does the Introspection Endpoint returns false on expired tokens,"To test that the Introspection response of the OP's correctly identifies expired tokens, an expired one is sent and the response is analyzed",OP,,,"If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 500
 x,OP-Introspection response-token-wrong-RP,Introspection Request with a token issued for another client,Introspection response to a request with a token issued for another client,Introspection Request with a token that does not belong to the RP making the request,"Compliant if the Introspection Response is a JSON Object with only an 'active' parameter set to false, not compliant otherwise",/ manual: check flow,Wrong Input,Introspection response,Does the Introspection Endpoint returns false on tokens that do not belong to the RP,"To test that the Introspection response of the OP's correctly identifies tokens that do not belong to the RP making the request, a token issued for another RP is sent by a different RP and the response is analyzed",OP,,,"If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403
-x,TA-Public Keys History response-published,TA's public keys history response,TA's public keys history response,Trigger Public Keys History response,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Public Keys History response,Does the TA publish the federation public key history,An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed,TA,,"Public Keys History response | body | \[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$","In order to enable the verification of messages exchanged by Entities participating in the federation and their Trust Chains, the TA MUST publish the federation public key history (JWKS) within a registry made available to all participants via the /.well-known/openid-federation-jwks endpoint.",SPID_CIE_OIDC#Retention-Policy; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/log_management.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,,not_applicable,Public Keys History response
+x,TA-Public Keys History response-published,TA's public keys history response,TA's public keys history response,Trigger Public Keys History response,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Public Keys History response,Does the TA publish the federation public key history,An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed,TA,,"Public 
Keys History response | body | \[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$","In order to enable the verification of messages exchanged by Entities participating in the federation and their Trust Chains, the TA MUST publish the federation public key history (JWKS) within a registry made available to all participants via the /.well-known/openid-federation-jwks endpoint.",SPID_CIE_OIDC#Retention-Policy; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/log_management.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Public Keys History response
 x,ALL-Resolve Entity Statement endpoint response-exposed,Resolve Entity Statement endpoint response,Resolve Entity Statement endpoint response,Trigger Resolve Entity Statement endpoint response,"Compliant if the Response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Resolve Entity Statement endpoint response,Does the Entity expose the resolve entity statement endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",ALL,,"Resolve Entity Statement response | body | [\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$","All the Entities MUST contain the resolve entity statement endpoint. 
It gives the final Metadata, the Trust Chain and the Trust Marks regarding another subject.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Resolve Entity Statement response
 o,OP-Revocation request-assertion-signature,Revocation Request's client assertion with a wrong signature of the JWT,Revocation request,Revocation Request with a client assertion in the body with a wrong signature,"Compliant if the Revocation response is an HTTP 400 because of invalid_request, not compliant otherwise",Signature JWT Response,Wrong Input,Revocation request,Does the OP verify the signature of the client assertion in the Revocation request,"Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. 
If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",OP,Revocation request | body | (?<=client_assertion=)([^&]+) | X_wrong_key,Revocation response | head | 400 | body | invalid_request,"The OP must test the validity of all the fields that are present in the JWT contained in the client assertion, plus the validity of its signature, with respect to the parameter client_id",SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Revocation request-token-absence,Revocation Request without token,Revocation request,Trigger Revocation Request without token,"Compliant if the Revocation response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Revocation request,Does the OP verify the presence of token in the Revocation request,"Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.",OP,Revocation request | body | (?<=token=)([^&]+) | ,Revocation response | head | 400 | body | invalid_request,The OP must test the validity of all the fields that are present in the revocation request,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, 
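Review bot: The rewritten `+x,TA-Public Keys History response-published` row only repairs the column count (`N_A,,` → `N_A,N_A,`) and leaves the row contradicting itself: its pass criterion reads "Compliant if the response contains a JWT", but the check cell `Public Keys History response | body | \[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` accepts any JSON array of strings, so an unsigned key list passes while a signed JWT registry fails, and nothing about signature, `kid` or validity period is checked for the very keys Trust Chains are verified against. Either the criterion text or the regex should change; if the registry is meant to be a signed JWT as the criterion says, the pattern the Fetch Entity Statement rows already use, `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)`, is the consistent choice. The neighbouring context row `x,ALL-Resolve Entity Statement endpoint response-exposed` carries the same array regex but without the leading backslash (`[\s*"[^"]*"…`), so its first `[` opens a character class and the pattern matches neither the array shape nor the JWT its own criterion requires. If the line break inside the new side's `"Public \nKeys History response | body | …"` cell is really in the file rather than a display artefact, that message name no longer equals `Public Keys History response` and the check will not be attached to its message at all.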
@@ -905,17 +962,17 @@ x,OP-Token response-wrong-assertion-iss,Token response,Token response,Token requ o,OP-Token response-error_description-if_error_grant_type,Successful error Token response,Token response,Trigger error Token response,"Compliant if the error token response has error_description parameter, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the error token response have error_description parameter,This test verifies the presence of error_description parameter in the error token response.,OP,,,The error Token response must have error_description parameter,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-error-value,Token Error response,Token response,Trigger Token response,"Compliant if the Token Response has the error parameter and it is set to a value among 'invalid_request', 'invalid_client', 'unsupported_grant_type', 'invalid_grant', 'server_error', or 'temporarily_unavailable'. Not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the Token error response contain a correct error parameter,"The Token error response is analyzed and the the error parameter in it is checked. It must have a value among 'invalid_request', 'invalid_client', 'unsupported_grant_type', 'invalid_grant', 'server_error', or 'temporarily_unavailable'",OP,,"Token response | body | error | [""invalid_request"", ""invalid_client"", ""unsupported_grant_type"", ""invalid_grant"", ""server_error"", ""temporarily_unavailable""]","If the Token Request (both ID Token and Refresh Token) is invalid or unauthorized, the OP constructs the error response. 
This response needs to have the error parameter with the error code ('invalid_request' or 'unauthorized_client')",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-wrong-assertion-jti,Token response to a request with a client assertion with a jti already used,Token response to a request with a client assertion with a jti already used,Token request with a client assertion with a jti already used in the life time of the JWT (JWT replay),"Compliant if the Token Response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing an already used jti in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the jti has already been used.,OP,,Token response | head | 400 | Token response | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the jti claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1-revoked"", ""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 -x,SA-Trust Mark status response SA-exposed-RP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response SA,HTTP 200 OK response containing the claim 'active' set to true,/ manual: TM check content,Correct Input,Trust Mark status response SA,Does the SA Trust Mark Status endpoint effectively verify valid Trust Marks of RP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the RP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",SA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Trust Mark status response SA-exposed-OP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response SA,HTTP 200 OK response containing the claim 'active' set to true,/ manual: TM check content,Correct Input,Trust Mark status response SA,Does the SA Trust Mark Status endpoint effectively verify valid Trust Marks of OP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the OP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",SA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Trust Mark status response SA RP-exposed-RP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response SA RP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: TM check content,Correct Input,Trust Mark status response SA RP,Does the SA Trust Mark Status endpoint effectively verify valid Trust Marks of RP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the RP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",SA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Trust Mark status response SA OP-exposed-OP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response SA OP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: TM check content,Correct Input,Trust Mark status response SA OP,Does the SA Trust Mark Status endpoint effectively verify valid Trust Marks of OP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the OP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",SA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, o,SA-Trust Mark status response SA-revocated-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status endpoint request with invalidated Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA,Does the SA invalidate revocated trust marks,"In order to check if a SA correctly invalidate a Trust Mark, a Trust Mark revocation request on a Trust Mark has to be made and then the trust mark status endpoint must be fetched. If the response says that the trust mark is invalid, than it is correctly invalidated, otherwise the SA is not compliant with the specification",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Trust Mark status response SA-not_valid-trust_mark-RP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA,Does the SA's trust mark status endpoint correctly refuses a not-valid id Trust Marks RP,"In order to check if the trust mark status endpoint of a SA correctly refuses invalid trust marks RP, a invalid trust mark can be sent to the endpoint and the response analyzed",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Trust Mark status response SA-not_valid-trust_mark-OP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA,Does the SA's trust mark status endpoint correctly refuses a not-valid id Trust Marks OP,"In order to check if the trust mark status endpoint of a SA correctly refuses invalid trust marks OP, a invalid trust mark can be sent to the endpoint and the response analyzed",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Trust Mark status response SA RP-not_valid-trust_mark-RP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA RP,Does the SA's trust mark status endpoint correctly refuses a not-valid id Trust Marks RP,"In order to check if the trust mark status endpoint of a SA correctly refuses invalid trust marks RP, a invalid trust mark can be sent to the endpoint and the response analyzed",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Trust Mark status response SA OP-not_valid-trust_mark-OP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA OP,Does the SA's trust mark status endpoint correctly refuses a not-valid id Trust Marks OP,"In order to check if the trust mark status endpoint of a SA correctly refuses invalid trust marks OP, a invalid trust mark can be sent to the endpoint and the response analyzed",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, x,SA-Trust Mark status response SA-different-entity-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status invalid request,"Compliant if the Trust Mark status response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA,Does the SA checks Trust Marks not issued by the Entity,"In this test, a valid Trust Mark issued by another entity is sent to an SA. If it validates the Trust Mark, than is not compliant with the specifications",SA,,,trust mark status endpoint: allows an Entity to test if a TM is still active or not. 
The request MUST be sent to the subject that has released that TM.,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,TA-Trust Mark status response TA-exposed-RP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response TA,HTTP 200 OK response containing the claim 'active' set to true,/ manual: check flow,Correct Input,Trust Mark status response TA,Does the TA Trust Mark Status endpoint effectively verify valid Trust Marks of RP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the RP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",TA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, -x,TA-Trust Mark status response TA-exposed-OP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response TA,HTTP 200 OK response containing the claim 'active' set to true,/ manual: status code,Correct Input,Trust Mark status response TA,Does the TA Trust Mark Status endpoint effectively verify valid Trust Marks of OP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the OP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",TA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,L,Return wrong status code,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Problema implementazione,F,F,failed,[SAME] Manca trust_mark in OP in EC +x,TA-Trust Mark status response TA RP-exposed-RP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response TA RP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: check flow,Correct Input,Trust Mark status response TA RP,Does the TA Trust Mark Status endpoint effectively verify valid Trust Marks of RP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the RP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",TA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, +x,TA-Trust Mark status response TA OP-exposed-OP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response TA OP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: status code,Correct Input,Trust Mark status response TA OP,Does the TA Trust Mark Status endpoint effectively verify valid Trust Marks of OP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the OP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",TA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,L,Return wrong status code,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Problema implementazione,F,F,failed,[SAME] Manca trust_mark in OP in EC o,TA-Trust Mark status response TA-revocated-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status endpoint request with invalidated Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA,Does the TA invalidate revocated trust marks,"In order to check if a TA correctly invalidate a Trust Mark, a Trust Mark revocation request on a Trust Mark has to be made and then the trust mark status endpoint must be fetched. If the response says that the trust mark is invalid, than it is correctly invalidated, otherwise the TA is not compliant with the specification",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,N_A,not_applicable, -x,TA-Trust Mark status response TA-not_valid-trust_mark-RP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA,Does the TA's trust mark status endpoint correctly refuses a not-valid id Trust Marks RP,"In order to check if the trust mark status endpoint of a TA correctly refuses invalid trust marks RP, a invalid trust mark can be sent to the endpoint and the response analyzed",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, -x,TA-Trust Mark status response TA-not_valid-trust_mark-OP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA,Does the TA's trust mark status endpoint correctly refuses a not-valid id Trust Marks OP,"In order to check if the trust mark status endpoint of a TA correctly refuses invalid trust marks OP, a invalid trust mark can be sent to the endpoint and the response analyzed",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, +x,TA-Trust Mark status response TA RP-not_valid-trust_mark-RP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA RP,Does the TA's trust mark status endpoint correctly refuses a not-valid id Trust Marks RP,"In order to check if the trust mark status endpoint of a TA correctly refuses invalid trust marks RP, a invalid trust mark can be sent to the endpoint and the response analyzed",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, +x,TA-Trust Mark status response TA OP-not_valid-trust_mark-OP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA OP,Does the TA's trust mark status endpoint correctly refuses a not-valid id Trust Marks OP,"In order to check if the trust mark status endpoint of a TA correctly refuses invalid trust marks OP, a invalid trust mark can be sent to the endpoint and the response analyzed",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, x,TA-Trust Mark status response TA-different-entity-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status invalid request,"Compliant if the Trust Mark status response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA,Does the TA checks Trust Marks not issued by the Entity,"In this test, a valid Trust Mark issued by another entity is sent to an TA. 
If it validates the Trust Mark, than is not compliant with the specifications",TA,,,trust mark status endpoint: allows an Entity to test if a TM is still active or not. The request MUST be sent to the subject that has released that TM.,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 - active: false x,RP-User logout-token-revocation,User's logout,Revocation request,Trigger User logout,"Compliant if the RP sends a Revocation Request regarding the access token, not compliant otherwise",HTTP parameter presence,Correct Input,User logout,Does the RP revoke the Token when the User logs out,"In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",RP,,Revocation request | body | token,"When the user logs out, the RP MUST revoke the Access Token in its possession",SPID_CIE_OIDC#logout; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/logout.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, x,RP-Userinfo request-access-token,RP's UserInfo request,Userinfo request,Trigger Userinfo request,"Compliant if the the authorization field in the header of the UserInfo Request contains an Access Token, not compliant otherwise",HTTP parameter presence,Correct Input,Userinfo request,Does the RP contain the Access Token in the UserInfo request,The UserInfo request from the RP is taken and analyzed. 
In the Authorization field of the header there must be an Access Token,RP,,UserInfo request | head | Authorization,"In order to obtain the requested claims, the RP sends a request to the UserInfo Endpoint using the Access Token",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, From ab95d979db5adbf7f7f56a6c903d10a3b8e523cf Mon Sep 17 00:00:00 2001 
From: marche271 Date: Fri, 5 Apr 2024 08:43:36 +0200 Subject: [PATCH 2/5] Clean update of tests --- .../input/mig-t/tests/single/AA/All_AA.json | 586 +- .../mig-t/tests/single/AA/All_AA_Passive.json | 586 +- .../mig-t/tests/single/ALL_Session1.json | 21574 ++++++++-------- .../input/mig-t/tests/single/OP/All_OP.json | 6792 ++--- .../mig-t/tests/single/OP/All_OP_Passive.json | 2324 +- .../input/mig-t/tests/single/PASSIVE.json | 13238 +++++----- .../input/mig-t/tests/single/RP/All_RP.json | 2540 +- .../mig-t/tests/single/RP/All_RP_Passive.json | 1976 +- ... request-JWT-header-alg-not_in_value.json} | 0 ...n request-JWT-header-client_id-value.json} | 0 .../RP-Token response-Assertion-aud-type.json | 41 - .../input/mig-t/tests/single/SA/All_SA.json | 2170 +- .../mig-t/tests/single/SA/All_SA_Passive.json | 2170 +- .../input/mig-t/tests/single/TA/All_TA.json | 3784 +-- .../mig-t/tests/single/TA/All_TA_Passive.json | 3644 +-- ..."}}},\"required\": [\"id_code\"]}\").json" | 46 - ...tity Statement response TA OP-exposed.json | 32 - ... response TA OP-trust_mark-sa_profile.json | 46 - ...tity Statement response TA RP-exposed.json | 32 - ... 
response TA RP-trust_mark-sa_profile.json | 46 - ...s response TA-valid-trust_mark-status.json | 32 - ...us response TA-valid-trust_mark-value.json | 32 - ...atus response-valid-trust_mark-status.json | 32 - ...tatus response-valid-trust_mark-value.json | 32 - ...nfo response-JWS-payload-aud-presence.json | 48 - testplans/spid-cie-oidc/testplan.csv | 4 +- 26 files changed, 30694 insertions(+), 31113 deletions(-) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/{RP-Authentication request-JWT-header-alg.json => RP-Authentication request-JWT-header-alg-not_in_value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/{RP-Authentication request-JWT-client_id-value.json => RP-Authentication request-JWT-header-client_id-value.json} (100%) delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Token response-Assertion-aud-type.json delete mode 100644 "testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/Entity Statement response TA OP | body | [^\\r\\n]* | payload | trust_marks | trust_mark | payload | | {\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}\").json" delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-exposed.json delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sa_profile.json delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-exposed.json delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA 
RP-trust_mark-sa_profile.json delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response TA-valid-trust_mark-status.json delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response TA-valid-trust_mark-value.json delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response-valid-trust_mark-status.json delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response-valid-trust_mark-value.json delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/tbcheck/[NON ESISTE] OP-Userinfo response-JWS-payload-aud-presence.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json index 32f39de..5f61c7f 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -24,8 +24,13 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -37,8 +42,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -54,8 +59,13 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
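Review bot: The JSONPath `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of` added in the hunk at @@ -24,8 +24,13 @@ (and the matching `token_endpoint_auth_signing_alg_values_supported.one_of` at @@ -54,8 +59,13 @@) carries a `.one_of` suffix, which is a metadata_policy operator; in an Entity Configuration the metadata claim itself is a plain array of algorithm names. If the path selects nothing, a `not contains` check presumably passes vacuously, so an AA advertising `none` or an HS* algorithm would go undetected. Dropping the suffix, `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported"`, applies the deny-list to the advertised values; if the tool does not fail on an absent path, the separate `is present` test for this claim should be kept alongside it.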
@@ -67,8 +77,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -79,13 +89,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } @@ -97,8 +107,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
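Review bot: The schema string added at @@ -79,13 +89,13 @@ ends in `]})"`, so the embedded JSON Schema is `{...})` with a stray closing parenthesis and will not parse; the logo_uri schema at @@ -109,13 +119,13 @@ on the next line has the same typo. Whether the tool reports a parse error or a pass, the issuer and logo_uri values are not actually validated by these two tests. Remove the parenthesis: `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]}"`, and likewise for logo_uri.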
@@ -109,13 +119,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -127,8 +137,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -144,8 +154,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } @@ -157,8 +167,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
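Review bot: The description added at @@ -127,8 +137,8 @@ says the trust_marks parameter must be an array, but the schema in the check hunk @@ -144,8 +154,8 @@ declares `\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}`, so an Entity Configuration using the array form the description (and OpenID Federation) calls for fails this test, while an object of arrays passes. If the array form is intended the schema should read `{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"trust_marks\"]}`; otherwise the description needs to say what shape is expected.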
@@ -174,8 +184,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -187,8 +197,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -204,8 +214,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -217,8 +227,8 @@ }, { "test": { - "name": "Does the AA metadata contain op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
@@ -229,13 +239,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata.openid_provider.op_policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -247,8 +257,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
@@ -256,12 +266,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } @@ -271,8 +287,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
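Review bot: The schema added in the hunk at @@ -256,12 +266,18 @@ lists all six metadata types under `required`, so an AA Entity Configuration that publishes only the types it implements (for example federation_entity plus oauth_authorization_server) fails, although the description only asks that keys be among the allowed set and not repeated. The allowed-set rule is already expressed by `\"additionalProperties\": false`, and object keys cannot repeat once the JWT payload is parsed. Drop the `required` list, or reduce it to the types every AA must publish, so the check matches the description.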
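Review bot: The description added at @@ -271,8 +287,8 @@ reads "the SA metadata in the TA Entity Configuration", while the test name and the check path `$.metadata.federation_entity` in this AA file concern the AA Entity Configuration; this looks like a copy from the TA/SA test set. Suggest `"description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file"`.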
@@ -283,13 +299,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -301,8 +317,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -310,11 +326,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + } + ] } ] } 
@@ -324,8 +347,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -333,11 +356,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + } + ] } ] } @@ -347,8 +377,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" 
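Review bot: The const check added at @@ -333,11 +356,18 @@ looks for `authorization_endpoint` under `$.metadata.federation_entity`, while the presence check at @@ -389,13 +419,13 @@ on the next line looks for the same claim under `$.metadata.oauth_authorization_server`; one of the two paths is presumably wrong, and the description at @@ -324,8 +347,8 @@ repeats the 'federation_entity' location. Align the path with where the AA actually publishes the claim, e.g. `"check": "$.metadata.oauth_authorization_server"` if it belongs to the authorization server metadata, and fix the description to match.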
@@ -364,8 +394,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } @@ -377,8 +407,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -389,13 +419,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "is present": "true" } ] } 
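Review bot: The description added at @@ -347,8 +377,8 @@ says the op_policy_uri value must be "private", but the schema in @@ -364,8 +394,8 @@ only requires a string with `\"format\": \"uri\"`; the two cannot both be right. Note also that `format` is an annotation by default in JSON Schema and is only enforced when the validator opts in, so as written this check may accept any string, unlike the sibling issuer and logo_uri checks that add `\"pattern\": \"^https://\"`. If a URL is intended, use `{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://\"}},\"required\": [\"op_policy_uri\"]}` and reword the description; if the literal "private" is intended, use `\"const\": \"private\"` as the authorization_endpoint test does.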
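Review bot: The hunk at @@ -389,13 +419,13 @@ renames the decode key to `"decode regex"`, as do the hunks on the following lines (@@ -419, -449, -479, -509, -539, -569), but the new side of the earlier hunks in this file (@@ -79, -109, -229, -256, -283, -310, -333) still writes `"decode param"`. If the tool recognises only one of these spellings, the tests using the other will silently decode nothing and their `payload` checks never run against real data. Pick one key for the whole file; given this commit's direction that would be `"decode regex": "[^\\r\\n]*"` everywhere.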
@@ -407,8 +437,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain the contacts claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -419,13 +449,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } @@ -437,8 +467,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -449,13 +479,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "is present": "true" } ] } @@ -467,8 +497,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain the federation_resolve_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -479,13 +509,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -497,8 +527,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -509,13 +539,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } @@ -527,8 +557,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain the grant_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -539,13 +569,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "is present": "true" } ] } @@ -557,8 +587,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the AA metadata contain the homepage_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -569,13 +599,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -587,8 +617,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", + "name": "Does the AA metadata contain the issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -599,13 +629,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + "check": "$.metadata.oauth_authorization_server.issuer", + "is present": "true" } ] } @@ -617,8 +647,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", + "name": "Does the AA metadata contain the jwks claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -629,13 +659,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + "check": "$.metadata.oauth_authorization_server.jwks", + "is present": "true" } ] } @@ -647,8 +677,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", + "name": "Does the AA metadata contain the logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -659,13 +689,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
@@ -677,8 +707,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the AA metadata contain the op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -686,11 +716,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "is present": "true" + } + ] } ] } 
@@ -700,20 +737,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the AA metadata contain the op_tos_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "is present": "true" + } + ] } ] } @@ -723,8 +767,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does the AA metadata contain the organization_name claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -740,11 +784,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } @@ -756,8 +797,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does the AA metadata contain the policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -773,10 +814,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } @@ -788,8 +827,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does the AA metadata contain the resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -805,11 +844,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata.oauth_resource.resource", + "is present": "true" } ] } @@ -821,8 +857,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain the response_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -833,18 +869,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.oauth_authorization_server.response_types_supported", + "is present": "true" } ] } 
@@ -856,8 +887,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain the scopes_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -868,18 +899,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.oauth_authorization_server.scopes_supported", + "is present": "true" } ] } @@ -891,8 +917,8 @@ }, { "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -908,7 +934,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "check": "$.metadata.oauth_authorization_server.token_endpoint", "is present": "true" } ] @@ -921,8 +947,8 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -938,7 +964,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", "is present": "true" } ] @@ -951,8 +977,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -968,7 +994,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] @@ -981,8 +1007,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration AA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -993,13 +1019,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -1011,8 +1037,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" 
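Review bot: The hunk `@@ -993,13 +1019,13 @@` renames `"decode regex"` back to `"decode param"` while the earlier hunks of this file (from `@@ -419,13 +449,13 @@` on) rename the same key in the opposite direction, so the new side ends up using both spellings; the same reversal appears in every decode operation from `@@ -1143,12 +1141,12 @@` through `@@ -1383,15 +1381,9 @@`. If mig-t recognises only one of the two keys, the tests carrying the other never decode the JWT and their checks cannot fail meaningfully, so one spelling should be used throughout — presumably `"decode regex": "[^\\r\\n]*"`, which the majority of the new side already uses. Separately, the description says the sub value must equal the iss parameter, but the check pins it to a configured value with `"is": "X_key_AA"`; either compare the two claims or reword the description to `"... the sub parameter is checked. Its value must be equal to the configured AA entity identifier"`. The enclosing test object begins and ends outside the hunk.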
@@ -1020,18 +1046,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -1041,8 +1060,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -1050,18 +1069,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
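Review bot: The check added in `@@ -1050,18 +1069,11 @@` for the "Does the Entity expose the /.well-known/openid-federation endpoint" test is byte-identical to the one added in the preceding hunk for the HTTP-code test — `"in": "head"`, `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`, `"is present": "true"` — so the two tests can never disagree and the second adds no coverage. Its description promises that "its entity configuration is expected as response", yet nothing in the check inspects the body. If a distinct test is intended, give it a body-level check such as `"in": "body"` with a JWT-shaped `"check regex"`, or drop one of the two. Both test objects begin and end outside the hunk.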
@@ -1071,8 +1083,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -1080,18 +1092,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
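Review bot: The JOSE-format check moved into `@@ -1080,18 +1092,11 @@`, `"check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)"`, is unanchored and its third group may be empty, so any body containing two dots — a hostname inside an HTML or JSON error page, for instance — satisfies `"is present": "true"`, and a token with an empty signature segment passes as well. The first two groups also omit `-`, which base64url uses, while `+`, `/` and `=` belong to standard base64 rather than base64url. If mig-t's `check regex` is a search rather than a full match, anchoring and tightening the alphabet, e.g. `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`, would make the test reject malformed or unsigned responses; the Content-Type requirement stated in the description is not checked here either, though a separate test at the end of this file covers it. The enclosing test object begins and ends outside the hunk.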
@@ -1101,27 +1106,20 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } @@ -1131,8 +1129,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" 
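Review bot: In the resolve-endpoint regex moved here, `"check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`, the leading `[` is unescaped while the closing `\\]` is escaped, so the opening bracket starts a character class (`[\s*"[^"]`) instead of matching a literal `[`, and the effective pattern differs from the JSON string array the author evidently intended. Escaping it as `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"` restores that shape. The description also expects an HTTP 200 OK response, but only the body is inspected; a head check like the `"HTTP/?\\d?\\.?\\d?\\s200"` one used elsewhere in this file would cover it. The enclosing test object begins and ends outside the hunk.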
@@ -1143,12 +1141,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", + "check": "$.trust_marks", "is present": "true" } ] @@ -1161,8 +1159,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1173,12 +1171,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.exp", "is present": "true" } ] @@ -1191,8 +1189,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1203,12 +1201,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "check": "$.iat", "is present": "true" } ] @@ -1221,8 +1219,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1233,12 +1231,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "check": "$.iss", "is present": "true" } ] @@ -1251,8 +1249,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1263,12 +1261,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.jwks", "is present": "true" } ] @@ -1281,8 +1279,8 @@ }, { "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1293,12 +1291,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata", "is present": "true" } ] @@ -1311,8 +1309,8 @@ }, { "test": { - "name": "Does the AA metadata contain the resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1323,12 +1321,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_resource.resource", + "check": "$.sub", "is present": "true" } ] 
@@ -1341,8 +1339,8 @@ }, { "test": { - "name": "Does the AA metadata contain the response_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", "type": "passive", "sessions": [ "s1" @@ -1353,12 +1351,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", + "check": "$..metadata.openid_provider.op_policy_uri", "is present": "true" } ] @@ -1371,8 +1369,8 @@ }, { "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" 
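Review bot: The openid_provider op_policy_uri test in `@@ -1353,12 +1351,12 @@` diverges from every sibling test on the new side: it uses `"check": "$..metadata.openid_provider.op_policy_uri"` with recursive descent where the others use `$.metadata...`, and `"decode param": "[^\\n\\r]*"` where the others use `[^\\r\\n]*`. `$..metadata` matches a key named metadata at any depth, so the presence check could be satisfied by a nested object rather than the top-level metadata claim; if the check is meant to behave like its neighbours it should read `"check": "$.metadata.openid_provider.op_policy_uri"`. The name set in the preceding hunk, `"Does the AA metadata contain op_policy_uri claim"`, is one article away from the oauth_authorization_server test introduced earlier (`@@ -677,8 +707,8 @@`); naming the entity type, e.g. `"name": "Does the AA metadata contain the op_policy_uri claim in the openid_provider entity type"`, keeps the two distinguishable in a report. The enclosing test object begins and ends outside the hunk.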
@@ -1383,15 +1381,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", - "is present": "true" - } - ] + "jwt check sig": "X_key_AA" } ] } @@ -1401,8 +1393,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -1418,8 +1410,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -1432,7 +1427,7 @@ { "test": { "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" 
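Review bot: After `@@ -1432,7 +1427,7 @@` the test keeps the name `"Does the AA metadata contain the token_endpoint_auth_methods_supported claim"` while its description (and the `is in` check in the following hunk, `@@ -1448,8 +1443,10 @@`) now asserts the `'one_of': ['private_key_jwt']` value, and a second test with exactly that name and a plain presence check is introduced earlier in this file (`@@ -921,8 +947,8 @@`). Two tests with the same name but different checks leave a report ambiguous about which one failed. Renaming this one in the style of its neighbours, `"name": "Does the AA metadata contain correct token_endpoint_auth_methods_supported claim"`, removes the clash. The enclosing test object begins and ends outside the hunk.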
@@ -1448,8 +1443,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } @@ -1461,8 +1458,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -1478,8 +1475,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } 
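Review bot: Both checks on this line target `...token_endpoint_auth_methods_supported.one_of` and `...token_endpoint_auth_signing_alg_values_supported.one_of`, but `one_of` is the operator a Trust Anchor uses inside `metadata_policy`, whereas an entity's own `metadata` normally lists these values as plain arrays; unless the AA EC really nests them under `one_of`, the JSONPath selects nothing. Whether `is in` then fails or passes vacuously decides if the test is a no-op, so this should be verified against a real AA Entity Configuration. If the metadata is a plain array the check becomes `"check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported"` with the same `is in` list, and likewise for the signing-algorithm check in the third hunk.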
@@ -1491,8 +1491,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -1500,12 +1500,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_AA" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json index 32f39de..5f61c7f 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -24,8 +24,13 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -37,8 +42,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -54,8 +59,13 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
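Review bot: The two new `not contains` checks on `dpop_signing_alg_values_supported.one_of` and `token_endpoint_auth_signing_alg_values_supported.one_of` are deny-lists, so any algorithm outside `none`/`HS256`/`HS384`/`HS512` is accepted even where the profile only permits RS256 and RS512; the positive `is in` checks in All_AA.json carry the real policy and this passive plan has no equivalent. If the passive plan is meant to run on its own, add the allow-list here too, e.g. `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", "is in": ["RS256", "RS512"]`. As with the sibling checks, the `.one_of` suffix assumes the EC metadata nests values under a policy operator — confirm against a real AA EC, since a non-matching path makes a `not contains` check pass trivially.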
@@ -67,8 +77,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -79,13 +89,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } @@ -97,8 +107,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
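Review bot: The `json schema compliant` string added for the issuer check in the second hunk ends with `]})` — the `)` after the closing brace makes the schema invalid JSON, so the validator either raises or, depending on how mig-t treats a schema parse failure, reports nothing for this test. Drop the stray character so the string ends `...\"required\":[\"issuer\"]}`. The same trailing `)` is present in the logo_uri schema that follows in this file.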
@@ -109,13 +119,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -127,8 +137,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -144,8 +154,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } @@ -157,8 +167,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
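Review bot: The logo_uri schema string in the first hunk has the same malformed ending `]})` as the issuer schema before it, so it is not parseable JSON Schema and the URL check is never actually applied. The fix is the same one character: end the string with `...\"required\":[\"logo_uri\"]}`. Until then an `http://` or non-URL `logo_uri` cannot be caught by this test.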
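Review bot: The trust_marks check in the third hunk contradicts its own description: the description (second hunk) says the parameter "must be an array", but the schema requires `trust_marks` to be an object whose values are arrays, so an Entity Configuration carrying `trust_marks` as an array — the shape the description expects — fails the test. Make the schema match the stated contract, e.g. `{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"object\"}}}, \"required\": [\"trust_marks\"]}`. If the object form is intentional, the description is the side that needs correcting.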
@@ -174,8 +184,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -187,8 +197,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -204,8 +214,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -217,8 +227,8 @@ }, { "test": { - "name": "Does the AA metadata contain op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
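Review bot: The exp schema in the second hunk only asserts `integer, minimum 0`, so an Entity Configuration that expired long ago, or whose `exp` precedes `iat`, passes. Freshness is the property that matters for an EC (a stale statement replayed by an attacker should be rejected), so if mig-t offers a timestamp comparison it belongs here; if it does not, the description should state that only the type is checked, e.g. `"description": "... the exp parameter is checked to be a non-negative integer (no freshness check is performed)"`. The same applies to the iat schema in the fourth hunk.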
@@ -229,13 +239,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata.openid_provider.op_policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -247,8 +257,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
@@ -256,12 +266,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } @@ -271,8 +287,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
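Review bot: The metadata schema added in the first hunk lists all six entity types under `required`, so an AA Entity Configuration that publishes only `federation_entity` and `oauth_authorization_server` — the shape every other check in this file assumes — fails, while the description only says the keys must be among the allowed set and not repeated. `additionalProperties: false` already enforces the allowed set, and a repeated key is not representable after JSON parsing anyway, so `required` should be removed or cut down to what an AA must actually publish, e.g. `\"required\": [\"federation_entity\", \"oauth_authorization_server\"]`. As written the schema also accepts an empty `metadata` object unless `\"minProperties\": 1` is added.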
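Review bot: The description of the logo_uri type test in the second hunk reads "the SA metadata in the TA Entity Configuration", which contradicts the test name and the `Entity Configuration response AA` message type the test operates on; it looks copied from the SA/TA plan. Suggest `"description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is checked to be an HTTPS URL pointing to an .svg file"`.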
@@ -283,13 +299,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -301,8 +317,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -310,11 +326,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + } + ] } ] } 
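Review bot: The resource type check in the third hunk validates `$.metadata.federation_entity` for a required `resource` property, but the presence test later in this same file reads the claim from `$.metadata.oauth_resource.resource`, and `resource` is resource-server metadata rather than a federation_entity claim. An AA that publishes it under `oauth_resource` therefore fails this test while passing the presence test. Point the schema at the same object, `"check": "$.metadata.oauth_resource"`, keeping the HTTPS-URL schema unchanged.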
@@ -324,8 +347,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -333,11 +356,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + } + ] } ] } @@ -347,8 +377,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" 
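Review bot: The authorization_endpoint type check in the second hunk requires `$.metadata.federation_entity.authorization_endpoint` to be the constant string `"private"`, whereas the presence check for the same claim in this file looks under `oauth_authorization_server` and the claim is by nature an endpoint URL. Unless `"private"` is a placeholder the tool substitutes at run time, this test can only pass on a non-conformant EC. The third hunk's op_policy_uri description makes the same `"private"` claim while its schema on the next line of the patch validates a URI, so both descriptions and checks need reconciling — e.g. `"check": "$.metadata.oauth_authorization_server"` with a `format: uri`, `pattern: ^https://` schema for `authorization_endpoint`.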
@@ -364,8 +394,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } @@ -377,8 +407,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -389,13 +419,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "is present": "true" } ] } 
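Review bot: The op_policy_uri schema in the first hunk accepts any `format: uri` without the `^https://` pattern that every other URI check in this file applies, so an `http://` policy URL passes, and it reads the claim from `$.metadata.openid_provider` while the presence check later in the file reads `$.metadata.oauth_authorization_server.op_policy_uri`. Suggest `\"op_policy_uri\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"}` and one agreed path for both tests. The description's statement that the value is `"private"` matches neither this schema nor a URI.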
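Review bot: The third hunk changes `decode param` back to `decode regex`, so after this patch the passive AA plan uses `decode param` for the first batch of tests and `decode regex` for the rest, with the same `[^\\r\\n]*` value. If mig-t recognises only one spelling, the tests using the other never decode the JWT and their checks run against nothing, turning security assertions into silent passes or errors. Pick one key for the whole file; the All_AA.json hunks earlier in this patch mix the two in the same way.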
@@ -407,8 +437,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain the contacts claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -419,13 +449,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } @@ -437,8 +467,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -449,13 +479,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "is present": "true" } ] } @@ -467,8 +497,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain the federation_resolve_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -479,13 +509,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -497,8 +527,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -509,13 +539,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } @@ -527,8 +557,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain the grant_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -539,13 +569,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "is present": "true" } ] } @@ -557,8 +587,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the AA metadata contain the homepage_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -569,13 +599,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -587,8 +617,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", + "name": "Does the AA metadata contain the issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -599,13 +629,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + "check": "$.metadata.oauth_authorization_server.issuer", + "is present": "true" } ] } @@ -617,8 +647,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", + "name": "Does the AA metadata contain the jwks claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -629,13 +659,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + "check": "$.metadata.oauth_authorization_server.jwks", + "is present": "true" } ] } @@ -647,8 +677,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", + "name": "Does the AA metadata contain the logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -659,13 +689,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
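Review bot: The jwks check in the first hunk only asserts that `$.metadata.oauth_authorization_server.jwks` exists; it does not verify that the key set is usable or that it contains only public material, so an Entity Configuration that ships a private RSA parameter in a JWK, or an empty `keys` array, passes. A schema check in the style this file already uses catches both: `"check": "$.metadata.oauth_authorization_server.jwks", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"object\", \"required\": [\"kty\"], \"not\": {\"anyOf\": [{\"required\": [\"d\"]}, {\"required\": [\"p\"]}, {\"required\": [\"q\"]}]}}}}, \"required\": [\"keys\"]}"`. The presence check can stay as a separate, weaker test if the plan prefers one assertion per test.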
@@ -677,8 +707,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the AA metadata contain the op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -686,11 +716,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "is present": "true" + } + ] } ] } 
@@ -700,20 +737,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the AA metadata contain the op_tos_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "is present": "true" + } + ] } ] } @@ -723,8 +767,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does the AA metadata contain the organization_name claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -740,11 +784,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } @@ -756,8 +797,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does the AA metadata contain the policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -773,10 +814,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } @@ -788,8 +827,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does the AA metadata contain the resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -805,11 +844,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata.oauth_resource.resource", + "is present": "true" } ] } @@ -821,8 +857,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain the response_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -833,18 +869,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.oauth_authorization_server.response_types_supported", + "is present": "true" } ] } 
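Review bot: The `not contains` guard rejecting `none`, `HS256`, `HS384` and `HS512` in `dpop_signing_alg_values_supported.one_of` disappears in the `@@ -833` hunk, and the `response_types_supported` presence check that takes its place does not cover it. The positive `"is in": ["RS256", "RS512"]` test that reappears later in this patch only closes the gap if mig-t's `is in` rejects every value outside the list, which is not visible here; if it merely requires overlap, an AA advertising `none` or an HMAC algorithm next to `RS256` passes unnoticed. Unless the negative test is re-added elsewhere in the reordered file, keep it alongside the presence check; the same applies to the `token_endpoint_auth_signing_alg_values_supported` hunk that follows.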
@@ -856,8 +887,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain the scopes_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -868,18 +899,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.oauth_authorization_server.scopes_supported", + "is present": "true" } ] } @@ -891,8 +917,8 @@ }, { "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -908,7 +934,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "check": "$.metadata.oauth_authorization_server.token_endpoint", "is present": "true" } ] @@ -921,8 +947,8 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -938,7 +964,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", "is present": "true" } ] @@ -951,8 +977,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -968,7 +994,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] @@ -981,8 +1007,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration AA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -993,13 +1019,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -1011,8 +1037,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" 
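Review bot: The new `sub` check in the `@@ -993` hunk compares against the fixed placeholder `"is": "X_key_AA"`, while the description promises that `sub` equals `iss`; an Entity Configuration whose `iss` differs from `sub` still passes as long as `sub` matches the configured value. If mig-t can compare two claims, express it that way; otherwise add a sibling check `{"in": "payload", "check": "$.iss", "is": "X_key_AA"}` so both claims are pinned to the same identifier. The same hunk also flips `decode regex` to `decode param` for the `[^\\r\\n]*` pattern that other hunks in this patch convert in the opposite direction; if the two keys are not synonyms in mig-t, one of the variants silently decodes nothing and every check under it is vacuous.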
@@ -1020,18 +1046,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -1041,8 +1060,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -1050,18 +1069,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
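Review bot: The test renamed to "Does the Entity expose the /.well-known/openid-federation endpoint" in the `@@ -1050` hunk ends up identical to the HTTP 200 test just above it: both only run `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` on the head, although this description promises that an entity configuration is expected as the response. Either make the second test look at the body (the JOSE compact-serialization check later in this patch would fit) or delete it, so one passing status line is not reported as two independent findings. The regex itself is unanchored and its version part is entirely optional, so it also matches unrelated text such as `HTTP 200` inside a header value; anchoring with `^` ties it to the status line.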
@@ -1071,8 +1083,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -1080,18 +1092,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
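Review bot: The moved JOSE-format check `"check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)"` is not anchored and uses `\w`, which excludes the `-` that base64url produces and admits `=` padding that JWS compact serialization forbids; any body containing two dots between word characters (an error page, a JSON string) satisfies it. Replace it with `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"` so only a complete three-part JWS passes. The "JOSE format" claim in the description also depends on the Content-Type test at the end of this patch, so the two should be kept together in the suite.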
@@ -1101,27 +1106,20 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } @@ -1131,8 +1129,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" 
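Review bot: The resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` in the `@@ -1101` hunk starts with an unescaped `[`, so the opening bracket begins a character class instead of matching a literal `[`; if mig-t compiles it with java.util.regex the class is never closed and the pattern fails to compile, and under PCRE-style engines it collapses to a small class followed by `*"..."` that matches almost any body ending in `"]`. The intended pattern is `^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`. Separately, the description says the response carries the resolved metadata of `sub`, which the federation drafts return as a signed JWT or a metadata object rather than a bare JSON array of strings; the check and the description should agree on the format the resolve endpoint actually returns.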
@@ -1143,12 +1141,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", + "check": "$.trust_marks", "is present": "true" } ] @@ -1161,8 +1159,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1173,12 +1171,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.exp", "is present": "true" } ] @@ -1191,8 +1189,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1203,12 +1201,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "check": "$.iat", "is present": "true" } ] @@ -1221,8 +1219,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1233,12 +1231,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "check": "$.iss", "is present": "true" } ] @@ -1251,8 +1249,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1263,12 +1261,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.jwks", "is present": "true" } ] @@ -1281,8 +1279,8 @@ }, { "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1293,12 +1291,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata", "is present": "true" } ] @@ -1311,8 +1309,8 @@ }, { "test": { - "name": "Does the AA metadata contain the resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1323,12 +1321,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_resource.resource", + "check": "$.sub", "is present": "true" } ] 
@@ -1341,8 +1339,8 @@ }, { "test": { - "name": "Does the AA metadata contain the response_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", "type": "passive", "sessions": [ "s1" @@ -1353,12 +1351,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", + "check": "$..metadata.openid_provider.op_policy_uri", "is present": "true" } ] @@ -1371,8 +1369,8 @@ }, { "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" 
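Review bot: The `op_policy_uri` test in the `@@ -1353` hunk looks under `$..metadata.openid_provider.op_policy_uri` although this suite targets an AA, whose metadata live under `oauth_authorization_server` (the sibling test earlier in this patch checks `$.metadata.oauth_authorization_server.op_policy_uri`); against a real AA Entity Configuration it will always fail and looks copied from the OP test set. The recursive-descent `$..` also matches a `metadata.openid_provider` object at any depth, e.g. inside a nested policy or statement, so even when it passes it may not be inspecting the entity's own metadata. Either drop the test as a duplicate or change it to `"check": "$.metadata.oauth_authorization_server.op_policy_uri"`.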
@@ -1383,15 +1381,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", - "is present": "true" - } - ] + "jwt check sig": "X_key_AA" } ] } @@ -1401,8 +1393,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -1418,8 +1410,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -1432,7 +1427,7 @@ { "test": { "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" 
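Review bot: The signature test in the `@@ -1383` hunk verifies the Entity Configuration with the preconfigured `"jwt check sig": "X_key_AA"`, while its description says the key must be taken from a superior's Entity Statement; an Entity Configuration is signed with a key from the entity's own `jwks`, so the description should state that the configured value is the expected AA key rather than one fetched from a superior. Nothing in the operation pins the header `alg`, so the test relies on the verifier refusing `none` and HMAC algorithms when handed an RSA public key; with the `not contains` checks on `none`/HS* removed elsewhere in this patch, a header check such as `{"in": "header", "check": "$.alg", "is in": ["RS256", "RS512"]}` beside the signature check would close that gap, if mig-t supports header checks inside a `jwt` decode operation.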
@@ -1448,8 +1443,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } @@ -1461,8 +1458,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -1478,8 +1475,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -1491,8 +1491,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -1500,12 +1500,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_AA" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json index 631b36b..024ba49 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json 
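Review bot: The Content-Type test in the `@@ -1500` hunk uses exact equality, `"is": "application/entity-statement+jwt"`, so a response carrying a parameter such as `application/entity-statement+jwt; charset=utf-8` fails even though the media type is correct; if that strictness is intended, say so in the description, otherwise a regex anchored on the media type is more robust. The same check writes its flag as a JSON boolean, `"url decode": false`, while every other flag in these files is a string (`"is present": "true"`); mixing the two invites a parser that compares strings to treat `false` as unset.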
@@ -7,32 +7,25 @@ "tests": [ { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
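Review bot: The first test is named "correct exp parameter", but the schema `{"exp": {"type": "integer", "minimum": 0}}` only proves that `exp` is a non-negative integer and the description still says "presence"; an expired statement or `exp: 0` passes. JSON Schema cannot compare `exp` with `iat` or with the current time, so either rename the test to what it checks or pair it with a mig-t value check, and raise `minimum` to 1 so a zero placeholder is rejected. This hunk also removes the Trust Mark `id_code.ipa_code` check on `Entity Statement response TA OP`; if it is not re-added elsewhere in the reordered file, the public-organization trust mark content is no longer tested.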
@@ -44,32 +37,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -81,32 +67,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -118,32 +97,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
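Review bot: The metadata-type schema in the `@@ -118` hunk lists all six entity types under `"required"`, so an SA Entity Configuration that publishes only `federation_entity` (or any real entity that is not simultaneously RP, OP, AS, resource and trust-mark issuer) fails, although the description only says the keys must be drawn from that set. Drop the `required` array (or reduce it to `["federation_entity"]`) and keep `"additionalProperties": false`, which is what enforces the allowed set. The "only once for each" part of the description is not tested either: duplicate keys are collapsed by the JSON parser before schema validation (most keep the last value), so detecting repeats would need a check on the raw decoded payload text.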
@@ -155,32 +127,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
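Review bot: The `trust_marks` schema in the `@@ -155` hunk requires an object whose values are arrays, `{"type": "object", "additionalProperties": {"type": "array"}}`, which contradicts the description ("must be a JSON array containing the Trust Marks") and the `$.trust_marks[0].trust_mark` path used by the tests this same file removes; a conforming Entity Configuration fails and a malformed one passes. Use `"trust_marks": {"type": "array", "minItems": 1, "items": {"type": "object", "required": ["id", "trust_mark"], "properties": {"id": {"type": "string"}, "trust_mark": {"type": "string"}}}}`, JSON-escaped inside the string like the other schemas.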
@@ -192,32 +157,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
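Review bot: The name and description still speak of "TA metadata" and "the TA Entity Configuration", while the message type and the `$.metadata.federation_entity` path inspect the SA's own entity configuration; a reader of the report will look at the wrong document. Suggest `"name": "Does the SA metadata contain a correct type logo_uri claim"` and the matching wording in the description. Note also that `\"format\":\"uri\"` is an annotation that most JSON Schema validators do not enforce unless told to, so the `pattern` is the effective check here — which is fine, but worth stating in the description so nobody relies on `format` for the URL validity.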
@@ -229,32 +187,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
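Review bot: This hunk and the three that follow (the iat check for SA OP, and the exp/iat checks for SA RP) reuse two test names verbatim — "Does Entity Statements issued by the SA contain a correct exp parameter" appears for both the OP and the RP statement — so the results of the two cannot be told apart in a report; put the subordinate in the name, e.g. `"name": "Does Entity Statements issued by the SA for the OP contain a correct exp parameter"`. The description in all four reads "the the exp parameter" / "the the iat parameter" and says the request goes to "the TA's fetch endpoint" although the message type is the SA's statement. `\"minimum\": 0` only rules out negative values; a statement that expired years ago still passes, which is acceptable for a type check but the description's "It must be a timestamp" should say that validity in time is not checked here.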
@@ -266,32 +217,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -303,32 +247,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -340,32 +277,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -377,32 +307,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
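Review bot: The schema only requires a `value` member of any type under `jwks`, so `{"value": "x"}` or `{"value": null}` passes although the description says the policy "must contain the RP JWKS"; the check should at least pin the JWK Set shape: `"json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}}, \"required\": [\"value\"]}"`. The stray space in `\"value\" :{}` is harmless JSON but differs from every other schema string in the file.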
@@ -414,32 +337,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
- "type": "passive",
+ "name": "Does the SA's metadata contain the contacts parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
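Review bot: This hunk and the eight that follow it (contacts through policy_uri) keep the old `"decode regex": "[^\\r\\n]*"` key for the body JWT, only reordered, whereas every other rewritten test in this chunk replaces it with `"decode param": "[^\\r\\n]*"` for the same extraction. Unless the tool accepts both keys for `"from": "body"`, one of the two families will silently fail to decode and report on an empty payload; the two spellings should be unified, presumably to `"decode param"` since that is what the new tests use. Three of these hunks (the first metadata-type test, the logo_uri type test and the jwks policy test) also write the regex as `[^\\n\\r]*` — equivalent, but a single spelling makes grepping for the pattern reliable.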
@@ -451,32 +367,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -488,32 +397,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -525,32 +427,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -562,32 +457,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -599,32 +487,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the SA's metadata contain the homepage_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -636,32 +517,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the SA's metadata contain the logo_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -673,32 +547,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the SA's metadata contain the organization_name parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -710,32 +577,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the SA's metadata contain the policy_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -747,32 +607,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does entity configuration SA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_SA"
 }
 ]
 }
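Review bot: The description says `sub` must equal `iss`, but the check compares `$.sub` with the configured `X_url_SA` placeholder and never reads `iss`; an entity configuration whose `iss` is wrong still passes as long as `sub` matches the expected URL. Either add a second check `{ "in": "payload", "check": "$.iss", "is": "X_url_SA" }` so both halves of the self-signed configuration are pinned, or reword the description to say the value is compared with the SA's configured entity identifier.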
@@ -784,36 +637,22 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
 }
 ],
 "result": "correct flow s1"
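Review bot: This test and the next one ("Does the Entity expose the /.well-known/openid-federation endpoint") have byte-identical operations — the same status-line regex on the same message — so the second adds no coverage, and its description promises "its entity configuration is expected as response" while the body is never looked at. Give the second test a body check such as the JWT regex used by the JOSE-format test two hunks below, or drop it. The regex `HTTP/?\d?\.?\d?\s200` is unanchored and its every element optional; `^HTTP/\d(\.\d)?\s200\b` states the intent more precisely and does not match a `200` that happens to follow a later `HTTP/` token in a header.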
@@ -821,34 +660,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -858,34 +683,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
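Review bot: The description makes the `Content-Type: application/entity-statement+jwt` header the criterion, but the only check is a body regex, so a response served as `text/plain` or `application/json` passes. Add a head check, `{ "in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true" }`, next to the body check. The body regex is also weaker than it looks: it is unanchored, so any text containing two dots between word characters matches, and the first two groups `[\w=]+` do not admit `-`, which is a legal base64url character in a JOSE header or payload; `^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]*$` matches the compact serialisation the test is after.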
@@ -895,34 +706,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
+ "is present": "true"
 }
 ]
 }
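Review bot: The regex for the listing endpoint expects a JSON *object* (`^\{ ... \}$`), while the description — and the Federation list endpoint — returns a JSON array of entity identifiers, so a correct listing fails this test; the array-of-strings pattern sits four hunks later in the resolve-endpoint test, where the description instead expects "resolved metadata" — the two bodies look swapped. The description also names "the resolve entity statement endpoint" and is missing a verb ("an HTTP GET request entity's endpoint"). Independently, the `[^\r\n]*.^` prefix used here and in the three fetch-response tests that follow can only match if the engine runs with both multiline and dot-all semantics (`.` must consume the line terminator before `^` can match at the next line start); if the tool's regex flags are not known to be set that way, these checks never match — worth confirming against the tool before relying on them.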
@@ -932,34 +729,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Statement response SA OP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
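Review bot: This test and the next one share the name "Does the SA correctly release the Entity statements" although one inspects the OP statement and the other the RP statement; reports will show two indistinguishable rows, so name the subordinate, e.g. `"name": "Does the SA correctly release the Entity statement for the OP"`. The hunk after those uses the message type `Fetch Entity Statement response SA RP` for what its description presents as the same fetch-endpoint response that `Entity Statement response SA RP` denotes here; if only one of the two names is a registered message type in the tool, the other test never fires — presumably one should be aligned with the other.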
@@ -969,34 +752,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1006,34 +775,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1043,34 +798,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
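Review bot: The regex's leading `[` is unescaped, so it opens a character class that ends at the first `]` inside `[^"]`; what remains is `[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$`, a pattern that does not describe the intended JSON array of strings and will accept or reject bodies more or less at random. If a string array is really what this endpoint returns, the opening bracket must be `\\[` (and an anchoring `^` helps); but the description expects "resolved metadata", which the Federation resolve endpoint returns as a signed JWT, so the JWT regex used by the fetch tests above looks like the right check here and the string-array pattern belongs to the listing test.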
@@ -1080,32 +821,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
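Review bot: Only `$.trust_marks[0].trust_mark` is signature-checked here and in the RP variant in the next hunk; a statement carrying several trust marks has every mark after the first unverified, and a statement with an empty array presumably fails on the path rather than on the signature, which the report will not distinguish. The key is also fixed to `X_key_SA`, yet a trust mark's issuer is whatever its own `iss` claim says (in a federation that may be the Trust Anchor or a dedicated issuer rather than the SA), so a mark legitimately signed by another issuer is reported as a bad signature; pairing the signature check with a check on the mark's `iss` (for example `{ "in": "payload", "check": "$.iss", "is": "X_url_SA" }` inside the inner decode operation) would make the failure cause unambiguous. The description's "(n, e of jwks parameter)" implies RSA only — if the tool also verifies EC keys, the wording should not restrict it.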
@@ -1117,32 +852,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -1154,32 +883,53 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "client_assertion",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "edits": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response SA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "use variable": "true",
+ "in": "payload",
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
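Review bot: The first intercept decodes the JWT with `"from": "url"` and `"decode param": "client_assertion"`, but an Entity Statement response carries its JWT in the response body (every sibling hunk uses `"from": "body"` with `"decode param": "[^\\r\\n]*"`) and `client_assertion` is a client-authentication request parameter, so `conf_iss` is most likely never populated and the final check cannot pass. L3078 contains the same two lines. The comparison `"contains": "conf_iss"` is also looser than the description ("must be an URL identifying the SA") implies, since any Entity Configuration issuer that merely contains the saved value is accepted; the `"is"` check used elsewhere in this file (removed side of L3100) would be the stricter choice if the tool supports it together with `"use variable"`.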
@@ -1191,32 +941,53 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "client_assertion",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "use variable": "true",
+ "in": "payload",
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
@@ -1236,7 +1007,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1266,7 +1037,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1296,7 +1067,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1326,7 +1097,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1356,7 +1127,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1386,7 +1157,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1408,15 +1179,15 @@
 },
 {
 "test": {
- "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1425,7 +1196,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
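Review bot: The new description in the `@@ -1408` hunk says "the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present", but the check in the `@@ -1425` hunk looks up `$.trust_marks` at the top level of the decoded payload, not inside `metadata`, so the text describes a different check than the one performed. Suggest wording it to match, e.g. `"description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', its JWT payload is base64url decoded and the presence of the top-level 'trust_marks' claim is checked."`.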
@@ -1438,15 +1209,15 @@
 },
 {
 "test": {
- "name": "Does the Federation Configuration contain the TA public keys",
- "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1455,7 +1226,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.constraints",
 "is present": "true"
 }
 ]
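Review bot: The new description reads "the presence if the constraints parameter is checked" and calls the base64url-decoded payload "the decrypted Payload"; base64url decoding is not decryption, and "presence if" should be "presence of". The same sentence is copied into L3081–L3095, so it is worth correcting in all of them in one pass, e.g. `"... the Entity Statement payload contained in the response is base64url decoded and the presence of the constraints parameter is checked"`.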
@@ -1468,15 +1239,15 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1485,7 +1256,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_mark_issuers",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
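Review bot: The test is retargeted at the SA (`"message type": "Entity Statement response SA OP"`), but the new description still says the request is made "in the TA's fetch endpoint", so the text no longer matches the message being checked. The same stale reference survives in L3082, L3083, L3085, L3086, L3089, L3090, L3091, L3093 and L3094, while L3080, L3084, L3087, L3088, L3092 and L3095 already say "SA's fetch endpoint". Proposed wording for all of them: `(HTTP GET request in the SA's fetch endpoint)`.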
@@ -1498,15 +1269,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1515,7 +1286,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -1528,15 +1299,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1545,7 +1316,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -1558,15 +1329,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1575,7 +1346,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy",
 "is present": "true"
 }
 ]
@@ -1588,15 +1359,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1605,7 +1376,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -1618,15 +1389,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1635,7 +1406,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -1648,15 +1419,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1665,7 +1436,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -1678,15 +1449,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1695,7 +1466,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.constraints",
 "is present": "true"
 }
 ]
@@ -1708,15 +1479,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1725,7 +1496,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -1738,15 +1509,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1755,7 +1526,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -1768,15 +1539,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1785,7 +1556,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -1798,15 +1569,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1815,7 +1586,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy",
 "is present": "true"
 }
 ]
@@ -1828,15 +1599,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1845,7 +1616,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -1858,15 +1629,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1875,7 +1646,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -1888,15 +1659,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1905,7 +1676,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -1918,25 +1689,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
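Review bot: The body decode in this hunk reintroduces `"decode regex": "[^\\r\\n]*"` (placed after `"type"`), while L3075 and L3076 migrate the same kind of test in the opposite direction, from `"decode regex"` to `"decode param"`, in the same commit; if the tool honours only one of the two keys, this test and L3097–L3103, which use the same shape, would silently decode nothing and their claim checks would never run. One key should be used consistently, and `"decode param": "[^\\r\\n]*"`, already used by the surrounding SA Entity Statement tests, looks like the intended one. The description also says the trust mark is "issued by a TA for an SA", but the message decoded is "Entity Statement response SA OP", whose `$.trust_marks[0]` belongs to the OP subject rather than to the SA, so either the message type or the description needs to change. The plain `"check": "sa_profile"` differs from the `$.`-prefixed JSONPath form used in the other hunks; it is worth confirming both forms are accepted.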
@@ -1948,25 +1726,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
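Review bot: The test is described as checking a Trust Mark "issued for an AA (oauth_resource profile)", yet `"message type"` is "Entity Statement response SA OP", so `$.trust_marks[0].trust_mark` would be the OP's trust mark and the `claims` lookup is run against the wrong profile. The message type should point at the Entity Statement the SA issues for the AA, if this suite defines such a message; otherwise the name and description should say OP so the report is not misleading.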
@@ -1978,25 +1763,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2008,21 +1800,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
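Review bot: Every trust-mark claim test in L3096–L3103 inspects only `$.trust_marks[0].trust_mark`, so an Entity Statement carrying several trust marks is judged on the first one alone and a second mark lacking `exp` still passes. If the tool's JSONPath accepts wildcards, `$.trust_marks[*].trust_mark` would cover all of them; otherwise the limitation should be stated in the description, e.g. `"... the presence of the exp claim in the first Trust Mark of the Entity Statement is checked."`. As written, the description's "decrypted" should also read "base64url decoded", since the test performs no decryption.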
@@ -2032,25 +1837,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration TA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_TA"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2062,20 +1874,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2085,20 +1911,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2108,26 +1948,32 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
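Review bot: This hunk replaces the only visible signature verification of the issued Trust Mark (`"jwt check sig": "X_key_TA"`) with a presence check on `logo_uri`, and L3104 does the same for the RP statement; unless the signature test reappears elsewhere in the file, the suite no longer verifies that the Trust Mark was signed by the Trust Anchor, which is the property a Trust Mark exists to establish. Keeping a separate test with the `jwt check sig` operation on `$.trust_marks[0].trust_mark`, now selecting the `Entity Statement response SA OP` / `SA RP` messages, would restore that coverage. Note also that only `trust_marks[0]` is inspected in all of these tests, so an entity carrying several Trust Marks has the others unchecked. The test object closes outside the hunk.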
@@ -2139,26 +1985,32 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2170,25 +2022,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2200,25 +2059,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
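Review bot: The new name and description say the Trust Mark was issued for an AA (`oauth_resource` profile), but the message selected is `Entity Statement response SA OP`, which by its label carries the statement about an OP; the same mismatch is in L3108 and L3110 (SA OP) and in L3113, L3122, L3124 and L3126 (SA RP). Either the message type should select the statement about the AA, or the name and description should drop the oauth_resource wording, e.g. `"name": "Does the Trust Mark contain the policy_uri claim"`. How message types are defined is not in view, so this is inferred from the label only. The test object closes outside the hunk.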
@@ -2230,25 +2096,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2260,25 +2133,32 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2290,25 +2170,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2320,25 +2207,32 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2350,25 +2244,32 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2380,25 +2281,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
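Review bot: The name calls this the intermediary Trust Mark and the description says it is "issued by a TA for an SA", but the message selected is `Entity Statement response SA RP`, whose `trust_marks` would belong to the RP that is the subject of the SA's statement rather than to the SA itself; if the intent is to check the SA's own `sa_profile`, the message to decode is the one that carries the SA's Trust Mark (its Entity Configuration or the TA's statement about it). If instead the RP's Trust Mark is meant, the name and description should say so. This is inferred from the message-type label, whose definition is not in view. The test object closes outside the hunk.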
@@ -2410,25 +2318,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2440,25 +2355,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2470,25 +2392,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
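Review bot: `exp` is only checked for presence here; the Entity Configuration tests removed in L3105 and L3106 validated `exp`/`iat` as non-negative integers with `json schema compliant`, and that stricter form is the one a Trust Mark's lifetime claims need, since a string or negative `exp` passes a presence check. Suggest replacing the presence check with `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"` here and the `iat` equivalent in L3100 and L3116. The test object closes outside the hunk.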
@@ -2500,25 +2429,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2530,25 +2466,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2560,25 +2503,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2590,25 +2540,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2620,25 +2577,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2650,25 +2614,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2680,25 +2651,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2710,25 +2688,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2740,25 +2725,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2770,25 +2762,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
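Review bot: Presence of `sub` is asserted but not its value; a trust mark listed in the SA's statement about the RP should name that RP in `sub` (the same value as the enclosing statement's `sub`), otherwise a trust mark issued to some other entity passes unnoticed. If the runner can compare with a value captured from the outer payload, a follow-up check of `$.sub` against it would close this; failing that, at least `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"sub\":{\"type\":\"string\",\"format\":\"uri\"}},\"required\":[\"sub\"]}"` rejects non-identifier values. As in the sibling tests only `trust_marks[0]` is examined.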
@@ -2800,25 +2799,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
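Review bot: As with the service_documentation test, the name and description describe the AA's oauth_resource Trust Mark while `+ "message type": "Entity Statement response SA RP"` selects the RP's statement, so tos_uri is looked for in the wrong trust mark. Align the message type with the AA's Entity Statement if the suite defines one, or retitle the test as an RP check; otherwise a compliant AA that omits nothing can still be reported as failing or, worse, never be tested.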
@@ -2830,25 +2836,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
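Review bot: Presence of `iss` alone does not tie the trust mark to an issuer the federation trusts; nothing compares it with the issuer of the enclosing Entity Statement and the nested decode has no `jwt check sig`, so a trust mark with an arbitrary `iss` passes. A cheap improvement is a typed check, `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"iss\":{\"type\":\"string\",\"format\":\"uri\"}},\"required\":[\"iss\"]}"`, and, where the runner supports it, a signature check on the inner JWT keyed by the issuer's federation key.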
@@ -2860,27 +2873,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
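Review bot: `+ "jwt check sig": "X_key_SA"` depends on a variable this test never binds; the description says the key must come from the superior's Entity Statement for the SA, so the check is only meaningful if an earlier operation in session s1 stored that `jwks` into `X_key_SA` before the Entity Configuration response is observed — presumably it exists, but nothing here guarantees the ordering. Stating the dependency in the description, e.g. appending `Requires X_key_SA to be populated from the TA's Entity Statement for the SA earlier in the session.`, would make the precondition visible. The description's "(n, e of jwks parameter)" also assumes an RSA key; if the SA signs with an EC key the wording is misleading while the verifier presumably still works.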
@@ -2890,27 +2897,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the SA correctly signs the Entity Statement",
+ "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
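Review bot: `+ "name": "Does the SA correctly signs the Entity Statement"` is ungrammatical and is reused word-for-word by the next test for the RP statement, so a report cannot tell which statement failed; suggest `"Does the SA correctly sign the Entity Statement issued for the OP"`. The description again spells out an RSA-specific (n, e) procedure while the operation is a single `jwt check sig` with `X_key_SA`; a shorter description naming that key variable and its source would be more accurate than the hand-written verification recipe.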
@@ -2920,27 +2921,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the SA correctly signs the Entity Statement",
+ "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
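Review bot: This test's name and description duplicate the previous hunk's verbatim even though it checks `+ "message type": "Entity Statement response SA RP"` rather than the OP statement; suggest `"name": "Does the SA correctly sign the Entity Statement issued for the RP"` so the two results are distinguishable. Since both tests verify with the same `X_key_SA`, a failure here with a pass above points at the RP statement itself, which is useful only if the names differ.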
@@ -2950,103 +2945,105 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", - "type": "passive", - "sessions": [ + "result": [ "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "checks": [ - { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" + ] } }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", + "message type": "Entity Configuration response SA", "checks": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
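Review bot: The Content-Type check `"is": "application/entity-statement+jwt"` with `"check param": "Content-Type"` reads as an exact comparison, so a server answering `application/entity-statement+jwt; charset=utf-8` fails although the media type is correct; if the runner offers it, a `check regex` anchored on the media type such as `^application/entity-statement\\+jwt(\\s*;.*)?$` is more robust, and header-name matching should be case-insensitive. The two organization_type tests in this hunk also carry identical names while one reads the OP's and the other the RP's trust mark; suffixing `(OP)` / `(RP)` keeps reports unambiguous. Finally, the `"result": ["s1"]` form introduced here differs from the `"correct flow s1"` string the removed tests used; if other tests in this file still use the string form, confirm the runner treats both identically.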
@@ -3056,20 +3053,34 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
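Review bot: The schema in `+ "json schema compliant"` is corrupted by trailing spaces and `\u00a0` non-breaking spaces inside its keys and values (`\"type \"`, `\"object \"`, `\"enum \"`, `\"full \"`, `\"sa_profile \"` in `required`), so `type`/`properties`/`required` are not recognised as keywords and, where they are, the schema demands a key literally named `sa_profile ` that no trust mark carries; the enum is never applied and the test is either always green or always red. Replace it with `{"type": "object", "properties": {"sa_profile": {"type": "string", "enum": ["full", "light"]}}, "required": ["sa_profile"]}` escaped like the neighbouring tests. Also, the description says the trust mark is issued for an SA, but `+ "message type": "Entity Statement response SA OP"` selects the SA's statement about the OP; if sa_profile lives in the SA's own trust mark, the operation should target the statement the TA issues for the SA.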
@@ -3079,20 +3090,34 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
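Review bot: The schema unconditionally requires `id_code.fiscal_number` or `id_code.vat_number`, yet it reads the same `Entity Statement response SA OP` trust mark as the ipa_code test that follows, which unconditionally requires `id_code.ipa_code`; for any single OP at most one of the two tests can pass. Gate the requirement on organization_type instead, e.g. `{"type":"object","properties":{"organization_type":{"type":"string"},"id_code":{"type":"object","properties":{"fiscal_number":{"type":"string"},"vat_number":{"type":"string"}}}},"required":["id_code"],"if":{"properties":{"organization_type":{"const":"private"}},"required":["organization_type"]},"then":{"properties":{"id_code":{"anyOf":[{"required":["fiscal_number"]},{"required":["vat_number"]}]}}}}` (escaped as in the file), or point the test at a message type that only matches private organizations. The empty `{}` subschemas for fiscal_number and vat_number also accept any type; `{"type":"string"}` would catch a numeric code that downstream consumers will not parse.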
@@ -3102,20 +3127,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response TA OP",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
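Review bot: Same problem as the private-organization test before it: `ipa_code` is required regardless of `organization_type`, so a private OP (fiscal_number/vat_number) fails here while a public one fails there, and the suite can never be fully green for either. Wrap the requirement in an `if`/`then` keyed on `"organization_type": {"const": "public"}` as suggested for the previous test. The description's "the presence of the id_code claim contains at least the value 'ipa_code'" is garbled; suggest `the id_code claim is checked and it must contain the ipa_code member`.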
@@ -3125,20 +3164,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response TA RP",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
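Review bot: This schema subsumes the previous test (it requires `id_code.ipa_code` and additionally types it), so one of the two is redundant and both inherit the unconditional-requirement problem for private organizations; keeping only this one, gated on `organization_type == "public"`, would halve the spurious failures. `{"type":"string"}` also accepts the empty string; `{"type":"string","minLength":1}` rejects a blank ipa_code, which is the case that actually matters for identifying the organization.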
@@ -3148,20 +3201,34 @@
 },
 {
 "test": {
- "name": "Does the TA publish the federation public key history",
- "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Public Keys History response",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
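Review bot: The description says the value of `claims` "is checked to be a list", but the schema asserts `{"type": "object", "additionalProperties": {"type": "object"}}`, which rejects any array; one of the two is wrong and must be reconciled (`{"type": "array", "items": {"type": "string"}}` if it really is a list, otherwise reword the description to "a JSON object whose members are objects"). The message type is again `Entity Statement response SA OP` for a test about the AA's oauth_resource trust mark, so the OP's trust mark — which has no `claims` member to check — is what actually gets inspected.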
@@ -3171,20 +3238,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the correct type of email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
+ ]
+ }
+ ]
 }
 ]
 }
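Review bot: `+ "decode param": "$.trust_marks.trust_mark"` omits the array index every other trust-mark test uses (`$.trust_marks[0].trust_mark`); trust_marks is an array, so this path should select nothing and the nested decode has no JWT to check. The schema string is also corrupted by trailing spaces inside keys and values (`\"type \"`, `\"email \"`, `\"string \"`, `\"format \"`), so `required` demands a key named `email ` that does not exist. Use `$.trust_marks[0].trust_mark` and `{"type": "object", "properties": {"email": {"type": "string", "format": "email"}}, "required": ["email"]}`, bearing in mind that `format` only constrains the value when the validator enables format assertions.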
@@ -3194,26 +3275,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
 ]
 }
 ]
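Review bot: `+ "decode param": "$.trust_marks.trust_mark"` is missing the `[0]` index the sibling tests use, so the path will not select a trust mark and the `exp` schema is never evaluated against one. Beyond the type check, the test accepts an already expired trust mark: `"minimum": 0` only rules out negative values, and an expired mark is the security-relevant case; if the runner can compare against the current time, that should be the assertion here. The name `Does the Trust Mark contain the exp type` should read `... contain a correct exp type` to match its neighbours.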
@@ -3226,29 +3312,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
 ]
 }
 ]
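Review bot: Same missing `[0]` in `+ "decode param": "$.trust_marks.trust_mark"`; it should be `$.trust_marks[0].trust_mark` like the other trust-mark tests. Separately, this hunk drops the only test in this file that rejected `none` and the HS* algorithms in the OP's id_token_signing_alg_values_supported policy; if that check was not relocated elsewhere in the commit, the suite no longer catches a policy that would admit unsigned or HMAC-signed ID tokens, which is a real regression in coverage. `iat` is only typed here, not bounded (iat ≤ exp, iat not in the future), which is what a consumer would actually validate.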
@@ -3261,29 +3349,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
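Review bot: `{"type": "object", "additionalProperties": {"type": "object"}}` requires every member of id_code to itself be an object, but the ipa_code test a few hunks earlier requires `id_code.ipa_code` to be a string, so the two schemas cannot both be satisfied by one trust mark and one of them always fails. Drop the member constraint or make it `{"type": "string"}`: `{"type": "object", "properties": {"id_code": {"type": "object", "additionalProperties": {"type": "string"}}}, "required": ["id_code"]}`. The name `correcty` is a typo for `correct`.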
@@ -3296,26 +3386,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
+ }
 ]
 }
 ]
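Review bot: `"format": "uri-reference"` is an annotation most validators ignore unless format assertions are switched on, so `"pattern": "^https://"` is doing all the work here; that is acceptable, but it accepts `https://` followed by anything, including whitespace. `"format": "uri"` with assertions enabled, or a tighter pattern such as `^https://\\S+$`, would reject malformed values while still enforcing TLS. The description's "decrypted" should be "decoded": the trust mark is a JWS and nothing in the operation decrypts it.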
@@ -3328,29 +3423,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
 ]
 }
 ]
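Review bot: The schema constrains `organization_name` to the enum `["private", "public"]`, which is the value set of organization_type, not of an organization's name; a genuine trust mark with `"organization_name": "Comune di Roma"` fails this test, which looks like a copy-paste from the organization_type check. The string is further broken by trailing and `\u00a0` spaces inside its keys (`\"type \"`, `\"organization_name \"`), and `+ "decode param": "$.trust_marks.trust_mark"` lacks the `[0]` index used elsewhere. Replace with `$.trust_marks[0].trust_mark` and `{"type": "object", "properties": {"organization_name": {"type": "string", "minLength": 1}}, "required": ["organization_name"]}`, escaped as in the neighbouring tests.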
@@ -3363,29 +3460,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
+ }
 ]
 }
 ]
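Review bot: The description says the Trust Mark under test was issued for an AA (oauth_resource profile), but the operation reads `"message type": "Entity Statement response SA OP"`, i.e. the statement the SA issues for the OP, so either the wording or the message type is wrong. The same mismatch is in the service_documentation and tos_uri tests of this block and in the later claims, service_documentation and tos_uri tests that read `Entity Statement response SA RP`. If these checks are meant for the OP's and RP's Trust Marks, the oauth_resource wording should go; if an AA statement is intended, the message type has to point at the AA's statement instead.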
@@ -3398,26 +3497,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
 ]
 }
 ]
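Review bot: The ref check relies on `\"format\": \"uri\"` alone, whereas every other URL check in this change pairs `format` with `\"pattern\": \"^https://\"`; JSON Schema treats `format` as an annotation unless the validator enables format assertion, so this test may only prove that `ref` is a string. Suggest aligning it with the others: `{"type": "object", "properties": {"ref": {"type": "string", "format": "uri", "pattern": "^https://"}}, "required": ["ref"]}` — the RP ref test later in the file is identical and needs the same change. The email test has the same dependency on `\"format\": \"email\"` being enforced by the validator.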
@@ -3430,29 +3534,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ }
 ]
 }
 ]
@@ -3465,26 +3571,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ }
 ]
 }
 ]
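Review bot: The sub check only establishes that `sub` is an https URL; it does not verify that the Trust Mark's `sub` equals the `sub` of the Entity Statement it is embedded in, which is what binds the mark to this entity, so a mark lifted from another entity's statement passes this test unchanged. If the check language can compare a claim against a value extracted from the outer payload, a second test asserting that equality would close the gap; if it cannot, the description should state that the binding is not verified here. The iss test a few hunks below has the analogous limitation — it checks the URL shape of `iss` but not that the issuer is one the federation trusts for this mark.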
@@ -3497,29 +3608,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ }
 ]
 }
 ]
@@ -3532,26 +3645,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ }
 ]
 }
 ]
@@ -3564,29 +3682,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ }
 ]
 }
 ]
@@ -3599,26 +3719,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
 ]
 }
 ]
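Review bot: This test reads the first Trust Mark of whatever RP statement is captured and requires `fiscal_number` or `vat_number` inside `id_code`, while the two tests that follow require `ipa_code` there; an RP of a public organisation fails this test and a private one fails the next two, so for any single session at least one of the three reports a failure regardless of compliance. The selection on `organization_name` that the names describe ("private organization", "public organization") is not expressed anywhere in the schemas. If the validator supports draft-07 conditionals, the private case can be written as `{"type": "object", "required": ["id_code"], "if": {"properties": {"organization_name": {"const": "private"}}, "required": ["organization_name"]}, "then": {"properties": {"id_code": {"anyOf": [{"required": ["fiscal_number"]}, {"required": ["vat_number"]}]}}}}` and the two public-organisation tests mirrored with `"const": "public"`; otherwise the three tests need separate capture conditions.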
@@ -3631,29 +3756,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
@@ -3666,25 +3793,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the contacts parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -3696,25 +3830,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
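Review bot: The description says the `claims` value is checked to be a list, but the schema requires `\"type\": \"object\"` whose members must themselves be objects, so one of the two is wrong. If an array is the expected shape, the schema should read `{"type": "object", "properties": {"claims": {"type": "array"}}, "required": ["claims"]}`; if an object keyed by claim name is intended, the description should say so. As written, the `additionalProperties` constraint also rejects any member whose value is not an object, which is stricter than anything the stated intent asks for.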
@@ -3726,25 +3867,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
+ ]
 }
 ]
 }
@@ -3756,25 +3904,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
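Review bot: The exp schema accepts any non-negative integer, so a Trust Mark that expired years ago passes this test and, as far as this change goes, nothing else rejects it; the same applies to the iat test that follows, which would accept an `iat` in the future. If the check language offers a time comparison, a companion test asserting `exp` is in the future (and `iat` not after `exp`) would make the type checks meaningful; if it does not, the description should make explicit that only the type is verified, e.g. `"description": "... the type of the exp claim is checked; its validity in time is not."`. The name `Does the Trust Mark contain the exp type` also reads oddly next to the iat test's `Does the Trust Mark contain the correct iat type`.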
@@ -3786,25 +3941,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -3816,25 +3978,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the homepage_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
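Review bot: The id_code schema here requires every member of `id_code` to be an object (`\"additionalProperties\": {\"type\": \"object\"}`), but the ipa_code type test a few hunks earlier requires `id_code.ipa_code` to be a string, so a Trust Mark that satisfies one of them necessarily fails the other. The description only asks for `id_code` to be a JSON object, and the inner constraint looks copied from the claims test; the schema should be `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`. The name also carries a typo, `correcty`.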
@@ -3846,25 +4015,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the logo_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -3876,25 +4052,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the organization_name parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
 }
 ]
 }
@@ -3906,25 +4089,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the policy_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -3936,25 +4126,32 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.constraints.max_path_length",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
 }
 ]
 }
@@ -3966,25 +4163,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
 }
 ]
 }
@@ -3996,25 +4200,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
 }
 ]
 }
@@ -4026,25 +4237,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -4056,25 +4274,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ }
+ ]
 }
 ]
 }
@@ -4086,2143 +4311,3319 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": 
"correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the client_id parameter", + "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's 
metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct 
request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", + "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": 
{ - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the nonce parameter", + "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy 
issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter", + "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the state parameter", + "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", + "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", + "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", + "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - 
"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy 
issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", + "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jwks", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", + "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", + "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", + "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unsupported_response_type" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", + "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_scope" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the acr_values parameter", + "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the aud parameter", + "description": "The aud parameter identifies subjects of that request. 
An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. 
It must contain the key 'value'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the claims parameter", + "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the exp parameter", + "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iat parameter", + "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is present": "true" - } + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iss parameter", + "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. 
It must contain the key 'one_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the prompt parameter", + "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", + "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the response_type parameter", + "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the OP refuse an RP without trusted Trust Marks", + "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.trust_marks", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - 
"in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", + "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. 
In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. 
It has to be a string", - "type": "passive", + "name": "Does the OP correctly validate the trust chain of an RP authentication request", + "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.authority_hints", + "value": "https://www.wrongsite.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_client" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued 
oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", - "type": "passive", + "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", + "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": 
"HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Request with a wrong redirect URI", + "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { 
"test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", - "type": "passive", + "name": "Does the OP 
verify the presence of aud of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.aud[0]", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", - "type": "passive", + "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate 
request, take the JWT of the client assertion and remove the exp parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity 
Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", - "type": "passive", + "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": 
"intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] + } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": 
"jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", - "type": "passive", + "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - 
"decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", - "type": "passive", + "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": 
{\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", - "type": "passive", + "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "jwt from": 
"payload", + "jwt edit": "$.sub", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", - "type": "passive", + "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check 
regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - 
"name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", - "type": "passive", + "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for 
public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource 
profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", - "type": "passive", + "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", + "description": "A revocation request 
is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", - "type": "passive", + "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": 
[\"policy_uri\"]}" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct 
service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", - "type": "passive", + "name": "Does the token 
response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the aud claim does not contain the OP's Token endpoint", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error 
response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the exp claim is wrong", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the iat claim is wrong", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ - { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": [ - "s1" - ] + "result": "assert_only" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": [ - "s1" - ] + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -6231,9 +7632,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" ] } ] 
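Review bot: The value in the new `not contains` list is spelled `RSA_1_5`, but the JWA identifier registered by RFC 7518 for RSAES-PKCS1-v1_5 is `RSA1_5` (no underscore after RSA), so an OP that advertises the deprecated algorithm still passes this check. The same string is used for userinfo_encryption_alg_values_supported in the hunk at `@@ -6395,10 +7804,9 @@`. In both places change the list entry to `"RSA1_5"`; if the test is meant to tolerate the misspelled variant as well, list both identifiers rather than replacing one with the other.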
@@ -6246,15 +7647,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -6263,10 +7664,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -6279,15 +7682,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -6296,13 +7699,15 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -6312,15 +7717,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -6329,10 +7734,12 @@ "checks": [ { "in": "payload", - "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -6345,15 +7752,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -6362,10 +7769,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "is subset of": [ - "RS256", - "RS512" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
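Review bot: The new JSONPath `$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]` selects only the first array element, so a forbidden algorithm listed at any later index is never inspected. The sibling checks in this file, e.g. token_endpoint_auth_signing_alg_values_supported in the hunk at `@@ -6329,10 +7734,12 @@`, apply `not contains` to the whole array without an index. Drop the subscript: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",`. How mig-t evaluates `not contains` against a scalar selected by `[0]` is not visible here, which is a further reason to keep the path consistent with the other tests.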
@@ -6378,15 +7787,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -6395,10 +7804,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", - "is subset of": [ - "form_post", - "query" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" ] } ] 
@@ -6411,15 +7819,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -6428,9 +7836,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is subset of": [ - "code" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -6443,26 +7854,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "in": "header", + "check": "$.alg", + "is 
in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" ] } ] 
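Review bot: The `jwe decrypt` value embeds a complete PEM-encoded RSA private key inline in the test file, and the identical key is pasted again in the following UserInfo enc hunk at `@@ -6475,29 +7891,28 @@`. Committing the RP's UserInfo decryption key into a JSON test suite puts key material in git history and duplicates it across tests that will drift apart when it is rotated; the signing operations elsewhere in this file already refer to keys by alias (`"jwt sign": "X_key_core_RP"`). If the tool supports it, reference the key the same way, e.g. `"jwe decrypt": "<KEY_ALIAS_OR_PATH placeholder>"`, and load the PEM from configuration; otherwise at least document in the test description that this is a throwaway fixture key. Whether the `jwe decrypt` operation accepts anything other than inline PEM is not visible in the hunk.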
@@ -6475,29 +7891,28 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", - "is subset of": [ - "openid", - "offline_access", - "profile", - "email" + "in": "header", + "check": "$.enc", 
+ "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] @@ -6510,26 +7925,27 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is subset of": [ - "pairwise" + "in": "header", + "check": "$.alg", + "is in": [ + "RS256", + "RS512" ] } ] 
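Review bot: The new `decode param` regex `(?<=\"access_token\": \")[^\"]+` only matches a token response that is pretty-printed with exactly one space after the colon; a compact body such as `{"access_token":"..."}` produces no match, so the `alg` header check never runs and the test passes vacuously. Allow optional whitespace with a bounded quantifier, i.e. in the JSON string `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"`. A bounded quantifier is suggested rather than `\\s*` because Java-style regex engines reject lookbehinds without an obvious maximum length; confirm which engine mig-t uses before relying on this.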
@@ -6542,15 +7958,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6559,10 +7975,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -6574,15 +7988,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6591,11 +8005,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -6607,15 +8018,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6624,11 +8035,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -6640,28 +8048,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, 
\"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -6673,15 +8078,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6690,11 +8095,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
 }
 ]
 }
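Review bot: The `required` list in the `$.metadata` schema demands that all six metadata types be present at once, which contradicts the description (keys must be among the allowed types) and fails an ordinary OP entity configuration that carries only `openid_provider` and `federation_entity`. Drop the `\"required\": [...]` array and keep `\"additionalProperties\": false`, which alone enforces the allowed-key set. The "only once" part of the name cannot be verified by a JSON Schema check: any JSON parser has already collapsed duplicate keys (usually keeping the last) before the schema sees the object, so duplicate detection would need a raw-text check, if the tool offers one.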
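Review bot: `\"authority_hints\": {\"type\": \"array\"}` in the last hunk also accepts an empty array and non-URL elements, so an OP that names no superior at all passes this test. Constrain the elements, e.g. `\"authority_hints\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"pattern\": \"^https://\"}}`; if the profile allows an OP to publish an empty list, keep `minItems` out but retain the item constraint.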
@@ -6706,27 +8108,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the OP metadata contain correct type issuer parameter",
+ "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
- ]
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
 }
 ]
 }
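Review bot: `\"format\": \"uri\"` does not enforce the "no query or fragment component" rule stated in the description, and JSON Schema validators treat `format` as an annotation unless format assertion is switched on, so this check may reduce to "issuer is a string". Add a pattern that carries the rule itself, `\"issuer\": {\"type\": \"string\", \"pattern\": \"^https://[^?#]+$\"}`. The client_id and iss checks in later hunks rely on `format` the same way, though their added `^https://` pattern at least pins the scheme.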
@@ -6738,28 +8138,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
+ "name": "Does the OP metadata contain correct type logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_token"
- ]
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
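Review bot: The logo_uri pattern `^(https?://).*\\\\.svg$` enforces two rules that neither the name nor the description mentions: the value must end in `.svg`, and plain `http://` is accepted. If the profile mandates an SVG logo served over HTTPS, tighten the pattern to `^https://.*\\\\.svg$` and say so in the description; otherwise drop the suffix so a compliant logo of another type is not reported as a failure. Either way the description should state what the pattern enforces so a failure report is self-explaining.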
@@ -6771,15 +8168,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6788,10 +8185,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
- ]
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
 }
 ]
 }
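Review bot: The schema for request_authentication_methods_supported is satisfied by `{}` and by endpoints mapped to empty arrays, because neither `minProperties` nor `minItems` is set, while the name promises a value check. Add `\"minProperties\": 1` on the object schema and `\"minItems\": 1` on the array schema so an OP that declares no request authentication method fails. The description still says only presence is checked; align it with the `request_object` constant the schema actually enforces.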
@@ -6803,15 +8198,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6820,11 +8215,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
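Review bot: The trust_marks schema declares `\"type\": \"object\"` while the name and description say the parameter must be a JSON array, so one of the two is wrong and a compliant entity configuration carrying an array of trust marks would fail this test. If the array form is what the profile prescribes, change the property to `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`; if the object-of-arrays form is intended, fix the wording instead.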
@@ -6836,27 +8228,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
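Review bot: The check only asserts that `aud` is an array, not that it identifies the resource server as the description claims, so any array, including an empty one, passes. RFC 7519 also allows `aud` to be a single string; unless the profile mandates the array form, `\"aud\": {\"type\": [\"string\", \"array\"], \"minItems\": 1}` is the safer shape. Either state in the description which value is expected and add a `const`/`pattern` for it, or reduce the description to the type check actually performed.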
@@ -6868,27 +8258,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256\" , \"RS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
@@ -6900,27 +8288,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -6932,28 +8318,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -6965,27 +8348,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
+ "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -6997,28 +8378,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
 }
 ]
 }
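Review bot: The jti pattern accepts only lowercase hexadecimal, so a token whose jti is rendered in uppercase (equally valid UUID text per RFC 4122) fails the test. Use `[0-9a-fA-F]` in each group and `[89abAB]` for the variant nibble unless the profile fixes the case; the version nibble `4` check is fine to keep.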
@@ -7030,27 +8408,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
 }
 ]
 }
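Review bot: The inner schema string ends with `]})`, a stray `)` after the closing brace, so the schema is not valid JSON and the check will error out or be skipped instead of validating the ID Token issuer. Remove the parenthesis: `\"required\":[\"iss\"]}`. `X_https_OP` reads like a placeholder to be substituted before the test runs; if the tool does not expand it, the `const` will never match a real issuer URL and the test can only fail.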
@@ -7062,27 +8438,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
+ "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
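Review bot: The `sub` schema requires exactly 64 lowercase hex characters, but the description only says the parameter is checked to be a string, so a failure report would surprise the reader. If the profile fixes the pairwise subject to a hex-encoded 256-bit hash, state that in the description; otherwise relax the check to `\"sub\": {\"type\": \"string\", \"minLength\": 1}`.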
@@ -7094,28 +8468,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_toke"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
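Review bot: The decode regex `(?<=id_token: \")([^\"]+)` cannot match a JSON token response, where the key is quoted as `"id_token": "`; the lookbehind expects a bare `id_token:` followed by a space, so the ID Token is never decoded and the `exp` check is vacuous. Use the same expression as the two preceding ID Token tests, `(?<=\"id_token\": \")[^\"]+`. The iat test in the next hunk carries the identical regex and needs the same fix.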
@@ -7127,28 +8498,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -7160,28 +8528,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP metadata contain the issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata.openid_provider.issuer",
+ "is present": "true"
 }
 ]
 }
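Review bot: This hunk introduces the decode-operation key `"decode regex"` while every other decode operation on this page uses `"decode param"`, as the context lines of the preceding hunks show; unless the tool accepts both spellings, this test and the four that follow (jwks, signed_jwks_uri, acr_values_supported, authorization_endpoint) will not decode the entity configuration at all. Keep `"decode param": "[^\\r\\n]*"` for consistency. `"is present": "true"` is also a string where a boolean is expected; if the tool compares against the literal string this works, but `true` would be the safer value.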
@@ -7193,28 +8558,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.openid_provider.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -7226,27 +8588,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
- ]
+ "check": "$.metadata.openid_provider.signed_jwks_uri",
+ "is present": "true"
 }
 ]
 }
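Review bot: The name says jwks *or* signed_jwks_uri must be present, but the check requires `signed_jwks_uri` alone, and the previous hunk's test requires `jwks` alone, so an OP that legitimately publishes only one of the two fails one of the two tests. Express the either/or in a single check on the parent object: `"check": "$.metadata.openid_provider"` with a `"json schema compliant"` schema of `{"anyOf": [{"required": ["jwks"]}, {"required": ["signed_jwks_uri"]}]}`, and drop the unconditional jwks-only requirement in the previous test if the profile allows either form.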
@@ -7258,28 +8618,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" } ] } 
@@ -7291,28 +8648,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" } ] } 
@@ -7324,28 +8678,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" } ] } 
@@ -7357,28 +8708,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks[0].trust_mark.organization_type", - "is in": [ - "public", - "private" - ] + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -7390,28 +8738,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.organization_type", - "is in": [ - "public", - "private" - ] + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -7423,60 +8768,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", - "sessions": [ - "s1" + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", + "sessions": [ + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "iss", - "contains": "valid_iss" - } - ] + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } 
@@ -7488,60 +8798,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "iss", - "contains": "valid_iss" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -7553,21 +8828,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "is present": "true" + } + ] } ] } 
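Review bot: The new test reads `$.metadata.openid_provider.id_token_encryption_alg_values_supported` straight from the decoded Entity Configuration payload with no `jwt check sig` step, while this hunk drops the only test in this stretch that verified an entity-configuration signature (`"jwt check sig": "X_key_TA"`). If the signature-verification tests were not moved into one of the other files of this patch, the suite now accepts metadata from an unsigned or tampered Entity Configuration as long as the expected keys are present, which defeats the point of checking the metadata at all. If verification is intentionally covered elsewhere, a sentence in the description such as `"The Entity Configuration signature is verified by a separate test"` would make that dependency explicit.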
@@ -7577,21 +8858,27 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "is present": "true" + } + ] } ] } 
@@ -7601,21 +8888,27 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "is present": "true" + } + ] } ] } 
@@ -7625,24 +8918,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", + "check": "$.metadata.openid_provider.introspection_endpoint", "is present": "true" } ] 
@@ -7655,24 +8948,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the OP metadata contain the logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -7685,24 +8978,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the OP metadata contain the organization_name claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -7715,24 +9008,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the OP metadata contain the policy_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -7745,24 +9038,24 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", "is present": "true" } ] 
@@ -7775,24 +9068,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", "is present": "true" } ] 
@@ -7805,24 +9098,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] 
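Review bot: The description says the claim is checked "in the 'op' entity type", but the check path is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, and `openid_provider` is a metadata type, not an entity type; the neighbouring OP tests in this file describe it as the "'openid_provider' subclaim (metadata type)". Suggest `"description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked."` so the wording matches the other OP-metadata tests and the actual path.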
@@ -7835,24 +9128,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", "is present": "true" } ] 
@@ -7865,24 +9158,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.redirect_uri", + "check": "$.metadata.openid_provider.claims_supported", "is present": "true" } ] 
@@ -7895,24 +9188,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.response_type", + "check": "$.metadata.openid_provider.claims_parameter_supported", "is present": "true" } ] 
@@ -7925,24 +9218,24 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does the OP metadata contain the request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.metadata.openid_provider.request_parameter_supported", "is present": "true" } ] 
@@ -7955,24 +9248,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.state", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is present": "true" } ] 
@@ -7985,24 +9278,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the OP metadata contain the client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", + "check": "$.metadata.openid_provider.client_registration_types_supported", "is present": "true" } ] 
@@ -8015,24 +9308,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the OP metadata contain the request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", "is present": "true" } ] 
@@ -8045,24 +9338,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.openid_provider.response_modes_supported", "is present": "true" } ] 
@@ -8075,24 +9368,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP metadata contain the response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_provider.response_types_supported", "is present": "true" } ] @@ -8105,24 +9398,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the OP metadata contain the revocation_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_provider.revocation_endpoint", "is present": "true" } ] 
@@ -8135,24 +9428,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", "is present": "true" } ] 
@@ -8165,24 +9458,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the OP metadata contain the scopes_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata.openid_provider.scopes_supported", "is present": "true" } ] @@ -8195,24 +9488,24 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.openid_provider.subject_types_supported", "is present": "true" } ] 
@@ -8225,24 +9518,24 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the OP metadata contain the token_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.openid_provider.token_endpoint", "is present": "true" } ] 
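Review bot: The new `token_endpoint` test only asserts that the claim exists, so an OP metadata entry holding an `http://` URL, or a URL pointing at a different host than the OP, passes; this is the endpoint where the RP will POST its client assertion and authorization code, so the scheme and origin are the security-relevant part. If the check grammar accepts a pattern match on a decoded payload value (the head checks in this file use `check regex`), add a second check such as `{ "in": "payload", "check": "$.metadata.openid_provider.token_endpoint", "check regex": "^https://" }`; whether `check regex` can be combined with a JSONPath `check` is not visible in this hunk, so adapt the form to what the tool accepts. The same presence-only limitation applies to the `revocation_endpoint` and `userinfo_endpoint` tests added by this commit.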
@@ -8255,24 +9548,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", "is present": "true" } ] 
@@ -8285,24 +9578,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", "is present": "true" } ] 
@@ -8315,24 +9608,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the OP metadata contain the userinfo_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_provider.userinfo_endpoint", "is present": "true" } ] 
@@ -8345,24 +9638,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", "is present": "true" } ] 
@@ -8375,25 +9668,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" } ] } 
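Review bot: The added `claims_parameter_supported` test still uses the `decode param` key with the `[^\\r\\n]*` value, while the preceding hunks of this same commit rename that key to `decode regex` for the identical value; if the tool treats `decode param` as a parameter name rather than a regex, the JWT is never located and the check does not run against the body. The JSONPath `$.metadata.openid_provider.claims_parameter_supported.value` also looks wrong: in OpenID Connect Discovery `claims_parameter_supported` is a JSON boolean, not an object with a `value` member, and every other metadata check in these hunks addresses the claim directly. I would write `"decode regex": "[^\\r\\n]*"` and `"check": "$.metadata.openid_provider.claims_parameter_supported"`, keeping `"is": "true"` only if the tool compares decoded booleans by their string form, which this hunk does not show. The description says only presence is checked while the test asserts a value; align the wording.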
@@ -8405,25 +9698,25 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } 
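Review bot: The `request_parameter_supported` test uses `"decode param": "[^\\r\\n]*"` although this commit elsewhere switches the same decode operation to `"decode regex": "[^\\r\\n]*"`; with the old key the regex may be looked up as a parameter name and the body JWT silently not decoded. The check path `$.metadata.openid_provider.request_parameter_supported.value` appends a `.value` member that a boolean metadata claim does not have, so the assertion is likely to fail even on a conforming OP; use `"check": "$.metadata.openid_provider.request_parameter_supported"` as the other metadata checks in this file do. The description still describes a presence check, while the test pins the value to `true`.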
@@ -8435,21 +9728,27 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" + } + ] } ] } 
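Review bot: The new `authorization_response_iss_parameter_supported` test keeps `"decode param": "[^\\r\\n]*"` where the other decode operations touched by this commit now read `"decode regex": "[^\\r\\n]*"`, so the key should be updated here as well or the JWT extraction may not happen. The JSONPath `$.metadata.openid_provider.authorization_response_iss_parameter_supported.value` addresses a `value` member of what is a boolean claim (RFC 9207 defines it as a boolean), so `"check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported"` is the path that can actually match. Note also that this hunk removes the RP `Content-Type: application/entity-statement+jwt` test rather than moving it; if that check is not re-added elsewhere in the patch, the RP Entity Configuration media type is no longer verified.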
@@ -8459,20 +9758,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_OP" + } + ] } ] } @@ -8482,20 +9788,20 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "checks": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] } 
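Review bot: The description of the new `sub` test promises that `sub` must equal `iss`, but the only check compares `$.sub` with the `X_url_OP` placeholder, so an Entity Configuration whose `iss` differs from `sub` still passes as long as `sub` matches the configured OP URL. Add a parallel check, `{ "in": "payload", "check": "$.iss", "is": "X_url_OP" }`, so both claims are pinned to the same expected value and the self-signed statement property is actually verified. The decode operation also uses `decode param` where the rest of this commit switches to `"decode regex": "[^\\r\\n]*"` for the same value; use the new key here too.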
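Review bot: The token-response `Content-Type` check uses an exact `"is": "application/json"` match, which flags a conforming OP that answers `application/json; charset=utf-8`, a legitimate and common media-type parameter. Unless `is` on `head` performs a prefix or contains match (not visible in this hunk; the header check removed by this commit used `check param` rather than `check`, so the semantics may differ), prefer the regex form the file already uses for status lines: `"check regex": "Content-Type:\\s*application/json"`. It is also worth confirming that `"check": "Content-Type"` on `head` selects the header value rather than matching the string anywhere in the head section.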
@@ -8505,20 +9811,20 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "checks": [ { - "in": "url", - "is present": true, - "check": "client_id" + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
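Review bot: The `token_type` check compares the body value to `Bearer` exactly, while RFC 6749 §5.1 makes the `token_type` value case-insensitive, so an OP returning `bearer` is OAuth-compliant yet fails this test. If the federation profile under test mandates the exact spelling `Bearer`, keep the check but state that in the description; otherwise use a case-insensitive match such as `"check regex": "(?i)\"token_type\"\\s*:\\s*\"bearer\""`, assuming `check regex` is honoured for `body` as it is for `head` elsewhere in this file. It is not visible whether `check` on `body` parses the JSON or does a substring match, so confirm that a value like `Bearer-x` would be rejected.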
@@ -8528,551 +9834,790 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the request parameter", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Authentication request", + "edit operations": [ + { + "from": "url", + "value": "", + "edit": "request" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "url", - "is present": true, - "check": "response_type" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", + "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", + "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "session": 
"s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ + { + "from": "url", + "value": "", + "edit": "scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ + { + "from": "url", + "value": "example", + "edit": "request" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", + "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. 
The same parameter in the JWT's payload is left unchanged", + "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ + { + "from": "url", + "value": "openid", + "edit": "scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests without the client assertion", + "description": "A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed", + "type": "active", "sessions": [ "s_CIE_introsp" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "is present": true, - "check regex": "client_id" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests without the client assertion type", + "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", + "type": "active", "sessions": [ "s_CIE_introsp" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "token" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection 
request made by the RP use HTTP POST", - "type": "passive", + "name": "Does the OP accept introspection requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", + "type": "active", "sessions": [ "s_CIE_introsp" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Introspection request", - "checks": [ + "edit operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Revocation request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "is present": true, - "check regex": "client_assertion" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", - "type": "passive", + "name": "How does the OP behave when receiving an introspection request without the token", + "description": "An introspection request without a token is sent and the introspection response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - 
"message type": "Revocation request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "value": "", + "edit regex": "(?<=token=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Revocation request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "client_id" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests with a wrong client assertion type", + "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Revocation request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "X_wrong_value", + "edit regex": 
"(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "token" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", - "type": "passive", + "name": "Does the OP verify the client id of the Introspection Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "is present": true, - "check regex": "client_assertion" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", - "type": "passive", + "name": "Does the OP verify the parameters of the client assertion in the Introspection 
request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", - "type": "passive", + "name": "How does the OP behave when receiving an introspection request with a wrong token", + "description": "An introspection request with a token not valid is sent and the introspection response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "X_not_valid_tkn", + "edit regex": "(?<=token=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + 
"then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "client_id" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", - "type": "passive", + "name": "Does the OP verify the presence of token in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ - { - "in": "body", - "is present": true, - "check regex": "code" + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=token=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "code_verifier" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token 
request sent by the RP must contain grant_type parameter in the URL", - "type": "passive", + "name": "Does the OP accept revocation request without the client assertion", + "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "is present": true, - "check regex": "grant_type" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. 
After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", - "type": "passive", + "name": "Does the OP accept Revocation Requests without the client assertion type", + "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Revocation request", - "checks": [ + "edit operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. 
In the Authorization field of the header there must be an Access Token", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "UserInfo request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "is present": true, - "check param": "Authorization" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", - "type": "passive", + "name": "Does the OP accept Revocation Requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" - } - ] + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is": "X_url_RP" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", - "type": "passive", + "name": "Does the OP verify the client assertion type of the Revocation Request", + "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "value": "urn-ietf", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET 
request to the entity's endpoint is done and its entity configuration is expected as response.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the JWT payload contain a correct sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", + "name": "Does the OP verify the client id of the Revocation Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", "type": "active", "sessions": [ "s1" 
@@ -9086,544 +10631,545 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", - "decode operations": [ + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ], - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.sub", - "contains": "saved_iss" - } - ] + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", - "type": "passive", + "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" - ] + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", - "type": "passive", + "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Authentication request", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the 
Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", + "name": "Does the OP require the client_id in the token request", + "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", - "type": "passive", + "name": "Does the token response to a token request made without the code parameter return a Token Error response", + "description": "This test consists in sending a token request without the code parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "value": "", + "edit regex": "(?<=code=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", - "type": "passive", + "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=code_verifier=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", - "type": "passive", + "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" - } - ] + "value": "", + "edit regex": "(?<=grant_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" - } - ] + "value": "urn-aert", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", + "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" - } - ] + "value": "X_wrong_code", + "edit regex": "(?<=code=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" - } - ] + "value": "X_wrong_code", + "edit regex": "(?<=code_verifier=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", - "type": "passive", + "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", + "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - 
"check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Entity Configuration response RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" - } - ] + "value": "example", + "edit regex": "(?<=grant_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema 
compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token request", - "decode operations": [ + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" - } - ] + "in": "body", + "check": "unsupported_grant_type" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. 
Its value must be a timestap", - "type": "passive", + "name": "Does the OP check the client_id in the request", + "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token request", - "decode operations": [ + "edit operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. 
Its value must be a timestap", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token request", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain correct client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "How does the OP behave when the token in the userinfo request is missing", + "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", "type": "active", "sessions": [ "s1" @@ -9637,12 +11183,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", + "message type": "UserInfo request", "edit operations": [ { - "from": "body", - "value": "https://example.com", - "edit regex": "(?<=client_id=)([^&]+)" + "from": "head", + "value": "", + "edit": "Authorization" } ] }, @@ -9650,15 +11196,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "UserInfo response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "body", - "check": "invalid_client" + "check": "invalid_request" } ] } 
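Review bot: Two tests in this hunk apply the identical edit to the Token request — blanking `client_id` with `(?<=client_id=)([^&]+)` — but assert contradictory responses: "Does the OP require the client_id in the token request" expects `HTTP 401` / `invalid_client`, while "Does the OP check the client_id in the request" expects `HTTP 400` / `invalid_request`, so at least one of them fails against any OP. Decide which error the targeted profile mandates for a missing client_id when the client_assertion is still present and valid, keep one test with that expectation, and drop the other. The PKCE pair also looks swapped: a wrong `code_verifier` is asserted as `invalid_request`, but RFC 7636 §4.6 requires `invalid_grant` on a verifier mismatch, which is exactly what the missing-`code_verifier` test in this hunk already expects. Every "without the X parameter" test only empties the value (`"value": ""` leaves `X=` in the body), so they exercise empty-value handling rather than an absent parameter; if absence is the intent, the edit regex presumably has to consume the key and separator too, e.g. `"edit regex": "(code_verifier=[^&]*&?)"`. The first test in the hunk is cut: its `"test"` object and `"sessions"` array begin before the hunk header.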
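Review bot: The expected UserInfo error for a request whose `Authorization` header was blanked in the previous hunk is `HTTP 400` / `invalid_request`, but RFC 6750 §3.1 says a request carrying no bearer credentials gets `401` with a `WWW-Authenticate: Bearer` challenge and no error code (400 `invalid_request` is reserved for malformed requests), so a conformant OP would fail this assertion. I would change the status check to `"check regex": "HTTP/?\\d?\\.?\\d?\\s401"`, replace the body check with a head check for `WWW-Authenticate`, and not require any body. Whether mig-t's `"edit": "Authorization"` with `"value": ""` removes the header or sends `Authorization:` with an empty value is not visible here; an empty header may legitimately be answered with `invalid_token` instead, so the test name ("token ... is missing", defined in the preceding hunk) should match what is actually sent.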
@@ -9668,20 +11214,20 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain correct type of client_assertion_type",
- "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
+ "message type": "Entity Configuration response OP",
 "checks": [
 {
- "in": "body",
- "check": "client_assertion_type",
- "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -9691,20 +11237,20 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain correct client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
+ "message type": "Entity Configuration response OP",
 "checks": [
 {
- "in": "body",
- "check": "client_id",
- "is": "X_url_RP"
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
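Review bot: The second hunk's test ("Does the Entity expose the /.well-known/openid-federation endpoint") has exactly the same operations as the first ("Does the entity return a correct HTTP code in the EC response") — both intercept `Entity Configuration response OP` and assert only the `HTTP ... 200` status line — so the two tests are redundant and neither verifies that an entity configuration was actually returned, which is what the description of the second one claims. The expose test could check the body shape instead, e.g. a body `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+"` for a compact JWS and a head check for `Content-Type: application/entity-statement+jwt`, the media type OpenID Federation prescribes for this endpoint. Note also that `"is present": "true"` is a string here while the passive checks removed earlier in this file used the boolean `"is present": true`; if mig-t parses the field as a boolean the string form may be ignored or rejected, so one form should be used consistently.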
@@ -9714,20 +11260,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Revocation response", "checks": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -9737,20 +11283,20 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Token response", "checks": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
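Review bot: The description requires an empty HTTP 200 response from the revocation endpoint, but the only check is the status regex, so a 200 carrying a body (an error JSON or an HTML page) passes. If the tool supports absence checks on the body the way it does on keys (`"is present": false` is used on `refresh_token` later in this change), a second check such as `{ "in": "body", "check regex": "\\S", "is present": false }` would cover the emptiness requirement — hedged on whether `check regex` combines with `is present: false`.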
@@ -9760,20 +11306,20 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Token response", "checks": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
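Review bot: This test repeats the previous one (`Does the OP handle a correct token request`) exactly — same session, same message type, same status regex — so it reports the same condition twice and adds no coverage; unless the tool needs separate entries for separate report lines, one of them can go. The name also reads oddly; `Is the HTTP status of a token response correct?` matches the description.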
@@ -9783,19 +11329,19 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication response", "checks": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", "is present": "true" } ] 
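Review bot: The regex `(?<=code=)[a-zA-Z0-9]+(?=&)` cannot match the UUID the description requires: a hyphenated UUID stops the `[a-zA-Z0-9]+` run at the first `-`, where the lookahead then fails because the next character is `-` rather than `&`; it also fails whenever `code` is the last parameter of the Location value. A pattern that matches the stated format and does not depend on a following parameter is `(?<=code=)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=&|\\s|$)` (JSON escaping as written). If codes are not UUIDs in the targeted deployment, the description should be corrected instead of the regex.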
@@ -9806,19 +11352,19 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "checks": [ { "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", "is present": "true" } ] 
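Review bot: The description says the Entity Configuration must be a JOSE document served as `Content-Type: application/entity-statement+jwt`, but only the body is checked; a head check such as `"check regex": "Content-Type:\\s?application/entity-statement\\+jwt"` would cover the stated media-type requirement. The body regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` also admits `=`, `+` and `/`, which do not occur in the base64url segments of a JWS compact serialization, so a non-base64url encoding that a conforming verifier would reject still passes; `[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+` is closer to the signed format the test describes.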
@@ -9852,19 +11398,19 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token response", "checks": [ { "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", "is present": "true" } ] @@ -9875,19 +11421,19 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token response", "checks": [ { "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", "is present": "true" } ] 
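Review bot: The lookbehind `(?<=\"access_token\":\\s?)` admits at most one whitespace character between key and value, so a pretty-printed body with a newline and indentation after the colon fails even though a valid token is present; the same fixed-whitespace assumption sits in the `id_token` check of the next hunk, in `\"active\": true` further down, and in the `(?<=\"id_token\": \")` / `(?<=\"access_token\": \")` decode patterns of the later hunks, where exactly one space is required and a compact `\"access_token\":\"` body fails. Outside a lookbehind `\\s*` is the fix; inside one, an engine that rejects unbounded lookbehind (Java's does) needs a bounded form such as `(?<=\"access_token\":\\s{0,8})` — hedged on which engine the tool uses.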
@@ -9898,19 +11444,19 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "UserInfo response", "checks": [ { "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", "is present": "true" } ] @@ -9921,20 +11467,20 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the Introspection Endpoint Response have the active parameter", + "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "message type": "Introspection response", "checks": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "in": "body", + "is present": true, + "check regex": "active" } ] } 
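Review bot: The regex `[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$` only establishes that the body ends in five base64url segments, i.e. a JWE compact serialization; it says nothing about the encrypted payload being a signed JWT as the name and description require, so an encrypted-but-unsigned userinfo response passes. Whether the inner JWS can be asserted depends on the tool being able to decrypt, which none of the visible operations does; if it cannot, the name should claim only what is checked, e.g. `Does the UserInfo Endpoint return a JWE`. The pattern is also unanchored at the start, so a body with content before the token still matches; `^` would tighten it if the check is applied to the body alone.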
@@ -9944,20 +11490,20 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the Introspection Endpoint returns true on active tokens", + "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "UserInfo request", + "message type": "Introspection response", "checks": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "in": "body", + "is present": true, + "check regex": "\"active\": true" } ] } @@ -9967,29 +11513,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
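Review bot: `"in": "url"` cannot find the HTTP method: the request line's method is not part of the URL, so `"check": "POST"` never matches (or the location is unsupported) and the test fails regardless of what the OP accepts. The method check this change removed used the head — `"in": "head", "check regex": "POST"` — and that is the form this check should take. Note that this is a passive check on the request, so it observes which method the RP used rather than verifying that the OP rejects a non-POST revocation request, which the name `Does the OP verify the HTTP method of the Revocation request` implies.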
@@ -9999,30 +11536,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } @@ -10032,30 +11559,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
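Review bot: The two tests in this hunk (`Does the successful token response contain access token` and `Does the OP issue the access tokens when requested`) carry the identical operation and check, so they report the same condition twice; the second one's description (authentication with scope `openid`, then code exchange) is not reflected in any visible operation — as a passive test it only observes whatever session `s1` did. The bare `"check regex": "access_token"` also matches the substring anywhere in the body, including an `error_description` that mentions the parameter; `\"access_token\"\\s*:` ties it to the key, and the same applies to `expires_in`, `id_token` and `token_type` in the following hunks.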
@@ -10065,30 +11582,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } 
@@ -10098,30 +11605,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } @@ -10131,29 +11628,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } 
@@ -10163,30 +11651,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "head", + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } 
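Review bot: `"check param": "HTTP/?\\d?\\.?\\d?\\s200"` uses a regex as a parameter name: every sibling status check in this change writes this pattern under `"check regex"`, and a parameter literally named `HTTP/?\d?\.?\d?\s200` will never be present in the head, so the test fails on a correct 200 response. It should read `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`.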
@@ -10196,28 +11674,53 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", - "type": "passive", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.iss", + "contains": "saved_iss" } ] } 
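Review bot: The final check uses `"contains": "saved_iss"` while the name and description require the ID Token's `iss` to equal the OP's entity identifier; a containment check accepts an issuer that merely embeds the saved value (a longer URL with the OP's URL as prefix or path component), which is the issuer-confusion case the check exists to catch. If the tool's variable mechanism works with the equality operator used elsewhere in this file, `"is": "saved_iss"` with `"use variable": "true"` is the right form — hedged on whether `use variable` applies to `is`. `"use variable": "true"` is also a string where other flags in this change are booleans; if the tool compares values, a string `"true"` may not enable variable substitution at all.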
@@ -10229,60 +11732,50 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the OP issue refresh tokens even when it is not supposed to", + "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check": "refresh_token", + "is present": false } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": 
"$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] + "check": "$.exp", + "is present": "true" } ] } @@ -10294,15 +11787,15 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -10311,10 +11804,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$.iat", + "is present": "true" } ] } 
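Review bot: `"result": [ "s1" ]` gives the `result` key an array value where the rest of this file uses a string (`"correct flow s1"` and `"assert_only"` are visible earlier in this diff); if the loader expects a string, the refresh-token test is rejected or mis-evaluated at load time rather than when it runs, so unless the array form is a documented alternative, `"result": "correct flow s1"` is the consistent choice. That test is also passive, so the scope condition in its description (a scope different from `offline_access`) is not enforced by any operation and depends on what session `s1` happens to request. Within the same hunk the `exp` test writes `"is present": "true"` as a string while the refresh-token check writes `"is present": false` as a boolean; one spelling should be used throughout.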
@@ -10326,20 +11817,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
@@ -10349,20 +11847,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
@@ -10372,20 +11877,27 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } @@ -10395,24 +11907,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", + "check": "$.sub", "is present": "true" } ] 
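Review bot: The `sub` check only asserts presence; in an Entity Configuration the `sub` claim is the same entity identifier as `iss` (OpenID Federation 1.0, Entity Configuration), and a presence check accepts a statement issued about a different subject. The save-and-compare mechanism this change introduces for the ID Token `iss` test (`"jwt save": "$.iss"` followed by a check with `"use variable"`) would let this test compare `$.sub` against the saved `$.iss` — hedged on whether the tool allows saving and checking within the same intercepted message.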
@@ -10425,24 +11937,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", + "check": "$.authority_hints", "is present": "true" } ] @@ -10455,24 +11967,24 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -10485,24 +11997,24 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "in": "header", + "check": "$.alg", "is present": "true" } ] @@ -10515,24 +12027,24 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "in": "header", + "check": "$.kid", "is present": "true" } ] 
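Review bot: `"check": "$.alg"` with `"is present": "true"` is satisfied by `"alg": "none"` and by any weak or unexpected algorithm, so the test does not reject an access token the RP must not accept. The RP-metadata checks this change removed used `"is in"` with an explicit algorithm list; the same operator with the algorithms the targeted profile allows for access tokens (not visible here, so as a placeholder `"is in": [ "<ALLOWED_ALG>" ]`) turns this into an actual compliance check. The same presence-only pattern applies to `kid` in the next hunk, where at least a non-empty string would be worth asserting if the tool can express it.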
@@ -10545,24 +12057,24 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "in": "header", + "check": "$.typ", "is present": "true" } ] @@ -10575,24 +12087,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "check": "$.aud", "is present": "true" } ] 
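Review bot: `"check": "$.typ"` with `"is present": "true"` accepts any value; RFC 9068 §2.1 requires JWT access tokens to carry `"typ": "at+jwt"`, which is what lets a resource server refuse an ID Token replayed as an access token. If the targeted profile follows RFC 9068, `"is": "at+jwt"` (the equality operator already used in this file) should replace the presence check — hedged on the profile's requirement.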
@@ -10605,24 +12117,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "check": "$.client_id", "is present": "true" } ] @@ -10635,24 +12147,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", + "check": "$.exp", "is present": "true" } ] 
@@ -10665,24 +12177,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'grant_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.",
+ "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -10695,24 +12207,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
+ "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -10725,24 +12237,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.signed_jwks_uri",
+ "check": "$.jti",
 "is present": "true"
 }
 ]
@@ -10755,24 +12267,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
+ "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "check": "$.scope",
 "is present": "true"
 }
 ]
@@ -10785,24 +12297,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
+ "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -10815,24 +12327,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "in": "header",
+ "check": "$.alg",
 "is present": "true"
 }
 ]
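Review bot: The second test in this line is named "correct 'alg'" but its check is `"is present": "true"`, so an ID Token whose header says `none` or an HMAC algorithm passes. Either rename it to a presence test or keep the `"is not in"` list this commit drops from the RP tests, `"is not in": ["none", "HS256", "HS384", "HS512"]`, in place of the presence check; an asymmetric algorithm is also what the ID-token signature test further down assumes when it verifies against the OP public key.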
@@ -10845,24 +12357,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the organization_name claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
+ "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
+ "in": "header",
+ "check": "$.kid",
 "is present": "true"
 }
 ]
@@ -10875,24 +12387,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the policy_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
+ "check": "$.acr",
 "is present": "true"
 }
 ]
@@ -10905,24 +12417,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
+ "name": "Does ID token payload contain the 'at_hash' parameter",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
+ "check": "$.at_hash",
 "is present": "true"
 }
 ]
@@ -10935,24 +12447,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
+ "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "check": "$.aud",
 "is present": "true"
 }
 ]
@@ -10965,24 +12477,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
+ "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -10995,24 +12507,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
+ "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -11025,24 +12537,24 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'response_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -11055,30 +12567,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.jti",
+ "is present": "true"
 }
 ]
 }
@@ -11090,27 +12597,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
+ "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is not in": [
- "RSA_1_5"
- ]
+ "check": "$.nonce",
+ "is present": "true"
 }
 ]
 }
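Review bot: Presence of `nonce` in the ID Token payload does not show it is the nonce the client sent in the Authentication request, which is what makes the claim useful against an ID Token being replayed in another session. An active variant could save the value from the Authentication request with the `"message operations"`/`"save"`/`"as"` step the client_id test further down uses, then assert `"check": "$.nonce", "is": "auth_nonce", "use variable": "true"` on the Token response; the passive presence check can stay as the baseline. The description should say that only presence is verified here.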
@@ -11122,30 +12627,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -11157,55 +12657,43 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP",
- "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP",
- "type": "active",
+ "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.client_id",
- "as": "client_id"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "code"
 }
 ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
 {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "contains": "client_id"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "state"
 }
 ]
 }
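Review bot: `"contains": "code"` on the Location header is a substring match, so a redirect whose `redirect_uri` path or `error_description` merely contains the word passes while the query parameter is absent; the same applies to `"contains": "state"` in the second test of this hunk and to `"contains": "iss"` in the next hunk, where `iss` is also a substring of many hostnames. A regex anchored on the query syntax, e.g. `"check regex": "[?&]code=[^&]+"` with `"is present": "true"` (the `check regex`/`is present` pair is already used in the revocation test below), would assert the parameter instead of the word. A sentence in the description noting that only presence of the parameter, not its value, is verified would also help.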
@@ -11215,55 +12703,43 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.",
- "type": "active",
+ "name": "Does the OP contain iss parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.redirect_uri",
- "as": "redirect_uris"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "iss"
 }
 ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the token response have Cache-Control set to 'no-store'",
+ "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
 {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "$.metadata.openid_relying_party.redirect_uris",
- "contains": "redirect_uris"
- }
- ]
+ "in": "head",
+ "check param": "Cache-Control",
+ "contains": "no-store"
 }
 ]
 }
@@ -11273,8 +12749,8 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request",
 "type": "active",
 "sessions": [
 "s1"
@@ -11289,18 +12765,11 @@
 "from session": "s1",
 "then": "forward",
 "message type": "Authentication request",
- "decode operations": [
+ "message operations": [
 {
 "from": "url",
- "decode param": "request",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.response_type",
- "as": "response_types_supported"
- }
- ]
+ "save": "client_id",
+ "as": "auth_client_id"
 }
 ]
 },
@@ -11308,18 +12777,18 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types[0]",
- "contains": "response_types_supported"
+ "check": "client_id",
+ "is": "auth_client_id",
+ "use variable": "true"
 }
 ]
 }
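Review bot: The new Token-response check uses the bare name `"check": "client_id"` while every other JWT payload check in this file, including the passive `client_id` test above, uses a JSONPath (`"$.client_id"`); the same applies to `"check": "scope"` in the next test's Token-response hunk. If the engine treats `check` as a JSONPath for `is` as it does for `is present`, the bare name may match nothing and the comparison against `auth_client_id` would fail or be skipped; please confirm and use `"check": "$.client_id"` for consistency unless bare names are documented for `is`. The enclosing test starts in the hunks above and its body continues outside this one.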
@@ -11331,8 +12800,8 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications",
+ "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.",
 "type": "active",
 "sessions": [
 "s1"
@@ -11347,18 +12816,11 @@
 "from session": "s1",
 "then": "forward",
 "message type": "Authentication request",
- "decode operations": [
+ "message operations": [
 {
 "from": "url",
- "decode param": "request",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "iss"
- }
- ]
+ "save": "scope",
+ "as": "auth_scope"
 }
 ]
 },
@@ -11366,18 +12828,18 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "contains": "iss"
+ "check": "scope",
+ "is": "auth_scope",
+ "use variable": "true"
 }
 ]
 }
@@ -11389,55 +12851,45 @@
 },
 {
 "test": {
- "name": "Does the JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP",
- "type": "active",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.metadata.openid_relying_party.client_id",
- "as": "client_id"
- }
- ]
+ "jwt check sig": "X_key_OP"
 }
 ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
 {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token request",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "$.iss",
- "contains": "client_id"
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
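Review bot: The unchanged context line `"decode param": "[^\\r\\n]*"` decodes the OP Entity Configuration under the `decode param` key, while the OP-metadata tests added later in this file use `"decode regex": "[^\\r\\n]*"` for the same body, and one hunk in this commit even renames `decode param` to `decode regex`; unless the two keys are aliases, one of the forms is silently not decoding, so please confirm which key the engine expects and use it in both places. The Entity Configuration description also says the verification key "must be taken from the Entity Statement of a superior", but the check verifies against the preconfigured variable `X_key_OP`, and the token tests against `X_key_core_OP`; a sentence stating that the key is operator-supplied (and why the Entity Configuration and the tokens use different variables) would keep readers from assuming the test resolves the trust chain itself.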
@@ -11447,8 +12899,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'",
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "type": "jwt",
+ "jwt check sig": "X_key_core_OP"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided",
+ "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -11462,19 +12938,12 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "message operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "saved_iss"
- }
- ]
+ "edit": "(?<=token=)([^&]+)",
+ "in": "123.123.123"
 }
 ]
 },
@@ -11482,20 +12951,12 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
- "decode operations": [
+ "message type": "Revocation response",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "$.aud[0]",
- "contains": "saved_iss"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
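Review bot: The only assertion after substituting the non-existing token is the `200` status regex, and RFC 7009 §2.2 requires exactly that response for an unknown token, so the test cannot tell a compliant endpoint from one that ignores the request body entirely. The description should state the expected behaviour it encodes (200 with no error for an unknown token), and if the engine supports a negative presence check, asserting that the body carries no `error` member would make "answer correctly" mean something. The enclosing test starts in the previous hunk.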
@@ -11505,32 +12966,28 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr_values",
+ "check": "$.metadata.openid_provider.acr_values_supported[0]",
 "is in": [
 "https://www.spid.gov.it/SpidL1",
 "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3"
+ "https://www.spid.gov.it/SpidL3"
 ]
 }
 ]
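Review bot: The check only inspects `acr_values_supported[0]` with `is in`, so metadata that advertises a single level, or a non-SPID value at index 1 or 2, passes even though the description says the value is checked to be the full list of three. The same `[0]`-only pattern is used in the following hunks for `grant_types_supported`, `id_token_encryption_alg_values_supported` and `id_token_encryption_enc_values_supported`, and for `code_challenge_methods_supported`, where a weaker second entry such as `plain` would go unnoticed. If the engine has no whole-array comparison, parallel checks on `[1]` and `[2]` with the same `is in` list, or an `is not in` check for values that must not be advertised, would get closer to what each description claims; otherwise the descriptions should say that only the first element is checked.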
@@ -11543,27 +13000,26 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.prompt",
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
 "is in": [
- "consent",
- "consent login"
+ "S256"
 ]
 }
 ]
@@ -11576,31 +13032,27 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.",
+ "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
+ "check": "$.metadata.openid_provider.grant_types_supported[0]",
 "is in": [
- "openid",
- "openid profile",
- "openid email",
- "openid offline_access",
- "openid offline_access profile",
- "openid offline_access email"
+ "refresh_token",
+ "authorization_code"
 ]
 }
 ]
@@ -11613,29 +13065,27 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -11648,21 +13098,30 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_RP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -11672,21 +13131,30 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_core_RP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } 
@@ -11696,31 +13164,26 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" ] } ] 
@@ -11733,31 +13196,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -11770,31 +13229,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" ] } ] 
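Review bot: The description says only the presence of 'token_endpoint_auth_methods_supported' is checked, but the check asserts that its first value is `private_key_jwt`, so a failure would be reported for a reason the description does not mention; the client_registration_types_supported hunk has the same mismatch (description says presence, check asserts `automatic`). Suggested wording: `"description": "In this test the OP metadata are taken and the first value of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'private_key_jwt'."`.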
@@ -11807,31 +13261,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -11844,31 +13294,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -11881,31 +13327,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" ] } ] 
@@ -11918,31 +13359,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" ] } ] 
@@ -11955,31 +13392,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" ] } ] 
@@ -11992,31 +13424,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" ] } ] 
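Review bot: `$.metadata.openid_provider.revocation_endpoint_auth_methods_supported` is the only metadata check in this series without a `[0]` index, so `is in` is applied to the whole array instead of to a string value; unless that is a deliberate whole-array comparison (in which case the description should say so and the sibling checks should do the same), it reads as a missed index. For consistency with the surrounding checks: `"check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported[0]",`.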
@@ -12029,31 +13456,29 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" ] } ] 
@@ -12066,31 +13491,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" ] } ] 
@@ -12103,31 +13523,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -12140,31 +13556,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -12177,31 +13589,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -12214,31 +13622,28 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Token response", "decode operations": [ { "from": "body", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } + "in": "payload", + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] 
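Review bot: The description states that the acr must be equal or superior to the one requested by the RP, but the check only verifies that `$.acr` is one of the three SpidL URIs; nothing in this test correlates the ID Token with the Authentication request, so the description overclaims what is verified. Either drop that sentence or append `The comparison with the acr requested by the RP in the Authentication Request is not performed by this test.` The regex `(?<=\"id_token\": \")[^\"]+` also assumes exactly one space after the colon, so a compactly serialized Token response (`"id_token":"..."`) would not be matched and, depending on how a non-matching decode operation is reported, the acr check might not run at all; `(?<=\"id_token\":\\s*\")[^\"]+` tolerates both serializations.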
@@ -12251,34 +13656,21 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
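Review bot: `"is": "application/entity-statement+jwt"` on the Content-Type header fails whenever `is` is an exact comparison and the entity appends a media-type parameter such as `; charset=utf-8`, which is not unusual for endpoints serving JWTs; the UserInfo hunk with `"is": "application/jwt"` has the same exposure. If the tool supports a regex or contains-style header check (the active tests in this file use `check regex` on the status line), matching the media type only would be more robust; if `is` already ignores parameters, stating that in the description would settle the question.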
@@ -12288,34 +13680,21 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } 
@@ -12325,36 +13704,35 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bE
aQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] - } - ] - } - ] + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] } ], "result": "correct flow s1" 
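Review bot: The `jwe decrypt` value embeds a complete PEM private key in the committed test definition, while every other key in this file is referenced through a placeholder resolved at run time (`X_key_RP`, `X_key_core_RP`, `X_wrong_key`); the same key is repeated verbatim in the following cty hunk, so a rotation has to be done in several places and the key material itself lives in version control. If the tool resolves placeholders for `jwe decrypt` as it does for `jwt check sig`, a placeholder in the same `X_key_…` style (constructed name, e.g. `X_key_userinfo_RP`) should replace both copies. Separately, this decode operation uses `"decode param": "[^\\r\\n]*"` whereas this same commit moves that regex from `decode param` to `decode regex` in the Entity Configuration hunks; if `decode param` is not evaluated as a regex, the UserInfo JWE is never extracted and the alg/cty checks do not run, so `"decode regex": "[^\\r\\n]*",` is probably what is intended here and in the cty hunk.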
@@ -12362,32 +13740,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu
7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } 
@@ -12399,73 +13771,103 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", + "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "jwt from": "header", + "jwt edit": "alg", + "value": "none" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", - "type": "passive", + "name": "Does the OP refuse wrongly signed Authentication Requests", + "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. 
If the OP grants the tokens anyway, than it did not check the signature.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "jwt sign": "X_wrong_key" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unauthorized_client" + } + ] } ], "result": "correct flow s1" 
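Review bot: The alg-none test ends with `"result": "assert_only"` while the otherwise parallel wrongly-signed test in the same hunk ends with `"result": "correct flow s1"`; the two should agree unless the difference is intentional, in which case the description should say why. The alg-none test only rewrites the `alg` header and leaves the original signature segment in place, so a rejection may come from a malformed-token check rather than from the algorithm policy the name refers to, and no symmetric algorithm is exercised despite the name "non-asymmetric method"; a more accurate name would be `"name": "Does the OP refuse Authentication Requests whose JWT declares alg 'none'"`. The expected error codes (`invalid_request` for alg none, `unauthorized_client` for a bad signature) are not documented anywhere in the hunk and should be cross-checked against the profile, with the source noted in the description.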
@@ -12473,36 +13875,50 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", - "type": "passive", + "name": "Does the OP verify the signature of the client assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "jwt sign": "X_wrong_key" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], "result": "correct flow s1" 
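Review bot: The declared session and the session the operations drive disagree: `"sessions"` now lists only `"s_CIE_introsp"`, yet the start step and both intercepts still name `"session": "s1"` / `"from session": "s1"`, so the intercepts either never match or refer to an undeclared session; either change the three references to `"s_CIE_introsp"` or keep `"s1"` in the list. A second doubt applies to this hunk and to the Revocation (@@ -12510) and Token request (@@ -12547, @@ -12621) hunks: a client_assertion with a bad signature is a client-authentication failure, which RFC 6749 §5.2 reports as `invalid_client`, so a compliant OP would fail the `"check": "invalid_request"` body check unless the profile being tested explicitly mandates `invalid_request` — worth confirming against the spec. Finally, these tests keep `"result": "correct flow s1"` although the expected outcome is a 400 error; if that result requires the flow to complete, a correctly rejecting OP would be reported as failing, and the alg=none test in the preceding hunk already uses `"result": "assert_only"` for the same situation.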
@@ -12510,36 +13926,50 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", - "type": "passive", + "name": "Does the OP verify the signature of the client assertion in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "jwt sign": "X_wrong_key" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], "result": "correct flow s1" 
@@ -12547,71 +13977,48 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", - "type": "passive", + "name": "Does the token response to a token request made with a wrong signature return a Token Error response", + "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "jwt sign": "X_wrong_key" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": 
"$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } @@ -12621,36 +14028,50 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", - "type": "passive", + "name": "Does the OP's token endpoint refuse assertions signed with a wrong key", + "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "jwt sign": "X_wrong_key" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], "result": "correct flow s1" 
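Review bot: The two Token request tests in this hunk (@@ -12547) and the next (@@ -12621) are operationally identical — same intercept, same `"jwt sign": "X_wrong_key"` edit, same 400/`invalid_request` checks — so one of them adds no coverage. The first test's description says the signature is "substitute with a wrong one", which reads as tampering the signature bytes of the original assertion rather than re-signing with a different key; if that distinction is intended, this test should use a signature-corrupting edit and the wrong-key case stays in @@ -12621, otherwise one of the two should be dropped to avoid duplicate, diverging definitions.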
@@ -12658,32 +14079,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf
2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "header", + "check": "$.alg", + "is present": "true" } ] } 
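Review bot: An RSA private key is inlined verbatim in the `"jwe decrypt"` value and repeated in the following three hunks (@@ -12695, @@ -12732, @@ -12769); a private key does not belong in a committed test definition, and four copies will drift when the key is rotated, so it should be referenced from the tool's key configuration (or a clearly labelled test fixture) rather than pasted into each test. Separately, `enc` and `cty` are parameters of the JWE protected header, not of the inner JWT: if `"in": "header"` after `"jwe decrypt"` is evaluated against the decrypted JWT's header, the `$.enc` and `$.cty` checks in @@ -12732 and @@ -12695 can never be satisfied, while `$.alg` and `$.kid` would silently test the inner token instead of the JWE — confirm which header mig-t inspects here. Note also that the JWE protected header is readable without decryption, so these four presence checks would not need the private key at all if the tool can address the outer header directly.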
@@ -12695,32 +14110,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88
ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "header", + "check": "$.cty", + "is present": "true" } ] } 
@@ -12732,32 +14141,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pD
oGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "header", + "check": "$.enc", + "is present": "true" } ] } 
@@ -12769,32 +14172,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88o
l5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -12806,31 +14203,29 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Token response", "decode operations": [ { "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
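Review bot: The extraction regex `(?<=\"access_token\": \")[^\"]+` depends on the Token response being pretty-printed with a space after the colon; a compact body (`"access_token":"..."`) will not match, and the test then exercises nothing. A whitespace-tolerant form such as `(?<=\"access_token\":\\s?\")[^\"]+` (or the same `\\s?` in the `id_token` regex of @@ -12843) removes that dependency. The description also states that an absent `alg` makes the token non-compliant, but an `"is not in"` check on a missing value may not fail; adding `"is present": "true"` alongside it, as the other header checks in this file do, makes the absence case explicit.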
@@ -12843,31 +14238,29 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Token response", "decode operations": [ { "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -12880,15 +14273,15 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -12897,8 +14290,10 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] } ] } 
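Review bot: The forbidden value is spelled `RSA_1_5`, but the JWA identifier registered in RFC 7518 §4.1 is `RSA1_5` (no underscore after RSA), so the `"not contains"` check will never match the algorithm it is meant to reject and an RP advertising it would pass. Change the list entry to `"RSA1_5"` and align the description's `['RSA_1_5']` with it. The test name "contain incorrect … parameter" reads as if a hit were the compliant outcome; a name such as "Does the RP metadata avoid RSA1_5 for 'id_token_encrypted_response_alg'" would state the expectation unambiguously.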
@@ -12910,27 +14305,20 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
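Review bot: The new check applies a JSON schema to `"check": "$"` of the request `body`, but Introspection, Revocation and Token requests carry `application/x-www-form-urlencoded` bodies, not JSON; unless mig-t parses a form body into an object for `$`, this check and the parallel ones in @@ -12940 and @@ -12970 will not see a `client_id` property at all — worth confirming with a known-good capture. Inside the schema, `"format":"uri"` is only an annotation unless the validator opts in to format assertion, so the `"pattern":"^https://"` is what actually enforces the requirement; keeping the pattern is therefore essential even if the format keyword is retained.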
@@ -12940,27 +14328,20 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -12970,27 +14351,20 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
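Review bot: The `"json schema compliant"` string ends with `]})` — the stray `)` after the closing brace makes the embedded schema invalid JSON, so the check cannot be evaluated; the value should end `\"required\":[\"client_id\"]}"` exactly as in the two preceding hunks. The description also says the client_id is taken "in the URL of the token request", while the check reads `"in": "body"`; one of the two should be corrected so the test documents what it actually inspects.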
@@ -13000,25 +14374,33 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } 
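Review bot: Enumerating every accepted combination in `"is in"` makes the check order-sensitive: `acr_values` of `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` is semantically the same space-separated list but is rejected here, and the same applies to `"prompt"` in @@ -13030 (`login consent` vs `consent login`) and `"scope"` in @@ -13060. The scope list is also incomplete with respect to its own description: `openid profile email`, `openid offline_access profile email` and other multi-value combinations the description allows are absent from the list and would be flagged as non-compliant. A regex or JSON-schema pattern over the space-separated tokens (e.g. `^openid( (offline_access|profile|email))*$` for scope) expresses the stated rule without enumerating permutations; if the profile really fixes an order, the descriptions should say so.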
@@ -13030,25 +14412,28 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } 
@@ -13060,25 +14445,32 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain the trust marks", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] } ] } 
@@ -13090,25 +14482,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } 
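Review bot: The description requires the `state` to be "at least 32 alphanumeric characters", but the schema pattern `^[\u0020-\u007E]{32,}$` accepts any printable ASCII including spaces and punctuation; the same mismatch is in the `nonce` test of @@ -13120. Either the pattern should be `^[A-Za-z0-9]{32,}$` (if alphanumeric is the real requirement) or the descriptions should say "printable ASCII characters" — as written, a `state` of 32 spaces satisfies the check. The test name's "greater than 32 characters" also disagrees with the `{32,}` quantifier, which accepts exactly 32.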
@@ -13120,25 +14512,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } 
@@ -13150,15 +14542,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -13167,8 +14559,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -13180,15 +14572,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -13197,8 +14589,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -13210,15 +14602,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -13227,8 +14619,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -13240,25 +14632,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } 
] } @@ -13270,25 +14662,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
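Review bot: The `required` list in the metadata schema names all six entity types, so an RP Entity Configuration that publishes only the types relevant to it fails this test even though the name only asks that the types be among the allowed set. `additionalProperties: false` already enforces "only allowed types"; `required` should be dropped or reduced to the types an RP must publish (presumably `openid_relying_party` and `federation_entity` — confirm against the profile), e.g. `\"required\": [\"openid_relying_party\", \"federation_entity\"]`. Note also that "only once for each" cannot be verified by JSON Schema on a decoded payload, since duplicate keys are collapsed by the JSON parser before validation; the description should not promise that check.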
@@ -13300,25 +14692,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } 
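Review bot: The schema keyword is misspelled: `\"requirement\":[\"grant_type\"]` is not a JSON Schema keyword and the name is singular, so validators ignore it and a metadata object with no `grant_types` at all passes this test. It should read `\"required\":[\"grant_types\"]`, matching the property name declared two keys earlier; the full line becomes `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"required\":[\"grant_types\"]}"`.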
@@ -13330,15 +14722,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -13347,8 +14739,8 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } 
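Review bot: The `redirect_uris` schema accepts an empty array, because `items` only constrains elements that exist and there is no `minItems`; an RP with `"redirect_uris": []` passes a test whose name asks for HTTPS redirect URIs. Adding `\"minItems\": 1` next to `\"items\"` closes that gap, and `\"uniqueItems\": true` would also be reasonable here. The `grant_types` enum test in the next hunk has the same hole: an empty array satisfies its `items` enum without containing `authorization_code` or `refresh_token`.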
@@ -13360,15 +14752,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -13377,8 +14769,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } 
@@ -13390,25 +14782,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
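Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` admits plain `http://`, which is inconsistent with the other URL checks in this series (`client_id` and `redirect_uris` both require `^https://`), and the description says only "an URL" without mentioning the `.svg` restriction that the pattern enforces. Unless the profile deliberately allows an unencrypted logo URL, the pattern should be `^https://.*\\.svg$` and the description should state that the value must be an HTTPS URL ending in `.svg`.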
@@ -13420,25 +14812,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } 
@@ -13450,15 +14842,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -13467,8 +14859,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } 
@@ -13480,25 +14872,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } 
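Review bot: The `aud` schema `{\"type\": \"array\", \"format\": \"uri-reference\"}` does not check what the description promises: `format` applies to strings, so on an array it is a no-op, and `format` is annotation-only in most validators unless format assertion is switched on. Per RFC 7519 `aud` may also be a single string, so requiring `array` could reject otherwise valid client assertions unless the profile under test mandates an array. A schema that validates the elements would be `\"aud\": {\"oneOf\": [{\"type\": \"string\", \"pattern\": \"^https://\"}, {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"pattern\": \"^https://\"}}]}`, with the string branch dropped if an array is mandatory.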
@@ -13510,25 +14902,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
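Review bot: The new description ends with "Its value must be a timestap"; the word should be "timestamp", and the same typo appears in the `iat` description in the next hunk. Since these descriptions are shown to the tester as the rationale for a failed check, `Its value must be a timestamp` is the wording to use in both.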
@@ -13540,25 +14932,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -13570,21 +14962,27 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" + } + ] } ] } 
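Review bot: The decode operation here introduces the key `"decode regex": "[^\\r\\n]*"`, while every earlier test in this series (and the code being replaced) uses `"decode param"` for the same body regex, and the twelve hunks that follow also use `decode regex`. If the test runner only recognises one of these keys, the body is not decoded and the check on `$.metadata.openid_relying_party.client_id` can never find anything, turning these presence tests into silent no-ops; I cannot tell from the diff which key the runner accepts, so this should be confirmed against the parser and one spelling used throughout the file. Whichever key is kept, the value `"true"` for `is present` is a string rather than a boolean, consistent with the existing tests but worth the same confirmation.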
@@ -13594,25 +14992,25 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" } ] } 
@@ -13624,20 +15022,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" + } + ] } ] } 
@@ -13647,20 +15052,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" + } + ] } ] } 
@@ -13670,26 +15082,25 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } 
@@ -13701,26 +15112,25 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -13732,25 +15142,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" } ] } 
@@ -13762,25 +15172,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" } ] } 
@@ -13792,25 +15202,25 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" } ] } 
@@ -13822,25 +15232,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } 
@@ -13852,25 +15262,25 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } 
@@ -13882,25 +15292,25 @@
},
{
"test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.openid_relying_party.signed_jwks_uri",
+ "is present": "true"
}
]
}
@@ -13912,25 +15322,25 @@
},
{
"test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is present": "true"
}
]
}
@@ -13942,25 +15352,25 @@
},
{
"test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_relying_party.jwks",
+ "is present": "true"
}
]
}
@@ -13972,25 +15382,25 @@
},
{
"test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the RP metadata contain the logo_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
}
]
}
@@ -14002,25 +15412,25 @@
},
{
"test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the RP metadata contain the organization_name claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
}
]
}
@@ -14032,25 +15442,25 @@
},
{
"test": {
- "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the RP metadata contain the policy_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata_policy.openid_relying_party.jwks",
- "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
}
]
}
@@ -14062,153 +15472,15 @@
},
{
"test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response SA",
- "checks": [
- {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Listing response",
- "checks": [
- {
- "in": "body",
- "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. 
So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Statement response SA OP",
- "checks": [
- {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Statement response SA RP",
- "checks": [
- {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Fetch Entity Statement response SA RP",
- "checks": [
- {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is 
present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Resolve Entity Statement response",
- "checks": [
- {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the SA's metadata contain the contacts parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
@@ -14217,7 +15489,7 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata.federation_entity.contacts",
+ "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
"is present": "true"
}
]
@@ -14230,15 +15502,15 @@
},
{
"test": {
- "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
@@ -14247,7 +15519,7 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
"is present": "true"
}
]
@@ -14260,15 +15532,15 @@
},
{
"test": {
- "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
@@ -14277,7 +15549,7 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
"is present": "true"
}
]
@@ -14290,15 +15562,15 @@
},
{
"test": {
- "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
@@ -14307,7 +15579,7 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
"is present": "true"
}
]
@@ -14320,15 +15592,15 @@
},
{
"test": {
- "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the RP metadata contain the 'response_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
@@ -14337,7 +15609,7 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "check": "$.metadata.openid_relying_party.response_types",
"is present": "true"
}
]
@@ -14350,25 +15622,25 @@
},
{
"test": {
- "name": "Does the SA's metadata contain the homepage_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the RP metadata contain correct value of 'client_id' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.client_id",
+ "is": "x_https_RP"
}
]
}
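Review bot: The expected value `"is": "x_https_RP"` is spelled with a lowercase `x`, while the same placeholder is written `X_https_RP` in the token-request test at @@ -14544 and the RP identifier appears as `X_url_RP` at @@ -14380 and @@ -14440; if the harness substitutes placeholders by exact name, this check would compare the real `client_id` against the literal string `x_https_RP` and never pass, and if `X_https_RP` and `X_url_RP` are distinct placeholders the same RP identity is being asserted against two different values. Suggested line: `"is": "X_https_RP"`, and one placeholder name for the RP's client_id across the four tests. Separately, this hunk and the next one (@@ -14380) re-introduce `"decode param": "[^\\n\\r]*"` on the new side, while every other hunk in this commit renames that key to `"decode regex": "[^\\r\\n]*"`; unless the tool accepts both keys, these two decode operations will not run, so `"decode regex": "[^\\r\\n]*"` should be used here as well.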
@@ -14380,25 +15652,25 @@
},
{
"test": {
- "name": "Does the SA's metadata contain the logo_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does entity configuration RP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
"decode operations": [
{
"from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_url_RP"
}
]
}
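Review bot: The description says the `sub` value "must be equal to the one in the iss parameter", but the check compares `$.sub` against the fixed placeholder `X_url_RP` and never reads `$.iss`, so an Entity Configuration whose `iss` and `sub` disagree still passes as long as `sub` matches the configured RP identifier. Either the description should state what is actually asserted, e.g. `"description": "... the sub parameter is checked. Its value must be the Entity Identifier of the RP under test"`, or a second check on `$.iss` with the same expected value should be added so that the iss/sub equality the text promises is really enforced.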
@@ -14410,27 +15682,20 @@
},
{
"test": {
- "name": "Does the SA's metadata contain the organization_name parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Introspection Request contain correct type of client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
"type": "passive",
"sessions": [
- "s1"
+ "s_CIE_introsp"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
{
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
}
]
}
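Review bot: The description quotes the expected value as `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` (missing the hyphen in `client-assertion-type`), which does not match the value the check actually asserts, `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; a reader comparing test text with a failing run would be misled. The same mismatch is in the revocation-request test at @@ -14470 (`clientassertion-type`) and the token-request test at @@ -14507 (`jwtbearer`). Suggested wording for all three: `"... the value of the client_assertion_type parameter is urn:ietf:params:oauth:client-assertion-type:jwt-bearer"`.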
@@ -14440,27 +15705,20 @@
},
{
"test": {
- "name": "Does the SA's metadata contain the policy_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Introspection Request contain correct client id of the RP making the request",
+ "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP",
"type": "passive",
"sessions": [
- "s1"
+ "s_CIE_introsp"
],
"operations": [
{
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
{
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check": "client_id",
+ "is": "X_url_RP"
}
]
}
@@ -14470,34 +15728,20 @@
},
{
"test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the Revocation Request contain correct client_assertion_type",
+ "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
{
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
}
]
}
@@ -14507,34 +15751,20 @@
},
{
"test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the client_assertion_type parameter in the token request contain the correct type",
+ "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
{
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
}
]
}
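Review bot: The description says the parameter is taken "in the URL of the token request", but the check is declared with `"in": "body"`, which is where a form-encoded token request carries `client_assertion_type`; the text and the check disagree about where the value is read. The same wording appears in the next test (@@ -14544, "The client_id parameter in the URL of the token request"), whose check is also `"in": "body"`. Suggested wording for both: `"The client_assertion_type parameter in the body of the token request sent by the RP must be set to ..."`.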
@@ -14544,34 +15774,20 @@
},
{
"test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the client_id in the token request identifies the RP",
+ "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
{
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check": "client_id",
+ "is": "X_https_RP"
}
]
}
@@ -14581,71 +15797,66 @@
},
{
"test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
- "type": "passive",
+ "name": "Does the Revocation Request contain correct client_id of the RP making the request",
+ "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP",
+ "type": "active",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "edit operations": [
{
"from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "value": "https://example.com",
+ "edit regex": "(?<=client_id=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ },
+ {
+ "in": "body",
+ "check": "invalid_client"
}
]
}
],
- "result": "correct flow s1"
+ "result": "assert_only"
}
},
{
"test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA 
(oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
{
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
}
]
}
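Review bot: The body check `"check": "invalid_client"` in the Revocation response step has no `"is"` or `"is present"` clause, whereas everywhere else in this file a bare `check` names a parameter whose value is then compared (`"check": "client_id", "is": ...`); as written it presumably looks for a parameter called `invalid_client` rather than for an error body of the form `error=invalid_client`, and would be clearer as `"check": "error", "is": "invalid_client"` or a `"check regex": "invalid_client"`. The 401 head check also lacks the `"is present": "true"` that the other `check regex` entries in this commit carry, so it is unclear whether it asserts anything. Finally, the name and description still read as a passive "is the client_id correct" test, while the test is now `"type": "active"` and rewrites `client_id` to `https://example.com` expecting the OP to reject it; a description such as `"The client_id of the Revocation request is replaced with an identifier that does not belong to the RP; the OP must reject the request with HTTP 401 and error invalid_client"` would match what the operations do.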
@@ -14655,34 +15866,20 @@
},
{
"test": {
- "name": "Does the Trust Mark contain the correct type of email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
{
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
}
]
}
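Review bot: This test is operationally identical to the one introduced just before it at @@ -14581 ("Does the entity return a correct HTTP code in the EC response"): same `"message type": "Entity Configuration response RP"`, same `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` in `head`. Its description promises that the entity configuration "is expected as response", but an HTTP 200 alone does not establish that; the JOSE-format body check in the following hunk (@@ -14692) is what covers that, so this test either duplicates the previous one or should carry a distinct check. Dropping one of the two 200-only tests, or folding the 200 check into the JOSE test as a second `checks` entry, would remove the redundancy.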
@@ -14692,34 +15889,20 @@
},
{
"test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
{
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
}
]
}
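Review bot: The description states the response must carry `Content-Type: application/entity-statement+jwt`, but the only check is a body regex, so a response with any content type passes as long as the body contains three dot-separated segments; a second entry such as `{ "in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true" }` would assert what the text claims. The regex alphabet `[\\w=]` / `[\\w\\-\\+\\/=]` also admits `=`, `+` and `/`, which belong to standard base64 rather than the base64url alphabet used by JWS compact serialization, and the third segment accepts characters the first two do not; the same pattern is reused in the introspection-token check at @@ -14729. A consistent `([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)` would describe a compact JWS more faithfully, assuming the harness uses a Java/PCRE-style `\\w` that covers `_`.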
@@ -14729,34 +15912,20 @@
},
{
"test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the Introspection Request contain correct type token",
+ "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT",
"type": "passive",
"sessions": [
- "s1"
+ "s_CIE_introsp"
],
"operations": [
{
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
{
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
}
]
}
@@ -14766,34 +15935,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
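Review bot: The regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens with an unescaped `[`, so the leading bracket starts a character class (closed by the `]` after `[^\"`) instead of matching a literal `[`; the pattern no longer describes a JSON array of strings and is unlikely to match what it was written for. If an array of strings is intended, escape and anchor it: `"check regex": "^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description, however, says the response carries the resolved metadata for the entity named in `sub`, which the federation resolve endpoint delivers as a signed JWT rather than a JSON array, so either the description or the check should be brought in line with the other; a presence check on the `sub`, `anchor` and `type` request parameters would also cover the first half of the description, which the hunk does not test.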
@@ -14803,34 +15958,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does the Revocation Request contain correct type of client assertion",
+ "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
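Review bot: The header and payload classes in `client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)` omit `-`, so a client_assertion whose header or payload happens to contain that base64url character fails the check although it is a well-formed JWT; the parallel token-request check at `@@ -14877` is at least not narrower than `[\w=]`. Since the body is form-urlencoded, `-` and `_` are the only non-alphanumeric base64url characters that can appear raw, so `"check regex": "client_assertion=([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)(?:&|$)"` is both sufficient and consistent with the other assertion checks in this commit.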
@@ -14840,34 +15981,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the Revocation Request contain correct type of token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -14877,34 +16004,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
+ "name": "Does the client_assertion in the token request contain a JWT",
+ "description": "The client_assertion parameter in the token request sent by the RP must be a JWT",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -14914,34 +16027,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the token request use HTTP POST",
+ "description": "The token request sent by the RP must be sent in HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "POST",
+ "is present": "true"
 }
 ]
 }
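Review bot: `"check regex": "POST"` with `"in": "head"` matches those four letters anywhere in the request head (a path segment or a header value would do), not specifically the request method. Anchoring it to the request line, `"check regex": "^POST\\s"`, pins the method. The introspection variant at `@@ -15321` has the same aim but looks in `"in": "url"` with `"check": "POST"`, where the method never appears, and would need the same head-anchored check to be able to pass for the right reason.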
@@ -14951,34 +16050,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does the RP contain a valid Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "UserInfo request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
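Review bot: The name and description promise a "valid Access Token", but the regex only establishes that the Authorization header carries a Bearer value in three-part JWT shape; signature, expiry and audience are not examined. The text should say what is actually checked, e.g. `"description": "The UserInfo request from the RP is taken and analyzed. The Authorization header must carry a Bearer token in JWT compact form"`. The test added at `@@ -15728` ("Does the RP contain the Access Token in the UserInfo request", `"check param": "Authorization"`) is a strictly weaker version of this one and could be folded into it.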
@@ -14988,34 +16073,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
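Review bot: `"check": "code_challenge"` is a substring of `code_challenge_method`, so if `check` is a plain substring match (as `check regex` evidently is elsewhere in this commit) this test passes on an authentication request that carries only `code_challenge_method` and no challenge at all, which is exactly the non-PKCE case the description wants to reject. A parameter-delimited regex avoids the overlap: `"check regex": "[?&]code_challenge="`. If `check` is instead a parameter-name lookup in the runner, this does not apply, but the test file does not say which it is.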
@@ -15025,34 +16096,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
@@ -15062,34 +16119,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the RP insert the client ID in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
- }
- ]
+ "message type": "Authentication request",
+ "checks": [
+ {
+ "in": "url",
+ "is present": true,
+ "check": "client_id"
 }
 ]
 }
@@ -15099,34 +16142,20 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the RP insert the response type in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "response_type"
 }
 ]
 }
@@ -15136,34 +16165,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the Introspection Request contain the client_assertion",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
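Review bot: `"check regex": "client_assertion"` is also found inside `client_assertion_type`, so this presence check passes on a request that carries only the assertion type and no assertion at all. The same overlap affects the client_assertion checks at `@@ -15358` and `@@ -15506`, the `token` checks (matched by `token_type_hint`) at `@@ -15284`, `@@ -15469` and the first test added at `@@ -15728`, and the `code` check (matched by `code_verifier`) at `@@ -15617`. Delimiting the parameter name fixes all of them in one stroke, e.g. `"check regex": "(?:^|&)client_assertion="`.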
@@ -15173,34 +16188,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the Introspection Request contain the client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -15210,34 +16211,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
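Review bot: The name says the client_assertion must be "a valid JWT", but the check is the bare presence regex `client_assertion`, byte-for-byte the same as the presence test at `@@ -15136` two hunks earlier; nothing here verifies the JWT shape, so the two tests cannot disagree. Reusing the form of the revocation check at `@@ -14803`, `"check regex": "client_assertion=([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)(?:&|$)"`, would make this test do what its name says.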
@@ -15247,34 +16234,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the Introspection Request contain the client id of the RP making the request",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -15284,34 +16257,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the Introspection Request contain the token",
+ "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -15321,34 +16280,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the Introspection Request use HTTP POST",
+ "description": "The Introspection request made by the RP use HTTP POST",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
@@ -15358,34 +16303,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the Revocation Request contain the client assertion",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
@@ -15395,34 +16326,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does the Revocation Request contain the client_assertion_type",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -15432,34 +16349,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does the Revocation Request contain the client_id of the RP making the request",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -15469,34 +16372,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the Revocation Request contain the token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -15506,34 +16395,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
+ "name": "Does the token request contain the client_assertion",
+ "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
@@ -15543,34 +16418,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the token request contain the client_assertion_type",
+ "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -15580,34 +16441,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does the token request contain the client_id",
+ "description": "The token request sent by the RP must contain client_id parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -15617,34 +16464,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does the token request contain the code parameter",
+ "description": "The token request sent by the RP must contain code parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code"
 }
 ]
 }
@@ -15654,34 +16487,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the token request contain the code_verifier parameter",
+ "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code_verifier"
 }
 ]
 }
@@ -15691,34 +16510,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the token request contain the grant_type parameter",
+ "description": "The token request sent by the RP must contain grant_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "grant_type"
 }
 ]
 }
@@ -15728,8 +16533,54 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "name": "Does the RP revoke the Token when the User logs out",
+ "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Revocation request",
+ "checks": [
+ {
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the RP contain the Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "UserInfo request",
+ "checks": [
+ {
+ "in": "head",
+ "is present": true,
+ "check param": "Authorization"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP",
+ "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP",
 "type": "active",
 "sessions": [
 "s1"
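Review bot: The first added test's description claims a revocation request "for only the access token", but its check only requires the substring `token` somewhere in the body of a Revocation request, which any revocation (one for a refresh token, or a body carrying only `token_type_hint`) satisfies. At minimum the parameter should be delimited, `"check regex": "(?:^|&)token="`; showing that the revoked value is the access token would need the token captured from the token response and compared here, which this passive form does not express, so the description should be narrowed to what is checked. In the third test, "the payload decrypted" should read "the payload base64url decoded", as in the descriptions this hunk replaces: a JWS payload is encoded, not encrypted, and the test does no decryption.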
@@ -15743,17 +16594,17 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { "from": "url", - "decode param": "client_assertion", + "decode param": "request", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "jwt save": "$.client_id", + "as": "client_id" } ] } @@ -15763,7 +16614,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -15773,8 +16624,8 @@ { "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "check": "$.metadata.openid_relying_party.client_id", + "contains": "client_id" } ] } @@ -15786,8 +16637,8 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", "type": "active", "sessions": [ "s1" @@ -15801,17 +16652,17 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { "from": "url", - "decode param": "client_assertion", + "decode param": "request", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "jwt save": "$.redirect_uri", + "as": "redirect_uris" } ] } 
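Review bot: The `contains` check against `$.metadata.openid_relying_party.client_id` (hunk `@@ -15773`) is a substring test, so a request object whose `client_id` is a prefix of the RP's registered identifier, or any shorter string that happens to occur in it, passes, while the test name requires that the two identify the same RP — an exact-string comparison. If the mig-t DSL has an equality operator it should be used here; otherwise the note should say that only containment is verified, and the same limitation applies to every `use variable`/`contains` pair introduced by this patch. The `redirect_uri` test in the following hunk reuses the pattern and additionally stores a single `$.redirect_uri` under the plural name `redirect_uris`, which reads as if the array were being saved; `"as": "request_redirect_uri"` would make the later comparison self-explanatory.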
@@ -15821,7 +16672,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -15831,8 +16682,8 @@ { "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "check": "$.metadata.openid_relying_party.redirect_uris", + "contains": "redirect_uris" } ] } 
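Review bot: Checking that the serialized `redirect_uris` array `contains` the request's `redirect_uri` is a substring match over the whole JSON array, so a request `redirect_uri` of `https://rp.example/` passes against a registered `https://rp.example/callback` and an attacker-controlled open-redirect prefix would not be caught, while OIDC Core §3.1.2.1 (and the SPID/CIE profile) require the value to exactly equal one registered URI. The check should compare against the individual array elements with an exact match; if mig-t only offers `contains`, the saved value should at least be wrapped in its JSON delimiters (`"\"" + value + "\""`) so it can only match a complete element. The beginning of this test, including where the variable is saved, is in the previous hunk.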
@@ -15844,153 +16695,113 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] + "jwt from": "payload", + "jwt save": "$.response_type", + "as": "response_types_supported" } ] } ] - } - ], - "result": [ - "s1" - ] - } - }, - { - "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response SA RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode 
operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "contains": "response_types_supported" } ] } ] } ], - "result": [ - "s1" - ] - } - }, - { - "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response SA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_SA" - } - ] - } - ], "result": "correct flow s1" } }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_SA" + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "iss" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response SA RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "contains": "iss" + } + ] } ] } 
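Review bot: The `response_type` test's description says the value must match `response_types_supported` in the OP metadata, but the check (this hunk spans several lines of the diff) reads `$.metadata.openid_relying_party.response_types[0]` from the RP's Entity Configuration and stores the request value under the misleading name `response_types_supported`; either the description or the check is wrong, and `[0]` ignores any further registered response types. If the RP-side comparison is intended, compare against the whole `response_types` array and rename the variable (`"as": "request_response_type"`); if the OP-side check is intended, intercept `Entity Configuration response OP` and read `$.metadata.openid_provider.response_types_supported`. In both this test and the following `iss` = `client_id` test, `contains` is a substring match, so `code` also matches `code id_token` and a truncated `iss` still passes; an exact comparison is needed to call either non-compliant.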
@@ -16000,8 +16811,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", + "name": "Does the JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", "type": "active", "sessions": [ "s1" @@ -16015,17 +16826,17 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "edits": [ { - "jwt from": "header", - "jwt edit": "alg", - "value": "none" + "jwt from": "payload", + "jwt save": "$.metadata.openid_relying_party.client_id", + "as": "client_id" } ] } 
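Review bot: The test name "Does the JWT payload contain a correct 'iss' claim" no longer says which JWT is meant, while every other test in this file names its subject; since the check decodes the `client_assertion` of the token request, rename it to "Does the client_assertion JWT contain an 'iss' claim equal to the RP's client_id" and keep the description aligned. The comparison performed in the next hunk is a `contains` substring test, so it should be an exact match, and the private_key_jwt profile used here requires `sub` to equal the client_id as well, so a second check `{"use variable": "true", "in": "payload", "check": "$.sub", "contains": "client_id"}` on the same decoded assertion would close that gap. The test body continues in the following hunk.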
@@ -16035,43 +16846,76 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token request", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "client_id" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.exp", - "is present": 
"true" + "check": "$.aud[0]", + "contains": "saved_iss" } ] } @@ -16083,24 +16927,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.acr_values", "is present": "true" } ] 
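Review bot: The ID Token `aud` test saves the RP Entity Configuration's top-level `$.iss` as `saved_iss` and compares it with `$.aud[0]`, but its name promises a comparison with the RP's `client_id`, which the `client_assertion` test in this same patch reads from `$.metadata.openid_relying_party.client_id`; in OIDC Federation the two usually coincide, but both tests should read the same field so they cannot disagree, and the variable should be named for what it holds. `$.aud[0]` also assumes `aud` is an array, whereas OIDC Core allows a plain string and the check would then evaluate against nothing. Separately, the decode regex `(?<=\"id_token\": \")[^\"]+` only matches a pretty-printed body with a space after the colon, so a compact `"id_token":"..."` token response is never decoded and the test silently does not run; a bounded-whitespace lookbehind such as `(?<=\"id_token\":\\s?\")[^\"]+` (engine permitting) would be robust, and the same applies to the `access_token` regexes elsewhere in this file. Finally `contains` is a substring test, so an `aud` that merely starts with the RP's identifier passes.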
@@ -16113,24 +16957,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.aud", "is present": "true" } ] 
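Review bot: The new `aud` test only asserts the claim is present in the request object, but the security property is that `aud` names the OP the request is addressed to (the SPID/CIE profile fixes it to the OP's identifier); a request object with an arbitrary `aud` still passes here. A companion active test in the same shape as the `client_id` one — intercept `Entity Configuration response OP`, `"jwt save": "$.iss"`, then check the request object's `$.aud` against it — would turn this into a meaningful compliance check. The description's "If it missing" should read "If it is missing".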
@@ -16143,24 +16987,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.exp", "is present": "true" } ] @@ -16173,24 +17017,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.client_id", "is present": "true" } ] 
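Review bot: Both presence checks accept any value type, so an `exp` written as a string or a `client_id` that is an empty string passes; the DSL's `json schema compliant` operator (used by the Trust Mark test this patch removes) can pin the type in the same check, e.g. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\"}}, \"required\": [\"exp\"]}"`. In the `client_id` test the description says the payload is "decrypted"; the request object is a JWS, so "base64url-decoded" is accurate, matching the wording of the surrounding tests.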
@@ -16203,24 +17047,24 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.sub", + "in": "header", + "check": "$.kid", "is present": "true" } ] @@ -16233,24 +17077,24 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.authority_hints", + "check": "$.iat", "is present": "true" } ] 
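Review bot: The `kid` test only checks that the request object's header carries a `kid`, but a `kid` that does not correspond to any key in the RP's published `jwks` is exactly the case an OP must reject, and it would pass here. Making this an active test that saves `$.kid` from the header (`"jwt from": "header", "jwt save": "$.kid", "as": "request_kid"`) and then checks `$.metadata.openid_relying_party.jwks.keys[*].kid` of the `Entity Configuration response RP` against it would verify the key reference is resolvable. The `iat` test in the second hunk is fine as a presence check but, like `exp`, says nothing about the value being numeric.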
@@ -16263,24 +17107,24 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.nonce", "is present": "true" } ] 
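Review bot: Presence of `nonce` is the weakest useful check: the replay protection it provides depends on the value being unguessable, and the SPID/CIE profile (if that is the target, as the other tests suggest) requires a random string of at least 32 alphanumeric characters. The same `json schema compliant` operator used elsewhere in this file can enforce that in place, e.g. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"minLength\": 32}}, \"required\": [\"nonce\"]}"`; the `state` presence test later in this patch deserves the same treatment.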
@@ -16293,24 +17137,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.prompt", "is present": "true" } ] 
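Review bot: The `redirect_uri` presence test accepts any scheme, so a `http://` or custom-scheme redirect target passes even though a browser-based RP must use HTTPS; the removed Trust Mark test showed the DSL can enforce this with a schema pattern, e.g. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"redirect_uri\": {\"type\": \"string\", \"pattern\": \"^https://\"}}, \"required\": [\"redirect_uri\"]}"`. The `redirect_uri` description is also a fragment ("and the presence of the 'redirect_uri' parameter") and should end with "is checked." The `prompt` test could likewise use `is in` with the values the profile allows instead of presence only.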
@@ -16323,24 +17167,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.redirect_uri", "is present": "true" } ] @@ -16353,24 +17197,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.typ", + "in": "payload", + "check": "$.response_type", "is present": "true" } ] 
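Review bot: The `scope` check only tests presence, but an OpenID Connect authentication request is only valid when `scope` includes `openid`, so a request with `scope: "profile"` passes here; the file already uses `contains` for value checks, so `"check": "$.scope", "contains": "openid"` (in addition to the presence check) would pin the requirement. The test name "Does the RP Authentication Request contain the 'scope' parameter" drops the "JWT" qualifier its siblings use although the check decodes the request object, so it should be renamed for consistency.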
@@ -16383,24 +17227,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.scope", "is present": "true" } ] @@ -16413,24 +17257,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.state", "is present": "true" } ] 
@@ -16443,24 +17287,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.ui_locales", "is present": "true" } ] @@ -16473,24 +17317,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.iss", "is present": "true" } ] 
@@ -16503,24 +17347,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.exp", "is present": "true" } ] @@ -16533,24 +17377,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.iat", "is present": "true" } ] 
@@ -16563,24 +17407,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.iss", "is present": "true" } ] @@ -16593,24 +17437,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.jwks", "is present": "true" } ] 
@@ -16623,24 +17467,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata", "is present": "true" } ] @@ -16653,24 +17497,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.sub", "is present": "true" } ] 
@@ -16683,24 +17527,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
+ "name": "Does the RP's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -16713,24 +17557,24 @@
 },
 {
 "test": {
- "name": "Does ID token payload contain the 'at_hash' parameter",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
+ "name": "Does the signed JWT assertion contain the aud claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.at_hash",
+ "check": "$.aud",
 "is present": "true"
 }
 ]
@@ -16743,24 +17587,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the signed JWT assertion contain the exp claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -16773,24 +17617,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the signed JWT assertion contain the iat claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -16803,24 +17647,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does the signed JWT assertion contain the jti claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.jti",
 "is present": "true"
 }
 ]
@@ -16833,24 +17677,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
+ "name": "Does the signed JWT assertion contain the sub claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -16863,24 +17707,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the JWT payload contain 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
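Review bot: The added test name `"Does the JWT payload contain 'iss' claim"` breaks the naming pattern of its sibling client_assertion tests, which all read "Does the signed JWT assertion contain the X claim" (aud, exp, iat, jti, sub in the preceding hunks). Since these names are what a tester sees in reports, the odd one out reads as if it targeted a different JWT; `"name": "Does the signed JWT assertion contain the iss claim",` would keep the series uniform. The test body itself matches its siblings exactly.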
@@ -16893,26 +17737,22 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
+ "name": "Does the token request contain a correct grant_type parameter",
+ "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.nonce",
- "is present": "true"
- }
+ "in": "body",
+ "check regex": "(?<=grant_type=)([^&]+)",
+ "is in": [
+ "authorization_code",
+ "refresh_token"
 ]
 }
 ]
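Review bot: The description says the grant_type parameter is read "in the URL of the token request", but the check that follows is `"in": "body"` with `"check regex": "(?<=grant_type=)([^&]+)"`, i.e. it inspects the form-encoded POST body, which is where a token request carries grant_type. The text should follow the check: `"description": "The grant_type parameter in the body of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked"`. A reader comparing description and check would otherwise suspect the test looks at the wrong message part.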
@@ -16923,25 +17763,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
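Review bot: This hunk introduces `"decode regex": "[^\\r\\n]*"` for the Entity Configuration body, while the hunks just above it (the iss/jwks/metadata/sub/trust_marks tests) and the line this one replaces use `"decode param"` for the very same expression; the later RP-metadata tests in this patch (the userinfo_encrypted_response_alg, userinfo_signed_response_alg, client_registration_types, grant_types, id_token_encrypted_response_*, id_token_signed_response_alg, token_endpoint_auth_method, userinfo_encrypted_response_*, userinfo_signed_response_alg and response_types hunks) all follow this hunk's spelling. I cannot see the runner, so if it accepts both keys this is only a consistency issue; if it accepts only one, every test using the other spelling decodes nothing and its "is in"/"is not in" check never runs against real data. Either way the whole file should settle on one key, and `"decode param": "[^\\r\\n]*",` is the form the rest of the file already uses.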
@@ -16953,46 +17798,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request",
- "type": "active",
+ "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
- "message operations": [
- {
- "from": "url",
- "save": "client_id",
- "as": "auth_client_id"
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "client_id",
- "is": "auth_client_id",
- "use variable": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is not in": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
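Review bot: The deny-list value `"RSA_1_5"` in the new "is not in" check does not match the JWA identifier for RSAES-PKCS1-v1_5, which RFC 7518 registers as `RSA1_5` (no underscore between RSA and 1). As written the test can never flag an RP that actually advertises the deprecated algorithm, so it passes on exactly the configuration it is meant to reject. The fix is the single value `"RSA1_5"` in the "is not in" list, and the same spelling in the description text.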
@@ -17004,46 +17830,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.",
- "type": "active",
+ "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
- "message operations": [
- {
- "from": "url",
- "save": "scope",
- "as": "auth_scope"
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "scope",
- "is": "auth_scope",
- "use variable": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -17055,21 +17865,21 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "jwt check sig": "X_key_RP"
 }
 ]
 }
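Review bot: The signature check `"jwt check sig": "X_key_RP"` verifies against a pre-configured key variable, whereas the description promises the public key "must be taken from the Entity Statement of a superior"; as configured, the test proves only that the Entity Configuration was signed with whatever key the tester placed in X_key_RP, not that the key is the one the superior vouches for. The next hunk (the client_assertion signature test) uses a different variable, `X_key_core_RP`, for the same RP, and nothing on the page says whether the two keys are meant to differ or whether one name is a typo. Either the description should state that a pinned key is used, or the two variable names should be reconciled and documented next to the tests; a one-line comment is not possible in strict JSON, so the "description" string is the place for it.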
@@ -17079,44 +17889,21 @@
 },
 {
 "test": {
- "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
- "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
+ "name": "Does the client_assertion in the token request have a correct signature",
+ "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
- {
- "in": "head",
- "url decode": false,
- "is": "application/jwt",
- "check param": "Content-Type"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the Introspection Endpoint Response have the active parameter",
- "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter",
- "type": "passive",
- "sessions": [
- "s_CIE_introsp"
- ],
- "operations": [
- {
- "message type": "Introspection response",
- "checks": [
+ "message type": "Token request",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "active"
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "jwt check sig": "X_key_core_RP"
 }
 ]
 }
@@ -17126,20 +17913,29 @@
 },
 {
 "test": {
- "name": "Does the Introspection Endpoint returns true on active tokens",
- "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed",
+ "name": "Does the RP metadata contain correct 'client_registration_types' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "\"active\": true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.client_registration_types[0]",
+ "is in": [
+ "automatic"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17149,20 +17945,30 @@
 },
 {
 "test": {
- "name": "Does the OP verify the HTTP method of the Revocation request",
- "description": "The revocation request must be sent via HTTP POST",
+ "name": "Does the RP metadata contain correct grant_types claim",
+ "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.grant_types[0]",
+ "is in": [
+ "authorization_code",
+ "refresh_token"
+ ]
+ }
+ ]
 }
 ]
 }
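Review bot: Both checks in this line inspect only the first array element — `$.metadata.openid_relying_party.client_registration_types[0]` and `$.metadata.openid_relying_party.grant_types[0]` — so they do not establish what their descriptions claim. For grant_types, "contains 'authorization_code' and 'refresh_token'" is satisfied by a list holding just one of them, and a list whose first entry is one of the two passes regardless of any further values; for client_registration_types, a second entry other than "automatic" is never examined. The same `[0]` pattern reappears in the response_types hunk later in this patch (`response_types[0]` against `["code"]`). If the runner's "is subset of" operator (used in the metadata_policy hunks) compares a whole array, the check should target the array without the index, `"check": "$.metadata.openid_relying_party.grant_types",`, and the description should say which property is asserted (every entry allowed vs. both entries required); I cannot confirm the operator's exact semantics from this page.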
@@ -17172,20 +17978,30 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain access token",
- "description": "The Token response is analyzed and the presence of the access token is checked",
+ "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17195,20 +18011,30 @@
 },
 {
 "test": {
- "name": "Does the OP issue the access tokens when requested",
- "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
+ "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17218,20 +18044,30 @@
 },
 {
 "test": {
- "name": "Does the OP issue the expires_in in a token response",
- "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
+ "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "expires_in"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17241,20 +18077,29 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
+ "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "id_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
+ "is in": [
+ "private_key_jwt"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17264,20 +18109,30 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the token type",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
+ "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17287,20 +18142,30 @@
 },
 {
 "test": {
- "name": "Does the HTTP status code of the UserInfo response is 200",
- "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
+ "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "head",
- "is present": true,
- "check param": "HTTP/?\\d?\\.?\\d?\\s200"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
+ }
+ ]
 }
 ]
 }
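Review bot: The new description reads "the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512']", but the check is an "is in" comparison of the value, not a presence test, and the sibling descriptions in this patch say "the value of". `"description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512']."` would match what the check does.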
@@ -17310,25 +18175,28 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -17340,25 +18208,27 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the RP metadata contain in the 'response_types' the value 'code'",
+ "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.openid_relying_party.response_types[0]",
+ "is in": [
+ "code"
+ ]
 }
 ]
 }
@@ -17370,27 +18240,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
- "is": "true"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
@@ -17400,25 +18264,40 @@
 },
 {
 "test": {
- "name": "Does entity configuration OP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
- "type": "passive",
+ "name": "Does the JWT payload contain a correct sub claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "saved_iss"
+ }
+ ],
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
 "check": "$.sub",
- "is": "X_url_OP"
+ "contains": "saved_iss"
 }
 ]
 }
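Review bot: The new sub/iss comparison uses `"contains": "saved_iss"`, which is weaker than the equality the description states ("Its value must be the same of the iss value"); any sub that merely embeds the iss string, for example a longer identifier with the iss as a prefix, passes. The removed active tests in this patch compared a saved variable with `"is"` plus `"use variable": "true"`, so the equality operator is already part of the runner's vocabulary and `"is": "saved_iss"` would pin the intended property. Note also that the OP Entity Configuration sub-equals-iss check this hunk replaces (`"is": "X_url_OP"`) has no RP-side equivalent in this hunk; the preceding hunks only assert that the RP's EC has a sub, so if that property is not covered elsewhere in the patch it has been dropped.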
@@ -17430,20 +18309,32 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request",
+ "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
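Review bot: The header check is a deny-list only (`"is not in": ["none", "HS256", "HS384", "HS512"]`), so a request object whose header carries no alg at all, or an alg outside both the denied and the expected sets, is accepted as compliant; how the runner evaluates "is not in" against a missing value is not visible on this page, but in either reading the test does not establish that an asymmetric algorithm was used. Pairing it with a presence assertion in the same checks array, `{ "in": "header", "check": "$.alg", "is present": "true" }`, or replacing the deny-list with an "is in" allow-list of the algorithms the profile permits (the RP metadata hunks in this patch use `["RS256", "RS512"]`), would make the test assert the property its name states. Also "than the RP is not compliant" in the description should read "then".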
@@ -17453,20 +18344,31 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of",
+ "is subset of": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
+ }
+ ]
 }
 ]
 }
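Review bot: The JSONPath `$.metadata_policy.intermediary.acr_values_supported.subset_of` reads the policy under an `intermediary` entity-type key, while the description says the parameter is checked "inside the openid_provider type"; the same mismatch is in the next three hunks (code_challenge_methods_supported, grant_types_supported, id_token_encryption_enc_values_supported). If the TA fixture used for these tests really publishes its OP policy under `intermediary` this is deliberate and the descriptions should say so, otherwise the path should be `$.metadata_policy.openid_provider.acr_values_supported.subset_of` and the tests currently pass or fail on a key that has nothing to do with the OP policy; I cannot tell which from this page. Separately, the description demands that subset_of equal the three SPID levels, whereas "is subset of" (if it means what its name suggests) also accepts a policy listing only one of them; if equality is the requirement, the description or the operator should be adjusted.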
@@ -17476,20 +18378,29 @@
 },
 {
 "test": {
- "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request",
- "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
+ "is subset of": [
+ "S256"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17499,20 +18410,30 @@
 },
 {
 "test": {
- "name": "Does the OP handle a correct token request",
- "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of",
+ "is subset of": [
+ "refresh_token",
+ "authorization_code"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17522,20 +18443,30 @@
},
{
"test": {
- "name": "Does the HTTP status of a token response correct?",
- "description": "This test verifies whether the HTTP status of a token response is 200.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
{
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
+ }
+ ]
}
]
}
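Review bot: The check path ends in `.one_of` while the description of this very test says the policy must use the key `subset_of`; `id_token_encryption_enc_values_supported` is an array-valued OP metadata parameter, and in OpenID Federation the operator that constrains an array-valued parameter is `subset_of` (`one_of` is meant for single-valued parameters), so a TA that publishes the expected `subset_of` policy would not match this path at all. Combined with the `intermediary` segment, which should read `openid_provider` as in the description, the line should become `"check": "$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported.subset_of",` unless the tool intentionally models these policies under `one_of`. Note also that the same enc allow-list appears later in this patch for the RP `id_token_encrypted_response_enc` test spelled as a single element `"A128CBC-HS256\" , \"A256CBC-HS512"`, which would never equal either algorithm name; that is outside this hunk but worth fixing in the same pass.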
@@ -17545,3344 +18476,1940 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": 
"HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the client_id parameter", - "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", - "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the nonce parameter", - "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter", - "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the state parameter", - "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['pairwise']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", - "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['private_key_jwt']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", - "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", - "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", - "description": "The 'code_challenge' parameter in an 
authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", - 
"description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", - "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", - 
"type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter 
value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", - "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must 
be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", - "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "unsupported_response_type" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", - "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. 
So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_scope" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric 
characters is sent and the response analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256\" , \"RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the acr_values parameter", - "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter 
value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the aud parameter", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. 
In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the claims parameter", - "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", - 
"type": "active", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the exp parameter", - "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", + "description": "In order 
to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iat parameter", - "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iss parameter", - "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. 
It must contain the key 'value' with value 'code'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the prompt parameter", - "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_toke" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", - "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the response_type parameter", - "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse an RP without trusted Trust Marks", - "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.trust_marks", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", - "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly validate the trust chain of an RP authentication request", - "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. 
If the OP validates the request anyway, it is not compliant with the specification", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.authority_hints", - "value": "https://www.wrongsite.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_client" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", - "description": "This test aims to check if the OP checks the correctness of the client_id parameter. 
The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": 
"assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Request with a wrong redirect URI", - "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA SA", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": 
"assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } 
}, { "test": { - "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud[0]", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct 
flow s1" } }, { "test": { - "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - 
] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + 
"result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": 
"assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", - "type": "active", - "sessions": [ - "s_CIE_introsp" + "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": 
"head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": 
"invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - 
"in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", 
- "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": 
"correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", - 
"description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong 
exp parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.organization_type", + "is in": [ + "public", + "private" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. 
This must be a JSON object.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is missing", - "type": "active", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - 
"check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the aud claim does not contain the OP's Token endpoint", - "type": "active", + "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow 
s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the exp claim is wrong", - "type": "active", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' 
field is set to a wrong JWT. In particular, the iat claim is wrong", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", - "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", - "type": "active", + "name": "Does the TA's metadata policy 
for an OP contain a correct id_token_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "message operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "edit": "(?<=token=)([^&]+)", - "in": "123.123.123" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
@@ -20892,50 +20419,29 @@ }, { "test": { - "name": "Does the OP refuse wrongly signed Authentication Requests", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "unauthorized_client" - } - ] } ], "result": "correct flow s1" 
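Review bot: The new check's JSONPath `$.metadata_policy.intermediary.id_token_encryption_enc_values_supported` contradicts the test description, which says the claim is checked inside the `openid_provider` entity type; the sibling tests in this diff use `$.metadata_policy.openid_provider.…`, and the list of allowed metadata types enumerated earlier in this file does not contain an `intermediary` type. Depending on how mig-t treats a JSONPath that resolves to nothing, the schema check may pass vacuously or fail for the wrong reason, so the path should read `"check": "$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported"`. The description also states that only `subset_of` is required while the schema's `required` lists both `subset_of` and `superset_of`; one of the two should be corrected so the test documents what it enforces. Separately, the hunk deletes the active test that re-signed the Authentication request with `X_wrong_key` and expected `unauthorized_client`; unless that test is relocated elsewhere in this commit, negative coverage of request-object signature verification at the OP is lost.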
@@ -20943,50 +20449,29 @@ }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": 
"body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
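Review bot: The check path `$.metadata_policy.intermediary.id_token_signing_alg_values_supported` does not match the description, which says the `openid_provider` type is inspected, and differs from the `$.metadata_policy.openid_provider.…` paths used by the neighbouring tests in this diff; it should be `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported"`. The description also promises only a `subset_of` key while the schema requires both `subset_of` and `superset_of`, so either the schema or the wording needs to change. This hunk also removes the active test that tampered with the `client_assertion` signature of the Introspection request; if it is not re-added in another test file, the OP's assertion-signature verification at the introspection endpoint is no longer exercised.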
@@ -20994,50 +20479,29 @@ }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - 
"check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
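Review bot: The description says `request_authentication_methods_supported` must contain a `one_of` key valued `['request_object']`, but the schema requires a `value` key whose `const` is the bare string `"request_object"`; the two encode different policy operators and different value types, so the test does not check what its description claims. Either change the description to match the schema, or change the schema to `{"type": "object", "properties": {"one_of": {"const": ["request_object"]}}, "required": ["one_of"]}`, whichever the federation profile actually mandates. The hunk also drops the active test that corrupted the `client_assertion` signature on the Revocation request and expected HTTP 400 `invalid_request`; unless moved elsewhere in this commit, that verification path is no longer covered.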
@@ -21045,50 +20509,29 @@ }, { "test": { - "name": "Does the token response to a token request made with a wrong signature return a Token Error response", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
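Review bot: The JSONPath `$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported` again targets an `intermediary` key that the description does not mention (it speaks of the `openid_provider` type) and that the other policy tests in this diff do not use; it should be `"check": "$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported"`. The schema's `required` lists both `subset_of` and `superset_of`, while the description says only `subset_of` is expected; please align them. The active test deleted here (token request with a wrong `client_assertion` signature, expecting 400 `invalid_request`) is one of the few checks that the OP actually verifies signatures; if it is not relocated, a comment in the commit message noting where it went would help reviewers.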
@@ -21096,50 +20539,29 @@ }, { "test": { - "name": "Does the OP's token endpoint refuse assertions signed with a wrong key", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
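Review bot: The test is named and described as checking `request_object_signing_alg_values_supported`, but the check path is `$.metadata_policy.openid_provider.request_parameter_supported`, so it validates a different claim than the one it reports on. The path should be `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`. Note also that the deleted active test (`X_wrong_key` on the Token request) covered rejection of assertions signed with the wrong key; please confirm that coverage survives elsewhere in this commit.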
@@ -21147,40 +20569,45 @@ }, { "test": { - "name": "Does the OP issue refresh tokens even when it is not supposed to", - "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "refresh_token", - "is present": false + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" + } + ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter 
value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -21189,8 +20616,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
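Review bot: The `json schema compliant` string `{…\"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]` has a second JSON value appended after the closing brace, so it is not a single JSON document and will either fail to parse as a schema or be silently truncated by a lenient parser, in which case the `['RS256', 'RS512']` constraint promised by the description is never enforced. If the intent is to bound the allowed algorithms, fold it into the schema, e.g. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}}, \"required\": [\"subset_of\"]}"`. This test also reuses the exact name of the preceding test and again checks `$.metadata_policy.openid_provider.request_parameter_supported` instead of `request_object_signing_alg_values_supported`, so two tests with one name both inspect the wrong claim. The hunk additionally removes the passive check that `refresh_token` is absent from the Token response when `offline_access` was not requested; unless moved, that token-leakage check is lost.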
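Review bot: The description of the `request_parameter_supported` policy test says the claim must contain a `one_of` key valued `['true']`, but the schema requires a `value` key with `const` `true`; these are different policy operators and a maintainer reading the description will expect a different failure condition than the one implemented. Pick one and make the other match, e.g. change the description to "It must contain the key 'value' set to true", or change the schema to `{"type": "object", "properties": {"one_of": {"const": [true]}}, "required": ["one_of"]}`. The same description/schema divergence appears in the neighbouring `claims_parameter_supported` and `request_authentication_methods_supported` tests, so a single pass over all `value`/`one_of` tests would be worthwhile.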
@@ -21202,15 +20629,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -21219,8 +20646,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
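Review bot: The check path `$.metadata_policy.intermediary.response_modes_supported` does not agree with the description, which says the `openid_provider` type is inspected, and `intermediary` is neither among the metadata types this file enumerates as allowed nor used by the other `openid_provider` policy checks in this diff; it should be `"check": "$.metadata_policy.openid_provider.response_modes_supported"`. If mig-t treats a non-resolving JSONPath as a failure this test will always fail, and if it treats it as vacuously compliant it will never fail, so the path matters for the verdict. The description also says only `subset_of` is required while the schema lists both `subset_of` and `superset_of` under `required`.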
@@ -21232,15 +20659,15 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -21249,8 +20676,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
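Review bot: `$.metadata_policy.intermediary.scopes_supported` points at the `intermediary` metadata type, while this test's name, description and message type (`Entity Statement response TA OP`) all refer to the OP's `openid_provider` policy; against an OP statement the path will not resolve and the check cannot pass. Change it to `"check": "$.metadata_policy.openid_provider.scopes_supported"`. As with the neighbouring tests, the description says only `subset_of` is expected but the schema requires `superset_of` too; pick one and make the text and the schema agree.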
@@ -21262,25 +20689,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
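Review bot: The check path `$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported` contradicts the description above it, which says the parameter is checked inside the `openid_provider` type of an OP entity statement; it should be `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported"`. The schema also requires `superset_of` although the description only asks for `subset_of`; if the profile really mandates both operators here the description should say so, otherwise drop `superset_of` from `required`. Note that the new JSON is correctly formed, so this failure would surface only as a policy-compliance failure attributed to the TA, which is misleading for whoever reads the report.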
@@ -21292,15 +20719,15 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -21309,8 +20736,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
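Review bot: `$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported` targets the `intermediary` type, but the test (name, description, `Entity Statement response TA OP`) is about the OP's `openid_provider` policy, so the path should be `"check": "$.metadata_policy.openid_provider.userinfo_encryption_alg_values_supported"`. The description mentions only `subset_of` while the schema requires both `subset_of` and `superset_of`; align the two so the test documents what it actually enforces.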
@@ -21322,25 +20749,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
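Review bot: Same mismatch as the preceding OP policy tests: the check path uses `intermediary` (`$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported`) while the test is described and routed as an `openid_provider` check on `Entity Statement response TA OP`; it should be `"check": "$.metadata_policy.openid_provider.userinfo_encryption_enc_values_supported"`. The `required` list (`subset_of` and `superset_of`) is also stricter than the description, which promises only `subset_of`.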
@@ -21352,25 +20779,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
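Review bot: The path `$.metadata_policy.intermediary.userinfo_signing_alg_values_supported` again inspects the `intermediary` type although this test is about the OP's `openid_provider` policy (see its name, description and `Entity Statement response TA OP` message type); use `"check": "$.metadata_policy.openid_provider.userinfo_signing_alg_values_supported"`. The description says the entry must contain `subset_of`, yet the schema also requires `superset_of`; make the description and the `required` list consistent.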
@@ -21382,15 +20809,15 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -21399,8 +20826,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
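Review bot: The description for `authorization_response_iss_parameter_supported` says the policy entry must contain `one_of` valued `['true']`, but the schema in the second hunk checks `{\"value\": {\"const\": true}}` and requires `value`; a TA expressing the policy with `one_of: [true]` would fail a test whose own description says that form is expected. Either change the schema to `{\"type\": \"object\", \"properties\": {\"one_of\": {\"const\": [true]}}, \"required\": [\"one_of\"]}` or reword the description to name the `value` operator; the same inconsistency exists in the request_parameter_supported test earlier in this file. Which operator the profile mandates is not visible here, so confirm against the spec before fixing either side.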
@@ -21412,15 +20839,15 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -21429,8 +20856,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata_policy.openid_relying_party.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -21442,25 +20869,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" } ] } 
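Review bot: The embedded schema for the SA `grant_types` check is not valid JSON: `\"required\": [\"subset_of\"], [\"superset_of\"]` leaves a bare array inside the object with no key. Depending on how the runner handles an unparsable schema the check either throws or is skipped, and in the latter case a TA policy that omits both operators would pass silently. Replace it with `\"required\": [\"subset_of\", \"superset_of\"]` so it matches the sibling RP test above and the description's "must contain the key 'subset_of' and 'superset_of'".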
@@ -21472,25 +20899,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the Entity's metadata contain the contacts parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
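Review bot: This hunk switches the decode operation's key from `"decode param"` to `"decode regex"`, while the SA test immediately above (and the OP policy tests before it) keep `"decode param": "[^\\r\\n]*"`. If the runner recognises only one of the two keys, the JWT decode in the tests that use the other will silently operate on nothing and `$.metadata.federation_entity.contacts` will be reported absent for a reason unrelated to the TA; confirm which key mig-t's decode operation accepts and use it consistently across the file. Also `"is present": "true"` is a string where a boolean seems intended — worth checking the runner does not treat every non-empty string, including `"false"`, as true.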
@@ -21502,25 +20929,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "is present": "true" } ] } 
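Review bot: The new test only checks that `federation_fetch_endpoint` is present; nothing asserts it is a URL, let alone an HTTPS one, so a TA publishing an `http://` fetch endpoint (or a non-URL string) passes. The file already expresses that requirement elsewhere with `\"format\": \"uri-reference\", \"pattern\": \"^https://\"` (visible in the checks this hunk removes), so the same shape can be reused: replace `"is present": "true"` with `"json schema compliant": "{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"}"`. If the profile under test mandates HTTPS for federation endpoints — which the removed checks suggest is the convention here, but confirm — the list, resolve and trust-mark-status endpoint tests that follow should get the same treatment.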
@@ -21532,25 +20959,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.federation_list_endpoint", + "is present": "true" } ] } 
@@ -21562,25 +20989,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -21592,25 +21019,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } 
@@ -21622,25 +21049,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does the Entity's metadata contain the homepage_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -21652,25 +21079,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the Entity's metadata contain the logo_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
@@ -21682,25 +21109,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the Entity's metadata contain the organization_name parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } 
@@ -21712,26 +21139,26 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the Entity's metadata contain the policy_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" + } ] } ] 
@@ -21742,1400 +21169,1459 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the request parameter", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", - "type": "active", + "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "edit operations": [ - { - "from": "url", - "value": "", - "edit": "request" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.constraints.max_path_length", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", - "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", - "type": 
"active", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "edit operations": [ - { - "from": "url", - "value": "", - "edit": "scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "edit operations": [ - { - "from": "url", - "value": "example", - "edit": "request" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", - "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. 
The same parameter in the JWT's payload is left unchanged", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "edit operations": [ - { - "from": "url", - "value": "openid", - "edit": "scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion", - "description": "A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion type", - "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's 
fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when receiving an introspection request without the token", - "description": "An introspection request without a token is sent and the introspection response analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests with a wrong client assertion type", - "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'value'", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client id of the Introspection Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "https://www.example.com/", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the parameters of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.", - "type": "active", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA SA", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA SA", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA SA", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA SA", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when receiving an introspection request with a wrong token", - "description": "An introspection request with a token not valid is sent and the introspection response analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { "from": "body", - "value": "X_not_valid_tkn", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of token in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. 
It must contain the key 'one_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept revocation request without the client assertion", - "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept Revocation Requests without the client assertion type", - "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept Revocation Requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", - "type": "active", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is present": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration TA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check": "invalid_client" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_TA" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client assertion type of the Revocation Request", - "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", - "type": "active", + "name": "Does the entity return a correct HTTP code in the EC 
response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "urn-ietf", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Entity Configuration response TA", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client id of the Revocation Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", - "type": "active", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "https://www.example.com/", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from 
session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Entity Configuration response TA", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Configuration response TA", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, { "in": "body", - "check": "invalid_client" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. 
A response containing a JSON list with the known Entity Identifiers is expected", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Listing response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP require the client_id in the token request", - "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. 
The response is then checked and it must contain the subordinate entity's Entity Statement.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Statement response TA OP", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, { "in": "body", - "check": "invalid_client" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code parameter return a Token Error response", - "description": "This test consists in sending a token request without the code parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. 
The response is then checked and it must contain the subordinate entity's Entity Statement.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Statement response TA RP", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_grant" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { "in": "body", - "check": "invalid_grant" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=grant_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Fetch Entity Statement response TA RP", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "urn-aert", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Public Keys History response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", - "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Resolve Entity Statement response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_grant" + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", - "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", - "type": "active", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { "from": "body", - "value": "example", - "edit regex": "(?<=grant_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "unsupported_grant_type" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP check the client_id in the request", - "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", - "type": "active", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Entity Configuration response TA", + "decode 
operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when the token in the userinfo request is missing", - "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", - "type": "active", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo request", - "edit operations": [ - { - "from": "head", - "value": "", - "edit": "Authorization" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the Content-Type in a token response set correctly?", - 
"description": "This test verifies the head Content-Type set to application/json in the token response.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "head", - "check": "Content-Type", - "is": "application/json" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -23145,20 +22631,27 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check": "token_type", - "is": "Bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
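Review bot: The jwks presence test added in this hunk is duplicated by the hunk at -23237 ("Does the Federation Configuration contain the TA public keys"), which decodes the same "Entity Configuration response TA" message and runs the identical `$.jwks` presence check, so one of the two should be dropped or made stronger. `"is present": "true"` on `$.jwks` also passes for an empty key set; since the trust-mark tests in this commit already use indexed JSONPath (`$.trust_marks[0].trust_mark`), a check on `$.jwks.keys[0]` would assert that the TA actually publishes at least one key. The test's `result` line lies outside this hunk.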
@@ -23168,20 +22661,27 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } 
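Review bot: Presence of `$.metadata` is a weak assertion for a Trust Anchor entity configuration: it passes for `"metadata": {}`, while the fetch, list and resolve tests added elsewhere in this file rely on the TA advertising its federation endpoints. Consider checking `"check": "$.metadata.federation_entity"` instead of, or in addition to, the bare `$.metadata` key, and, if the targeted profile mandates them, the `federation_fetch_endpoint` / `federation_list_endpoint` entries under it. The test's `result` line lies outside this hunk.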
@@ -23191,20 +22691,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
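Review bot: The decode step here uses `"decode param": "[^\\r\\n]*"`, whereas the SA metadata-policy tests earlier in this diff use `"decode regex": "[^\\r\\n]*"` for the same body-extraction step; unless mig-t treats the two keys as aliases, one of the two groups presumably never decodes the JWT and its payload checks are skipped or fail for the wrong reason. Pick the key the tool actually reads and use it in every `decode operations` entry added in this file. The test's `result` line lies outside this hunk.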
@@ -23214,20 +22721,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.constraints", + "is present": "true" + } + ] } ] } 
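Review bot: `$.constraints` with `"is present": "true"` only asserts that the key exists; the value a TA is expected to set there, `max_path_length`, is never inspected, so a TA publishing `"constraints": {}` passes. If the profile under test mandates it, change the check to `"check": "$.constraints.max_path_length"` or add a second check for it next to the existing one. The test's `result` line lies outside this hunk.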
@@ -23237,20 +22751,27 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the Federation Configuration contain the TA public keys", + "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
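Review bot: The check `$.jwks` only establishes that the TA's Entity Configuration carries a `jwks` claim; the `type: jwt` decode step takes no key, so nothing in this operation ties those keys to the signature on the statement, and the "TA public keys" the name refers to are not shown to be the ones that signed it. If the tool can verify a JWS against a key set, a follow-up check that the Entity Configuration validates under its own `jwks` would cover the self-signed-configuration requirement the description alludes to; if it cannot, the description should state the limit, e.g. `"in the returned JWT the claim 'jwks' must be present (the signature is not verified by this test)"`.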
@@ -23260,20 +22781,27 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_mark_issuers", + "is present": "true" + } + ] } ] } 
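Review bot: The name and description ask for the `trust_marks_issuers` parameter while the check is `"check": "$.trust_mark_issuers"`, so the test will report on a different claim than its title announces and one of the two spellings is wrong. Whichever claim name the target federation profile uses should appear in the name, the description and the JSONPath alike; if the name is the intended one, the line becomes `"check": "$.trust_marks_issuers"`, otherwise the name and description need the singular form.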
@@ -23283,20 +22811,27 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.constraints", + "is present": "true" + } + ] } ] } 
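Review bot: The description reads `the presence if the constraints parameter` (for `of`) and calls the result of base64url decoding the `decrypted Payload`; an Entity Statement is a signed JWT, so decoding yields the payload and nothing is decrypted, and `once the decoded payload is obtained, the presence of the constraints parameter is checked` states what the operation actually does. The same two wording defects recur in every `Entity Statement response TA OP` and `TA RP` description from this hunk through `@@ -23764,27 +23291,25 @@`. Separately, this test and its `Entity Statement response TA RP` counterpart in `@@ -23501,29 +23051,25 @@` carry the identical `name`, as do the exp, iat, jwks, metadata_policy, iss, sub and trust_marks pairs in the following hunks; if results are reported by name the two variants cannot be told apart, so adding the subject, e.g. `"name": "Does the Entity Statement issued by the TA for the OP contain the constraints parameter"`, would disambiguate them.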
@@ -23306,32 +22841,55 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": "$.exp", + "is present": "true" + } 
+ ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -23343,29 +22901,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -23377,25 +22931,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata_policy", "is present": "true" } ] 
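Review bot: The description ends with `It must be a JSON Object`, but the only check is `"is present": "true"` on `$.metadata_policy`, so a string or array value would pass; the sentence promises a type check the operation does not perform. Either drop that sentence or, if the tool offers a type assertion for a JSONPath result, add one alongside the presence check. The `Entity Statement response TA RP` twin in `@@ -23633,28 +23171,25 @@` has the same gap.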
@@ -23408,25 +22961,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnf
nGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", + "in": "payload", + "check": "$.iss", "is present": "true" } ] 
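Review bot: The name here is `Does Entity Statement issued by the TA contain the iss parameter` while every sibling in this series uses `Does Entity Statements issued by the TA ...`; the inconsistency looks accidental and the plural form is itself ungrammatical with `Does`. A uniform `"name": "Do Entity Statements issued by the TA contain the iss parameter"` (or the singular `Does the Entity Statement ...`) across the series would keep the names searchable; the `TA RP` iss test in `@@ -23764,27 +23291,25 @@` has the same odd one out.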
@@ -23439,25 +22991,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHn
fnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", + "in": "payload", + "check": "$.sub", "is present": "true" } ] 
@@ -23470,25 +23021,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -23501,29 +23051,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "check": "$.constraints", + "is present": "true" } ] } 
@@ -23535,27 +23081,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] + "check": "$.exp", + "is present": "true" } ] } 
@@ -23567,28 +23111,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] + "check": "$.iat", + "is present": "true" } ] } 
@@ -23600,28 +23141,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.jwks", + "is present": "true" } ] } 
@@ -23633,28 +23171,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -23666,28 +23201,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.sub", + "is present": "true" } ] } 
@@ -23699,27 +23231,25 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -23731,28 +23261,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.jwks", + "is present": "true" } ] } 
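Review bot: The check `"check": "$.jwks"` does not test what the name and description say: they ask whether the TA's `metadata_policy` for an RP contains a `jwks` entry under the `openid_relying_party` type, but `$.jwks` inspects the top-level `jwks` claim of the Entity Statement, which is exactly what the preceding jwks test in `@@ -23600,28 +23141,25 @@` already covers, so this test is a duplicate under a misleading title. The removed lines in `@@ -23501,29 +23051,25 @@` show the tool accepting dotted JSONPaths such as `$.metadata.openid_provider.acr_values_supported[0]`, so `"check": "$.metadata_policy.openid_relying_party.jwks"` should express the stated intent; whether the policy is keyed by `openid_relying_party` in the target profile is inferred from the description and worth confirming.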
@@ -23764,27 +23291,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", - "is in": [ - "private_key_jwt" - ] + "check": "$.iss", + "is present": "true" } ] } 
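Review bot: `iss` is only checked for presence, so an Entity Statement whose `iss` is any string at all passes; the test this replaces compared `$.metadata.openid_provider.issuer` against `X_url_OP`, and the TA statement deserves the same treatment — an `is in` against the TA's URL if the harness exposes it the way it exposes `X_url_OP`. Otherwise the description should say that only presence is verified. The body decode again uses `"decode param": "[^\\r\\n]*"` where the rest of the patch uses `"decode regex"`; keep the key consistent. The description also repeats "the presence if the iss parameter" and "decrypted Payload" — "presence of" and "decoded payload" are what is meant.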
@@ -23796,27 +23321,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } ] } ] 
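Review bot: The inner decode selects the trust mark positionally with `"decode param": "$.trust_marks[0].trust_mark"`, so the `ipa_code` assertion is only meaningful if the public-organization trust mark happens to be the first one the TA lists; an OP carrying more than one trust mark fails or passes depending on ordering rather than content. If the engine's JSONPath supports filters, selecting by the outer `trust_marks[].id` would make the test order-independent; if not, the description should state the first-trust-mark assumption. Also, this hunk writes the claim path as `"check": "$.id_code.ipa_code"` while the sibling trust-mark tests use bare claim names (`"check": "claims"`, `"check": "email"`), so pick one form unless both are known to work.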
@@ -23829,27 +23358,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } ] } ] 
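Review bot: The name, description and message type disagree about which entity this test targets: the name says "oauth_resource Trust Mark", the description says "a Trust Mark issued for an TA", and the operation reads `"message type": "Entity Statement response TA OP"`, i.e. the OP's first trust mark. In the naming used by this patch the `claims` claim belongs to the AA/oauth_resource trust mark, so either the message type should point at the AA's Entity Statement response or the name should drop "oauth_resource" and the description should say which entity's mark is being inspected. As written, "for an TA" also looks like a slip for "for an AA".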
@@ -23862,26 +23395,31 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported[0]", - "is in": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } ] } ] 
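Review bot: The description says the trust mark is "taken, decrypted"; what the operations do is base64url-decode the payload of a JWS pulled from `$.trust_marks[0].trust_mark` — nothing is decrypted and the signature is not verified, which is worth stating so readers do not assume this passive test authenticates the mark. Suggested wording: `"description": "In this test, the first Trust Mark listed in the OP's Entity Statement is taken, its payload is base64url decoded (signature not verified) and the presence of the email claim is checked."`. Note also that `"check": "email"` is a bare claim name whereas the ipa_code test in this patch uses the `$.`-prefixed JSONPath form.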
@@ -23894,27 +23432,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } ] } ] 
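Review bot: Only the presence of `exp` is asserted, so an already-expired trust mark passes this test; the check vocabulary visible in this file (`is present`, `is in`, `is`, `not contains`) has no temporal comparison, so if the engine offers one it should be used here, and if it does not the description should say explicitly that expiry is not evaluated. A related gap is that the mark is selected with `$.trust_marks[0].trust_mark`, so an expired mark at index 1 is never looked at. The wording "decrypted" should be "decoded" — the trust mark is a signed JWT.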
@@ -23927,26 +23469,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } ] } ] 
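Review bot: `iat` presence alone says nothing about whether the mark was issued after the Entity Statement that carries it or in the future; if the engine can compare two decoded values, asserting the trust mark's `iat` is not later than the outer statement's `iat` would be a cheap consistency check, otherwise the description should note that only presence is verified. The mark inspected is always `$.trust_marks[0].trust_mark`, so the test covers one mark however many the OP holds. Replace "decrypted" with "decoded" in the description — it is a JWS.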
@@ -23959,26 +23506,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } ] } ] 
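Review bot: `id` is the claim that identifies which trust mark this is, yet the test reaches the mark positionally through `"decode param": "$.trust_marks[0].trust_mark"`; the trust-mark-specific tests in this patch (ipa_code, claims, policy_uri, tos_uri) would be far more robust if they selected the mark by its `id` in the outer `trust_marks` array instead of index 0, assuming the engine's JSONPath supports a filter expression. Presence alone also does not tell you the `id` is one of the profile's known trust mark identifiers; an `is in` list, as used elsewhere in this file, would catch a mark with an unexpected id. "decrypted" in the description should read "decoded".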
@@ -23991,29 +23543,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } ] } ] 
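Review bot: Presence of `logo_uri` is checked but not its shape, so a trust mark with `"logo_uri": ""` or a non-https value passes; if the engine has a pattern or type check, an https URL assertion belongs here, and if not the description should make clear that only presence is verified. The nested decode uses `$.trust_marks[0].trust_mark`, so only the first listed mark is inspected. The description's "decrypted" should be "decoded" (the mark is a JWS, and its signature is not verified by this passive test).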
@@ -24026,26 +23580,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } ] } ] 
@@ -24058,27 +23617,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } ] } ] 
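Review bot: `organization_type` is checked only for presence, whereas the ipa_code test in this patch singles out public organizations, which implies this claim takes a small closed set of values; the `is in` check already used in this file would pin it to the expected values rather than accepting any string. Selection via `$.trust_marks[0].trust_mark` again inspects only the first mark. "decrypted" should be "decoded" in the description.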
@@ -24091,27 +23654,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } ] } ] 
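Review bot: The name and description say this is the AA's `oauth_resource` trust mark, but the operation reads `"message type": "Entity Statement response TA OP"` and decodes the OP's first trust mark, so the `policy_uri` check runs against the wrong entity's mark and, on an OP, fails whenever the OP's mark lacks the claim. Either switch the message type to the AA's Entity Statement response or rename the test; as written the label misleads whoever triages a failure.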
@@ -24124,27 +23691,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } ] } ] 
@@ -24157,28 +23728,31 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } ] } ] 
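Review bot: The `service_documentation` check is described as applying to a trust mark "issued for an AA (oauth_resource profile)" yet it runs on `"message type": "Entity Statement response TA OP"`, the same entity mix-up as the other oauth_resource tests in this patch. An OP trust mark without `service_documentation` would be reported as a failure of the AA test, which is confusing during triage; point the message type at the AA statement, or make name and description say OP.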
@@ -24191,26 +23765,31 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } ] } ] 
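Review bot: In OpenID Federation the trust mark's `sub` names the entity the mark was issued to, which for a mark carried in the TA's statement about the OP is the statement's own `sub`; the test only asserts presence, so a mark lifted from a different entity would pass. If the engine can relate two decoded values, assert the inner `sub` equals the outer Entity Statement's `sub`; otherwise at least state in the description that only presence is verified. "decrypted" should read "decoded".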
@@ -24223,29 +23802,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } ] } ] 
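Review bot: `tos_uri` is again labelled as an `oauth_resource` (AA) trust mark claim while the operation inspects `"message type": "Entity Statement response TA OP"`, so the test decodes the OP's first trust mark and asserts an AA-profile claim on it. Decide which entity is meant and make name, description and message type agree; if the OP mark is intended, presence of `tos_uri` there should be justified in the description rather than borrowed from the AA profile.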
@@ -24258,29 +23839,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } ] } ] 
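Review bot: `iss` of the trust mark is checked for presence only; in a federation the issuer of a mark is what decides whether it is trustworthy at all, so a value check against the expected trust mark issuer (an `is in` list, as used elsewhere in this file) would turn this from a shape check into a meaningful one if the harness knows the expected issuer. The mark under test is always `$.trust_marks[0].trust_mark`. The description's "decrypted" is "decoded" — nothing here verifies the signature, which is worth saying explicitly.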
@@ -24293,29 +23876,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } ] } ] 
@@ -24328,29 +23913,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } ] } ] 
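Review bot: This test asserts `$.id_code.ipa_code` on whatever trust mark the TA lists first for the RP, so for an RP that is not a public body the test fails by construction rather than because anything is wrong; if the suite is run against private-sector RPs this needs gating, or the description should say it only applies to public-organization RPs. As in the OP variant, selecting the mark with `$.trust_marks[0].trust_mark` makes the outcome depend on ordering, and the `$.`-prefixed check path differs from the bare claim names (`"check": "claims"`) used by the RP trust-mark tests that follow.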
@@ -24363,26 +23950,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } ] } ] 
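Review bot: The name and description describe the AA's `oauth_resource` trust mark, but the operation runs on `"message type": "Entity Statement response TA RP"`, so it decodes the RP's first trust mark and asserts an AA-profile claim on it. The description here ("issued for an AA (oauth_resource profile)") also differs from the OP copy of the same test earlier in this patch ("issued for an TA"), which suggests these were pasted rather than written per entity; the message type should target the AA statement, or name and description should say RP.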
@@ -24395,29 +23987,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } ] } ] 
@@ -24430,26 +24024,32 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ
740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.cty", - "is": "JWT" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
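Review bot: The new presence check on `exp` has the same limitation as its OP counterpart — an expired trust mark passes, since no visible check compares timestamps — and the description should say that expiry is not evaluated if the engine cannot do it. Separately, the lines this hunk replaces carried a PEM `-----BEGIN PRIVATE KEY-----` RSA key inline under `jwe decrypt`; dropping it from this one test does not remove it from the repository history, and the same literal is presumably still used by the remaining UserInfo tests. If that key is anything other than a disposable test fixture it should be treated as exposed and rotated, and in any case loading it from a file or environment variable rather than a committed JSON literal would keep it out of future diffs.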
@@ -24461,30 +24061,31 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ
8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } ] } ] 
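Review bot: As with the OP variant, presence of `iat` is asserted but no relation to the Entity Statement's own `iat` or to the current time is checked, so a mark issued in the future passes; if the engine supports a comparison use it, otherwise note the limitation in the description. The old side of this hunk also embedded the RSA private key used for `jwe decrypt`; its removal here is welcome, but the same literal is presumably still present in the other UserInfo tests of this file, so the key should be sourced from outside the JSON (and rotated if it was ever a real decryption key).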
@@ -24497,25 +24098,32 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
@@ -24527,25 +24135,32 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.jwks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -24557,25 +24172,32 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.signed_jwks_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -24587,25 +24209,32 @@ }, { "test": { - "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -24617,25 +24246,32 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
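Review bot: The test name and description refer to a Trust Mark issued for an AA (oauth_resource profile), but the operation reads `"message type": "Entity Statement response TA RP"`, so the JWT being decoded is the statement the TA issued to the RP, not to an AA; the same mismatch is in the hunks at +24320 (service_documentation) and +24394 (tos_uri), and the claims check at +24963 reads `TA OP`. If mig-t exposes a subordinate statement for the AA (the AA suites touched by this commit suggest such a role exists), the message type should point at it; otherwise the name should say which subordinate's Trust Mark is actually examined. The test object's `result` line is outside the hunk.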
@@ -24647,25 +24283,32 @@ }, { "test": { - "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -24677,25 +24320,32 @@ }, { "test": { - "name": "Does the OP metadata contain the contacts claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -24707,25 +24357,32 @@ }, { "test": { - "name": "Does the OP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -24737,25 +24394,32 @@ }, { "test": { - "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -24767,25 +24431,32 @@ }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -24797,25 +24468,32 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -24827,25 +24505,32 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
@@ -24857,27 +24542,21 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "is present": "true" - } - ] + "jwt check sig": "X_key_TA" } ] } 
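Review bot: The new description says the verification key "must be taken from the Entity Statement of a superior", but the message type is `Entity Configuration response TA` and the signature is checked against the configured `X_key_TA`; a Trust Anchor has no superior and its Entity Configuration is self-signed, so the description contradicts what the operation does. Suggested wording: `"description": "The Entity Configuration of the Trust Anchor is taken and its signature is verified against the Trust Anchor's own public key (X_key_TA), using the algorithm declared in the JWT header."`. Separately, this hunk and the ones at +24566, +24590, +24722 and +24787 rename the body selector to `"decode param": "[^\\r\\n]*"`, while the neighbouring Trust Mark tests keep `"decode regex"` for the identical value and the hunk preceding +24098 renames in the opposite direction; unless mig-t accepts both spellings, one family will silently fail to extract the JWT, so a single key should be used throughout.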
@@ -24887,27 +24566,21 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", - "is present": "true" - } - ] + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_TA" } ] } 
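Review bot: The test name `Does the TA correctly sign the Entity statements` is identical to the one added in the next hunk (+24590) for `Entity Statement response TA RP`, and the same duplication appears for the sa_profile pair at +24614 and the iss pair at +24722/+24787; a report that lists results by name cannot tell the OP and RP cases apart. Suggest naming the subordinate, e.g. `"name": "Does the TA correctly sign the Entity Statement issued to the OP"` here and `... issued to the RP` in the next hunk. The description says the key comes from "the entity configuration"; saying the TA's Entity Configuration would make clear which key `X_key_TA` stands for.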
@@ -24917,27 +24590,21 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" - } - ] + "jwt check sig": "X_key_TA" } ] } 
@@ -24947,87 +24614,105 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": 
"[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
@@ -25037,25 +24722,60 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", - "is present": "true" + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "iss", + "contains": "valid_iss" + } + ] } ] } 
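Review bot: The description says the iss value "has to be an URL", but the check compares it with the `iss` saved from the TA's Entity Configuration, i.e. it verifies that the Trust Mark is issued by the TA, not that the value is a URL; the same applies to the RP copy in the next hunk (+24787). Suggested description: `"description": "In this test the iss claim of an issued Trust Mark is compared with the iss of the TA Entity Configuration: the Trust Mark must be issued by the TA"`. `contains` is a substring match, so an iss that merely embeds the TA identifier would pass; if `use variable` also works with the `is` operator used elsewhere in this file, an exact comparison is preferable. The closing `result` of the test is outside the hunk.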
@@ -25067,25 +24787,60 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", - "type": "passive", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "iss", + "contains": "valid_iss" + } + ] } ] } 
@@ -25097,25 +24852,32 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
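Review bot: This test requires `fiscal_number` or `vat_number` inside `id_code`, while the tests at +24889 and +24925 require `ipa_code` in the same claim of the same `Entity Statement response TA OP`; a given OP is either a public or a private organization, so in any single run one of the two families must fail. Unless mig-t can condition a test on the `organization_type` claim, the tests would be better merged into one schema that selects the branch with `if`/`then` on `organization_type` (where the validator supports it), or the descriptions should state that a failure in the non-applicable branch is expected. Also, `"fiscal_number": {}` and `"vat_number": {}` are empty schemas that accept any value type, including `null`; if the profile defines them as strings, `{"type": "string"}` pins that. The enclosing test's `result` line is outside the hunk.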
@@ -25127,25 +24889,32 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.claims_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } + ] } ] } 
@@ -25156,26 +24925,33 @@ } }, { - "test": { - "name": "Does the OP metadata contain the claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "test": { + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
@@ -25187,25 +24963,32 @@ }, { "test": { - "name": "Does the OP metadata contain the request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } + ] } ] } 
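Review bot: The description says the `claims` value "has to be a list of JSON Objects", but the schema enforces `"type": "object"` with object-valued `additionalProperties`, i.e. a map, and an array would be rejected. One of the two is wrong: if the map form is intended, the description should read `... the value of the claims claim has to be a JSON Object whose values are JSON Objects`; otherwise the schema should use `"type": "array", "items": {"type": "object"}`. The enclosing test's `result` line is outside the hunk.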
@@ -25217,25 +25000,32 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + } + ] } ] } 
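Review bot: The schema in the email check has a trailing space in its `"required "` key, so validators treat it as an unknown keyword and ignore it; a Trust Mark without an `email` claim passes this test. The line should read `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required\":[\"email\"]}"`. Note also that `format` is an annotation by default in JSON Schema, so unless the validator used by mig-t enables format assertions, only `type: string` is enforced here and in the `logo_uri` check at +25111. The enclosing test's `result` line is outside the hunk.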
@@ -25247,25 +25037,32 @@ }, { "test": { - "name": "Does the OP metadata contain the client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] } ] } 
@@ -25277,25 +25074,32 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -25307,25 +25111,32 @@ }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } 
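Review bot: The descriptions of the `logo_uri` test and its siblings say the value has to be a URL, but the schema uses `"format": "uri-reference"`, which also accepts a relative reference or an empty string, and `format` is annotation-only unless the validator enables assertions. The `ref` check at L3756 uses `"format": "uri"` and the `issuer` check at L3776 adds `"pattern": "^https://"`; the same combination, `{"type": "string", "format": "uri", "pattern": "^https://"}`, would make these tests enforce what they describe. The same `uri-reference` schema is used for `policy_uri` (L3755, L3769), `service_documentation` (L3757, L3771), `sub` (L3758, L3772), `tos_uri` (L3759, L3773) and `logo_uri` again at L3768.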
@@ -25337,25 +25148,32 @@ }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } 
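Review bot: The `json schema compliant` string for `organization_name` is not parseable JSON: it contains `\u00a0` (non-breaking space) between `:` and the quoted values, and U+00A0 is not whitespace for a JSON parser, so loading the schema fails before anything is validated. Every keyword in it (`type `, `properties `, `enum `, `required `) and both enum values (`private `, `public `) also carry a trailing space, so even with the NBSP removed the validator would ignore the keywords and the enum could never match a real value. Decoded, the schema should read `{"type":"object","properties":{"organization_name":{"type":"string","enum":["private","public"]}},"required":["organization_name"]}`. The copy at L3769 has identical content.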
@@ -25367,25 +25185,32 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
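Review bot: The name and description say this Trust Mark is issued for an AA (oauth_resource profile), but the operation listens on `"message type": "Entity Statement response TA OP"`, so the `policy_uri` requirement is applied to the OP's Trust Mark. The same mismatch applies to `service_documentation` (L3757) and `tos_uri` (L3759) on the TA OP message and to `claims` (L3764), `policy_uri` (L3769), `service_documentation` (L3771) and `tos_uri` (L3773) on the TA RP message. If these claims are meant to be required on every Trust Mark the descriptions should say so; otherwise the message type should be the AA's Entity Statement or the tests belong in the AA suite.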
@@ -25397,25 +25222,32 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
@@ -25427,25 +25259,32 @@ }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
@@ -25457,25 +25296,32 @@ }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -25487,25 +25333,32 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -25517,25 +25370,32 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] } ] } 
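Review bot: The schema for `id_code` declares `"additionalProperties": {"type": "object"}`, which requires every member of `id_code` to itself be an object, while L3763 requires `id_code.ipa_code` to be a string and L3762 expects `fiscal_number`/`vat_number` members; no Trust Mark can satisfy both, so one of these tests always fails. Since the description only asks that `id_code` be a JSON object, dropping the constraint, `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`, matches the intent. The copy at L3774 has the same schema.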
@@ -25547,25 +25407,32 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } + ] } ] } 
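Review bot: This test and the one at L3762 both run passively on the same `Entity Statement response TA RP` message and inspect the same `trust_marks[0]`, one requiring `ipa_code` and the other `fiscal_number` or `vat_number`; for any single RP one of the two will fail unless the harness selects tests by organization type. If that selection is not done elsewhere, a single schema conditioned on `organization_name` (an `if`/`then` or a `oneOf` over the two shapes) would make the expectation self-contained. Both tests also only look at the first Trust Mark, so an RP that carries several Trust Marks is only partially checked.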
@@ -25577,25 +25444,32 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
@@ -25607,25 +25481,32 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
@@ -25637,20 +25518,34 @@ }, { "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "code" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } + ] + } + ] } ] } 
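Review bot: The description says the `claims` value has to be a list of JSON objects, but the schema requires `"type": "object"` for `claims`, so a list would fail the test while an object of objects passes. One of the two is wrong; if a list is intended the property schema should be `{"type": "array", "items": {"type": "object"}}`, otherwise the description should say object. The test is also labelled oauth_resource but listens on the TA RP message.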
@@ -25660,20 +25555,34 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "state" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } + ] + } + ] } ] } 
@@ -25683,20 +25592,34 @@ }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "iss" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] + } + ] } ] } 
@@ -25706,20 +25629,34 @@ }, { "test": { - "name": "Does the token response have Cache-Control set to 'no-store'", - "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "check param": "Cache-Control", - "contains": "no-store" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] + } + ] } ] } 
@@ -25729,53 +25666,69 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", - "type": "active", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": 
"(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "saved_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } @@ -25787,27 +25740,31 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
@@ -25820,29 +25777,31 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
@@ -25855,29 +25814,31 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
@@ -25890,21 +25851,34 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] + } + ] } ] } 
@@ -25914,21 +25888,34 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] + } + ] } ] } 
@@ -25938,21 +25925,34 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] + } + ] } ] } 
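Review bot: The tests replaced in this hunk and the two before it (L3772, L3773) were the only ones in this region that verified a JWT signature (`jwt check sig` on the OP Entity Configuration, the Access Token and the ID Token); the replacements are type checks on Trust Mark claims and carry no signature verification. If those signature tests were not moved elsewhere in this file, a tampered or forged token would no longer be detected by the suite, which is worth confirming before merge. The new `id_code` schema here repeats the `additionalProperties` object constraint from L3760, which conflicts with the string `ipa_code` required at L3763.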
@@ -25962,8 +25962,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -25979,8 +25979,13 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -25992,8 +25997,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
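Review bot: The new `not contains` check in the `@@ -25979` hunk addresses `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of`, but `one_of` is a metadata-policy operator; in the AA's own Entity Configuration the claim is a plain array, so the path presumably resolves to nothing and, if `not contains` on a missing value passes, this weak-algorithm check can never fail. Point the check at the array itself, `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported"`, so a configuration advertising `none` or `HS256` is actually rejected. The same `.one_of` suffix is used for token_endpoint_auth_signing_alg_values_supported on the next line. The enclosing test objects begin and end outside these hunks.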
@@ -26009,8 +26014,13 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -26022,8 +26032,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -26034,13 +26044,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } @@ -26052,8 +26062,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
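Review bot: The issuer schema string in the `@@ -26034` hunk ends in `]})` — the stray `)` after the closing brace makes the schema invalid JSON, so the validator will reject the schema itself rather than judge the payload, and the test cannot yield a real verdict. Drop the parenthesis: `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]}"`; the logo_uri schema at the start of the next line has the same `})`. The `@@ -26009` hunk checks `token_endpoint_auth_signing_alg_values_supported.one_of`, where `one_of` is a policy operator rather than a member of the entity's own metadata, so the `not contains` may pass vacuously. The `decode param` regex change from `[^\\r\\n]*` to `[^\\n\\r]*` is equivalent and only adds churn.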
@@ -26064,13 +26074,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -26082,8 +26092,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -26099,8 +26109,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
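Review bot: In the `@@ -26099` hunk the description says trust_marks "must be an array", but the schema declares `"trust_marks": {"type": "object", "additionalProperties": {"type": "array"}}`, so a conformant Entity Configuration whose trust_marks is an array of objects fails and only an object-shaped, malformed value passes. Use `{"type": "object", "properties": {"trust_marks": {"type": "array", "items": {"type": "object", "required": ["trust_mark"]}}}, "required": ["trust_marks"]}` — `trust_mark` is the member the Trust Mark tests earlier on this page read via `$.trust_marks[0].trust_mark`. The logo_uri schema in the `@@ -26064` hunk still ends in `]})`; the trailing `)` makes that schema string unparsable.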
@@ -26112,8 +26122,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -26129,8 +26139,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -26142,8 +26152,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -26159,8 +26169,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
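Review bot: The descriptions in both hunks on this line still say only that "the presence of the exp parameter is checked" (and iat), while the new checks enforce `"type": "integer", "minimum": 0`; the description should say e.g. `the exp parameter is checked: it must be present and be a non-negative integer (NumericDate)`. Note that `minimum: 0` does not catch an Entity Configuration that is already expired or whose exp precedes iat; if the tool can compare against the capture time, that is the check worth adding, since a format-only passive check accepts a stale statement.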
@@ -26172,8 +26182,8 @@ }, { "test": { - "name": "Does the AA metadata contain op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -26184,13 +26194,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata.openid_provider.op_policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -26202,8 +26212,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
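Review bot: The `@@ -26184` hunk rewrites the decode regex from `[^\\n\\r]*` to `[^\\r\\n]*` — the two character classes are identical — while neighbouring hunks flip it the other way and also rename the key from `decode param` to `decode regex`, so the new side now mixes both spellings and both key names. If the tool treats `decode param` and `decode regex` differently, part of these Entity Configuration tests will not decode the JWT at all; settle on one form, e.g. `"decode regex": "[^\\r\\n]*"`, across the file. The "cannot be repeated" wording in the `@@ -26202` description promises something a JSON-schema check cannot observe: duplicate keys are collapsed by the JSON parser before validation.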
@@ -26211,12 +26221,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } @@ -26226,8 +26242,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
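Review bot: The metadata schema in the `@@ -26211` hunk lists all six entity types under `required`, so together with `additionalProperties: false` an AA Entity Configuration that publishes only its own types (for example federation_entity, oauth_authorization_server, oauth_resource) fails, although the description only asks that each key be one of the allowed types. Drop the `required` array and keep the closed property set, ending the schema with `}, "additionalProperties": false, "minProperties": 1}`. The "only once for each" part of the description cannot be enforced by this check either: a duplicate key is collapsed by the parser before the schema sees the object.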
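Review bot: The new description in the `@@ -26226` hunk reads "the SA metadata in the TA Entity Configuration", but the test name and its check (on the next line, `$.metadata.federation_entity` in the AA Entity Configuration response) are about the AA; this looks copied from another profile. Suggested wording: `In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type must be an https URL ending in .svg`.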
@@ -26238,13 +26254,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -26256,8 +26272,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -26265,11 +26281,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + } + ] } ] } 
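Review bot: In the `@@ -26265` hunk the `resource` claim is validated under `$.metadata.federation_entity`, but `resource` is an oauth_resource metadata claim — the presence test further down this page reads `$.metadata.oauth_resource.resource` — so with `"required": ["resource"]` this check fails for every AA that publishes the claim in the right place. Change the path to `"check": "$.metadata.oauth_resource"` and fix the description ('oauth_resource' instead of 'federation_entity'). The https-only `pattern` on both the string and the array form is the right strictness.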
@@ -26279,8 +26302,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -26288,11 +26311,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + } + ] } ] } @@ -26302,8 +26332,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" 
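Review bot: The `@@ -26288` hunk checks `authorization_endpoint` under `$.metadata.federation_entity` with `"const": "private"`, yet the presence test later on this page looks for it under `$.metadata.oauth_authorization_server`, so the two tests disagree about where the claim lives and at least one fails on a conformant configuration. If `private` is a deliberate sentinel for this AA profile, say so in the description and move the path to `oauth_authorization_server`; otherwise an endpoint should be validated like the sibling URL checks with `"format": "uri", "pattern": "^https://"`. The `@@ -26302` description states that op_policy_uri is "private" while the schema on the next line requires a URI; one of the two is wrong.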
@@ -26319,8 +26349,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } @@ -26332,8 +26362,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26344,13 +26374,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "is present": "true" } ] } 
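Review bot: The op_policy_uri check in the `@@ -26319` hunk reads `$.metadata.openid_provider`, but the presence test added further down this page uses `$.metadata.oauth_authorization_server.op_policy_uri`, and the description on the previous line says the value is "private" while this schema demands `"format": "uri"`. Align all three: `"check": "$.metadata.oauth_authorization_server"`, the schema `{"type": "object","properties": {"op_policy_uri": {"type": "string","format": "uri","pattern": "^https://"}},"required": ["op_policy_uri"]}`, and a description stating that the value must be an https URL. As written, an AA without an openid_provider block presumably fails this test regardless of its actual policy URI.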
@@ -26362,8 +26392,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain the contacts claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26374,13 +26404,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } @@ -26392,8 +26422,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -26404,13 +26434,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "is present": "true" } ] } @@ -26422,8 +26452,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain the federation_resolve_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26434,13 +26464,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -26452,8 +26482,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26464,13 +26494,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } 
@@ -26482,8 +26512,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain the grant_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26494,13 +26524,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "is present": "true" } ] } 
@@ -26512,8 +26542,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the AA metadata contain the homepage_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26524,13 +26554,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } @@ -26542,8 +26572,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", + "name": "Does the AA metadata contain the issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -26554,13 +26584,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + "check": "$.metadata.oauth_authorization_server.issuer", + "is present": "true" } ] } @@ -26572,8 +26602,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", + "name": "Does the AA metadata contain the jwks claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26584,13 +26614,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + "check": "$.metadata.oauth_authorization_server.jwks", + "is present": "true" } ] } 
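Review bot: The `@@ -26584` hunk only asserts that `jwks` is present, so an empty `{"keys": []}` or a non-object value in the oauth_authorization_server metadata passes, even though these keys are what token and DPoP signatures are later verified against. A schema check is cheap here and consistent with the other type tests on this page: keep `"check": "$.metadata.oauth_authorization_server.jwks"` and replace `"is present": "true"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}"`.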
@@ -26602,8 +26632,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", + "name": "Does the AA metadata contain the logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26614,13 +26644,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
@@ -26632,8 +26662,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the AA metadata contain the op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26641,11 +26671,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "is present": "true" + } + ] } ] } 
@@ -26655,20 +26692,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the AA metadata contain the op_tos_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "is present": "true" + } + ] } ] } @@ -26678,8 +26722,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does the AA metadata contain the organization_name claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -26695,11 +26739,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } @@ -26711,8 +26752,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does the AA metadata contain the policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26728,10 +26769,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } @@ -26743,8 +26782,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does the AA metadata contain the resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -26760,11 +26799,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata.oauth_resource.resource", + "is present": "true" } ] } @@ -26776,8 +26812,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain the response_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26788,18 +26824,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.oauth_authorization_server.response_types_supported", + "is present": "true" } ] } 
@@ -26811,8 +26842,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain the scopes_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26823,18 +26854,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.oauth_authorization_server.scopes_supported", + "is present": "true" } ] } @@ -26846,8 +26872,8 @@ }, { "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -26863,7 +26889,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "check": "$.metadata.oauth_authorization_server.token_endpoint", "is present": "true" } ] @@ -26876,8 +26902,8 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26893,7 +26919,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", "is present": "true" } ] @@ -26906,8 +26932,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -26923,7 +26949,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] @@ -26936,8 +26962,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration AA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -26948,13 +26974,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -26966,8 +26992,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" 
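Review bot: The check added in the -26948 hunk compares `$.sub` with the literal `X_key_AA` (`"is": "X_key_AA"`), while the test name and description say the sub claim must equal the iss claim of the same Entity Configuration; nothing in the hunk relates sub to iss. Elsewhere `X_key_AA` is a key reference (`"jwt check sig": "X_key_AA"` in the -27338 hunk), so unless the tool expands it to the AA's entity identifier this compares a subject URL to a key alias and cannot pass. Either compare against the configured AA identifier, or state in the description that `X_key_AA` resolves to that identifier. The test object starts and ends outside the hunk.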
@@ -26975,18 +27001,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -26996,8 +27015,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -27005,18 +27024,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
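Review bot: The two tests rewritten in the -26975 and -27005 hunks ("correct HTTP code in the EC response" and "expose the /.well-known/openid-federation endpoint") end up with byte-identical operations: the same message type and the same head check `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`. The second therefore adds no coverage beyond the first; if it is meant to show that the endpoint serves an entity configuration, as its description says, it should inspect the body (for example that it decodes as a JWT) rather than repeat the status-line check. Both test objects start and end outside the hunks.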
@@ -27026,8 +27038,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -27035,18 +27047,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
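Review bot: The JOSE-format regex added in the -27035 hunk, `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)`, is unanchored and lets the third group be empty, so if `check regex` uses find semantics any body containing `x.y.` satisfies it, including an unsigned `header.payload.` token. Its alphabet is also off for JWS compact serialization: base64url uses `-` and `_`, which the first two groups reject while the third admits `+` and `/`. Anchoring and using one alphabet, `"check regex": "^([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]+)$"`, makes the check state what the description promises. The test object starts and ends outside the hunk.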
@@ -27056,27 +27061,20 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } @@ -27086,8 +27084,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" 
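Review bot: The resolve-endpoint regex in the -27056 hunk, `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`, opens with an unescaped `[`, so the engine reads `[\\s*\"[^\"]` as a character class rather than a literal bracket; depending on the engine the pattern either fails to compile (unclosed class, as Java treats the nested `[`) or matches something other than a JSON string array. Use `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also promises an HTTP 200 response, but only the body is inspected; a head check like the one used for the Entity Configuration tests would cover that. The test object starts and ends outside the hunk.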
@@ -27098,12 +27096,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", + "check": "$.trust_marks", "is present": "true" } ] @@ -27116,8 +27114,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -27128,12 +27126,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.exp", "is present": "true" } ] @@ -27146,8 +27144,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -27158,12 +27156,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "check": "$.iat", "is present": "true" } ] @@ -27176,8 +27174,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -27188,12 +27186,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "check": "$.iss", "is present": "true" } ] @@ -27206,8 +27204,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -27218,12 +27216,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.jwks", "is present": "true" } ] @@ -27236,8 +27234,8 @@ }, { "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" @@ -27248,12 +27246,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata", "is present": "true" } ] @@ -27266,8 +27264,8 @@ }, { "test": { - "name": "Does the AA metadata contain the resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -27278,12 +27276,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_resource.resource", + "check": "$.sub", "is present": "true" } ] @@ -27296,8 +27294,8 @@ }, { "test": { - "name": "Does the AA metadata contain the response_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", "type": "passive", "sessions": [ "s1" @@ -27308,12 +27306,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", + "check": "$..metadata.openid_provider.op_policy_uri", "is present": "true" } ] 
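Review bot: The check added in the -27308 hunk, `$..metadata.openid_provider.op_policy_uri`, looks up op_policy_uri under the `openid_provider` entity type of an AA Entity Configuration, while every other AA test in this file addresses the same claims under `$.metadata.oauth_authorization_server` (the removed side of this hunk included, `$.metadata.oauth_authorization_server.op_policy_uri`). The recursive-descent `$..` and the `openid_provider` type read like an OP test pasted into the AA set; if the AA publishes no `openid_provider` metadata this test fails unconditionally, and if it did, `$..` would also accept the claim anywhere in the document. This hunk is also the only one whose decode pattern is spelled `[^\\n\\r]*` rather than `[^\\r\\n]*`; equivalent, but one spelling keeps grep-based audits simple. The test object starts and ends outside the hunk.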
@@ -27326,8 +27324,8 @@ }, { "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -27338,15 +27336,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", - "is present": "true" - } - ] + "jwt check sig": "X_key_AA" } ] } @@ -27356,8 +27348,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" 
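Review bot: The signature check added in the -27338 hunk, `"jwt check sig": "X_key_AA"`, verifies the Entity Configuration against a key the tool is configured with, while the description says the public key must be taken from the Entity Statement of a superior. If `X_key_AA` is a setup-time key rather than one resolved from the trust chain, a configuration signed with a key the superior never published still passes, which is the case this test exists to catch. Either resolve the key from the superior's Entity Statement in the test, or reword the description to say the check is against the configured AA key. The test object starts and ends outside the hunk.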
@@ -27373,8 +27365,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -27387,7 +27382,7 @@ { "test": { "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -27403,8 +27398,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } 
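Review bot: After this commit two tests share the name `Does the AA metadata contain the token_endpoint_auth_methods_supported claim`: the presence check in the -26876 hunk and the value check in the -27387 hunk here, whose description now requires `'one_of': ['private_key_jwt']`. The sibling value tests are named with "correct" (`... contain correct dpop_signing_alg_values_supported claim` in the -27356 hunk, `... contain correct token_endpoint_auth_signing_alg_values_supported claim` in the -27416 hunk), so `"name": "Does the AA metadata contain correct token_endpoint_auth_methods_supported claim"` restores the convention and keeps the two results distinguishable in reports. The test object starts and ends outside the hunk.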
@@ -27416,8 +27413,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -27433,8 +27430,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -27446,8 +27446,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -27455,12 +27455,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_AA" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json index c2960c0..a7900ac 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json 
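Review bot: The Content-Type check added in the -27455 hunk uses `"is": "application/entity-statement+jwt"` on `Content-Type`; if `is` is an exact comparison, a server that appends a parameter (`; charset=utf-8`) is reported as non-conformant although the media type is right. A `check regex` anchored on the media type, or a sentence in the description stating that parameters are not tolerated, would make the intent explicit. The hunk also introduces a real boolean `"url decode": false` beside the string booleans used throughout the file (`"is present": "true"`); keeping one convention spares the loader from coercing both. The test object starts and ends outside the hunk.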
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", + "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", "type": "active", "sessions": [ "s1" @@ -30,9 +30,12 @@ "type": "jwt", "edits": [ { - "jwt from": "header", - "jwt edit": "alg", - "value": "none" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } 
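Review bot: The test renamed in the -7 hunk says the OP must refuse a request whose `aud` does not contain its identifier, but the edit in the -30 hunk rewrites `$.iss` (`"jwt edit": "$.iss"`, value `https://www.example.com/`) and leaves `aud` untouched, so the OP is exercised on a foreign issuer, not on a wrong audience. Change the edit to `"jwt edit": "$.aud"` (or add a second edit for `aud`) and, if an issuer case is wanted too, give it its own test entry. The new description also reads `does not contains`, and `aud` names the intended recipients of the request rather than its subjects. The test object continues between and after both hunks.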
@@ -60,908 +63,1520 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the client_id parameter", + "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge 
parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", + "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the nonce parameter", + "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jwks", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter", + "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + 
"edits": [ { - "in": "payload", - "check": "$.metadata", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the state parameter", + "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. 
In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", + "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": 
"[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.authority_hints", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", + "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": 
"HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", + "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow 
s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", - "type": "passive", + "name": "Does the OP refuse 
Authentication Requests with a wrong exp parameter", + "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.typ", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", + "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": 
\")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.client_id", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": 
"HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", + "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the response_type 
parameter wrong or not present in its metadata", + "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unsupported_response_type" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", + "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. 
So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jti", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_scope" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a state parameter 
shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.scope", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of 
the 'alg' parameter in the Header is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the acr_values parameter", + "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the aud parameter", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. 
In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the claims parameter", + "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", 
"type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.acr", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the exp parameter", + "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.at_hash", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - 
"name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iat parameter", + "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iss parameter", + "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message 
type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the prompt parameter", + "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + 
"action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", + "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 
presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the response_type parameter", + "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jti", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.nonce", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": 
"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse an RP without trusted Trust Marks", + "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.trust_marks", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", + "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", + "description": "The 'iss' parameter in the JWT of an authentication request 
says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -976,11 +1591,21 @@
 "from session": "s1",
 "then": "forward",
 "message type": "Authentication request",
- "message operations": [
+ "decode operations": [
 {
 "from": "url",
- "save": "client_id",
- "as": "auth_client_id"
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": "https://www.example.com/"
+ },
+ {
+ "jwt sign": "X_key_RP"
+ }
+ ]
 }
 ]
 },
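Review bot: The description of this test carries two typos, `Authenticaton` and `than it could be forwarded` (should be 'then'), and the test object itself begins before this hunk. The `"jwt sign": "X_key_RP"` step presumably keeps the request object's signature valid so that a rejection can only come from the iss/client_id comparison; that intent is worth stating in the description, e.g. `the request object is re-signed so that the OP's rejection can only stem from the iss check`.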
@@ -988,31 +1613,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
- "decode operations": [
+ "message type": "Authentication error response",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "client_id",
- "is": "auth_client_id",
- "use variable": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.",
+ "name": "Does the OP correctly validate the trust chain of an RP authentication request",
+ "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification",
 "type": "active",
 "sessions": [
 "s1"
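Review bot: The passive check that the access token's `client_id` equals the `auth_client_id` saved from the authentication request is deleted in this hunk without a replacement; if it was moved to one of the passive suites touched by this patch that is fine, otherwise that coverage is lost and the change should say so. The new checks use `"in": "head"` for both the status regex and `invalid_request`, which presumably relies on the error code travelling in the Location header of the 302; a sentence in the description such as `the error code is expected in the redirect Location header` would make that assumption explicit for the next maintainer.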
@@ -1026,537 +1646,500 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", - "message operations": [ - { - "from": "url", - "save": "scope", - "as": "auth_scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "scope", - "is": "auth_scope", - "use variable": "true" + "jwt from": "payload", + "jwt edit": "$.authority_hints", + "value": "https://www.wrongsite.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", "checks": [ { "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", - "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "UserInfo response", - "checks": [ + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, { "in": "head", - "url decode": false, - "is": "application/jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Endpoint Response have the active parameter", - "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. 
It must contain the 'active' parameter", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection response", - "checks": [ - { - "in": "body", - "is present": true, - "check regex": "active" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Endpoint returns true on active tokens", - "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection response", - "checks": [ - { - "in": "body", - "is present": true, - "check regex": "\"active\": true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP verify the HTTP method of the Revocation request", - "description": "The revocation request must be sent via HTTP POST", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Revocation request", - "checks": [ - { - "in": "url", - "is present": true, - "check": "POST" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the successful token response contain access token", - "description": "The Token response is analyzed and the presence of the access token is checked", - "type": "passive", + "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", + "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. 
The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ - { - "in": "body", - "is present": true, - "check regex": "access_token" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP issue the access tokens when requested", - "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Token response", - "checks": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP issue the expires_in in a token response", - "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. 
The response is then analyzed and it must contain the expires_in parameter", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "is present": true, - "check regex": "expires_in" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the successful token response contain the ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "checks": [ + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, { - "in": "body", - "is present": true, - "check regex": "id_token" + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", - "type": "passive", + "name": "Does the OP refuse Authentication Request with a wrong redirect URI", + "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. 
To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. 
The HTTP code must be 200", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "UserInfo response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported.value", - "is": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + 
"in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported.value", - "is": "true" + "jwt from": "payload", + "jwt edit": "$.aud[0]", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", - "description": "In 
this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", - "is": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", - "type": "passive", + "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_OP" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must be an HTTP 200 OK response", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", - "type": "passive", + "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct 
revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Revocation response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", - "type": "passive", + "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token response", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the 
HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", + "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { 
@@ -1567,20 +2150,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Introspection request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" + "jwt edit": "$.exp", + "value": "example" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -1590,11 +2173,11 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "head", @@ -1608,11 +2191,11 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the client_id parameter", - "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { 
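Review bot: Setting `$.exp` to the string `"example"` in the `@@ -1567` hunk exercises type validation of the claim, not expiry checking, even though the test is named "verify the value of exp". An OP that parses `exp` as an integer rejects this with a parse error whether or not it ever compares the timestamp to the current time, so a working expiry check is never demonstrated. The token-endpoint test later in this patch uses a past epoch; the same literal, `"value": "1681716340"`, would turn this into a real expired-assertion test. The test's `sessions` declaration sits in the preceding hunk, outside this one.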
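Review bot: The second check in the `@@ -1590` hunk keeps `"in": "head"` as context, so the unchanged `invalid_request` line that follows it (the same shape as the introspection tests earlier in this patch) is matched against the response headers, while every Revocation and Token response hunk further down switches the identical check to `"in": "body"`. RFC 6749 §5.2, which RFC 7662 reuses for introspection errors, puts `error` in the JSON body, so this should read `"in": "body"` like its siblings or a compliant OP will be reported as failing. Separately, a client assertion with a bad `exp`/`sub`/`iss` is a client-authentication failure, for which §5.2 defines `invalid_client` (optionally 401 with `WWW-Authenticate`); unless the CIE federation profile mandates `invalid_request` here, consider accepting `invalid_client` too so a conforming OP is not flagged.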
@@ -1623,20 +2206,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Introspection request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "" + "jwt edit": "$.iat", + "value": "example" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -1646,11 +2229,11 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "head", @@ -1664,11 +2247,11 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { 
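Review bot: The `@@ -1608` hunk replaces `"s1"` with `"s_CIE_introsp"` in this test's `sessions` list, but the operations in the following `@@ -1623` hunk still `start` and `intercept` `"from session": "s1"`, which the test no longer declares. Unless mig-t resolves session names independently of the declared list, the test will either fail to start or drive a different flow from the one intended; either the operations should reference `"s_CIE_introsp"` or the list should keep `"s1"`. The same mismatch appears in the other introspection tests in this patch (`@@ -1664` and the large preceding hunk), so whichever is intended should be applied to all of them.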
@@ -1679,20 +2262,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Introspection request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "" + "jwt edit": "$.sub", + "value": "example" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -1702,11 +2285,11 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Introspection response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "head", @@ -1720,8 +2303,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", - "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" 
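Review bot: The `@@ -1679` hunk edits `$.sub` to `"example"`, but the test it belongs to (named in the preceding `@@ -1664` hunk) is "Does the OP verify the value of iss of the client_assertion". As written it is a second sub-value test, and a wrong `iss` — which RFC 7523 §3 requires to identify the client and which must equal `sub` for client authentication — is never exercised at the introspection endpoint. Change the edit to `"jwt edit": "$.iss"` with the same `"value": "example"`, or rename the test to say what it actually checks.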
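Review bot: The new description in the `@@ -1720` hunk misspells the parameter as `client_assetion`, and the same misspelling is copied into every revocation-test description that follows (`@@ -1776`, `@@ -1832`, and so on). These descriptions are what the generated report shows to the OP operator, so they should read `client_assertion` throughout.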
@@ -1735,20 +2318,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.code_challenge_method", + "jwt edit": "$.aud", "value": "" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -1758,14 +2341,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] @@ -1776,8 +2359,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the nonce parameter", - "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" 
@@ -1791,20 +2374,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "" + "jwt edit": "$.aud", + "value": "abc" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -1814,14 +2397,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] @@ -1832,8 +2415,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter", - "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -1847,20 +2430,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.scope", + "jwt edit": "$.exp", "value": "" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } 
@@ -1870,14 +2453,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] @@ -1888,8 +2471,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the state parameter", - "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -1903,20 +2486,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.state", - "value": "" + "jwt edit": "$.exp", + "value": "abc" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -1926,14 +2509,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -1944,8 +2527,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", - "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -1959,20 +2542,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "example" + "jwt edit": "$.iat", + "value": "" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -1982,14 +2565,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2000,8 +2583,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", - "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", + "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -2015,20 +2598,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.claims", - "value": "example" + "jwt edit": "$.iat", + "value": "abc" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2038,14 +2621,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2056,8 +2639,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", - "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -2071,20 +2654,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "example" + "jwt edit": "$.iss", + "value": "" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2094,14 +2677,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2112,8 +2695,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -2127,20 +2710,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "example" + "jwt edit": "$.iss", + "value": "abc" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2150,14 +2733,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2168,8 +2751,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", - "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -2183,20 +2766,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681723540" + "jwt edit": "$.jti", + "value": "" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2206,14 +2789,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
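Review bot: Emptying `$.jti` in the `@@ -2183` hunk checks only that the claim is present; the property that makes `jti` security-relevant — the OP refusing a client assertion whose `jti` it has already seen — is not covered by any hunk in this patch. Assertion replay is the attack `jti` exists to stop (RFC 7523 §3, item 7), so a companion test that re-sends an intercepted, still-valid revocation request unchanged and expects the second response to be a 400 would be worth adding next to this one.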
@@ -2224,8 +2807,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", - "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", + "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -2239,20 +2822,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681723540" + "jwt edit": "$.sub", + "value": "" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2262,14 +2845,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2280,8 +2863,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -2295,20 +2878,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "19az" + "jwt edit": "$.sub", + "value": "abc" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2318,14 +2901,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2336,8 +2919,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", - "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", + "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing", "type": "active", "sessions": [ "s1" @@ -2351,20 +2934,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "example" + "jwt edit": "$.sub", + "value": "" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2374,14 +2957,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
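Review bot: The `@@ -2351` hunk implements "not containing sub claim" by setting `$.sub` to `""`, which — if mig-t's `jwt edit` writes the value rather than deleting the key — leaves a present-but-empty `sub` in the re-signed assertion. The test then cannot distinguish an OP that checks for a missing claim from one that merely compares the value against the client_id. The original authentication tests used the same idiom, so this may be the tool's convention for removal; if a dedicated removal edit exists, it should be used here and in the other "without" tests in this patch. The expected 400 with `invalid_request` in the body is asserted in the following hunk.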
@@ -2392,8 +2975,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", - "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the aud claim does not contain the OP's Token endpoint", "type": "active", "sessions": [ "s1" @@ -2407,20 +2990,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "example" + "jwt edit": "$.aud", + "value": "https://www.example.com" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2430,15 +3013,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "unsupported_response_type" + "in": "body", + "check": "invalid_request" } ] } 
@@ -2448,8 +3031,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", - "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the exp claim is wrong", "type": "active", "sessions": [ "s1" @@ -2463,20 +3046,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.scope", - "value": "example" + "jwt edit": "$.exp", + "value": "1681716340" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2486,15 +3069,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, - { - "in": "head", - "check": "invalid_scope" + { + "in": "body", + "check": "invalid_request" } ] } 
@@ -2504,8 +3087,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the iat claim is wrong", "type": "active", "sessions": [ "s1" @@ -2519,20 +3102,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.state", - "value": "19az" + "jwt edit": "$.iat", + "value": "1681716340" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2542,14 +3125,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
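Review bot: The `@@ -2519` hunk sets `$.iat` to the fixed epoch `1681716340` (April 2023), which is merely an old issue time, not an invalid one: an assertion issued in the past is acceptable unless the OP enforces a maximum age, so a compliant OP may answer 200 and the test would report a false finding. The authentication-request test it replaces used a value that was in the future when written and has since rotted the same way. A robust variant needs a dynamically computed `iat` well ahead of the current time, beyond any clock-skew allowance; if mig-t only supports literal values, the description should at least state that the test asserts a max-age policy rather than `iat` validation.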
@@ -2560,8 +3143,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the acr_values parameter", - "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is not set to the RP's client ID", "type": "active", "sessions": [ "s1" @@ -2575,20 +3158,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "" + "jwt edit": "$.sub", + "value": "https://www.example.com" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2598,14 +3181,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2616,8 +3199,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the aud parameter", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", + "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is missing.", "type": "active", "sessions": [ "s1" @@ -2631,20 +3214,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.aud", + "jwt edit": "$.iss", "value": "" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2654,14 +3237,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2672,8 +3255,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the claims parameter", - "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is not set to the RP's client ID", "type": "active", "sessions": [ "s1" @@ -2687,20 +3270,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt edit": "$.claims", - "value": "" + "jwt edit": "$.iss", + "value": "https://www.example.com/" }, { - "jwt sign": "X_key_RP" + "jwt sign": "X_key_core_RP" } ] } @@ -2710,14 +3293,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
@@ -2728,2168 +3311,1480 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the exp parameter", - "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iat parameter", - "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['RSA_1_5']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iss parameter", - "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the prompt parameter", - "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", - "type": "active", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. 
If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5
WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", - "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. 
If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L
8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the response_type parameter", - "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.alg", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse an RP without trusted Trust Marks", - "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. 
The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", - "type": "active", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.trust_marks", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", - "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. 
In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", - "type": "active", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly validate the trust chain of an RP authentication request", - "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. 
In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", - "type": "active", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.authority_hints", - "value": "https://www.wrongsite.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_client" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", - "description": "This test aims to check if the OP checks the correctness of the client_id parameter. 
The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", - "type": "active", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", 
\"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Request with a wrong redirect URI", - "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", - "type": "active", + "name": "Does the OP's entity configuration contain a correct authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - 
"in": "head", - "check": "invalid_request" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", - "type": "active", + "name": "Does the OP metadata contain correct type issuer parameter", + "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": 
"assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", - "type": "active", + "name": "Does the OP metadata contain correct type logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\n\\r]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud[0]", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in 
the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", - "type": "active", + "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", - 
"type": "active", + "name": "Does the OP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", - "type": "active", + "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload 
is the identifier of the resource server", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of sub of the client_assertion in the 
Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", - "type": "active", + "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make 
it wrong", - "type": "active", + "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", - "type": "active", + "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", + "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", 
+ "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message 
type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", 
\"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", - "description": "A 
revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.jwks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
There must be at least one of the two", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.signed_jwks_uri", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - 
"name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing", - "type": "active", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint", - "type": "active", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong", - "type": "active", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the iat claim is wrong", - "type": "active", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.introspection_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", - "type": "active", + "name": "Does the OP metadata contain the logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the organization_name claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the 
token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is missing.", - "type": "active", + "name": "Does the OP metadata contain the policy_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", - "type": "active", + "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", - "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", - "type": "active", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 
checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "message operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "edit": "(?<=token=)([^&]+)", - "in": "123.123.123" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", + "is present": "true" + } + ] } ] } 
@@ -4899,50 +4794,29 @@
 },
 {
 "test": {
- "name": "Does the OP refuse wrongly signed Authentication Requests",
- "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",
- "type": "active",
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication error response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
- },
- {
- "in": "head",
- "check": "unauthorized_client"
- }
- ]
 }
 ],
 "result": "correct flow s1"
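Review bot: The new description says the claim is checked `in the 'op' entity type`, but the check path on the new side is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, so the description should read `claim in the 'openid_provider' metadata type is checked.`; the sibling tests in this diff alternate between "subclaim (metadata type)" and "entity type" for the same `$.metadata.openid_provider` path, and one phrasing should be used throughout. Separately, this hunk and the four that follow it (@@ -4950, @@ -5001, @@ -5052, @@ -5103) replace active negative tests (a wrongly signed Authentication request, a client assertion with a tampered signature at the Introspection, Revocation and Token endpoints) with passive presence checks on the Entity Configuration. If those signature-verification tests are not retained elsewhere in the suite (the diffstat suggests the rest of this file is rewritten, so they may well be), the OP is no longer exercised for rejecting bad signatures, which is the property those tests covered; a line in the commit description saying where they went would settle it.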
@@ -4950,50 +4824,29 @@
 },
 {
 "test": {
- "name": "Does the OP verify the signature of the client assertion in the Introspection request",
- "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
- "type": "active",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Introspection request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Introspection response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
- }
- ]
 }
 ],
 "result": "correct flow s1"
@@ -5001,48 +4854,27 @@
 },
 {
 "test": {
- "name": "Does the OP verify the signature of the client assertion in the Revocation request",
- "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
- "type": "active",
+ "name": "Does the OP metadata contain the claims_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -5052,50 +4884,29 @@
 },
 {
 "test": {
- "name": "Does the token response to a token request made with a wrong signature return a Token Error response",
- "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed",
- "type": "active",
+ "name": "Does the OP metadata contain the claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_parameter_supported",
+ "is present": "true"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
- }
- ]
 }
 ],
 "result": "correct flow s1"
@@ -5103,50 +4914,29 @@
 },
 {
 "test": {
- "name": "Does the OP's token endpoint refuse assertions signed with a wrong key",
- "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed",
- "type": "active",
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_parameter_supported",
+ "is present": "true"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
- }
- ]
 }
 ],
 "result": "correct flow s1"
@@ -5154,33 +4944,38 @@
 },
 {
 "test": {
- "name": "Does the OP issue refresh tokens even when it is not supposed to",
- "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.",
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "refresh_token",
- "is present": false
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
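Review bot: `"is present": "true"` is a JSON string, whereas the check this hunk removes used the boolean `"is present": false`; a test runner is unlikely to treat both forms the same way, so either the string is coerced and the old boolean was the odd one out, or every new check in this diff (this hunk and all the hunks from @@ -4899 through @@ -5509) is comparing a string where a boolean is expected. Whichever form the runner accepts should be used consistently across the file; if it is the boolean, the line becomes `"is present": true`. The second test in this hunk (client_registration_types_supported) continues past the hunk's end.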
@@ -5191,13 +4986,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5209,8 +5004,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5221,13 +5016,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
 }
 ]
 }
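Review bot: The first and third hunks here drop `json schema compliant` checks that validated `exp` and `iat` as non-negative integers and keep only an `is present` check on an unrelated metadata claim, and the same swap happens in every following hunk through @@ -5509 (metadata as an object, the closed list of metadata types, `issuer` as a URI, the `logo_uri` pattern, `authority_hints` and `trust_marks` shapes, Access Token `aud`/`client_id`/`exp`). Presence-only checks cannot catch a malformed `issuer`, a non-HTTPS `client_id` or a non-numeric `exp`, which is what the removed schemas pinned. If those checks are meant to live in the new per-test `-type` / `-value` files listed in the diffstat, a sentence in the commit description saying so would make the move reviewable; otherwise the type and value validation of the Entity Configuration is no longer covered by this file. Each of these three hunks begins and ends inside a test object whose remaining lines are outside the hunk.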
@@ -5239,8 +5034,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5251,13 +5046,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.metadata.openid_provider.response_modes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5269,8 +5064,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the OP metadata contain the response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5281,13 +5076,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata.openid_provider.response_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5299,8 +5094,8 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
+ "name": "Does the OP metadata contain the revocation_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5311,13 +5106,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
+ "check": "$.metadata.openid_provider.revocation_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5329,8 +5124,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct type issuer parameter",
- "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
+ "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5341,13 +5136,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5359,8 +5154,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct type logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5371,13 +5166,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.openid_provider.scopes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5389,8 +5184,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5401,13 +5196,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
+ "check": "$.metadata.openid_provider.subject_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5419,8 +5214,8 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5431,13 +5226,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata.openid_provider.token_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5449,25 +5244,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
+ "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5479,25 +5274,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", + "is present": "true" } ] } 
@@ -5509,25 +5304,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the OP metadata contain the userinfo_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_provider.userinfo_endpoint", + "is present": "true" } ] } 
@@ -5539,25 +5334,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "is present": "true" } ] } 
@@ -5569,25 +5364,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "in": "payload", + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" } ] } 
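Review bot: The JSONPath `$.metadata.openid_provider.claims_parameter_supported.value` appends `.value` to a claim that OpenID Provider metadata defines as a plain boolean, so unless the tool's path evaluator treats a trailing `.value` specially the path resolves to nothing and `"is": "true"` can never match. The same `.value` suffix appears in the `@@ -5599` (`request_parameter_supported`) and `@@ -5629` (`authorization_response_iss_parameter_supported`) hunks. The new name also promises the "correct value" while the description says only presence is checked; if the value is intended, `"check": "$.metadata.openid_provider.claims_parameter_supported", "is": "true"` (or a JSON `true`, depending on how `is` compares booleans) states it, and the description should say so.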
@@ -5599,25 +5394,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } 
@@ -5629,25 +5424,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" } ] } 
@@ -5659,25 +5454,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + "check": "$.sub", + "is": "X_url_OP" } ] } @@ -5689,8 +5484,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" 
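Review bot: The new `sub` test's description says the value must equal the Entity Configuration's `iss`, but the check compares `$.sub` against the fixed placeholder `X_url_OP`, so a configuration whose `iss` and `sub` differ still passes as long as `sub` matches the placeholder. The `@@ -7477` hunk later in this file already shows the pattern for such a comparison, an `edits` entry with `"jwt save": "$.iss", "as": "saved_iss"` followed by a check with `"use variable": "true"`; if that mechanism is available in passive tests, reusing it here would make the check match its description, otherwise the description should say the value is compared with the configured OP URL. The second hunk here only renames a test whose operations follow in the next hunk.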
@@ -5698,18 +5493,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] } @@ -5719,8 +5507,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" @@ -5728,18 +5516,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
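Review bot: `"check": "Content-Type", "is": "application/json"` holds only if `is` is an exact comparison and the OP never adds parameters, whereas servers commonly send `application/json; charset=utf-8`; if `is` is exact, `"check regex": "application/json"` is the more robust form. The `token_type` check in the second hunk has a similar caveat: `Bearer` is the value registered by RFC 6750, but RFC 6749 defines `token_type` as case-insensitive, so an OP answering `bearer` would fail this test if `is` is case-sensitive. Both enclosing tests end outside the hunks.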
@@ -7129,8 +6910,77 @@ }, { "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. 
The response is then analyzed and has to be an empty HTTP 200 OK", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" @@ -7141,8 +6991,8 @@ "checks": [ { "in": "head", - "check": "Content-Type", - "is": "application/json" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -7152,8 +7002,8 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" @@ -7163,9 +7013,9 @@ "message type": "Token response", "checks": [ { - "in": "body", - "check": "token_type", - "is": "Bearer" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
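Review bot: The two new Entity Configuration tests in the `@@ -7129` hunk ("return a correct HTTP code in the EC response" and "expose the /.well-known/openid-federation endpoint") have identical operations, so the second adds no coverage even though its description promises that the entity configuration is returned as the response. A body check that the response is a compact JWS, e.g. `"in": "body", "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", "is present": "true"`, would distinguish it from the status-only test. Likewise the revocation test asserts only the 200 status although its description requires an empty body, and the token-response 200 check is now duplicated between "Does the OP handle a correct token request" and the `@@ -7163` hunk's "Does the HTTP status of a token response correct?".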
@@ -7302,8 +7152,100 @@ "checks": [ { "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Endpoint Response have the active parameter", + "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection response", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "active" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Endpoint returns true on active tokens", + "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection response", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "\"active\": true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Revocation request", + "checks": [ + { + "in": "url", + "is present": true, + "check": "POST" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", + "type": "passive", + 
"sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
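Review bot: The two new Introspection tests run in session `s_CIE_introsp` but declare `"result": "correct flow s1"`, which every other test pairs with `"sessions": ["s1"]`; unless the result string is independent of the session list this looks like a copy-paste slip. The same hunk also introduces `"is present": true` as a JSON boolean while the rest of the patch writes `"is present": "true"` as a string, so the key now carries two types; one form should be used throughout. The regex `"\"active\": true"` is whitespace-sensitive and misses a compact serialization such as `{"active":true}`; `"\"active\"\\s*:\\s*true"` tolerates both. Finally, the revocation-method test looks for `POST` with `"in": "url"`, but the HTTP method is not part of the URL; unless the tool's `url` selector includes the request line, the check should target the request line (`"in": "head"`) instead.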
@@ -7313,34 +7255,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu
/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
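Review bot: The new "Does the OP issue the access tokens when requested" test is operationally identical to "Does the successful token response contain access token" added in the `@@ -7302` hunk: same message type and the same `"check regex": "access_token"` on the body, so one of them should carry a distinguishing check (for instance that the value is non-empty, `"check regex": "\"access_token\"\\s*:\\s*\"[^\"]+\""`) or be dropped. The hunks from here through `@@ -7455` replace the UserInfo JWE header tests (the `alg`/`enc`/`cty`/`kid` presence and allowlist checks) with token-response presence checks; if those JOSE-header checks are not re-added elsewhere in the patch, the UserInfo encryption coverage this file previously provided is lost.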
@@ -7350,31 +7278,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs
2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } 
@@ -7384,28 +7301,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qW
Z740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } 
@@ -7415,28 +7324,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxy
u7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } @@ -7446,8 +7347,8 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" 
@@ -7455,19 +7356,11 @@ "operations": [ { "message type": "UserInfo response", - "decode operations": [ + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", 
- "is present": "true" - } - ] + "in": "head", + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } 
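Review bot: The new UserInfo status check uses `"check param": "HTTP/?\\d?\\.?\\d?\\s200"` while every other status check in the patch (for example the `@@ -7129` and `@@ -7163` hunks) uses `"check regex"` for the same pattern. If `check param` is a literal parameter lookup, this test can never match the pattern string; it should read `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`. The test starts in the previous hunk (`@@ -7446`).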
@@ -7477,60 +7370,53 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUs
vO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - 
] + "check": "$.iss", + "contains": "saved_iss" } ] } @@ -7542,40 +7428,33 @@ }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "name": "Does the OP issue refresh tokens even when it is not supposed to", + "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] - } - ] + "in": "body", + "check": "refresh_token", + "is present": false } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
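Review bot: The active ID-token test saves the Entity Configuration `iss` as `saved_iss` but then checks `"contains": "saved_iss"` on the ID token's `$.iss`, whereas the name and description require equality with the OP URL; `contains` also accepts an `iss` that merely embeds the OP URL as a prefix or substring. If the tool supports it, `"is": "saved_iss"` together with `"use variable": "true"` pins the intended check. The test's `result` is outside this hunk.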
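Review bot: The refresh-token test declares `"result": ["s1"]` while every other test in the file uses the string form `"result": "correct flow s1"`, so the same key now has two types; unless the array form is a deliberate, documented alternative it should match the others. The description also says the authentication request uses a scope other than `offline_access`, but the test reuses session `s1` like the tests that do expect tokens, so it is not visible here that the scope actually differs; a dedicated session would make that precondition explicit. The following `exp` test's operations continue in the next hunk.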
@@ -7586,16 +7465,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported[0]",
- "is in": [
- "refresh_token",
- "authorization_code"
- ]
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -7607,8 +7483,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7619,16 +7495,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -7640,8 +7513,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7652,16 +7525,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -7673,8 +7543,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7685,16 +7555,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -7706,8 +7573,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain a correct issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7718,15 +7585,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is in": [
- "X_url_OP"
- ]
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -7738,8 +7603,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7750,16 +7615,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -7771,8 +7633,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP's entity configuration contain the authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7783,15 +7645,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
- "is in": [
- "private_key_jwt"
- ]
+ "check": "$.authority_hints",
+ "is present": "true"
 }
 ]
 }
@@ -7803,8 +7663,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",
+ "name": "Does the OP's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7815,16 +7675,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -7836,28 +7693,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",
+ "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "in": "header",
+ "check": "$.alg",
+ "is present": "true"
 }
 ]
 }
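Review bot: The lookbehind in `"decode param": "(?<=\"access_token\": \")[^\"]+"` only matches a token response that is pretty-printed with exactly one space after the colon; a compact body such as `"access_token":"..."` yields no match, so the JWT is never extracted and the header and payload checks that follow cannot run. The same pattern is used by every access-token hunk from here through the first hunk of L3965, and by the `id_token` variant from the second hunk of L3965 through L3973. If the engine's regex dialect supports bounded lookbehind, `"(?<=\"access_token\":\\s?\")[^\"]+"` tolerates both layouts; otherwise selecting the field from the parsed JSON body would be the more robust extraction. The test object continues outside the hunk.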
@@ -7869,27 +7723,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header",
+ "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported[0]",
- "is in": [
- "automatic"
- ]
+ "in": "header",
+ "check": "$.kid",
+ "is present": "true"
 }
 ]
 }
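Review bot: The new description reads `If it is not present, than the Access Token is not compliant.`; `than` should be `then`. The ID Token 'kid' test in the hunk at L3966 carries the same sentence with the same typo.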
@@ -7901,28 +7753,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]",
+ "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header",
+ "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_modes_supported[0]",
- "is in": [
- "form_post",
- "query"
- ]
+ "in": "header",
+ "check": "$.typ",
+ "is present": "true"
 }
 ]
 }
@@ -7934,27 +7783,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct response_types_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'",
+ "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.response_types_supported[0]",
- "is in": [
- "code"
- ]
+ "check": "$.aud",
+ "is present": "true"
 }
 ]
 }
@@ -7966,27 +7813,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
- "is in": [
- "private_key_jwt"
- ]
+ "check": "$.client_id",
+ "is present": "true"
 }
 ]
 }
@@ -7998,30 +7843,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct scopes_supported claim",
- "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]",
+ "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.scopes_supported[0]",
- "is in": [
- "openid",
- "offline_access",
- "profile",
- "email"
- ]
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -8033,27 +7873,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'",
+ "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.subject_types_supported[0]",
- "is in": [
- "pairwise"
- ]
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -8065,28 +7903,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -8098,28 +7933,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.jti",
+ "is present": "true"
 }
 ]
 }
@@ -8131,28 +7963,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']",
+ "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.scope",
+ "is present": "true"
 }
 ]
 }
@@ -8164,8 +7993,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.",
+ "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8176,17 +8005,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -8198,27 +8023,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']",
+ "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
- ]
+ "in": "header",
+ "check": "$.alg",
+ "is present": "true"
 }
 ]
 }
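Review bot: In the second hunk the test is named `Does the issued JWT ID Token contain a correct 'alg' parameter in the Header`, but the check only asserts `"is present": "true"` on `$.alg`, so an ID token whose header says `none` or an HMAC algorithm passes; the metadata test removed here was the one rejecting `none`/`HS256`/`HS384`/`HS512`, and that coverage is not carried over. Replacing the presence check with a value check — `"check": "$.alg", "is in": ["RS256", "RS512"]`, the algorithms the removed tests treated as the supported ones — would make the name true, assuming `"is in"` accepts a scalar as it did against the indexed metadata entries. The access-token 'alg' test in the hunk at L3955 has the same presence-only check. Both test objects continue outside their hunks.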
@@ -8230,30 +8053,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
+ "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "in": "header",
+ "check": "$.kid",
+ "is present": "true"
 }
 ]
 }
@@ -8265,30 +8083,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.acr",
+ "is present": "true"
 }
 ]
 }
@@ -8300,30 +8113,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does ID token payload contain the 'at_hash' parameter",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.at_hash",
+ "is present": "true"
 }
 ]
 }
@@ -8335,30 +8143,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.aud",
+ "is present": "true"
 }
 ]
 }
@@ -8370,27 +8173,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
+ "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -8402,30 +8203,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -8437,26 +8233,25 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header",
- "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "message type": "Token response",
 "decode operations": [
 {
- "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.cty",
- "is": "JWT"
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
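Review bot: Replacing the UserInfo JWE `cty` test with an ID Token `iss` presence check leaves this file with no remaining check on the UserInfo response, and the following hunk appears to drop the JWE `alg` test as well, so a UserInfo JWE with a missing or weak `alg` header would no longer be noticed by this suite; if those tests were moved to another file this is fine, otherwise they are worth keeping alongside the new one. The new `$.iss` presence check is also weaker than the earlier hunk in this file that saves `$.iss` as `saved_iss` and compares the ID Token's `$.iss` against it, so the two overlap. The hunk's closing braces continue outside it.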
@@ -8468,31 +8263,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Token response", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8b
EaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.jti", + "is present": "true" } ] } @@ -8504,24 +8293,24 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", + "check": "$.nonce", "is present": "true" } ] 
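Review bot: The nonce test only asserts that `$.nonce` is present in the ID Token payload, which does not catch an OP that echoes a fixed or unrelated value; the nonce exists to bind the ID Token to the authentication request, so it should equal the `nonce` sent there. The active pattern this patch introduces at `@@ -8684` fits directly: intercept the Authentication request with `"from": "url", "save": "nonce", "as": "auth_nonce"` and then check `"check": "$.nonce", "is": "auth_nonce", "use variable": "true"` on the Token response.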
@@ -8534,24 +8323,24 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
+ "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.jwks",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -8564,27 +8353,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
+ "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.signed_jwks_uri",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "code"
 }
 ]
 }
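Review bot: `"contains": "code"` is a plain substring match over the whole `Location` value, so any redirect_uri whose host or path contains the letters `code` satisfies the check even when no `code` query parameter is present; the `state` and `iss` variants at `@@ -8594` and `@@ -8624` share the weakness, and `iss` in particular is a substring of `issuer` and of many hostnames. The `"check regex"` form this patch already applies to the head at `@@ -8834` states the intent precisely, e.g. `"check regex": "[?&]code=[^&]+"` with `"is present": "true"` (and `[?&]state=[^&]+`, `[?&]iss=[^&]+` for the other two). These three tests also presuppose `response_mode=query`: with `form_post`, which `@@ -9241` lists as a supported mode, the parameters arrive in a POST body and there is no `Location` header to inspect.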
@@ -8594,27 +8376,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
+ "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "state"
 }
 ]
 }
@@ -8624,27 +8399,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP contain iss parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_endpoint",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "iss"
 }
 ]
 }
@@ -8654,27 +8422,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the token response have Cache-Control set to 'no-store'",
+ "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Cache-Control",
+ "contains": "no-store"
 }
 ]
 }
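Review bot: The token response check covers `Cache-Control: no-store` only; RFC 6749 §5.1 also requires `Pragma: no-cache` on every response that carries tokens, so a second entry `{ "in": "head", "check param": "Pragma", "contains": "no-cache" }` in the same `checks` array would complete the requirement. Naming the RFC clause in the description would also tell a reader why `no-store` specifically is expected.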
@@ -8684,25 +8445,46 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the contacts claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
- "type": "passive",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "message operations": [
+ {
+ "from": "url",
+ "save": "client_id",
+ "as": "auth_client_id"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "client_id",
+ "is": "auth_client_id",
+ "use variable": "true"
 }
 ]
 }
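Review bot: The payload check uses `"check": "client_id"` without the `$.` JSONPath prefix that every other payload check in this file carries (`$.iss`, `$.sub`, `$.metadata.openid_provider...`), and the `scope` test at `@@ -8714` does the same with `"check": "scope"`; unless the tool accepts a bare claim name as a path, both lookups resolve to nothing and the comparison against the saved variable can never pass. Writing them as `"check": "$.client_id"` and `"check": "$.scope"` keeps them consistent with the rest of the suite. The enclosing `operations` array closes outside the hunk.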
@@ -8714,25 +8496,46 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
- "type": "passive",
+ "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "message operations": [
+ {
+ "from": "url",
+ "save": "scope",
+ "as": "auth_scope"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "scope",
+ "is": "auth_scope",
+ "use variable": "true"
 }
 ]
 }
@@ -8744,8 +8547,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8756,15 +8559,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_OP"
 }
 ]
 }
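Review bot: The description says the verification key (n, e of `jwks`) must be taken from the Entity Statement issued by a superior, but the check is `"jwt check sig": "X_key_OP"`, a pre-provisioned key placeholder, so the test validates the signature against whatever key the tester configured rather than against the key the federation publishes for the OP; an Entity Configuration self-signed with a key the superior never published would still pass. Either the description should state that `X_key_OP` must be populated from the superior's Entity Statement before the run, or the test should resolve the key from that statement. The `"message type"` of this operation lies outside the hunk, so I cannot confirm which response is decoded here.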
@@ -8774,27 +8571,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the homepage_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
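Review bot: The new description says the signature "is made using the OP's private key, in such a way to be decrypted using its public key"; a JWS signature is verified with the public key, not decrypted, and the ID Token description at `@@ -8804` repeats the phrase. Suggested wording for both: `"The signature is produced with the OP's private key and verified with the corresponding public key"`. `X_key_core_OP` here is a different placeholder from the `X_key_OP` used for the Entity Configuration at `@@ -8756`; a sentence in the description saying which key each placeholder must hold (federation signing key vs. core OIDC signing key, as the names suggest) would save the next reader a guess.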
@@ -8804,27 +8595,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
@@ -8834,27 +8619,40 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
- "type": "passive",
+ "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided",
+ "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "message operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
- "is present": "true"
- }
- ]
+ "edit": "(?<=token=)([^&]+)",
+ "in": "123.123.123"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
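Review bot: Expecting `200` for a non-existing token is what RFC 7009 §2.2 mandates (an invalid token is not an error, precisely so that the endpoint cannot be used to probe whether a token exists), but neither the name nor the description says so and a reader would naturally expect an error status here; extending the description to `"... the response is analyzed: the endpoint must answer 200 also for unknown tokens (RFC 7009 §2.2), without revealing whether the token existed"` records the rationale next to the assertion. The status regex `HTTP/?\\d?\\.?\\d?\\s200` is matched against the whole head, so a `HTTP… 200` fragment inside a header value would also satisfy it; if the engine supports it, anchoring with `^` pins the check to the status line.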
@@ -8864,8 +8662,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8881,8 +8679,12 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.acr_values_supported[0]",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
 }
 ]
 }
@@ -8894,8 +8696,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the introspection_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
 "type": "passive",
 "sessions": [
 "s1"
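Review bot: Each of these metadata tests reads only element `[0]` of the claim and asserts that it is in the allowed list, while the description claims the whole value is checked to be the full list (for `acr_values_supported`: SpidL1, SpidL2, SpidL3); a metadata document listing `SpidL1` followed by arbitrary unsupported values, or missing the other two levels, passes unchanged. Either add one check per expected index (`[0]`, `[1]`, `[2]`, each with the same `"is in"`), or, if the tool's `"is in"` can compare arrays, drop `[0]` and compare the full list; the same pattern recurs at `@@ -8911`, `@@ -8941`, `@@ -8971`, `@@ -9001`, `@@ -9031`, `@@ -9091`, `@@ -9121`, `@@ -9151`, `@@ -9181`, `@@ -9211`, `@@ -9241`, `@@ -9271`, `@@ -9331`, `@@ -9361` and `@@ -9391`. Where the allowed set is a single value (`S256`, `private_key_jwt`, `automatic`, `code`, `pairwise`), a check on `[0]` is sufficient only if the array is also required to have exactly one element, which nothing here asserts.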
@@ -8911,8 +8713,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.introspection_endpoint",
- "is present": "true"
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
+ "is in": [
+ "S256"
+ ]
 }
 ]
 }
@@ -8924,8 +8728,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8941,8 +8745,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider.grant_types_supported[0]",
+ "is in": [
+ "refresh_token",
+ "authorization_code"
+ ]
 }
 ]
 }
@@ -8954,8 +8761,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the organization_name claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8971,8 +8778,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -8984,8 +8794,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the policy_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9001,8 +8811,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -9014,8 +8827,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9031,8 +8844,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9044,8 +8860,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain a correct issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9061,8 +8877,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.issuer",
+ "is in": [
+ "X_url_OP"
+ ]
 }
 ]
 }
@@ -9074,8 +8892,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
+ "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9091,8 +8909,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9104,8 +8925,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9121,8 +8942,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
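Review bot: The description of the `token_endpoint_auth_methods_supported` test at `@@ -9104` still says "the presence of the ... parameter ... is checked" although the check at `@@ -9121` now asserts that its value is `private_key_jwt`; the same stale "presence" wording is kept for `client_registration_types_supported` at `@@ -9194` (value must be `automatic`), and the `request_authentication_signing_alg_values_supported` description at `@@ -9164` reads "is checked to ['RS256', 'RS512']", missing "be". Suggested wording for the first: `"In this test the OP metadata are taken and the value of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'private_key_jwt'."`.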
@@ -9134,8 +8957,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the claims_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9151,8 +8974,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9164,8 +8990,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9181,8 +9007,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9194,8 +9023,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9211,8 +9040,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.client_registration_types_supported[0]",
+ "is in": [
+ "automatic"
+ ]
 }
 ]
 }
@@ -9224,8 +9055,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9241,8 +9072,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.response_modes_supported[0]",
+ "is in": [
+ "form_post",
+ "query"
+ ]
 }
 ]
 }
@@ -9254,8 +9088,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain correct response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9271,8 +9105,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.response_types_supported[0]",
+ "is in": [
+ "code"
+ ]
 }
 ]
 }
@@ -9284,8 +9120,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9301,8 +9137,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_methods_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
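Review bot: The `revocation_endpoint_auth_methods_supported` check at `@@ -9301` is the only one in this series that omits the `[0]` index: `"check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported"` with `"is in": [ "private_key_jwt" ]`. If the claim is a JSON array, as its `_supported` siblings are, the path yields the whole array and a membership test against a list of strings is unlikely to succeed; either index it like `token_endpoint_auth_methods_supported[0]` at `@@ -9121`, or confirm that the tool's `"is in"` handles array values before relying on this test.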
@@ -9314,8 +9152,8 @@ }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" @@ -9331,8 +9169,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } @@ -9344,8 +9187,8 @@ }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" @@ -9361,8 +9204,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is present": "true" + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } 
@@ -9374,8 +9219,8 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -9391,8 +9236,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -9404,8 +9252,8 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" 
@@ -9421,8 +9269,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -9434,8 +9285,8 @@ }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -9451,8 +9302,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -9464,25 +9318,29 @@ }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
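Review bot: The `$.acr` check only verifies that the value is one of the three SpidL URIs, but the description promises more — that it is equal or superior to the acr sent by the RP in the Authentication Request — and nothing in the operations captures the requested value or compares it. Either narrow the description to what the test does, or capture the requested value with the `jwt save` / `use variable` keys that appear on the removed side of a later hunk and compare it in a second check (an ordering SpidL1 < SpidL2 < SpidL3 would need a comparison the engine may not offer, so say so if it is unavailable). The `decode regex` `(?<=\"id_token\": \")[^\"]+` also assumes the Token response is pretty-printed with exactly one space after the colon; a compact `"id_token":"..."` body would presumably not match and the check would never run.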
@@ -9494,8 +9352,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -9503,18 +9361,12 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
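Review bot: The Content-Type check uses `"is": "application/entity-statement+jwt"`, which as an exact comparison presumably fails when a server appends a parameter such as `; charset=utf-8` to an otherwise correct media type; the UserInfo check in the next hunk (`"is": "application/jwt"`) has the same exposure. If `check regex` can be combined with `check param`, something like `"check regex": "^application/entity-statement\\+jwt(\\s*;.*)?$"` (and the analogous pattern for application/jwt) keeps the test strict on the type while tolerating parameters. Neither media type defines a charset parameter, so the description should state whether one is accepted or whether the exact match is deliberate.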
@@ -9524,27 +9376,21 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } 
@@ -9554,25 +9400,31 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" + "in": "header", + "check": "$.alg", + "is 
not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
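Review bot: The `jwe decrypt` field embeds a complete PEM RSA private key inline, and the same key is repeated verbatim in the hunks `@@ -9584`, `@@ -9794`, `@@ -9827` and `@@ -9862`; a private key committed in a test definition is a secret in version control, and four copies will drift the first time it is rotated. If mig-t can read the key from a file or a session variable, reference it once (`"jwe decrypt": "<path-or-variable placeholder>"`); otherwise keep a single test-only key in one place and say in the description that it is the test RP's decryption key, not production material. Separately, the `is not in` deny list for `$.alg` holds JWS algorithms (`none`, `HS256`, `HS384`, `HS512`); if the header inspected after `jwe decrypt` is the JWE's, as the test name says, those values cannot occur there and the symmetric key-management algorithms that could (`dir`, the `A128KW`/`A192KW`/`A256KW` family) are not listed, whereas if it is the inner JWS header the name and description should say so. An allow-list against the values the OP metadata tests above accept (`RSA-OAEP`/`RSA-OAEP-256` for the JWE, `RS256`/`RS512` for a signed payload) would be stricter than either deny list.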
@@ -9584,25 +9436,26 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3p
DoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } 
@@ -9614,50 +9467,101 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", + "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" + "jwt from": "header", + "jwt edit": "alg", + "value": "none" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", - "type": "passive", + "name": "Does the OP refuse wrongly signed Authentication Requests", + "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. 
In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt sign": "X_wrong_key" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "code" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unauthorized_client" } ] } 
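Review bot: The two active tests in this hunk expect different error codes for the same failure class — `"check": "invalid_request"` after `alg` is rewritten to `none`, `"check": "unauthorized_client"` after `jwt sign` with `X_wrong_key` — and neither description says which specification clause fixes the code, so a reader cannot tell whether the difference is intended. If the profile under test prescribes one code for an unverifiable request object, use it in both and cite it in the description; if several are acceptable, an `is in` list would avoid a false failure on a compliant OP. Both checks are made with `"in": "head"` on a 302, which presumably means the error is read from the Location query; if `check` is a substring match, `invalid_request` is also satisfied by `invalid_request_object`, so an exact or regex match on the `error=` parameter would be safer. `X_wrong_key` reads like a placeholder for the signing key; if the engine interprets it as a key identifier, say so in the description.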
@@ -9667,20 +9571,48 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", - "type": "passive", + "name": "Does the OP verify the signature of the client assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt sign": "X_wrong_key" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "state" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } 
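Review bot: `"sessions"` declares `s_CIE_introsp`, but every operation that follows starts and intercepts `s1` (`"session": "s1"`, `"from session": "s1"`), so either the test runs against an undeclared session or the declared one is never used; the sibling Revocation and Token tests in the next hunks keep `s1` throughout, so this looks like a leftover from a CIE-specific variant. Make the two agree — `"sessions": ["s1"]` unless an introspection-capable session really is required, in which case the three `s1` references should become `s_CIE_introsp`. Also, a client assertion with a bad signature is a failed client authentication, for which RFC 6749 §5.2 defines `invalid_client`; this check (and those in the Revocation and Token hunks that follow) expects `invalid_request` with 400, which may well be what the federation profile mandates, but the description should say so to prevent the expectation being "fixed" later.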
@@ -9690,20 +9622,48 @@ }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", - "type": "passive", + "name": "Does the OP verify the signature of the client assertion in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt sign": "X_wrong_key" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "iss" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } 
@@ -9713,20 +9673,48 @@ }, { "test": { - "name": "Does the token response have Cache-Control set to 'no-store'", - "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", - "type": "passive", + "name": "Does the token response to a token request made with a wrong signature return a Token Error response", + "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt sign": "X_wrong_key" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token response", "checks": [ { "in": "head", - "check param": "Cache-Control", - "contains": "no-store" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } @@ -9736,8 +9724,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", + "name": "Does the OP's token endpoint refuse assertions signed with a wrong key", + "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed", "type": "active", "sessions": [ "s1" 
@@ -9751,17 +9739,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response OP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "jwt sign": "X_wrong_key" } ] } @@ -9772,19 +9758,14 @@ "from session": "s1", "then": "forward", "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "saved_iss" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } 
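Review bot: After this change the test whose header is in the preceding hunk ("Does the OP's token endpoint refuse assertions signed with a wrong key") performs exactly the operations of the test just above it ("... made with a wrong signature"): intercept the Token request, apply `"jwt sign": "X_wrong_key"` to the `client_assertion` JWT, then expect 400 and `invalid_request` in the Token response. The names suggest two different cases — a corrupted signature under the legitimate key versus a valid signature under an unknown key — but the edits do not differ, so one of the two is redundant as written. Either give the earlier test a distinct edit, if the engine offers a way to alter the signature without re-signing, or remove it and fold the two names into one description. The enclosing test object begins outside this hunk.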
@@ -9794,28 +9775,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg3
0osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "header", "check": "$.alg", - "is in": [ - "RS256", - "RS512" - ] + "is present": "true" } ] } 
@@ -9827,30 +9806,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiW
VXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.cty", + "is present": "true" } ] } 
@@ -9862,30 +9837,26 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgV
zl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.enc", + "is present": "true" } ] } 
@@ -9897,21 +9868,28 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_OP" + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
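Review bot: The Entity Configuration signature verification, `"jwt check sig": "X_key_OP"`, is removed from this slot and the entry is rewritten into a JOSE-header `kid` presence check; the next two hunks do the same to the Access Token and ID Token signature tests (`"jwt check sig": "X_key_core_OP"`), turning them into `alg` deny-list checks. Unless those three signature tests were relocated elsewhere in the file (not visible in this diff), the passive suite no longer verifies any JWS signature, and asserting that `alg` is not `none`/HS* is not a substitute for checking the signature against the published keys. If the header checks are wanted, add them as new entries and keep the three signature tests rather than overwriting them in place.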
@@ -9921,8 +9899,8 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -9935,7 +9913,18 @@ "from": "body", "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
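Review bot: The `alg` check added for the Access Token here (and for the ID Token in the next hunk) is a deny-list, `"is not in": ["none", "HS256", "HS384", "HS512"]`, while the corresponding Access Token test added to All_OP_Passive.json in this same patch uses an allow-list, `"is in": ["RS256", "RS512"]`. A deny-list passes any value it does not spell out — a case variant such as `None`, or an identifier the authors did not anticipate — whereas the allow-list fails closed, and the description already states that a compliant token must carry a supported asymmetric algorithm. The description also says the test fails when `alg` is absent, which an `is not in` match does not obviously cover; if the tool treats a missing path as a pass, either add an `"is present": "true"` check or switch to the allow-list form.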
@@ -9945,8 +9934,8 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -9959,7 +9948,18 @@ "from": "body", "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json index 53d10cd..b007c90 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" @@ -24,8 +24,10 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] } ] } @@ -37,8 +39,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -54,8 +56,13 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
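Review bot: The forbidden value in the new `not contains` list for `id_token_encryption_alg_values_supported` is spelled `RSA_1_5`, but the JWA identifier registered in RFC 7518 is `RSA1_5` (no underscore between RSA and 1). As written the check can never match an OP that actually advertises PKCS#1 v1.5 key encryption, so the test passes vacuously; the `userinfo_encryption_alg_values_supported` test two hunks later has the same misspelling, and both descriptions repeat it. Change both checks to `"not contains": ["RSA1_5"]` and align the description text.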
@@ -67,8 +74,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -84,8 +91,13 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -97,8 +109,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -114,8 +126,13 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -127,8 +144,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -144,8 +161,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -157,8 +179,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", "type": "passive", "sessions": [ "s1" @@ -174,8 +196,10 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] } ] } 
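Review bot: The `request_authentication_signing_alg_values_supported` check selects only the first array element, `...request_authentication_signing_alg_values_supported[0]`, whereas every sibling test in this file applies `not contains` to the whole array. A forbidden algorithm advertised in any later position is therefore not detected, and if the tool applies `not contains` to the selected string as a substring match the semantics differ from the other tests as well. Dropping the index makes it consistent: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`.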
@@ -187,8 +211,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -204,8 +228,13 @@ "checks": [ { "in": "payload", - "check": "$.authority_hints", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -217,25 +246,32 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/iz
Rim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] } ] } 
@@ -247,25 +283,29 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3C
VWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "header", - "check": "$.alg", - "is present": "true" + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -277,8 +317,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -294,8 +334,11 @@ "checks": [ { "in": "header", - "check": "$.kid", - "is present": "true" + "check": "$.alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -307,25 +350,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.typ", - "is present": "true" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
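Review bot: The `exp` test now validates a schema that requires `exp` to be a non-negative integer, but the retained description still says only that 'the presence of the exp parameter is checked'; the `iat` test in the next hunk has the same stale description. Suggested wording: 'The Entity Configuration payload is validated against a JSON schema requiring exp to be present and to be a non-negative integer.' Note that a schema cannot relate `exp` to `iat` or to the current time, so an expired but well-typed configuration still passes this test; a separate freshness check would be needed for that.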
@@ -337,25 +380,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -367,25 +410,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -397,25 +440,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
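Review bot: The schema for `$.metadata` lists all six metadata types under `required`, so an OP whose Entity Configuration carries only `openid_provider` and `federation_entity` fails this test, while the description says the keys 'must be a value among' the six — an allow-list, which `"additionalProperties": false` already enforces on its own. Remove the `required` array, or reduce it to the types this OP profile actually mandates. The 'cannot be repeated' clause of the description is not enforceable by JSON Schema either: duplicate keys are collapsed by the JSON parser before validation, so detecting a repeated type would require inspecting the raw decoded payload.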
@@ -427,25 +470,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the OP's entity configuration contain a correct authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" } ] } 
@@ -457,25 +500,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "name": "Does the OP metadata contain correct type issuer parameter", + "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" } ] } 
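Review bot: The new `issuer` schema relies on `"format": "uri"`, but the description requires 'an URL with no query or fragment component', which `format` does not express, and `format` is annotation-only in JSON Schema unless the validator is configured to assert it. A `pattern` states the requirement explicitly and independently of validator configuration, e.g. `"issuer": {"type": "string", "pattern": "^https://[^?#]+$"}` (relax the scheme if plain http is acceptable in this profile). The `logo_uri` and `client_id` schemas added later in this file do pair `format` with a `pattern`, so this is the only URL check that depends on `format` alone.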
@@ -487,25 +530,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct type logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
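Review bot: The `logo_uri` pattern `^(https?://).*\\\\.svg$` accepts plaintext `http://` URLs, whereas the `client_id` check at the end of this file insists on `^https://`. If the federation profile requires HTTPS for entity metadata URLs — I cannot confirm that from the diff — tighten it to `^https://.*\\\\.svg$`; otherwise the description should say explicitly that http is permitted. The description sentence is also missing its verb ('…the value of the logo_uri claim … is an URL' should read 'is checked to be a URL').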
@@ -517,25 +560,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" } ] } 
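Review bot: The `request_authentication_methods_supported` schema constrains only the values of whichever keys happen to be present, so an empty object `{}` — or a key mapped to an empty array — satisfies it, although the description says the presence of the claim is what is being checked. Add `"minProperties": 1` beside `"additionalProperties"` and `"minItems": 1` inside the array schema so an OP that advertises no request authentication method fails the test. Whether the check fails when the JSONPath itself resolves to nothing depends on the tool and is not visible here; if it does not, an explicit `"is present": "true"` check is needed as well.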
@@ -547,25 +590,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
@@ -577,8 +620,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
- "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
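Review bot: The trust_marks schema types the claim as an object of arrays (`"trust_marks": {"type": "object", "additionalProperties": {"type": "array"}}`), but the new description says it must be a JSON array, and in OpenID Federation `trust_marks` is an array of objects each carrying `id` and `trust_mark`; as written a conformant entity configuration fails this test and an object-shaped one passes. Change the property schema to `{\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}`, dropping the inner `required` if the profile makes those keys optional.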
@@ -589,13 +632,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is present": "true"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
@@ -607,9 +650,9 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
- "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
- "type": "passive",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
@@ -619,13 +662,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
- "is present": "true"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
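Review bot: The `aud` schema only asserts `"type": "array"`, so an empty array or an array of non-strings passes, a string-valued `aud` (permitted by RFC 7519) fails, and nothing compares the value to the resource server identifier that the description promises. At minimum use `{\"aud\": {\"anyOf\": [{\"type\": \"string\"}, {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\"}}]}}`, or keep only the array branch with `minItems`/`items` if this profile fixes the form. If the engine substitutes placeholders the way the removed `X_url_OP` check did, a `const` on the RS identifier would make the test match its description.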
@@ -637,8 +680,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
+ "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -649,13 +692,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -667,8 +710,8 @@
 },
 {
 "test": {
- "name": "Does ID token payload contain the 'at_hash' parameter",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
+ "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -679,13 +722,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.at_hash",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -697,8 +740,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
+ "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -709,13 +752,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -727,8 +770,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -739,13 +782,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
 }
 ]
 }
@@ -757,8 +800,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
 "type": "passive",
 "sessions": [
 "s1"
@@ -774,8 +817,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
 }
 ]
 }
@@ -787,8 +830,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
 "type": "passive",
 "sessions": [
 "s1"
@@ -804,8 +847,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
@@ -817,8 +860,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
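Review bot: The embedded schema string in the first hunk ends in `\"required\":[\"iss\"]})` — the stray `)` after the closing brace makes it invalid JSON, so the validator will reject the schema (or the engine will throw) instead of checking the ID Token issuer. Drop the parenthesis so the string ends `\"required\":[\"iss\"]}`. Separately, the placeholder here is `X_https_OP` while the pre-existing entity-configuration sub check used `X_url_OP`; confirm the engine substitutes both spellings, otherwise the `const` compares the issuer against the literal text.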
@@ -829,13 +872,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -847,8 +890,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -859,13 +902,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.nonce",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
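Review bot: The new extractor `(?<=id_token: \")([^\"]+)` drops the quote before the key, so it no longer matches a JSON token response whose body reads `"id_token": "…"`; every other extractor in this patch keeps it (`(?<=\"id_token\": \")[^\"]+`, `(?<=\"access_token\": \")[^\"]+`). With no match the decode step has nothing to validate, so the exp check here and the iat check in the third hunk on this line (same regex) never exercise the token. Restore `"decode param": "(?<=\"id_token\": \")[^\"]+",` in both places unless the engine's message body is formatted differently from JSON.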
@@ -877,24 +920,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the OP metadata contain the issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata.openid_provider.issuer",
 "is present": "true"
 }
 ]
@@ -907,8 +950,8 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
 "type": "passive",
 "sessions": [
 "s1"
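Review bot: This hunk introduces the key `"decode regex"` for the JWT extractor while every earlier hunk in the same patch (logo_uri, request_authentication_methods_supported, trust_marks and all the Access/ID Token tests) still writes `"decode param"`. Unless the engine accepts both spellings, one of the two groups of tests will not decode the JWT and will either error out or pass vacuously; pick one key and apply it across the file. If `decode regex` is the new canonical name, the `decode param` occurrences above should be migrated in this commit rather than left split, e.g. `"decode regex": "[^\\r\\n]*",`.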
@@ -916,12 +959,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response OP",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.jwks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -931,21 +980,27 @@
 },
 {
 "test": {
- "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
- "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
+ "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.signed_jwks_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
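Review bot: The test named "jwks or signed_jwks_uri" in the second hunk only asserts that `$.metadata.openid_provider.signed_jwks_uri` is present, so an OP that publishes an inline `jwks` (the alternative its own description allows) fails, and the "at least one of the two" rule is never evaluated. Express the disjunction as a schema check on the parent object: `"check": "$.metadata.openid_provider",` and `"json schema compliant": "{\"type\": \"object\", \"anyOf\": [{\"required\": [\"jwks\"]}, {\"required\": [\"signed_jwks_uri\"]}]}"`. The first hunk already covers plain `jwks` presence, so this one should be the or-condition.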
@@ -955,20 +1010,27 @@
 },
 {
 "test": {
- "name": "Does the OP verify the HTTP method of the Revocation request",
- "description": "The revocation request must be sent via HTTP POST",
+ "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.acr_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -978,20 +1040,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain access token",
- "description": "The Token response is analyzed and the presence of the access token is checked",
+ "name": "Does the OP metadata contain the authorization_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1001,20 +1070,27 @@
 },
 {
 "test": {
- "name": "Does the OP issue the access tokens when requested",
- "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
+ "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1024,20 +1100,27 @@
 },
 {
 "test": {
- "name": "Does the OP issue the expires_in in a token response",
- "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
+ "name": "Does the OP metadata contain the contacts claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "expires_in"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1047,20 +1130,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
+ "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "id_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1070,21 +1160,28 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the token type",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
+ "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token_type"
- }
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.grant_types_supported",
+ "is present": "true"
+ }
+ ]
+ }
 ]
 }
 ],
@@ -1093,20 +1190,27 @@
 },
 {
 "test": {
- "name": "Does the HTTP status code of the UserInfo response is 200",
- "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
+ "name": "Does the OP metadata contain the homepage_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "is present": true,
- "check param": "HTTP/?\\d?\\.?\\d?\\s200"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1116,8 +1220,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1128,13 +1232,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1146,8 +1250,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1158,13 +1262,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1176,8 +1280,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1188,13 +1292,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1206,8 +1310,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration OP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the OP metadata contain the introspection_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1218,13 +1322,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_OP"
+ "check": "$.metadata.openid_provider.introspection_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -1236,8 +1340,8 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the OP metadata contain the logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1245,11 +1349,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response OP",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1259,8 +1370,8 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the OP metadata contain the organization_name claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1268,11 +1379,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response OP",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1282,20 +1400,27 @@
 },
 {
 "test": {
- "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request",
- "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK",
+ "name": "Does the OP metadata contain the policy_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1305,20 +1430,27 @@
 },
 {
 "test": {
- "name": "Does the OP handle a correct token request",
- "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1328,20 +1460,27 @@
 },
 {
 "test": {
- "name": "Does the HTTP status of a token response correct?",
- "description": "This test verifies whether the HTTP status of a token response is 200.",
+ "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1351,8 +1490,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
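Review bot: The description added in the second hunk says the token_endpoint_auth_signing_alg_values_supported claim is looked up in the `'op'` entity type, but the JSONPath on the following line of the patch reads `$.metadata.openid_provider.…`, and `op` is not a metadata type name used anywhere else in this file. Align the text with the check: `"description": "… the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked."`. The test object this hunk opens continues past the hunk's end.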
@@ -1363,13 +1502,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1381,8 +1520,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1393,13 +1532,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1411,8 +1550,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the OP metadata contain the claims_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1423,13 +1562,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.metadata.openid_provider.claims_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1441,8 +1580,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the OP metadata contain the claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1453,13 +1592,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata.openid_provider.claims_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1471,8 +1610,8 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1483,13 +1622,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
+ "check": "$.metadata.openid_provider.request_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1501,8 +1640,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct type issuer parameter",
- "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1513,13 +1652,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1531,8 +1670,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct type logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1543,13 +1682,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1561,7 +1700,7 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
 "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
@@ -1573,13 +1712,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
 "check": "$.metadata.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
+ "is present": "true"
 }
 ]
 }
@@ -1591,8 +1730,8 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1603,13 +1742,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata.openid_provider.response_modes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1621,25 +1760,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
+ "name": "Does the OP metadata contain the response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
+ "check": "$.metadata.openid_provider.response_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1651,25 +1790,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
+ "name": "Does the OP metadata contain the revocation_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
+ "check": "$.metadata.openid_provider.revocation_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -1681,25 +1820,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
+ "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1711,25 +1850,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.scopes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1741,25 +1880,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
- "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "check": "$.metadata.openid_provider.subject_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1771,25 +1910,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
+ "check": "$.metadata.openid_provider.token_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -1801,25 +1940,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
+ "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1831,25 +1970,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
+ "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
+ "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1861,25 +2000,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the OP metadata contain the userinfo_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.userinfo_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -1891,25 +2030,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1921,20 +2060,27 @@
 },
 {
 "test": {
- "name": "Does the Content-Type in a token response set correctly?",
- "description": "This test verifies the head Content-Type set to application/json in the token response.",
+ "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check": "Content-Type",
- "is": "application/json"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_parameter_supported.value",
+ "is": "true"
+ }
+ ]
 }
 ]
 }
@@ -1944,20 +2090,27 @@
 },
 {
 "test": {
- "name": "Does the token_type of a token response set correctly?",
- "description": "This test verifies whether the token_type of a token response is Bearer.",
+ "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "token_type",
- "is": "Bearer"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_parameter_supported.value",
+ "is": "true"
+ }
+ ]
 }
 ]
 }
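Review bot: The new tests in `@@ -1921,20 +2060,27 @@` and `@@ -1944,20 +2090,27 @@` (and likewise in `@@ -1967,20 +2120,27 @@` and `@@ -1999,11 +2159,18 @@`) still use `"decode param": "[^\\r\\n]*"`, while every other hunk in this commit renames that key to `"decode regex"`; if the tool no longer understands `decode param`, these four tests will silently stop decoding the Entity Configuration and the checks will never run. The check path `$.metadata.openid_provider.claims_parameter_supported.value` with `"is": "true"` also looks suspect: in an OP Entity Configuration the claim is a plain boolean, so the `.value` suffix looks carried over from a metadata-policy shape — confirm against the tool before relying on these tests, as the same pattern is used for request_parameter_supported and authorization_response_iss_parameter_supported. Finally, the names promise a "correct value" while the descriptions were copied from the presence tests and only mention presence; the description should say what is asserted, e.g. `...and the value of the claims_parameter_supported claim in the 'openid_provider' entity type is checked to be true.`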
@@ -1967,20 +2120,27 @@
 },
 {
 "test": {
- "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",
+ "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is": "true"
+ }
+ ]
 }
 ]
 }
@@ -1990,8 +2150,8 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does entity configuration OP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1999,11 +2159,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response OP",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_OP"
+ }
+ ]
 }
 ]
 }
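Review bot: The description added in `@@ -1990,8 +2150,8 @@` promises that `sub` equals `iss`, but the check in `@@ -1999,11 +2159,18 @@` only compares `$.sub` with the fixed placeholder `X_url_OP` and never reads `iss`, so an Entity Configuration whose `iss` differs from its `sub` still passes. If the tool cannot compare two claims against each other, either state what is actually verified (`...the sub parameter is checked. Its value must be the OP's entity identifier`) or add a second check `{"in": "payload", "check": "$.iss", "is": "X_url_OP"}` so both sides of the equality are pinned to the same value. This hunk also keeps `"decode param"` where the rest of the commit uses `"decode regex"`.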
@@ -2013,20 +2180,20 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Content-Type in a token response set correctly?",
+ "description": "This test verifies the head Content-Type set to application/json in the token response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
+ "message type": "Token response",
 "checks": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "in": "head",
+ "check": "Content-Type",
+ "is": "application/json"
 }
 ]
 }
@@ -2036,8 +2203,8 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain a valid access token",
- "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT",
+ "name": "Does the token_type of a token response set correctly?",
+ "description": "This test verifies whether the token_type of a token response is Bearer.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2048,8 +2215,8 @@
 "checks": [
 {
 "in": "body",
- "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
- "is present": "true"
+ "check": "token_type",
+ "is": "Bearer"
 }
 ]
 }
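Review bot: `"check": "Content-Type"` with `"is": "application/json"` in `@@ -2013,20 +2180,20 @@` will reject a token response that sends `Content-Type: application/json; charset=utf-8` if `is` is an exact comparison (the tool's matching semantics are not visible in this diff), which would flag a conformant OP as failing. A media-type match that tolerates parameters, e.g. `"check regex": "Content-Type:\\s*application/json"` together with `"is present": "true"`, avoids that false negative. The test name carried over here (`Does the Content-Type in a token response set correctly?`) reads better as `Is the Content-Type of a token response set correctly?`.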
@@ -2059,19 +2226,19 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain a valid ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "checks": [
 {
- "in": "body",
- "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
 "is present": "true"
 }
 ]
@@ -2082,19 +2249,19 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
- "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "message type": "Entity Configuration response OP",
 "checks": [
 {
- "in": "body",
- "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
 "is present": "true"
 }
 ]
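Review bot: The two tests added in `@@ -2059,19 +2226,19 @@` and `@@ -2082,19 +2249,19 @@` run the identical check (a `200` status line on the Entity Configuration response), so the second one does not verify what its description claims, that "its entity configuration is expected as response". As written, an endpoint answering `200 OK` with an HTML page or a JSON error passes both. The body check this commit removes in `@@ -1999,11 +2159,18 @@` (`"in": "body"`, `"check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)"`, `"is present": "true"`) is the natural content of the second test, and a `Content-Type` check for `application/entity-statement+jwt` would complete it; otherwise the two tests should be merged.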
@@ -2105,34 +2272,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Revocation response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8b
EaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
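Review bot: The revocation test in `@@ -2105,34 +2272,20 @@` describes the expected response as an empty HTTP 200 OK but only matches the status line, so a `200` that still returns a body (an error document, or the token itself) passes; add a body check such as `{"in": "body", "check regex": "^\\s*$", "is present": "true"}`, adjusted to whatever idiom the tool uses for an empty body. Separately, the `jwe decrypt` PEM private key on the removed lines of this hunk remains in the repository history after this commit; if it is anything other than a throwaway test fixture it should be treated as exposed and rotated, and keys used by the suite are better referenced by file path than embedded in committed JSON.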
@@ -2142,31 +2295,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E
1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -2176,28 +2318,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhor
buDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -2207,28 +2341,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/eu
KGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", - "is present": "true" - } - ] + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": "true" } ] } 
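Review bot: The new check `"check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)"` does not test what the description states (the code "must be a UUID"): a canonical hyphenated UUID fails `[a-zA-Z0-9]+` at the first hyphen, and the trailing `(?=&)` also requires another query parameter to follow `code`, which an OP is not obliged to do. A pattern that matches the description would be `"check regex": "(?<=code=)[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}(?=&|$)"`. If the intent is only "an opaque code is present", the description should drop the UUID claim instead.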
@@ -2238,28 +2364,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
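Review bot: The description promises a Federation Metadata response with `Content-Type: application/entity-statement+jwt`, but the only check on the new side is a body regex, so the media type is never verified. Adding `{ "in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true" }` alongside the body check would cover the stated contract. Note also that `[\\w=]+` excludes `-`, which is part of the base64url alphabet, so the unanchored body pattern can match a substring inside a token rather than its three segments; `[\\w\\-=]+` per segment would be closer to the intent.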
@@ -2269,28 +2387,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQ
yTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
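Review bot: The leading `[` in the new `"check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"` is unescaped, so it opens a character class instead of matching a literal bracket; depending on the engine the pattern either fails to compile (nested-class syntax) or matches only a quote followed by `]` at end of input, neither of which is the JSON string array the pattern seems to target. The intended form is presumably `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Separately, a trailing string array does not by itself establish "resolved metadata for the entity in the request's sub claim" as the description states; the description should reflect what the regex actually checks.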
@@ -2300,31 +2410,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] - } - ] + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
@@ -2334,29 +2433,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] - } - ] + "in": "body", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
@@ -2366,30 +2456,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] - } - ] + "in": "body", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } 
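Review bot: The new name and description claim the UserInfo response is "signed and encrypted", but `"check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$"` can only establish the five-segment compact JWE shape; whether the decrypted payload is a JWS is not observable without decryption. The description should say that only the JWE structure is checked, e.g. `"description": "The UserInfo response body is checked to be a compact-serialized JWE (five base64url segments); the inner JWS is not verified here."`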
@@ -2399,30 +2479,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
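Review bot: The new check looks for the literal `POST` with `"in": "url"`, but the HTTP method is part of the request line, not the URL, so unless mig-t's `url` scope includes the request line this check can only pass by accident (e.g. a query value containing "POST") and will otherwise fail for a correct request. A check on the request line such as `"in": "head", "is present": true, "check regex": "^POST\\s"` would match the stated requirement; please confirm which scope the tool uses for the method. Also, `"is present"` is a boolean `true` here and in the five following hunks but the string `"true"` in the hunks before and after them; one value type for the same key across the document would avoid depending on the parser accepting both.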
@@ -2432,30 +2502,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
@@ -2465,30 +2525,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
@@ -2498,29 +2548,20 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } 
@@ -2530,30 +2571,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } 
@@ -2563,29 +2594,20 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } 
@@ -2595,30 +2617,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "head", + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } @@ -2628,8 +2640,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
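Review bot: The UserInfo status check in the first hunk on this line uses `"check param": "HTTP/?\\d?\\.?\\d?\\s200"`, whereas the sibling status checks earlier in this file use `"check regex"` with the identical pattern; if `check param` is a literal or parameter-name lookup rather than a regex, the escaped pattern will never match and the test silently fails. Unless `check param` is intentionally different, the line should read `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` to be consistent with the other hunks.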
@@ -2640,16 +2652,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.exp", + "is present": "true" } ] } @@ -2661,8 +2670,8 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2673,15 +2682,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported[0]", - "is in": [ - "automatic" - ] + "check": "$.iat", + "is present": "true" } ] } @@ -2693,8 +2700,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -2705,16 +2712,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" - ] + "check": "$.iss", + "is present": "true" } ] } @@ -2726,8 +2730,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2738,15 +2742,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] + "check": "$.jwks", + "is present": "true" } ] } @@ -2758,8 +2760,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -2770,15 +2772,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata", + "is present": "true" } ] } @@ -2790,8 +2790,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2802,18 +2802,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" - ] + "check": "$.sub", + "is present": "true" } ] } @@ -2825,8 +2820,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -2837,15 +2832,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" - ] + "check": "$.authority_hints", + "is present": "true" } ] } @@ -2857,8 +2850,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2869,16 +2862,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -2890,28 +2880,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "header", + "check": "$.alg", + "is present": "true" } ] } 
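Review bot: The new `decode param` value `(?<=\"access_token\": \")[^\"]+` hard-codes exactly one space between the colon and the opening quote, so a Token Response produced by a compact serializer (`"access_token":"…"`) yields no match and the checks that follow are run against nothing rather than against the token. The same regex is used in the access-token hunks through -3229 and in -3716, and with `id_token` in the hunks -3260 through -3566. If the engine is Java's, a bounded whitespace run inside the lookbehind is accepted: `(?<=\"access_token\":\\s{0,4}\")[^\"]+`; an engine that requires fixed-width lookbehind would need the token captured outside the lookbehind instead. It is also worth confirming what the harness reports when the regex matches nothing, since a silent pass here would mask a missing token entirely.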
@@ -2923,28 +2910,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "in": "header", + "check": "$.kid", + "is present": "true" } ] } @@ -2956,8 +2940,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", "type": "passive", "sessions": [ "s1" 
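Review bot: The new description in this hunk ends with "If it is not present, than the Access Token is not compliant."; "than" should be "then": `"description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, then the Access Token is not compliant."`. The ID Token counterpart at -3296 carries the same typo.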
@@ -2968,17 +2952,13 @@ "decode operations": [ { "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ - { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + { + "in": "header", + "check": "$.typ", + "is present": "true" } ] } @@ -2990,27 +2970,25 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.aud", + "is present": "true" } ] } 
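Review bot: The `typ` check in the -2968 hunk is presence-only (`"is present": "true"`), so a header carrying any `typ` value satisfies a test whose name promises a check on the access token's type. If the OP under test follows RFC 9068 the expected value is `at+jwt`, and `"is": "at+jwt"` would additionally catch an ID Token being handed out where an access token is expected; if the target profile does not pin the value, a sentence in the description stating that only presence is required would make the intent explicit. The test object's closing lines fall outside the hunk.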
@@ -3022,30 +3000,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.client_id", + "is present": "true" } ] } 
@@ -3057,30 +3030,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.exp", + "is present": "true" } ] } 
@@ -3092,30 +3060,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.iat", + "is present": "true" } ] } 
@@ -3127,30 +3090,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.iss", + "is present": "true" } ] } 
@@ -3162,27 +3120,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.jti", + "is present": "true" } ] } 
@@ -3194,30 +3150,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.scope", + "is present": "true" } ] } 
@@ -3229,26 +3180,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Token response", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4
ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", - "is": "JWT" + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
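Review bot: The `jwe decrypt` PEM private key this hunk removes (a second copy goes in the next hunk) remains recoverable from the repository history, so the removal on its own does not un-expose it. If that key pair was ever used outside a disposable local harness, treat it as compromised and rotate it; if JWE decryption is still needed by other tests, loading the key from an untracked file or a harness variable avoids committing it again. The test object's closing lines fall outside the hunk.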
@@ -3260,31 +3210,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Token response", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8b
EaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "header", "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "is present": "true" } ] } @@ -3296,24 +3240,24 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", + "in": "header", + "check": "$.kid", "is present": "true" } ] 
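Review bot: The test renamed in the -3260 hunk to "Does the issued JWT ID Token contain a correct 'alg' parameter" now only asserts `"is present": "true"` on `$.alg`, so an ID Token signed with `none` or an HMAC algorithm passes it, and the `is not in` list the hunk removes from the former UserInfo test is not carried over. Unless another test in the file still rejects those values for the ID Token, keep `"is not in": ["none", "HS256", "HS384", "HS512"]` on this check (or add it as a second check) instead of the presence test; the same consideration applies to the access-token `alg` hunk at -2890. The test object's closing lines fall outside the hunk.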
@@ -3326,24 +3270,24 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.jwks", + "check": "$.acr", "is present": "true" } ] 
@@ -3356,24 +3300,24 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.signed_jwks_uri", + "check": "$.at_hash", "is present": "true" } ] 
@@ -3386,24 +3330,24 @@ }, { "test": { - "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported", + "check": "$.aud", "is present": "true" } ] 
@@ -3416,24 +3360,24 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_endpoint", + "check": "$.exp", "is present": "true" } ] 
@@ -3446,24 +3390,24 @@ }, { "test": { - "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "check": "$.iat", "is present": "true" } ] @@ -3476,24 +3420,24 @@ }, { "test": { - "name": "Does the OP metadata contain the contacts claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.iss", "is present": "true" } ] 
@@ -3506,24 +3450,24 @@ }, { "test": { - "name": "Does the OP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.jti", "is present": "true" } ] 
@@ -3536,24 +3480,24 @@ }, { "test": { - "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported", + "check": "$.nonce", "is present": "true" } ] @@ -3566,24 +3510,24 @@ }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.sub", "is present": "true" } ] 
@@ -3596,27 +3540,20 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "code" } ] } 
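Review bot: The new `Location` check uses `"contains": "code"`, a bare substring, so any redirect whose URL merely contains the letters "code" (a path segment, another parameter's value, an error description) satisfies it, and the `state` and `iss` variants in the next two hunks are looser still, since `iss` matches any host or path containing those letters. Matching the parameter name with its separator, `"contains": "code="` (and `"state="`, `"iss="`), narrows this at no cost; if the DSL offers a regex form for header checks, anchoring on `[?&]code=` would be tighter. The test object's closing lines fall outside the hunk.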
@@ -3626,27 +3563,20 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "state" } ] } 
@@ -3656,27 +3586,20 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "iss" } ] } 
@@ -3686,8 +3609,8 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -3698,15 +3621,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", - "is present": "true" - } - ] + "jwt check sig": "X_key_OP" } ] } 
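Review bot: The second hunk on this line renames the decode field from `"decode regex"` to `"decode param"` while keeping a regex value, and the same rename is applied in the Access Token and ID Token tests (L4130, L4131) and the UserInfo tests (L4147, L4149), yet the `acr` test at L4143 still uses `"decode regex"` with an identical kind of value. If the test runner recognises only one of the two keys, the tests using the other will not decode anything and their checks will be vacuous, so one spelling should be used throughout the file. I cannot tell from the diff which key the runner accepts; whichever it is, the L4143 test should be aligned with these.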
@@ -3716,27 +3633,21 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP correctly sign the Access Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_OP" } ] } 
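Review bot: The lookbehind `(?<=\"access_token\": \")` depends on exactly one space after the colon, so a token response serialised without that whitespace (`"access_token":"..."`) is not matched and the signature check never runs; the ID Token extractors at L4131 and L4143 have the same dependency. If the regex engine allows bounded-length lookbehind, `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"` covers both serialisations; otherwise two alternated fixed-width lookbehinds are needed. Since a test that fails to extract anything can read as a pass, it is worth confirming how the runner reports an empty decode.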
@@ -3746,27 +3657,21 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP correctly sign the ID Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_OP" } ] } 
@@ -3776,8 +3681,8 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", "type": "passive", "sessions": [ "s1" @@ -3793,8 +3698,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.openid_provider.acr_values_supported[0]", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } @@ -3806,8 +3715,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", "type": "passive", "sessions": [ "s1" 
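Review bot: The new checks select only the first array element (`acr_values_supported[0]`) and test it with `"is in"`, so they verify that one advertised value is acceptable rather than that the advertised list equals the expected set as the description claims; a provider advertising a single level, or the expected values followed by unexpected ones, passes. The same pattern is used for every list-valued metadata claim in the hunks through L4143, and it matters most for the algorithm lists (`id_token_signing_alg_values_supported`, `userinfo_signing_alg_values_supported`, `request_object_signing_alg_values_supported`, `token_endpoint_auth_signing_alg_values_supported`), where a list such as `["RS256", "HS256"]` would satisfy the `[0]` check. If the check language has an operator that evaluates every element, use it; otherwise add a second check on the whole array. Note also that the `revocation_endpoint_auth_methods_supported` check at L4140 omits the `[0]` and so compares the entire array against a list of strings, which is inconsistent with its siblings.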
@@ -3823,8 +3732,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] } ] } @@ -3836,8 +3747,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", "type": "passive", "sessions": [ "s1" @@ -3853,8 +3764,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } 
@@ -3866,8 +3780,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -3883,8 +3797,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -3896,8 +3813,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" 
@@ -3913,8 +3830,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -3926,8 +3846,8 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -3943,8 +3863,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_supported", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -3956,8 +3879,8 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" 
@@ -3973,8 +3896,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported", - "is present": "true" + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } @@ -3986,8 +3911,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -4003,8 +3928,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported", - "is present": "true" + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -4016,8 +3944,8 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" 
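Review bot: The last hunk on this line changes the `token_endpoint_auth_methods_supported` test to pin the value `private_key_jwt`, but its description still says only that the parameter's "presence ... is checked"; the `client_registration_types_supported` test at L4138 has the same stale wording while pinning `automatic`. Suggested wording: `"description": "In this test the OP metadata are taken and the value of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'private_key_jwt'"`. The first hunk at L4138 also reads "is checked to ['RS256', 'RS512']", missing "be".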
@@ -4033,8 +3961,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } @@ -4046,8 +3976,8 @@ }, { "test": { - "name": "Does the OP metadata contain the client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -4063,8 +3993,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -4076,8 +4009,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -4093,8 +4026,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -4106,8 +4042,8 @@ }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -4123,8 +4059,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" + ] } ] } 
@@ -4136,8 +4074,8 @@ }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" @@ -4153,8 +4091,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is present": "true" + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } @@ -4166,8 +4107,8 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" @@ -4183,8 +4124,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } 
@@ -4196,8 +4139,8 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" @@ -4214,7 +4157,9 @@ { "in": "payload", "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" + "is in": [ + "private_key_jwt" + ] } ] } @@ -4226,8 +4171,8 @@ }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" @@ -4243,8 +4188,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -4256,8 +4206,8 @@ }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" @@ -4273,8 +4223,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } @@ -4286,8 +4238,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -4303,8 +4255,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -4316,8 +4271,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -4333,8 +4288,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -4346,8 +4304,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" 
@@ -4363,8 +4321,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -4376,25 +4337,29 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
@@ -4406,8 +4371,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -4415,18 +4380,12 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
@@ -4436,20 +4395,21 @@
 },
 {
 "test": {
- "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
+ "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
+ "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
+ "message type": "UserInfo response",
 "checks": [
 {
 "in": "head",
- "check param": "Location",
- "contains": "code"
+ "url decode": false,
+ "is": "application/jwt",
+ "check param": "Content-Type"
 }
 ]
 }
@@ -4459,20 +4419,33 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "state" + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
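Review bot: The `"jwe decrypt"` value embeds a complete PEM private key in the committed test file, and the same literal is repeated in the hunk at L4149 and in the cut-off hunk at L4150. The rest of this file already substitutes secrets and environment-specific values through placeholders such as `X_key_OP` and `X_url_OP`; the decryption key should go through the same mechanism (for example a placeholder named along the lines of `X_key_RP_private`, name to be chosen by the maintainers) so that the key lives outside version control and is defined once rather than copied per test. A key that has been committed should be treated as disclosed and replaced. Separately, `"is not in": ["none", "HS256", "HS384", "HS512"]` is a deny-list that the description itself says should also reject other symmetric algorithms; an allow-list `"is in": ["RS256", "RS512"]`, matching the `userinfo_signing_alg_values_supported` test at L4142, would express the requirement directly.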
@@ -4482,20 +4455,28 @@ }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "iss" + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.cty", + "is": "JWT" + } + ] } ] } 
@@ -4505,28 +4486,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg3
0osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "header", "check": "$.alg", - "is in": [ - "RS256", - "RS512" - ] + "is present": "true" } ] } 
@@ -4538,30 +4517,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiW
VXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.cty", + "is present": "true" } ] } 
@@ -4573,30 +4548,26 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgV
zl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.enc", + "is present": "true" } ] } 
@@ -4608,21 +4579,28 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_OP" + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
@@ -4632,8 +4610,8 @@
 },
 {
 "test": {
- "name": "Does the OP correctly sign the Access Token",
- "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
+ "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4646,7 +4624,18 @@
 "from": "body",
 "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_core_OP"
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
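Review bot: The `is not in` deny-list on `$.alg` does not enforce the absence case that the new `description` promises ("is absent ... than the Access Token is not compliant"): if `$.alg` is missing, a deny-list comparison presumably succeeds, so a preceding `{"in": "header", "check": "$.alg", "is present": "true"}` entry (the form this patch uses for the UserInfo JWE tests) is needed here and in the ID Token hunk at @@ -4670. A deny-list also accepts any algorithm that is simply not named, whereas the test removed at @@ -4505 pinned the allowed set with `"is in": ["RS256", "RS512"]`; for a compliance check the allow-list is the stronger form and is worth keeping alongside this one. Note too that after this patch the `jwt check sig` tests for the Entity Configuration, Access Token and ID Token (@@ -4608, @@ -4632, @@ -4656) no longer appear in this file; header checks are no substitute for signature verification, so if those tests were not relocated to another plan they should be restored.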
@@ -4656,8 +4645,8 @@
 },
 {
 "test": {
- "name": "Does the OP correctly sign the ID Token",
- "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
+ "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header",
+ "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4670,7 +4659,18 @@
 "from": "body",
 "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_core_OP"
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
index 4dd45a3..4fd0251 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
@@ -7,32 +7,25 @@ "tests": [ { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -44,32 +37,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -81,32 +67,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -118,32 +97,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
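Review bot: The schema in `json schema compliant` lists all six metadata types under `required`, so an SA whose Entity Configuration carries only, say, `federation_entity` and `openid_relying_party` fails this test even though the `description` only requires the types to be among the allowed set and not repeated. Drop the `required` array (or keep just `"required": ["federation_entity"]`) and let `"additionalProperties": false` carry the allow-list. Also, "cannot be repeated" is not something a JSON-Schema check on the parsed payload can detect — a duplicate key is collapsed by the parser before the check runs — so either that clause should leave the description or the test needs a raw-text assertion on the decoded payload.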
@@ -155,32 +127,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
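Review bot: The schema and the description disagree on the shape of `trust_marks`: the description says "a JSON array containing the Trust Marks" (which is also the OpenID Federation payload format), but the schema declares it as `{"type": "object", "additionalProperties": {"type": "array"}}`, so a compliant array value fails the check. Inside the same escaped string, use `"trust_marks": {"type": "array", "items": {"type": "object"}}` instead.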
@@ -192,32 +157,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
@@ -229,32 +187,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
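Review bot: The test `name` and `description` here are byte-identical to those in the hunk at @@ -303, and likewise @@ -266 duplicates @@ -340; only `message type` differs (`Entity Statement response SA OP` versus `Entity Statement response SA RP`), so the two results cannot be told apart in a report. Put the subject in the name, e.g. `"name": "Does the Entity Statement issued by the SA for the OP contain a correct exp parameter"`, and the RP variant accordingly. The descriptions in all four hunks also say the statement is fetched "in the TA's fetch endpoint" although the message type is the SA's, call a base64url-decoded payload a "decrypted Payload", and contain "the the"; since these strings are what a person reads when triaging a failure, they should be corrected.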
@@ -266,32 +217,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -303,32 +247,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -340,32 +277,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -377,32 +307,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the SA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.jwks", + "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" } ] } 
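Review bot: The schema `{"type":"object", "properties": {"value" :{}}, "required": ["value"]}` only asserts that a `value` key exists under `$.metadata_policy.openid_relying_party.jwks`; the empty subschema accepts `null`, a string or anything else, so the description's claim that it "must contain the RP JWKS" is not actually checked. Constraining it to a JWK Set shape, `"value": {"type": "object", "properties": {"keys": {"type": "array"}}, "required": ["keys"]}`, makes the test fail on an empty or malformed policy value.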
@@ -414,32 +337,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", - "type": "passive", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
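Review bot: The new side of this hunk keeps `"decode regex": "[^\\r\\n]*"` as the selector, while every other rewritten test in this file (e.g. @@ -7, @@ -44, @@ -377) switched to `"decode param": "[^\\r\\n]*"` and explicitly removed `decode regex`; the same mixed form is left in the hunks at @@ -451, @@ -488 and @@ -525. If the tool only honours `decode param` for a `from: body` decode operation — which the rest of the patch suggests — these four checks run on an empty selection and either error out or pass vacuously, so the key should be renamed here too. For the three endpoint tests (@@ -451, @@ -488, @@ -525) an `is present` on the JSONPath also says nothing about the value being an `https://` URL; a `json schema compliant` check with `"format": "uri"` plus a `^https://` pattern, as done for `logo_uri` at @@ -192, would be consistent with the rest of the file.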
@@ -451,32 +367,25 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "is present": "true" } ] } 
@@ -488,32 +397,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_list_endpoint", + "is present": "true" } ] } 
@@ -525,32 +427,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -562,32 +457,25 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } 
@@ -599,32 +487,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -636,32 +517,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
@@ -673,32 +547,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } 
@@ -710,32 +577,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } 
@@ -747,32 +607,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does entity configuration SA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_url_SA" } ] } 
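Review bot: The body-extraction step here switches from `"decode regex": "[^\\r\\n]*"` to `"decode param": "[^\\r\\n]*"`, while the nine SA-metadata hunks above keep `decode regex` for the identical step, and everywhere else on the page `decode param` carries a parameter name or JSONPath (`client_assertion`, `$.trust_marks[0].trust_mark`), not a regex. If the tool treats the value as a literal parameter name, the JWT is never selected and the `$.sub` comparison runs against nothing; how the tool reports that case is not visible here. The same substitution appears in both 'Does the SA correctly sign the Trust marks' hunks and in the Entity Configuration operation of both 'correct iss claim' hunks. Unless the tool's schema changed in this commit, the line should read `"decode regex": "[^\\r\\n]*",`.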
@@ -784,36 +637,22 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] } ], "result": "correct flow s1" 
@@ -821,34 +660,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
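Review bot: This test is a byte-for-byte duplicate of the previous hunk's check: same message type, same `"in": "head"` regex for an HTTP 200 status line. Under the name 'Does the Entity expose the /.well-known/openid-federation endpoint' the distinguishing assertion would be that the body is an entity configuration, e.g. `"in": "body"` with the three-segment JWT regex used in the next hunk, or a `Content-Type` header check. As written, a server answering 200 with an HTML error page passes both tests.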
@@ -858,34 +683,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
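Review bot: The description promises a check that the response is a Federation Metadata in JOSE format with `Content-Type: application/entity-statement+jwt`, but the only operation matches the body against a three-segment JWT-shaped regex. A second check on the header would make the test match its description: `{ "in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true" }`. Note also that the body regex is unanchored, so any run of word characters containing two dots (a hostname inside a JSON error body, for instance) satisfies it.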
@@ -895,34 +706,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", + "is present": "true" } ] } 
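Review bot: The name says entity listing endpoint and the description says a JSON list is expected, yet the description's first sentence still reads 'resolve entity statement endpoint' and the `check regex` matches a JSON object (`^\\{ ... \\}$`), not an array; the array-of-strings pattern sits four hunks below under 'Resolve Entity Statement response', so the two patterns appear swapped. Separately, the prefix `[^\\r\\n]*.^` requires `.` to consume one character and then `^` to match a line start, which can only succeed if the engine runs with both DOTALL (so `.` can eat the line break) and MULTILINE (so `^` matches after it); the same prefix is used in the three 'Entity Statement response' / 'Fetch Entity Statement response' hunks that follow. If the engine is not configured that way, these four checks can never match and a failure would look like a missing endpoint rather than a broken pattern; dropping the prefix and anchoring on the body alone (`^\\[ ... \\]$` for the listing) is the safer form.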
@@ -932,34 +729,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Statement response SA OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
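Review bot: This test and the next hunk share the exact name 'Does the SA correctly release the Entity statements' and description while checking different message types (`SA OP` vs `SA RP`); the same happens for the two 'Does the SA correctly sign the Trust marks' hunks and the two 'correct iss claim' hunks. Any report keyed on the test name will collapse or confuse them; naming the subordinate, e.g. `"name": "Does the SA correctly release the Entity statement for the OP",`, keeps them apart. Separately, the description says the response must contain the subordinate entity's Entity Statement, but the only check is a JWT-shape regex; decoding the body and asserting `"check": "$.sub"` against the subordinate's identifier (as the `sub` test above does with `"is": "X_url_SA"`) would actually test that claim.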
@@ -969,34 +752,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Statement response SA RP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -1006,34 +775,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response SA RP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
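Review bot: The description says 'a response containing the resolved metadata for the entity in the request's sub claim is expected', which is the resolve endpoint's contract copied from the next hunk; the fetch endpoint returns the subordinate's Entity Statement. Wording that matches this test: `... is made to the entity's fetch endpoint and an Entity Statement (signed JWT) for the entity in the request's sub parameter is expected.`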
@@ -1043,34 +798,20 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
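Review bot: The `check regex` opens with an unescaped `[`, so the engine reads `[\\s*\"[^\"]` as the start of a character class rather than the literal opening bracket of a JSON array; in a Java-style engine the outer class is never closed and the pattern most likely fails to compile, in others it matches something other than intended. `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` is presumably what was meant. Also, the description expects 'the resolved metadata for the entity', whereas this pattern accepts only a bare JSON array of strings, which is the shape of a listing response rather than a resolve response; see the entity listing hunk above, whose object pattern looks like the one intended here.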
@@ -1080,32 +821,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
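Review bot: Only the first trust mark is signature-checked (`"decode param": "$.trust_marks[0].trust_mark"`), so an Entity Statement carrying several trust marks passes as long as index 0 verifies with `X_key_SA`, and any later, possibly unsigned or mis-signed entry goes unexamined; the same applies to the next hunk for `SA RP`. If the tool cannot iterate the array, the limitation should at least be stated in the description, e.g. `Only the first trust mark in the trust_marks array is verified.` The description also says the public key comes from 'n, e of jwks parameter' while the check uses the fixed `X_key_SA` variable; which of the two is actually used is not visible here and the text should say.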
@@ -1117,32 +852,26 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -1154,32 +883,53 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "client_assertion", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" } ] } 
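Review bot: The first intercept operation reads the `iss` to save from `"from": "url"`, `"decode param": "client_assertion"` on message type `Entity Statement response SA OP`; an HTTP response carries no URL query, and `client_assertion` is a request-side parameter of token-style requests, so `conf_iss` is presumably never populated and the later `"contains": "conf_iss"` comparison cannot test what the name promises. The Entity Statement JWT is in the response body, exactly as the second operation of this test already reads the Entity Configuration: `"from": "body", "decode param": "[^\\r\\n]*"` (or `decode regex`, whichever key the tool expects). The same operation is repeated in the next hunk for `Entity Statement response SA RP`. Since both values are meant to identify the same SA, `"is"` rather than `"contains"` would make the comparison an equality check, as the `sub` test above uses.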
@@ -1191,32 +941,53 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" } ] } @@ -1236,7 +1007,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", 
@@ -1266,7 +1037,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -1296,7 +1067,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -1326,7 +1097,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -1356,7 +1127,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -1386,7 +1157,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -1408,15 +1179,15 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does the entity configuration of the SA contain the trust marks", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -1425,7 +1196,7 @@ "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -1438,15 +1209,15 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does Entity Statements issued by the SA contain the constraints parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -1455,7 +1226,7 @@ "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.constraints", "is present": "true" } ] 
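Review bot: 'the presence if the constraints parameter is checked' should read 'the presence of'; the same phrase, and 'decrypted Payload' for what is a base64url decode of a signed JWT, recur in the five entity-statement hunks that follow. In the `exp`, `iat`, `jwks` and `sub` hunks the description additionally still says the request goes to 'the TA's fetch endpoint' although the message type is `Entity Statement response SA OP` and the name says 'issued by the SA'. Suggested wording for all six: `... (HTTP GET request to the SA's fetch endpoint) and the response is analyzed. The Entity Statement payload in the response is base64url decoded and the presence of the constraints parameter is checked`.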
@@ -1468,15 +1239,15 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does Entity Statements issued by the SA contain the exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -1485,7 +1256,7 @@ "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", + "check": "$.exp", "is present": "true" } ] 
@@ -1498,15 +1269,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does Entity Statements issued by the SA contain the iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -1515,7 +1286,7 @@ "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.iat", "is present": "true" } ] 
@@ -1528,15 +1299,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -1545,7 +1316,7 @@ "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.jwks", "is present": "true" } ] 
@@ -1558,15 +1329,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1575,7 +1346,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy",
 "is present": "true"
 }
 ]
@@ -1588,15 +1359,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1605,7 +1376,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -1618,15 +1389,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1635,7 +1406,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -1648,15 +1419,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1665,7 +1436,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -1678,15 +1449,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1695,7 +1466,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.constraints",
 "is present": "true"
 }
 ]
@@ -1708,15 +1479,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1725,7 +1496,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -1738,15 +1509,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1755,7 +1526,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -1768,15 +1539,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1785,7 +1556,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -1798,15 +1569,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1815,7 +1586,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy",
 "is present": "true"
 }
 ]
@@ -1828,15 +1599,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1845,7 +1616,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -1858,15 +1629,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1875,7 +1646,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -1888,15 +1659,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1905,7 +1676,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -1918,25 +1689,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
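Review bot: The nested check uses `"check": "sa_profile"` while every sibling presence check in this file addresses the payload with a JSONPath (`"check": "$.iat"`); if `check` is interpreted as a JSONPath, as the `$.`-prefixed siblings suggest, the bare key will not resolve, so `"check": "$.sa_profile"` is the consistent form, and the same bare-key form is used in all the Trust Mark hunks that follow (claims, email, exp, iat, id, id_code, logo_uri, organization_name, organization_type, policy_uri, ref, service_documentation, sub, tos_uri, iss). Separately, `$.trust_marks[0].trust_mark` inspects only the first Trust Mark of the statement, and the statement read here is `"Entity Statement response SA OP"`, whose `trust_marks` are about the OP subject, while the description says the mark examined is one "issued by a TA for an SA"; either the description or the message type looks wrong and it is worth confirming which entity's mark is intended. The test object begins and ends outside this hunk.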
@@ -1948,25 +1726,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
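Review bot: The description says the Trust Mark examined is one "issued for an AA (oauth_resource profile)", but the operation reads it from `"message type": "Entity Statement response SA OP"`, i.e. the SA's statement about an OP, so the `trust_marks[0]` taken here would be the OP's mark, not an AA's. Either the message type should point at the Entity Statement for the AA or the description should drop the AA/oauth_resource wording; the same mismatch is in the policy_uri, service_documentation and tos_uri hunks below, which the descriptions also tie to the oauth_resource profile. The test object begins and ends outside this hunk.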
@@ -1978,25 +1763,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2008,21 +1800,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
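Review bot: This hunk and the ones at -2062 and -2085 drop the Entity Configuration transport checks (Content-Type `application/entity-statement+jwt`, HTTP 200, `/.well-known/openid-federation` exposure), and the hunks from -2170 to -2350 drop the `json schema compliant` type checks (exp/iat integer with minimum 0, metadata as object, allowed metadata types, constraints.max_path_length, trust_mark_issuers), all replaced by presence-only Trust Mark checks; nothing in this chunk re-creates them. If these tests were moved to another file this is fine, but if not, the TA's Entity Configuration is no longer validated here, and `"is present": "true"` does not verify claim types the way the removed schema checks did. Worth stating in the PR description where these checks now live.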
@@ -2032,25 +1837,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration TA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_TA"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2062,20 +1874,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2085,20 +1911,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2108,26 +1948,32 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
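Review bot: The Trust Mark signature verification `"jwt check sig": "X_key_TA"` is removed here and in the next hunk (-2139) in favour of a presence check on `logo_uri`, and no remaining hunk in this chunk verifies a Trust Mark signature. Presence checks on an unverified JWT payload say nothing about who issued the mark, so unless the signature test was moved elsewhere, one test keeping `"jwt check sig"` on `$.trust_marks[0].trust_mark` should be retained alongside the new claim checks. The test object begins and ends outside this hunk.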
@@ -2139,26 +1985,32 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2170,25 +2022,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2200,25 +2059,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2230,25 +2096,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2260,25 +2133,32 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2290,25 +2170,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2320,25 +2207,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
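Review bot: `tos_uri` is only checked for presence, which is weaker than the removed tests in this file, which used `json schema compliant` with `format: uri` and an `https://` pattern for URI-valued claims; the same strictness fits here, e.g. `"json schema compliant": "{\"type\":\"string\",\"format\":\"uri\",\"pattern\":\"^https://\"}"` in place of `"is present": "true"`. As with the neighbouring tests, the name speaks of an oauth_resource Trust Mark while the message examined is `Entity Statement response SA OP`, so it is unclear which entity's mark is meant. The test object continues past the hunk.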
@@ -2350,25 +2244,32 @@ }, { "test": { - "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
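Review bot: Presence of `iss` is not a trust decision: any issuer, including one the federation does not recognise, satisfies `"is present": "true"`. The test removed in this same hunk was the one that looked at the TA's `trust_mark_issuers`, so the replacement should at least constrain the value with the DSL's `"is in": [ ... ]` form (used later in this patch for `organization_type`) to the issuers allowed for this mark, or compare it against the TA configuration if the tool can cross-reference. Also `decrypted` should be `decoded`, since the trust mark is a JWS. The `result` section lies outside the hunk.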
@@ -2380,25 +2281,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
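Review bot: The description says a Trust Mark issued by the TA for an SA is examined, but `"message type": "Entity Statement response SA RP"` is the SA's statement about an RP, whose `trust_marks[0]` would be the RP's mark, not the SA's. If the harness exposes a message type for the TA's statement about the SA (the removed tests used `Entity Statement response TA OP` / `TA RP` forms), that is the message this `sa_profile` check should run on; otherwise the name and description need to be reworded to match what is actually decoded. The test's `result` section is outside the hunk.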
@@ -2410,25 +2318,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
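Review bot: The name and description refer to an oauth_resource (AA) Trust Mark, yet the operation decodes the first trust mark of `Entity Statement response SA RP`, so the test either runs against the wrong message or is mis-titled; the same mismatch appears in several sibling hunks and should be resolved consistently. A smaller wording point: `the presence of the claims claim` reads awkwardly, e.g. `the presence of the "claims" member`. The test object continues past the hunk.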
@@ -2440,25 +2355,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } 
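Review bot: `"is present": "true"` passes a string where a JSON boolean would be expected; if the tool compares it as a boolean this is fine, but if it tests for the literal string the check may be a no-op, so it is worth confirming against the DSL and using `true` if accepted. Since the old tests in this file already use `json schema compliant`, `email` could also be validated as `{"type":"string","format":"email"}` rather than presence only. The `result` section of the test lies outside the hunk.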
@@ -2470,25 +2392,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
@@ -2500,25 +2429,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
@@ -2530,25 +2466,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
@@ -2560,25 +2503,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -2590,25 +2540,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
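Review bot: The removed TA-metadata test enforced `logo_uri` as an https URL ending in `.svg` via a JSON-schema pattern, whereas this replacement only checks presence, so a plain-http or non-image value now passes. Reusing the existing form, `"json schema compliant": "{\"type\":\"string\",\"format\":\"uri\",\"pattern\":\"^https://\"}"`, keeps the transport requirement without presuming the file type. The test's `result` section lies past the hunk.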
@@ -2620,25 +2577,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -2650,25 +2614,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -2680,25 +2651,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
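Review bot: This `policy_uri` test carries the same name/message mismatch as its siblings: the name says oauth_resource Trust Mark, the operation decodes the first trust mark of `Entity Statement response SA RP`. The hunk also removes a test whose schema string was malformed (`... } [\"RS256\", \"RS512\"]`), which is a correct cleanup; if the intent of that old test (pinning `request_object_signing_alg_values_supported` to RS256/RS512) is still wanted, it should be re-added elsewhere rather than lost with this rename. The `result` section lies outside the hunk.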
@@ -2710,25 +2688,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -2740,25 +2725,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
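Review bot: This test has exactly the same name and description as the `service_documentation` test added earlier in this patch for `Entity Statement response SA OP`; only `"message type": "Entity Statement response SA RP"` differs, so results for the two cannot be told apart in a report. Including the subject in the name, e.g. `"name": "Does the Trust Mark in the SA's Entity Statement for an RP contain the service_documentation claim"`, removes the ambiguity (the `sub`, `tos_uri` and `iss` pairs have the same problem). The test's `result` section lies outside the hunk.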
@@ -2770,25 +2762,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -2800,25 +2799,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -2830,25 +2836,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -2860,27 +2873,21 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" - } - ] + "jwt check sig": "X_key_SA" } ] } 
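Review bot: The description says the verifier is configured for the algorithm taken from the Entity Configuration header, which is the classic algorithm-confusion trap: if the harness honours `alg` from the token, a statement signed with `none` or with an HMAC alg keyed on the public key could be reported as correctly signed. Unless `jwt check sig` is known to pin the algorithm, add a header check before it, e.g. `"checks": [{"in": "header", "check": "alg", "is in": ["RS256", "RS512"]}]`, using the set the removed policy tests named. Note also that this hunk keeps `"decode param": "[^\\r\\n]*"` for body extraction while the trust-mark tests above switched to `"decode regex"` for the same purpose; if the tool treats these differently one of the two groups is misconfigured. The test's `result` section lies outside the hunk.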
@@ -2890,27 +2897,21 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" - } - ] + "jwt check sig": "X_key_SA" } ] } 
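Review bot: This test and the next one share the identical name `Does the SA correctly signs the Entity Statement`, differing only in message type, so reports cannot distinguish the OP case from the RP case; `"name": "Does the SA correctly sign the Entity Statement for an OP"` fixes both the duplication and the grammar. A valid signature alone also does not show that the statement is the SA's about this OP: the payload's `iss` and `sub` are not checked in this test, and if the DSL allows a `checks` entry alongside `jwt check sig`, asserting `iss` equals the SA entity id would close that gap. The `result` section lies past the hunk.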
@@ -2920,27 +2921,21 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" - } - ] + "jwt check sig": "X_key_SA" } ] } 
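Review bot: The description states the public key comes from the Entity Statement of the SA issued by the TA, but the operation passes a fixed `"jwt check sig": "X_key_SA"`; if that is a static key configured in the harness rather than one resolved from the superior's statement at run time, the test will keep passing after the SA rotates its federation key and will not exercise the trust-chain step the description claims. Either reword the description to say a preconfigured key is used, or resolve the key from the TA statement and match it by the header `kid`. Also `signs` should be `sign`, and the name duplicates the previous test's. The test object's `result` section lies outside the hunk.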
@@ -2950,55 +2945,140 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] + } + ] + } + ] + } + ], + "result": [ + "s1" + ] + } + }, + { + "test": { + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA RP", + "decode operations": 
[ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], + "result": [ + "s1" + ] + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + } + ] } ] } 
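Review bot: The `json schema compliant` string of the sa_profile test is corrupted: its keywords and enum values carry trailing spaces (`\"type \"`, `\"enum \"`, `\"required \"`, `\"full \"`, `\"light \"`) and a U+00A0 non-breaking space sits between `:` and the value, which is not JSON whitespace, so the schema either fails to parse or never matches a real trust mark and the test cannot report anything meaningful. It should be `{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}`; the same corruption is present in the email schema (+3238 and +3867), in the second sa_profile copy (+3682) and in the organization_name schema (+3275). The two organization_type tests in this hunk set `"result": ["s1"]` while every other test uses `"result": "correct flow s1"`; the result field should keep one type so the runner evaluates all tests the same way. The descriptions say the trust mark is "decrypted", but the operations only base64url-decode a signed JWT — "decoded" is what the test does.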
@@ -3010,20 +3090,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] + } + ] } ] } 
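Review bot: This test asserts `fiscal_number`/`vat_number` inside `id_code` of `$.trust_marks[0].trust_mark` for every `Entity Statement response SA OP`, while the next hunk (+3127) asserts `ipa_code` on the same claim of the same message; no single trust mark satisfies both, so one of the two always fails unless the runner selects tests by organization type, which nothing visible here does. Making each schema conditional on the organization type, e.g. `{\"if\": {\"properties\": {\"organization_type\": {\"const\": \"private\"}}}, \"then\": {... current schema ...}}`, lets both tests pass on the entity they apply to. Only the first element of `trust_marks` is inspected, so an entity carrying several trust marks may have the relevant one at another index. The SA RP copies of the pair (+3719, +3756) have the same problem.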
@@ -3033,20 +3127,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } + ] + } + ] } ] } 
@@ -3056,20 +3164,34 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] + } + ] } ] } 
@@ -3079,20 +3201,34 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } + ] + } + ] } ] } 
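Review bot: The description says the `claims` claim "is checked to be a list", but the schema requires `\"claims\"` to be an object whose members are objects; one of the two is wrong and they must agree (the SA RP copy at +3830 has the same mismatch). The test is named after the oauth_resource (AA) trust mark yet runs on `Entity Statement response SA OP`; because the schema lists `claims` under `required`, an OP statement whose first trust mark is not an oauth_resource one fails the test instead of being skipped, so either the message type or the `required` keyword should reflect the intended target.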
@@ -3102,20 +3238,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } + ] + } + ] } ] } 
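Review bot: `"decode param": "$.trust_marks.trust_mark"` omits the array index that the sibling tests use (`$.trust_marks[0].trust_mark`); `trust_marks` is a list in the other tests of this file, so this path most likely resolves to nothing and the email check never runs against a real trust mark. The same unindexed path is used for exp, iat and organization_name in the next hunk (+3275), for ref (+3497) and for the email copy at +3867; change them to `$.trust_marks[0].trust_mark` or, if the decoder supports it, iterate over the list.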
@@ -3125,20 +3275,219 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, 
\"required\": [\"iat\"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust 
Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + } + ] + } + ] } ] } 
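Review bot: The id_code type test requires `\"additionalProperties\": {\"type\": \"object\"}` inside `id_code`, i.e. every member of `id_code` must itself be an object, which contradicts the `ipa_code` string test of +3164 and the `fiscal_number`/`vat_number` members expected by +3090; `\"id_code\": {\"type\": \"object\"}` is what the description ("must be a JSON Object") states. The organization_name schema constrains the value to `\"enum \": [ \"private \", \u00a0\"public \"]`, an enum that belongs to organization_type, and carries trailing spaces and a U+00A0 outside the strings; for a name claim the description only asks for `{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}`. The exp, iat and organization_name tests use `$.trust_marks.trust_mark` without the array index used by the other tests in this hunk, and `correcty` in the id_code test name is a typo.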
@@ -3148,20 +3497,34 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] + } + ] } ] } 
@@ -3171,20 +3534,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + } + ] + } + ] } ] } 
@@ -3194,26 +3571,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } ] } ] 
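Review bot: The check that the TA metadata policy excludes `RSA_1_5` from `id_token_encryption_alg_values_supported` is removed here, and the following hunks (+3608 through +3867) remove the corresponding checks that `none`, `HS256`, `HS384` and `HS512` are excluded from the signing-alg parameters and `RSA_1_5` from the other encryption-alg parameters; nothing in this chunk re-adds them. The patch touches many test files, so they may have been moved, but these were the only tests asserting that unauthenticated or deprecated algorithms are kept out of the policy — please confirm they survive elsewhere (the removed paths also mixed `metadata_policy.intermediary` and `metadata_policy.openid_provider`, which is worth fixing wherever they land).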
@@ -3226,29 +3608,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
@@ -3261,29 +3645,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } ] } ] 
@@ -3296,26 +3682,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + } ] } ] 
@@ -3328,29 +3719,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -3363,29 +3756,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -3398,26 +3793,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -3430,29 +3830,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
 ]
 }
 ]
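Review bot: The new `description` says the `claims` claim is checked to be a list, but the schema on the `json schema compliant` line requires `"claims": {"type": "object", "additionalProperties": {"type": "object"}}`, so a list-valued `claims` fails the test and the documentation contradicts the assertion. Decide which shape the oauth_resource trust mark profile prescribes and align the two; if it really is a list the schema would read `{"type": "object", "properties": {"claims": {"type": "array"}}, "required": ["claims"]}`. The name also says the trust mark is issued for an AA, yet `message type` is `Entity Statement response SA RP`, the same message the RP trust mark tests use; unless the AA's trust mark is carried in that statement this test inspects the wrong response, so please confirm.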
@@ -3465,26 +3867,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
 ]
 }
 ]
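Review bot: The schema on the new `json schema compliant` line has a trailing space inside every key and value (`"type "`, `"object "`, `"properties "`, `"email "`, `"required "`), so none of them is a JSON Schema keyword and the schema accepts any payload — this test can never fail. The `decode param` is also `$.trust_marks.trust_mark` without the `[0]` index the sibling trust mark tests use; since `trust_marks` is an array this path presumably selects nothing. Suggested values: `"decode param": "$.trust_marks[0].trust_mark"` and the schema `{"type": "object", "properties": {"email": {"type": "string", "format": "email"}}, "required": ["email"]}` (written as the escaped string the file uses). Note that `format` is annotation-only in most validators unless format assertion is switched on, so the email check may still be weaker than it looks.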
@@ -3497,29 +3904,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
 ]
 }
 ]
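Review bot: The new `decode param` is `$.trust_marks.trust_mark`, missing the `[0]` index that the other trust mark tests in this file use; `trust_marks` is an array, so this path most likely selects nothing and the `exp` check either errors or passes vacuously. Change it to `"decode param": "$.trust_marks[0].trust_mark",`. The `exp` schema itself (`integer`, `minimum: 0`) is fine, though a passive type check says nothing about the token being unexpired; if the tool has a time-based check that would be the security-relevant assertion to add.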
@@ -3532,26 +3941,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
 ]
 }
 ]
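Review bot: The new `decode param` is `$.trust_marks.trust_mark` without the `[0]` index used by the sibling trust mark tests, so the inner JWT decode presumably resolves nothing and the `iat` schema is never applied to a real payload. Use `"decode param": "$.trust_marks[0].trust_mark",` for consistency with the other hunks in this change.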
@@ -3564,29 +3978,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
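Review bot: The `id_code` schema on the new `json schema compliant` line sets `"additionalProperties": {"type": "object"}`, which forces every member of `id_code` to be an object, while the ipa_code type test added earlier in this same change requires `id_code.ipa_code` to be a string; a trust mark that satisfies one of the two necessarily fails the other. Since the description only asks that `id_code` be a JSON object, drop the inner constraint: `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`. Also `correcty` in the new `name` is a typo for `correct`.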
@@ -3599,26 +4015,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
+ }
 ]
 }
 ]
@@ -3631,29 +4052,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
 ]
 }
 ]
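Review bot: The schema on the new `json schema compliant` line contains `\u00a0` non-breaking spaces and trailing spaces inside its keys and values (`"type "`, `"enum "`, `"private "`), so no keyword is recognised and the schema accepts any payload — the test cannot fail. The `decode param` is again `$.trust_marks.trust_mark` without the `[0]` index the other tests use. Beyond the encoding issue, an enum of `private`/`public` reads like an organization *type* claim rather than `organization_name`, which would normally be free text; please confirm against the trust mark profile before settling on `{"type": "object", "properties": {"organization_name": {"type": "string"}}, "required": ["organization_name"]}` or an enum on the correct claim.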
@@ -3666,25 +4089,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the contacts parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
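Review bot: The new `name` and `description` say this trust mark is issued for an AA (oauth_resource profile), but the `message type` line is `Entity Statement response SA RP`, the same message the RP trust mark tests inspect; unless the AA's oauth_resource trust mark is embedded in the RP's entity statement, this test looks at the wrong response. Confirm and switch to the AA's entity statement message type if the tool defines one. The `$.trust_marks[0]` selector additionally assumes the oauth_resource trust mark is listed first.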
@@ -3696,25 +4126,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
 }
 ]
 }
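Review bot: The `ref` check on the new `json schema compliant` line relies on `"format": "uri"` alone, but `format` is an annotation in JSON Schema that many validators do not enforce unless explicitly enabled, so this may accept any string; the sibling URL tests in this change add `"pattern": "^https://"`, which is always asserted. Use the same shape, `{"ref": {"type": "string", "format": "uri-reference", "pattern": "^https://"}}`, and fix the `decode param` to `$.trust_marks[0].trust_mark` like the other trust mark tests, since the un-indexed `$.trust_marks.trust_mark` presumably selects nothing from an array.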
@@ -3726,25 +4163,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
 }
 ]
 }
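Review bot: As with the other oauth_resource tests in this change, the `name` says the trust mark is issued for an AA while the `message type` is `Entity Statement response SA RP`; if the AA has its own entity statement this test inspects the wrong message, so please confirm the message type. A small wording point: `"checked to be an URL"` should read `"checked to be a URL"`, and the description could state that only the first entry of `trust_marks` is examined.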
@@ -3756,25 +4200,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
 }
 ]
 }
@@ -3786,25 +4237,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
 }
 ]
 }
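Review bot: The `name` describes an AA (oauth_resource) trust mark but the `message type` is `Entity Statement response SA RP`, so this test, like the policy_uri and service_documentation ones, may be reading the RP's statement instead of the AA's; please confirm which entity statement carries the oauth_resource trust mark and use that message type. The `tos_uri` schema (`string`, `^https://` pattern) is consistent with the sibling URL checks.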
@@ -3816,25 +4274,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the homepage_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ }
+ ]
 }
 ]
 }
@@ -3846,25 +4311,27 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the logo_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
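Review bot: The `not contains` entry on the new check is `RSA_1_5`, but the JWA (RFC 7518) identifier for RSAES-PKCS1-v1_5 key encryption is `RSA1_5`; an OP that advertises the weak algorithm therefore never matches and the test passes vacuously. Change the list entry to `"RSA1_5"` and the description accordingly. This hunk also renames `decode regex` to `decode param`, while the trust mark hunks earlier in the same change rename `decode param` to `decode regex`; only one of the two keys is presumably honoured by the tool, so check which one is current and use it consistently.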
@@ -3876,25 +4343,30 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the organization_name parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3906,25 +4378,30 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the policy_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3936,25 +4413,30 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
+ "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints.max_path_length",
- "is present": "true"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3966,25 +4448,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
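Review bot: The new `check` path ends in `[0]`, so only the first advertised algorithm is inspected; an OP listing `RS256` first and `HS256` or `none` second passes this test. Drop the index so the whole array is checked, as the sibling alg tests do: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",`.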
@@ -3996,25 +4483,27 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
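Review bot: The `not contains` value `RSA_1_5` on the new check does not match the registered JWA name `RSA1_5` (RFC 7518), so an OP advertising PKCS#1 v1.5 key encryption for userinfo would not be flagged and the test passes vacuously. Use `"RSA1_5"` here and in the description, mirroring the fix needed in the id_token_encryption_alg test above.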
@@ -4026,25 +4515,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
- "is present": "true"
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -4056,25 +4550,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "in": "header", + "check": 
"$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] } ] } 
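Review bot: The new `jwe decrypt` line embeds a full PEM-encoded RSA private key inline in the committed test definition, and the next hunk repeats the same key verbatim; even if this is a throw-away test key, every UserInfo test now carries its own copy and rotating it means editing each one. Prefer a path or environment reference if the tool supports one, and document the key as test-only so nobody mistakes it for a deployed credential. The `is in` allow-list for `alg` (`RSA-OAEP`, `RSA-OAEP-256`, `ECDH-ES`, `ECDH-ES+A128KW`, `ECDH-ES+A256KW`) correctly excludes `RSA1_5`, which is the right direction for this check.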
@@ -4086,25 +4587,29 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "in": "header", + "check": 
"$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -4116,25 +4621,28 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is present": "true" + "in": "header", + "check": "$.alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -4146,25 +4654,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -4176,25 +4684,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -4206,25 +4714,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -4236,25 +4744,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", 
\"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } @@ -4266,25 +4774,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the OP's entity configuration contain a correct authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" } ] } 
@@ -4296,25 +4804,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the OP metadata contain correct type issuer parameter", + "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" } ] } 
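Review bot: The new schema checks `issuer` only with `\"format\":\"uri\"`, which neither rejects a query or fragment component nor is enforced by default (format is an annotation unless the validator opts in), so the description's "no query or fragment component" requirement is not tested. A pattern does the job, e.g. `\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://[^?#]*$\"}` if https is required as the client_id and iss checks later in this file assume; otherwise `^[^?#]*$` on top of the format. Whether plain http is acceptable depends on the profile being tested and is not stated on the page.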
@@ -4326,25 +4834,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the OP metadata contain correct type logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
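Review bot: The `pattern` `^(https?://).*\\\\.svg$` accepts an `http://` logo URL while the other URL checks added in this file (client_id at L4301, iss at L4304) require `^https://`; if the same transport requirement applies to `logo_uri`, the pattern should be `^https://.*\\\\.svg$`. The `.*` also lets a query string such as `?x=.svg` satisfy the suffix test, so `^https://[^?#]*\\\\.svg$` is tighter. The description should state the `.svg` requirement, which "correct type logo_uri claim" does not convey.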
@@ -4356,25 +4864,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" } ] } 
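Review bot: The new schema for `request_authentication_methods_supported` has no `required` or `minProperties`, so an empty object satisfies it although the test name promises a "correct value" check; `additionalProperties` also admits any key name, so the endpoint keys are not constrained either. If the profile names the expected keys, list them under `properties` with `required`; at minimum add `\"minProperties\": 1` so an empty claim does not pass. The description should say what is actually enforced, i.e. that every value present is an array whose items are the string `request_object`.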
@@ -4386,25 +4894,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the OP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
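Review bot: The name and description say `trust_marks` must be a JSON array, but the new schema declares it `{\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}`, so a compliant array would fail and a map of arrays would pass. Align the schema with the description: `{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}`. If the object form is what the harness really expects, the description and name are the ones to change.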
@@ -4416,25 +4924,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" } ] } 
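Review bot: The description says the `aud` value must be the identifier of the resource server, but the new schema only asserts that `aud` is an array, so any array, including an empty one, passes. Either narrow the description to "is an array" or add `\"minItems\": 1` and, if the expected identifier is known to the harness, an `items` constraint on it. RFC 7519 also allows `aud` to be a single string rather than an array; a token using the string form fails this test, so confirm that is intended for the profile under test.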
@@ -4446,25 +4954,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" } ] } 
@@ -4476,25 +4984,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -4506,25 +5014,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -4536,25 +5044,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", + "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } 
@@ -4566,25 +5074,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" } ] } 
@@ -4596,25 +5104,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" } ] } 
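Review bot: The new `json schema compliant` string ends with `]})`; the trailing `)` after the closing brace makes the embedded schema invalid JSON, so the check will error or silently not validate `iss` instead of testing it. Drop it so the string ends `\"required\":[\"iss\"]}`. The `const` value `X_https_OP` looks like a placeholder substituted by the harness; if so, confirm the substitution is also applied inside this nested JSON string, otherwise every real issuer fails the comparison.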
@@ -4626,25 +5134,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" } ] } 
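Review bot: The description says `sub` is checked to be a string, but the new schema also constrains it to exactly 64 lowercase hex characters (`^[0-9a-f]{64}$`). Either the description should state that requirement, or the `pattern` should be dropped if subject identifiers of other shapes are acceptable in the profile; as written, the test is stricter than it documents.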
@@ -4656,25 +5164,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
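Review bot: The new `decode param` value `(?<=id_token: \")([^\"]+)` does not match a JSON Token response, where the key is quoted (`\"id_token\": \"`), so the lookbehind never fires and no JWT is extracted; the same regex appears in the next hunk (L4309). The two preceding ID Token tests (L4306, L4307) use `(?<=\"id_token\": \")[^\"]+`, which should be used in both of these hunks as well.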
@@ -4686,25 +5194,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -4716,15 +5224,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the OP metadata contain the issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4733,7 +5241,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "check": "$.metadata.openid_provider.issuer",
 "is present": "true"
 }
 ]
@@ -4746,15 +5254,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
+ "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4763,7 +5271,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.metadata.openid_provider.jwks",
 "is present": "true"
 }
 ]
@@ -4776,15 +5284,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4793,7 +5301,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "check": "$.metadata.openid_provider.signed_jwks_uri",
 "is present": "true"
 }
 ]
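Review bot: The check in the second hunk only asserts that `$.metadata.openid_provider.signed_jwks_uri` is present, while the test's name and description say at least one of `jwks` or `signed_jwks_uri` must be present, so an OP that publishes only `jwks` fails this test. The file already expresses this kind of alternative with `json schema compliant` plus `anyOf` (the removed Trust Mark `id_code` tests do it), so the `is present` line can become `"json schema compliant": "{\"type\": \"object\", \"anyOf\": [{\"required\": [\"jwks\"]}, {\"required\": [\"signed_jwks_uri\"]}]}"` with `"check": "$.metadata.openid_provider"` on the line above, assuming the tool accepts a sub-path there (every existing schema check uses `$`; if only `$` is accepted, nest the `anyOf` under `properties.metadata.properties.openid_provider`). Note also that the previous hunk requires `jwks` unconditionally, so the two tests together still demand both keys; one of the two intents should win.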
@@ -4806,15 +5314,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4823,7 +5331,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "check": "$.metadata.openid_provider.acr_values_supported",
 "is present": "true"
 }
 ]
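Review bot: The added description has its word order scrambled: `the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked` reads as if the subclaim itself were the parameter. The neighbouring tests phrase it as `the presence of the 'acr_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.`, which this line should match.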
@@ -4836,15 +5344,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the OP metadata contain the authorization_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4853,7 +5361,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "check": "$.metadata.openid_provider.authorization_endpoint",
 "is present": "true"
 }
 ]
@@ -4866,15 +5374,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4883,7 +5391,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported",
 "is present": "true"
 }
 ]
@@ -4896,15 +5404,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the OP metadata contain the contacts claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4913,7 +5421,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -4926,15 +5434,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4943,7 +5451,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -4956,15 +5464,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -4973,7 +5481,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "check": "$.metadata.openid_provider.grant_types_supported",
 "is present": "true"
 }
 ]
@@ -4986,32 +5494,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the OP metadata contain the homepage_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5023,32 +5524,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5060,32 +5554,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5097,32 +5584,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5134,32 +5614,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the OP metadata contain the introspection_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.introspection_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5171,32 +5644,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the OP metadata contain the logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5208,32 +5674,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the OP metadata contain the organization_name claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -5245,32 +5704,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the OP metadata contain the policy_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5282,32 +5734,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5319,32 +5764,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5356,32 +5794,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
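Review bot: The added description says the claim is checked `in the 'op' entity type`, but the check line in the same hunk uses `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported` and every neighbouring test names the container `'openid_provider'`; `op` is not a metadata type used anywhere else in this file. The description should read `in the 'openid_provider' entity type` so that a failing run points a reader at the right key.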
@@ -5393,32 +5824,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5430,32 +5854,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the OP metadata contain the claims_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5467,32 +5884,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the OP metadata contain the claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5504,32 +5914,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5541,32 +5944,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5578,32 +5974,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5615,32 +6004,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5652,32 +6034,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.response_modes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5689,32 +6064,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the OP metadata contain the response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.response_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5726,32 +6094,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the OP metadata contain the revocation_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.revocation_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5763,32 +6124,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
- {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
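Review bot: The whole operation object here is removed and re-added (`- {` … `+ {`, `- "from": "body",` … `+ "from": "body",`), while the sibling hunks above and below keep those lines as context and only touch the inner decode step; since the re-added content is textually identical, this looks like an indentation change that differs from the neighbouring tests. Re-indenting this block to match its siblings would make the diff as small as the other hunks and keeps the file consistently formatted.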
@@ -5800,32 +6154,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.scopes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5837,32 +6184,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.subject_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5874,32 +6214,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5911,32 +6244,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5948,32 +6274,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5985,32 +6304,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the OP metadata contain the userinfo_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -6022,32 +6334,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -6059,32 +6364,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
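Review bot: The body decode step here keys the line-selecting regex as `+ "decode param": "[^\\r\\n]*"`, whereas every presence test above keeps `"decode regex": "[^\\r\\n]*"` for the same value and the removed code used `decode param` only for a JSONPath; unless the framework treats the two keys as aliases, this step will not isolate the JWT and the check cannot run. The same key swap appears in the next two value tests (the hunk at @@ -6096,99 +6394,75 @@). The JSONPath `$.metadata.openid_provider.claims_parameter_supported.value` also differs from the sibling checks, which address the claim directly; in OP metadata `claims_parameter_supported` is a bare boolean with no `value` child, so the check presumably should be `"check": "$.metadata.openid_provider.claims_parameter_supported"` with `"is": "true"`, assuming `is` compares a boolean against the string form. The name promises a value check while the description still says only the presence of the claim is checked; the description should state that the value must be true.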
@@ -6096,99 +6394,75 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response OP", "decode 
operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", @@ -6197,12 +6471,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "check": "$.sub", + "is": "X_url_OP" } ] } 
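Review bot: The new `sub` check compares `$.sub` with the fixed value `X_url_OP` (`+ "check": "$.sub", + "is": "X_url_OP"`), but the description says the value must be equal to the `iss` parameter of the same Entity Configuration, which is the actual requirement for a self-signed entity configuration; a mismatch between the configured OP URL and the published `iss` would not be caught by this check. If the framework cannot compare two claims of one payload, either add a parallel check `"check": "$.iss", "is": "X_url_OP"` so that both must equal the configured URL, or reword the description to say that `sub` is compared with the configured OP entity identifier. The enclosing decode operation starts outside this hunk, so I could not verify which decode key it uses.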
@@ -6214,29 +6484,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']",
+ "name": "Does the Content-Type in a token response set correctly?",
+ "description": "This test verifies the head Content-Type set to application/json in the token response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is subset of": [
- "S256"
- ]
- }
- ]
+ "in": "head",
+ "check": "Content-Type",
+ "is": "application/json"
 }
 ]
 }
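Review bot: `"is": "application/json"` on the `Content-Type` header is an exact comparison, so a token response sent as `application/json; charset=utf-8`, which is a valid and common way to declare the same media type, would be reported as a failure. If the framework's `is` does not tolerate parameters, use the header-regex form already used by the status checks below, e.g. `"check regex": "Content-Type:\\s*application/json\\b"` with `"is present": "true"`. The test name reads oddly; `Is the Content-Type of a token response set correctly?` matches the description.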
@@ -6246,30 +6507,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",
+ "name": "Does the token_type of a token response set correctly?",
+ "description": "This test verifies whether the token_type of a token response is Bearer.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of",
- "is subset of": [
- "refresh_token",
- "authorization_code"
- ]
- }
- ]
+ "in": "body",
+ "check": "token_type",
+ "is": "Bearer"
 }
 ]
 }
@@ -6279,30 +6530,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response OP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -6312,30 +6553,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response OP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
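Review bot: The operation of this test is identical to the one in the hunk above (@@ -6279,30 +6530,20 @@): same message type, same `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` on the head, so the two tests can never disagree and the description's "presence and correctness" of the endpoint is asserted only as a status code. To make this test carry its own meaning, add a check that the response is in fact an entity configuration, e.g. `"in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true"`, or merge it with the previous test.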
@@ -6345,30 +6576,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
+ "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request",
+ "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Revocation response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
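Review bot: The name and description require an empty HTTP 200 response, but the only check added asserts the status line (`"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`), so a 200 that leaks token data or an error document in the body still passes. If the framework can evaluate a regex against an empty body, a second check such as `"in": "body", "check regex": "^\\s*$", "is present": "true"` would cover the emptiness requirement; otherwise the description should be narrowed to the status code that is actually verified.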
@@ -6378,30 +6599,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
+ "name": "Does the OP handle a correct token request",
+ "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
- "is subset of": [
- "form_post",
- "query"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
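Review bot: The description says an Access Token is obtained and the responses analyzed, but the only check is the status line, which is the same single check as the next hunk (@@ -6411,29 +6622,20 @@), so the two tests are duplicates and neither verifies that a token was issued. Adding `"in": "body", "check": "access_token", "is present": "true"` here would make this test assert what its description promises and distinguish it from the plain HTTP-status test that follows.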
@@ -6411,29 +6622,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
+ "name": "Does the HTTP status of a token response correct?",
+ "description": "This test verifies whether the HTTP status of a token response is 200.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is subset of": [
- "code"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -6443,29 +6645,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+"name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication",
+"description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA OP",
-"decode operations": [
+"message type": "Authentication response",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
-"is subset of": [
-"private_key_jwt"
-]
-}
-]
+"in": "head",
+"check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)",
+"is present": "true"
 }
 ]
 }
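Review bot: The regex `(?<=code=)[a-zA-Z0-9]+(?=&)` does not test what the description promises ("it must be a UUID"): it accepts any alphanumeric run, and because a UUID contains hyphens it would actually fail on a well-formed UUID code, while the trailing `(?=&)` additionally rejects a redirect in which `code` is the last query parameter. A pattern that matches the stated contract is `"check regex": "(?<=code=)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=&|$)"`. If the intent is only "a code is present", the test name and description should say so instead of claiming a UUID check.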
@@ -6475,32 +6668,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
+"name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+"description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA OP",
-"decode operations": [
+"message type": "Entity Configuration response OP",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
-"is subset of": [
-"openid",
-"offline_access",
-"profile",
-"email"
-]
-}
-]
+"in": "body",
+"check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+"is present": "true"
 }
 ]
 }
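Review bot: The body regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` excludes `-` from the first two groups, but base64url (the JWS compact encoding an entity configuration uses) contains `-` and `_`, so a perfectly valid entity statement whose header or payload happens to contain a `-` is reported as non-compliant; the third group, by contrast, admits `+` and `/`, which are not base64url at all. A consistent pattern is `"check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]*$"`. The description also states the Content-Type must be `application/entity-statement+jwt`, yet nothing in the hunk checks the head; a second check such as `{"in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": true}` would make the test cover what it claims.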
@@ -6510,29 +6691,43 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. 
It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is subset of": [ - "pairwise" - ] - } - ] + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } @@ -6542,29 +6737,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
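Review bot: In the "Does the Entity expose the resolve entity statement endpoint" test the leading `[` of `"check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"` is unescaped, so the regex engine reads it as the start of a character class rather than a literal bracket; the pattern still compiles but matches something entirely different from the JSON array the author evidently intended, and the test can pass or fail for the wrong reasons. If a literal array is really expected the pattern should be `"check regex": "^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`; if the resolve endpoint instead returns a signed JWT, as the other federation responses in this file are treated, the check should use a JOSE pattern like the one in the entity-configuration test. The description also expects an HTTP 200 response, but no head check is present; a `{"in": "head", "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": true}` entry would cover it. This hunk begins on the previous physical line.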
@@ -6574,30 +6760,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+"name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
+"description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA OP",
-"decode operations": [
+"message type": "UserInfo response",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
-"is subset of": [
-"RS256",
-"RS512"
-]
-}
-]
+"in": "body",
+"check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
+"is present": "true"
 }
 ]
 }
@@ -6607,30 +6783,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+"name": "Does the OP verify the HTTP method of the Revocation request",
+"description": "The revocation request must be sent via HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA OP",
-"decode operations": [
+"message type": "Revocation request",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
-"is subset of": [
-"RSA-OAEP",
-"RSA-OAEP-256"
-]
-}
-]
+"in": "url",
+"is present": true,
+"check": "POST"
 }
 ]
 }
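Review bot: The new check looks for the literal `POST` in the request URL (`"in": "url"`), but the HTTP method is not part of the URL, so this test cannot establish that the revocation request was sent via POST as the description requires; it would only pass if the string "POST" happened to appear in the path or query. The other status-line checks in this file inspect the head with a regex, and the same approach fits here: `"in": "head", "check regex": "^POST\\s", "is present": true`. Note also that this is the first hunk in the sequence to use the boolean `true` for `"is present"`, whereas the hunks above use the string `"true"`.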
@@ -6640,30 +6806,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+"name": "Does the successful token response contain access token",
+"description": "The Token response is analyzed and the presence of the access token is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA OP",
-"decode operations": [
+"message type": "Token response",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
-"is subset of": [
-"A128CBC-HS256",
-"A256CBC-HS512"
-]
-}
-]
+"in": "body",
+"is present": true,
+"check regex": "access_token"
 }
 ]
 }
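Review bot: `"check regex": "access_token"` is a bare substring match, so an error body such as `{"error_description": "invalid access_token"}` satisfies it just as well as a real token response; matching the JSON member instead, `"check regex": "\"access_token\"\\s*:\\s*\""`, ties the check to the key the name refers to. The same substring style is used by the following hunks for `expires_in`, `id_token` and `token_type` and the same tightening applies there. The very next test ("Does the OP issue the access tokens when requested") has operations byte-identical to this one, so the pair should be merged or differentiated.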
@@ -6673,30 +6829,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+"name": "Does the OP issue the access tokens when requested",
+"description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA OP",
-"decode operations": [
+"message type": "Token response",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
-"is subset of": [
-"RS256",
-"RS512"
-]
-}
-]
+"in": "body",
+"is present": true,
+"check regex": "access_token"
 }
 ]
 }
@@ -6706,29 +6852,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
+"name": "Does the OP issue the expires_in in a token response",
+"description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
-"decode operations": [
+"message type": "Token response",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
-"is subset of": [
-"automatic"
-]
-}
-]
+"in": "body",
+"is present": true,
+"check regex": "expires_in"
 }
 ]
 }
@@ -6738,30 +6875,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
+"name": "Does the successful token response contain the ID token",
+"description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
-"decode operations": [
+"message type": "Token response",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
-"is subset of": [
-"authorization_code",
-"refresh_token"
-]
-}
-]
+"in": "body",
+"is present": true,
+"check regex": "id_token"
 }
 ]
 }
@@ -6771,29 +6898,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+"name": "Does the successful token response contain the token type",
+"description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
-"decode operations": [
+"message type": "Token response",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.openid_relying_party.response_types.value",
-"is subset of": [
-"code"
-]
-}
-]
+"in": "body",
+"is present": true,
+"check regex": "token_type"
 }
 ]
 }
@@ -6803,30 +6921,20 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+"name": "Does the HTTP status code of the UserInfo response is 200",
+"description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
-"decode operations": [
+"message type": "UserInfo response",
+"checks": [
 {
-"from": "body",
-"decode param": "[^\\r\\n]*",
-"type": "jwt",
-"checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
-"is subset of": [
-"RSA-OAEP",
-"RSA-OAEP-256"
-]
-}
-]
+"in": "head",
+"is present": true,
+"check param": "HTTP/?\\d?\\.?\\d?\\s200"
 }
 ]
 }
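Review bot: The status-line check here uses the key `"check param"` with the regex `HTTP/?\\d?\\.?\\d?\\s200`, whereas the two token-response status tests earlier in this file express the identical check as `"check regex"`. If `check param` is interpreted as a literal parameter name rather than a pattern, the `\\d?` and `\\s` escapes will never match a real status line and the test fails regardless of the OP's behaviour; the line should read `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` for consistency with the other head checks. The test name would also read better as a question, e.g. "Is the HTTP status code of the UserInfo response 200".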
@@ -6836,15 +6944,15 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+"name": "Does entity configuration contain the exp parameter",
+"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
+"message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6853,10 +6961,8 @@
 "checks": [
 {
 "in": "payload",
-"check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
-"is subset of": [
-"A128CBC-HS256\" , \"A256CBC-HS512"
-]
+"check": "$.exp",
+"is present": "true"
 }
 ]
 }
@@ -6868,27 +6974,25 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+"name": "Does entity configuration contain the iat parameter",
+"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
+"message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
-{
-"in": "payload",
-"check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
-"is subset of": [
-"RS256\" , \"RS512"
-]
+{
+"in": "payload",
+"check": "$.iat",
+"is present": "true"
 }
 ]
 }
@@ -6900,15 +7004,15 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
+"name": "Does entity configuration contain the iss parameter",
+"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
+"message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6917,10 +7021,8 @@
 "checks": [
 {
 "in": "payload",
-"check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
-"is subset of": [
-"private_key"
-]
+"check": "$.iss",
+"is present": "true"
 }
 ]
 }
@@ -6932,15 +7034,15 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+"name": "Does entity configuration contain the jwks parameter",
+"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
+"message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6949,11 +7051,8 @@
 "checks": [
 {
 "in": "payload",
-"check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
-"is subset of": [
-"RSA-OAEP",
-"RSA-OAEP-256"
-]
+"check": "$.jwks",
+"is present": "true"
 }
 ]
 }
@@ -6965,15 +7064,15 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+"name": "Does entity configuration contain the metadata parameter",
+"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
+"message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -6982,10 +7081,8 @@
 "checks": [
 {
 "in": "payload",
-"check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
-"is subset of": [
-"A128CBC-HS256\" , \"A256CBC-HS512"
-]
+"check": "$.metadata",
+"is present": "true"
 }
 ]
 }
@@ -6997,15 +7094,15 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
+"name": "Does entity configuration contain the sub parameter",
+"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA RP",
+"message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -7014,11 +7111,8 @@
 "checks": [
 {
 "in": "payload",
-"check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
-"is subset of": [
-"RS256",
-"RS512"
-]
+"check": "$.sub",
+"is present": "true"
 }
 ]
 }
@@ -7030,15 +7124,15 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
+"name": "Does the OP's entity configuration contain the authority_hints parameter",
+"description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA SA",
+"message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -7047,10 +7141,8 @@
 "checks": [
 {
 "in": "payload",
-"check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
-"is subset of": [
-"automatic"
-]
+"check": "$.authority_hints",
+"is present": "true"
 }
 ]
 }
@@ -7062,15 +7154,15 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
+"name": "Does the OP's entity configuration contain the trust_marks parameter",
+"description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA SA",
+"message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
@@ -7079,10 +7171,8 @@
 "checks": [
 {
 "in": "payload",
-"check": "$.metadata_policy.openid_relying_party.response_types.value",
-"is subset of": [
-"code"
-]
+"check": "$.trust_marks",
+"is present": "true"
 }
 ]
 }
@@ -7094,28 +7184,25 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
+"name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
+"description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA SA",
+"message type": "Token response",
 "decode operations": [
 {
 "from": "body",
-"decode param": "[^\\r\\n]*",
+"decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
-"in": "payload",
-"check": "$.metadata_policy.intermediary.grant_types.subset_of",
-"is subset of": [
-"authorization_code",
-"refresh_toke"
-]
+"in": "header",
+"check": "$.alg",
+"is present": "true"
 }
 ]
 }
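Review bot: The new `"decode param": "(?<=\"access_token\": \")[^\"]+"` hard-codes exactly one space between the colon and the opening quote, so a token endpoint that emits compact JSON (`"access_token":"..."`) or any other whitespace yields no match and the `$.alg` check never runs against a real token; the earlier "valid access token" test in this file already tolerates this with `\\s?`, and the decode pattern should do the same: `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"` (or `\\s*` if the engine's lookbehind allows it). The five following hunks (the `kid`, `typ`, `aud`, `client_id` and `exp` access-token tests) copy the same decode param and need the same change. It would also be worth stating in the description that the extraction is regex-based and assumes the token is a compact JWS, since a non-JWT opaque token will make the decode step fail rather than the check.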
@@ -7127,28 +7214,25 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+"name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header",
+"description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA SA",
+"message type": "Token response",
 "decode operations": [
 {
 "from": "body",
-"decode param": "[^\\r\\n]*",
+"decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
-"in": "payload",
-"check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
-"is subset of": [
-"RSA-OAEP",
-"RSA-OAEP-256"
-]
+"in": "header",
+"check": "$.kid",
+"is present": "true"
 }
 ]
 }
@@ -7160,28 +7244,25 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+"name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header",
+"description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA SA",
+"message type": "Token response",
 "decode operations": [
 {
 "from": "body",
-"decode param": "[^\\r\\n]*",
+"decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
-"in": "payload",
-"check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
-"is subset of": [
-"A128CBC-HS256",
-"A256CBC-HS512"
-]
+"in": "header",
+"check": "$.typ",
+"is present": "true"
 }
 ]
 }
@@ -7193,28 +7274,25 @@
 },
 {
 "test": {
-"name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
-"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+"name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
+"description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
-"message type": "Entity Statement response TA SA",
+"message type": "Token response",
 "decode operations": [
 {
 "from": "body",
-"decode param": "[^\\r\\n]*",
+"decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
-"check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
-"is subset of": [
-"RS256",
-"RS512"
-]
+"check": "$.aud",
+"is present": "true"
 }
 ]
 }
@@ -7226,27 +7304,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
- ]
+ "check": "$.client_id",
+ "is present": "true"
 }
 ]
 }
@@ -7258,28 +7334,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -7291,28 +7364,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -7324,28 +7394,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -7357,28 +7424,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$.jti",
+ "is present": "true"
 }
 ]
 }
@@ -7390,28 +7454,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$.scope",
+ "is present": "true"
 }
 ]
 }
@@ -7423,21 +7484,27 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -7447,21 +7514,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.alg",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
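Review bot: The `alg` check only asserts presence, so an ID Token whose header carries `"alg": "none"` or an HMAC algorithm passes this test, even though the test name promises a 'correct' alg and the metadata test for `id_token_signing_alg_values_supported` later in this diff admits only RS256 and RS512. The check vocabulary already has `is in`, so the value can be pinned in place of the presence test: `"check": "$.alg", "is in": ["RS256", "RS512"]`. With that, the signature test on the ID Token further down is also protected against a verifier that trusts whatever algorithm the header names. The test object closes outside this hunk.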
@@ -7471,21 +7544,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
+ "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.kid",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -7495,24 +7574,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr_values",
+ "check": "$.acr",
 "is present": "true"
 }
 ]
@@ -7525,24 +7604,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications",
+ "name": "Does ID token payload contain the 'at_hash' parameter",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.at_hash",
 "is present": "true"
 }
 ]
@@ -7555,24 +7634,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.aud",
 "is present": "true"
 }
 ]
@@ -7585,24 +7664,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter",
- "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.",
+ "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.client_id",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -7615,24 +7694,24 @@
 },
 {
 "test": {
- "name": "Does the JWT header of the Authentication Request contain the kid parameter",
- "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.",
+ "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
+ "in": "payload",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -7645,24 +7724,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -7675,24 +7754,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.",
+ "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.nonce",
+ "check": "$.jti",
 "is present": "true"
 }
 ]
@@ -7705,24 +7784,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.prompt",
+ "check": "$.nonce",
 "is present": "true"
 }
 ]
@@ -7735,24 +7814,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",
+ "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.redirect_uri",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -7765,27 +7844,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",
+ "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.response_type",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "code"
 }
 ]
 }
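Review bot: `"contains": "code"` on the Location header is a plain substring test, so it is satisfied by any redirect whose URL happens to contain that text — an error redirect with `error_description=…code…`, or a redirect_uri path — and the same applies to `state` and `iss` in the next two hunks, where short tokens like `iss` are even more likely to occur by coincidence. Including the delimiter narrows the match without leaving the existing check vocabulary: `"contains": "code="`, `"contains": "state="`, `"contains": "iss="`. If the tool offers an anchored or regex match on header values, `[?&]iss=` would be tighter still; this check is the RFC 9207 issuer-identification safeguard, so a false pass here hides a real gap. The test object closes outside this hunk.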
@@ -7795,27 +7867,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain the 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
+ "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.scope",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "state"
 }
 ]
 }
@@ -7825,27 +7890,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
+ "name": "Does the OP contain iss parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.state",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "iss"
 }
 ]
 }
@@ -7855,27 +7913,21 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.ui_locales",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_OP"
 }
 ]
 }
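Review bot: The description says the public key 'must be taken from the Entity Statement of a superior', but the check verifies with `X_key_OP`, whose name suggests the OP's own key; in OpenID Federation an Entity Configuration is self-signed, so verifying with the OP's own federation key would be the right thing, but then the description is wrong. Either way the text should say what `X_key_OP` holds and where it is obtained, for example `… validated with the OP's own federation public key (X_key_OP, from the jwks of its Entity Configuration) …`. The test object closes outside this hunk.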
@@ -7885,27 +7937,21 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.",
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
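Review bot: The description says the signature is 'made using the OP's private key, in such a way to be decrypted using its public key'; a JWS signature is verified, not decrypted, and the wording invites readers to treat this as an encryption check. Suggest `The signature is produced with the OP's private key and verified with the corresponding public key`; the same sentence appears in the next hunk for the ID Token. It would also help to state what `X_key_core_OP` refers to, since the Entity Configuration test immediately before uses a differently named `X_key_OP`, and a reader cannot tell from the file whether the two are the same key material. The test object closes outside this hunk.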
@@ -7915,27 +7961,21 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
@@ -7945,25 +7985,29 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata.openid_provider.acr_values_supported[0]",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
 }
 ]
 }
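Review bot: The check reads `acr_values_supported[0]` with `is in`, so it only asserts that the first element is an allowed value and says nothing about the rest of the list, while the description claims the whole value is checked; the same `[0]` pattern is used in the following hunks for `code_challenge_methods_supported`, `grant_types_supported`, `id_token_encryption_alg_values_supported`, `id_token_encryption_enc_values_supported` and `id_token_signing_alg_values_supported`. For the signing-alg list in particular, a metadata value of `["RS256", "none"]` passes as written. The tests removed in this diff used `is subset of` on the whole array, which expresses the intent: `"check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", "is subset of": ["RS256", "RS512"]`. Separately, these hunks switch the key to `decode regex` while the Token-response hunks above keep `decode param` for the same kind of regex; unless the tool accepts both spellings, one group of tests is silently not decoding anything, so the key should be unified. The test object closes outside this hunk.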
@@ -7975,25 +8019,27 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
+ "is in": [
+ "S256"
+ ]
 }
 ]
 }
@@ -8005,25 +8051,28 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata.openid_provider.grant_types_supported[0]",
+ "is in": [
+ "refresh_token",
+ "authorization_code"
+ ]
 }
 ]
 }
@@ -8035,25 +8084,28 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -8065,25 +8117,28 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -8095,25 +8150,28 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -8125,25 +8183,27 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } 
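Review bot: The expected issuer is the literal string `X_url_OP`; if the harness does not substitute this placeholder before the test runs, the check can never succeed, and nothing in the JSON says it is a placeholder. The description should at least say so, e.g. `... is checked to be the URL of the OP (the placeholder X_url_OP must be replaced with the OP's entity identifier before running)`. Whether a substitution step exists is not visible in this hunk.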
@@ -8155,25 +8215,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -8185,25 +8248,27 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } 
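Review bot: The name promises a check of the correct value of token_endpoint_auth_methods_supported and the check does assert `private_key_jwt`, but the description only says that the presence of the parameter is checked. Suggest `... the value of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'private_key_jwt'.` The hunk at @@ -8275 (client_registration_types_supported, expected `automatic`) has the same name/description mismatch.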
@@ -8215,25 +8280,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -8245,25 +8313,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
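Review bot: The description reads `is checked to ['RS256', 'RS512']` where the sibling tests say `is checked to be ...`; a word was dropped. These descriptions end up in the report, so I would restore it: `... in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].`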
@@ -8275,25 +8346,27 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" + ] } ] } 
@@ -8305,21 +8378,30 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] + } + ] } ] } 
@@ -8329,20 +8411,29 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] + } + ] } ] } 
@@ -8352,20 +8443,29 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] + } + ] } ] } 
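Review bot: This is the only openid_provider check in the series whose path addresses the array itself (`$.metadata.openid_provider.revocation_endpoint_auth_methods_supported`, no `[0]`) while its neighbours use `[0]`. If `is in` compares a single scalar, the whole array will never match and the test always fails; if it evaluates element-wise, the neighbours should be written the same way. Please confirm which semantics the checker implements and make the series consistent; the description also lacks the `is checked to be` wording used elsewhere.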
@@ -8375,20 +8475,32 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] + } + ] } ] } 
@@ -8398,20 +8510,29 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] + } + ] } ] } 
@@ -8421,20 +8542,30 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] + } + ] } ] } 
@@ -8444,20 +8575,30 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -8467,20 +8608,30 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } 
@@ -8490,20 +8641,31 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] + } + ] } ] } 
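Review bot: The decode regex `(?<=\"id_token\": \")[^\"]+` requires exactly one space after the colon, so a minified Token Response (`"id_token":"..."`) is not decoded and the test silently checks nothing; `"decode regex": "(?<=\"id_token\": ?\")[^\"]+"` tolerates both forms and keeps the look-behind bounded. Separately, the description states that the acr must be equal or superior to the one requested by the RP, but the check only verifies membership in the three SPID levels; the description should say that the comparison against the Authentication Request is not performed here, or that part of the test should be split out.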
@@ -8513,20 +8675,21 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "checks": [ { - "in": "body", - "is present": true, - "check regex": "token" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } @@ -8536,20 +8699,21 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "UserInfo response", "checks": [ { - "in": "url", - "is present": true, - "check": "POST" + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } 
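Review bot: In the second hunk the name `Does the Content-Type of the UserInfo response set to 'application/jwt'` is ungrammatical and the description carries a trailing space inside the string; suggest `Is the Content-Type of the UserInfo response set to 'application/jwt'` and `The Content-Type of the UserInfo response must be set to 'application/jwt'`. If the `is` comparison is an exact match, a response whose header also carries a parameter (such as a charset) would fail this test; I cannot tell from this file how `is` matches header values.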
@@ -8559,20 +8723,33 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpC
cxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
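Review bot: This hunk keeps `"decode param": "[^\\r\\n]*"` while every other decode operation rewritten in this commit switched to `"decode regex"`; if the key was renamed in the tool, these UserInfo tests (also @@ -8582, @@ -8605, @@ -8628 and the following one) will no longer decode anything. The RSA private key used for `jwe decrypt` is pasted inline as a PEM string and duplicated verbatim in each of these tests, so it now lives in version control and any rotation means editing every copy; a reference to a key file or a single shared fixture would be safer and easier to keep in sync. After `jwe decrypt` it is also not clear from the JSON whether `"in": "header"` inspects the JWE header or the inner JWS header; the HS256/HS384/HS512 deny-list only makes sense for the latter, while the description talks about the JWE's alg, so the description should name the header actually checked.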
@@ -8582,20 +8759,28 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8
lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.cty", + "is": "JWT" + } + ] } ] } 
@@ -8605,20 +8790,28 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1ht
iB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } 
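Review bot: `"is present": "true"` is a string here, whereas the checks written directly under `checks` elsewhere in this file use the boolean `true` (see the removed lines at @@ -8329); if the checker compares against the boolean, the string form is never equal and the outcome depends on how the key is parsed. Use one type consistently, e.g. `"is present": true`, unless the tool documents that the string form is accepted. The same string form appears in the hunk at @@ -8628.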
@@ -8628,20 +8821,28 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaM
W7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.cty", + "is present": "true" + } + ] } ] } 
@@ -8651,20 +8852,28 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDig
Yh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.enc", + "is present": "true" + } + ] } ] } 
@@ -8674,20 +8883,28 @@ }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2u
ke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } @@ -8697,20 +8914,32 @@ }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
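Review bot: The description of the Access Token test says an absent `alg` header makes the token non-compliant, but the only check is `is not in`, and whether that fails when `$.alg` is missing depends on how the tool evaluates a JSONPath that resolves to nothing. Add an explicit `{"in": "header", "check": "$.alg", "is present": "true"}` entry next to it; the ID Token test in the next hunk (`@@ -8720`) has the same gap. A denylist of `none` plus the HS* family is also the weaker shape for this control: an `is in` allowlist of the signature algorithms the federation actually permits (the metadata tests elsewhere in this file used `RS256`/`RS512`) rejects every unexpected algorithm, not just the four listed. The lookbehind `(?<="access_token": ")` additionally assumes exactly one space after the colon, so a compact-serialized token response is never decoded and the outcome then depends on how the tool reports an empty decode rather than on the token. Minor: `than` in the description should read `then`.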
@@ -8720,20 +8949,32 @@ }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -8743,20 +8984,29 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } @@ -8766,20 +9016,20 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "message type": "Introspection request", "checks": [ { "in": "body", - "is present": true, - "check regex": "grant_type" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
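Review bot: The value in the `not contains` list is spelled `RSA_1_5`, but the JWA identifier for RSAES-PKCS1-v1_5 is `RSA1_5` (RFC 7518), so this check can never match and an RP advertising `RSA1_5` for `id_token_encrypted_response_alg` passes. Change the entry to `"RSA1_5"`. Since the purpose is to exclude the one key-wrap algorithm with known padding-oracle weaknesses, an `is in` allowlist of the permitted values (this file previously carried `RSA-OAEP` and `RSA-OAEP-256`) would also catch any other unexpected identifier.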
@@ -8789,8 +9039,8 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" @@ -8801,8 +9051,8 @@ "checks": [ { "in": "body", - "is present": true, - "check regex": "token" + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } @@ -8812,20 +9062,20 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", + "message type": "Token request", "checks": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
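Review bot: The `json schema compliant` string in the token-request hunk (`@@ -8812`) ends with `]})` — the stray `)` after the closing brace makes the embedded schema invalid JSON, so the check will error out or be skipped instead of validating `client_id`. Remove it so the value ends `\"required\":[\"client_id\"]}`, matching the identical schema in the introspection and revocation hunks above. Across all three schemas, `\"format\":\"uri\"` is only an annotation unless the validator is run with format assertion enabled, so `\"pattern\":\"^https://\"` is the part that actually enforces the HTTPS requirement; keep the pattern even if format is dropped. The closing of each test object (its `result` entry) lies outside these hunks.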
@@ -8835,25 +9085,33 @@ }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\n\\r]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } 
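Review bot: The `is in` list for `$.acr_values` accepts each combination in exactly one ordering (`SpidL1 SpidL2` but not `SpidL2 SpidL1`), so an RP that lists the same levels in a different order fails although the description only requires space-separated supported values. The `prompt` test in the next hunk (`@@ -8865`) has the same shape: `consent login` is accepted but `login consent` is not. If mig-t offers a regex check on a decoded claim, a pattern over the three URIs would be order-independent; otherwise add the remaining permutations, or state in the description that the order is mandated. Both descriptions also say a missing parameter is non-compliant, while whether `is in` fails on an absent path is tool-dependent — an explicit `is present` check removes the ambiguity.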
@@ -8865,25 +9123,28 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } 
@@ -8895,68 +9156,33 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. 
So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ - { - "message type": "Token request", - "checks": [ - { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" + { + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] + } ] } ] 
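Review bot: The `is in` list for `$.scope` omits the combinations carrying both `profile` and `email` (`openid profile email`, `openid offline_access profile email`), although the description says each of `offline_access`, `profile` and `email` may optionally be appended, so a request that asks for both is rejected. The list also pins the order of the space-separated tokens, which the description does not require. The test object continues outside this hunk (its `result` entry is not visible).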
@@ -9447,123 +9673,8 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection request", - "checks": [ - { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection request", - "checks": [ - { - "in": "body", - "check": "client_id", - "is": "X_url_RP" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Revocation request", - "checks": [ - { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", - "type": 
"passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token request", - "checks": [ - { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token request", - "checks": [ - { - "in": "body", - "check": "client_id", - "is": "X_https_RP" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" 
@@ -9571,34 +9682,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ - { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection request", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" + } + ] } ] } 
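Review bot: The decode operation here uses the key `decode regex` for the `[^\\r\\n]*` extractor, whereas the hunks earlier in this file (for example `@@ -8743`, the `id_token_encrypted_response_alg` test) use `decode param` for the very same value, and the following hunks (`@@ -9608`, `@@ -9631`, `@@ -9654`, `@@ -9677`, `@@ -9700`, `@@ -9723`) repeat `decode regex`. Unless mig-t accepts both spellings, one of the two groups decodes nothing and its `is present` check reports a result for the wrong reason. Align on whichever key the tool documents, e.g. `"decode param": "[^\\r\\n]*"` if that is the one the earlier tests rely on. This hunk starts mid-test (at `"operations"`), so the test's name and description are in the hunk above.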
@@ -9608,20 +9703,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" + } + ] } ] } 
@@ -9631,20 +9733,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" + } + ] } ] } 
@@ -9654,20 +9763,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" + } + ] } ] } @@ -9677,20 +9793,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" + } + ] } ] } 
@@ -9700,20 +9823,27 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" + } + ] } ] } @@ -9723,20 +9853,27 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" + } + ] } ] } 
@@ -9746,8 +9883,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -9763,10 +9900,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" } ] } @@ -9778,8 +9913,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -9795,11 +9930,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" } ] } 
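Review bot: The new tests at `@@ -9763` and `@@ -9795` only check that `id_token_encrypted_response_enc` and `redirect_uris` are present; a presence check accepts any value, so an RP advertising an encryption algorithm the federation does not permit, or a non-HTTPS redirect URI, still passes. The same pattern continues in the hunks at `@@ -9828`, `@@ -9861`, `@@ -9894`, `@@ -9927`, `@@ -9959`, `@@ -9992`, `@@ -10025` and `@@ -10058`, which cover `grant_types`, `jwks`, `signed_jwks_uri`, `id_token_signed_response_alg`, `logo_uri`, `organization_name` and `policy_uri`. If the value constraints now live in the per-test files this patch adds, that is fine; otherwise each presence test needs a companion value check, e.g. `"check": "$.metadata.openid_relying_party.id_token_signed_response_alg", "is in": ["RS256", "RS512"]`. Whether `is present` counts a key set to `null` or an empty array as present is also worth confirming against the tool, since `"redirect_uris": []` should not satisfy this test.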
@@ -9811,8 +9943,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -9828,11 +9960,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } @@ -9844,8 +9973,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -9861,11 +9990,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } 
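Review bot: The `grant_types` presence test introduced at `@@ -9811` duplicates the one already added at `@@ -9677` (same message type, JSONPath and check), and the `jwks` presence test at `@@ -9844` is repeated at `@@ -9942` with only a longer description. Duplicate tests double runtime and produce two results for one property; keep one of each. The only wording difference between the two `jwks` tests is the sentence `If it is absent, than the RP is not compliant with the specification`, where `than` should read `then`.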
@@ -9877,8 +10003,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -9894,11 +10020,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "is present": "true" } ] } @@ -9910,8 +10033,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -9927,10 +10050,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is present": "true" } ] } 
@@ -9942,8 +10063,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9959,11 +10080,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.metadata.openid_relying_party.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -9975,8 +10093,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
+ "name": "Does the RP metadata contain the logo_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -9992,11 +10110,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
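Review bot: The test added in `@@ -9942`, `Does the RP metadata contain the 'jwks' parameter`, duplicates the one added in `@@ -9844` above: same name, same `"check": "$.metadata.openid_relying_party.jwks"`, same `"is present": "true"`, only the description differs. One of the two should be dropped, or the second renamed to whatever it is meant to add. The surviving description also has a typo, `than` for `then` in `If it is absent, than the RP is not compliant`.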
@@ -10008,8 +10123,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",
+ "name": "Does the RP metadata contain the organization_name claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10025,11 +10140,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -10041,8 +10153,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain in the 'response_types' the value 'code'",
- "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'",
+ "name": "Does the RP metadata contain the policy_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10058,10 +10170,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types[0]",
- "is in": [
- "code"
- ]
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -10073,8 +10183,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
+ "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10085,15 +10195,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
+ "is present": "true"
 }
 ]
 }
@@ -10105,20 +10213,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain correct type of client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10128,20 +10243,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain correct type of client_id of the RP making the request",
- "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10151,20 +10273,27 @@
 },
 {
 "test": {
- "name": "Does the client_id in the token request contain an HTTPS URL",
- "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL",
+ "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10174,8 +10303,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.",
+ "name": "Does the RP metadata contain the 'response_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10191,7 +10320,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
+ "check": "$.metadata.openid_relying_party.response_types",
 "is present": "true"
 }
 ]
@@ -10204,8 +10333,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'client_registration_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.",
+ "name": "Does the RP metadata contain correct value of 'client_id' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10216,13 +10345,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_registration_types",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.client_id",
+ "is": "x_https_RP"
 }
 ]
 }
@@ -10234,8 +10363,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the contacts claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does entity configuration RP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10246,13 +10375,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_url_RP"
 }
 ]
 }
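Review bot: The hunks `@@ -10216` and `@@ -10246` change `"decode regex": "[^\\r\\n]*"` back to `"decode param"`, which is the opposite of the fix made in `@@ -10085` and inconsistent with every other decode operation in view (`@@ -10105` through `@@ -10174` use `"decode regex"` for this pattern, and `"decode param"` elsewhere carries a parameter name such as `"request"`). Unless the tool accepts a regex under both keys, these two tests will not decode the Entity Configuration at all; I would keep `"decode regex": "[^\\r\\n]*"` in both. The expected client_id value `"x_https_RP"` in `@@ -10216` is also lower-case while the same placeholder is spelled `"X_https_RP"` in `@@ -10384` and `"X_url_RP"` in `@@ -10246` and `@@ -10294`; if these are substituted placeholders, the lower-case one will presumably be compared literally and never match. The `sub`-equals-`iss` promise in the `@@ -10234` description is likewise not what the check does: it compares `$.sub` with a fixed placeholder, not with `$.iss`.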
@@ -10264,27 +10393,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Introspection Request contain correct type of client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
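Review bot: The description in `@@ -10264` states the expected `client_assertion_type` as `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` (hyphen missing) while the check compares against `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the same slip is in `@@ -10324` and appears as `jwtbearer` in `@@ -10354`. Descriptions are what a reader of a failed test sees, so they should quote exactly the value the check enforces, `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.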
@@ -10294,27 +10416,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the grant_types claim",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked",
+ "name": "Does the Introspection Request contain correct client id of the RP making the request",
+ "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check": "client_id",
+ "is": "X_url_RP"
 }
 ]
 }
@@ -10324,27 +10439,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the homepage_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Revocation Request contain correct client_assertion_type",
+ "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
@@ -10354,27 +10462,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.",
+ "name": "Does the client_assertion_type parameter in the token request contain the correct type",
+ "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
@@ -10384,27 +10485,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.",
+ "name": "Does the client_id in the token request identifies the RP",
+ "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check": "client_id",
+ "is": "X_https_RP"
 }
 ]
 }
@@ -10414,8 +10508,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'redirect_uris' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10423,18 +10517,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.redirect_uris",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -10444,8 +10531,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'grant_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10453,18 +10540,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
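Review bot: The test added in `@@ -10444`, `Does the Entity expose the /.well-known/openid-federation endpoint`, runs exactly the same check as the one in `@@ -10414` (`"in": "head"`, `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`) although its description says the entity configuration itself is expected as the response. As written the two tests cannot fail independently, so the second adds no signal; it should look at the body (for example the compact-JWS regex used in `@@ -10474`) or at the `Content-Type` header rather than repeat the status-line check.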
@@ -10474,8 +10554,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -10483,18 +10563,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
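Review bot: The body regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` in `@@ -10483` rejects a valid compact JWS whose header or payload segment contains `-`, because `\\w` covers `_` but not `-` and base64url uses both; and since the check is unanchored it can still match some other dotted substring, so it is unreliable in both directions. The same segment classes recur in `@@ -10504`, `@@ -10594`, `@@ -10624` and `@@ -10684`, and `@@ -10564` is stricter still with `([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)`; one consistent form such as `([\\w\\-=]+)\\.([\\w\\-=]+)\\.([\\w\\-=]*)` would serve all of them. The description here also promises a `Content-Type: application/entity-statement+jwt` check that this hunk does not perform; either add a head check for that media type or trim the description to what is tested.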
@@ -10504,27 +10577,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.",
+ "name": "Does the Introspection Request contain correct type token",
+ "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.signed_jwks_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -10534,27 +10600,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
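Review bot: The body regex in `@@ -10534`, `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`, starts with an unescaped `[`, so a regex engine reads `[\\s*\"[^\"]` as a single character class and the pattern degenerates to roughly `"…"]` at end of input instead of a JSON string array; the opening bracket was presumably meant to be `\\[`. Independently of that, a resolve response under the current OpenID Federation draft is a signed JWT (`application/resolve-response+jwt`) rather than a JSON array, so even the corrected pattern is unlikely to match; a compact-JWS check like the one in `@@ -10474` fits the description's "resolved metadata" better. The "HTTP 200 OK" expectation in the description is also not checked anywhere in this hunk.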
@@ -10564,27 +10623,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
+ "name": "Does the Revocation Request contain correct type of client assertion",
+ "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -10594,27 +10646,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Revocation Request contain correct type of token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -10624,27 +10669,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the organization_name claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the client_assertion in the token request contain a JWT",
+ "description": "The client_assertion parameter in the token request sent by the RP must be a JWT",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -10654,27 +10692,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the policy_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the token request use HTTP POST",
+ "description": "The token request sent by the RP must be sent in HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "POST",
+ "is present": "true"
 }
 ]
 }
@@ -10684,27 +10715,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
+ "name": "Does the RP contain a valid Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "UserInfo request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
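Review bot: `"check regex": "POST"` on `head` in `@@ -10654` passes whenever the string POST appears anywhere in the request head (a header value, a path segment, a cookie), not only as the method; anchoring it to the request line, e.g. `"check regex": "^POST\\s"`, would make the test mean what its name says, assuming the tool applies the regex to the head as a multi-line string, which is not visible here. In `@@ -10684` the name promises "a valid Access Token" but the regex only checks that the Bearer value has three dot-separated segments; the wording should say "JWT-shaped", or the test should decode the token and check its claims.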
@@ -10714,27 +10738,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
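Review bot: `"is present": true` in `@@ -10714` is a JSON boolean, while every other presence check in view up to `@@ -10684` writes it as the string `"true"`; the boolean form continues through `@@ -10974`. Unless the test runner accepts both, one of the two spellings is silently ignored, and a check that is ignored tends to read as a pass rather than a failure; one spelling should be used for the whole file, and `"is present": "true"` is the one the earlier tests already use.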
@@ -10744,27 +10761,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
@@ -10774,27 +10784,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
+ "name": "Does the RP insert the client ID in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "client_id"
 }
 ]
 }
@@ -10804,27 +10807,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'response_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
+ "name": "Does the RP insert the response type in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "response_type"
 }
 ]
 }
@@ -10834,32 +10830,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "name": "Does the Introspection Request contain the client_assertion",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
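Review bot: `"check regex": "client_assertion"` in `@@ -10834` also matches the `client_assertion_type` parameter, so the test passes on an Introspection request that carries the type but no assertion; `"check regex": "token"` in `@@ -10974` likewise matches `token_type_hint` or any value containing the word. Anchoring on the parameter boundary, e.g. `"check regex": "(^|&)client_assertion="` and `"check regex": "(^|&)token="`, keeps each test to what its name claims; the `client_assertion_type` and `client_id` regexes in `@@ -10869` and `@@ -10936` are less exposed but would benefit from the same form.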
@@ -10869,29 +10853,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
+ "name": "Does the Introspection Request contain the client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is not in": [
- "RSA_1_5"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -10901,32 +10876,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
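Review bot: The test in `@@ -10901` is named "client_assertion as a valid JWT" and described as checking "a signed JWT structure", but its only check is `"check regex": "client_assertion"`, the same presence check as `@@ -10834` two hunks earlier, so the two tests can never disagree. To check the shape it should use the compact-JWS form the Revocation test in `@@ -10564` already uses, e.g. `"check regex": "client_assertion=([\\w\\-=]+)\\.([\\w\\-=]+)\\.([\\w\\-=]*)(?:&|$)"`; a real signature check would need a decode operation, which no hunk in view performs for this request.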
@@ -10936,35 +10899,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -10974,30 +10922,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
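Review bot: The regex `token` in the final check matches any body containing that substring, including `token_type_hint=...`, which an introspection request may carry without the mandatory `token` parameter, so this test cannot fail for the case it is meant to catch. Anchor it to the parameter name: `"check regex": "(^|&)token="`. The same unanchored pattern is reused for the revocation tests later in this diff.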
@@ -11007,34 +10945,20 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
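Review bot: The last check looks for the string `POST` with `"in": "url"`, but the HTTP method is not part of the request URL, so as written the test would fail for a compliant RP (or pass for any endpoint whose URL happens to contain `POST`) unless the mig-t engine treats `url` as the whole request line; please confirm. If the check language can address the method (request line or a dedicated field), use that; if it cannot, the test should state that it is not enforceable passively rather than keep a check that does not test the method. The description "The Introspection request made by the RP use HTTP POST" also wants "uses".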
@@ -11044,32 +10968,20 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
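Review bot: The regex `client_assertion` in the final check is also matched by `client_assertion_type`, so a revocation request that carries the type but omits the assertion itself still passes, which defeats the purpose of the test. Anchor the match to the parameter name, `"check regex": "(^|&)client_assertion="`, and consider also requiring the compact-JWS shape as suggested for the introspection test. The same pattern is reused for the token request test later in this diff.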
@@ -11079,21 +10991,20 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_RP" + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -11103,21 +11014,20 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "jwt check sig": "X_key_core_RP" + "in": "body", + "is present": true, + "check regex": "client_id" } ] } @@ -11127,34 +11037,20 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
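Review bot: In the second hunk the regex `token` also matches `token_type_hint`, a parameter RFC 7009 lets the client send alongside `token`, so a revocation request missing the actual token still passes. Use `"check regex": "(^|&)token="` so only the parameter name is matched. The `client_id` check in the first hunk is not affected, since no other parameter in this request starts with that name.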
@@ -11164,34 +11060,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } @@ -11201,34 +11083,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
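Review bot: Both descriptions on this line say the parameter must be present "in the URL", while the checks inspect `"in": "body"`; the checks are the correct ones, since the token request is a form-encoded POST body, so the descriptions should say "in the request body" before someone "fixes" the check to match the text. Separately, the regex `client_assertion` in the first hunk is a prefix of `client_assertion_type`, so the first test passes whenever the second does; anchor it as `"check regex": "(^|&)client_assertion="`.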
@@ -11238,34 +11106,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } @@ -11275,34 +11129,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "code" } ] } 
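Review bot: In the second hunk the regex `code` is a prefix of `code_verifier` (and `code_challenge`), and the next test in this diff expects `code_verifier` in the same token request, so this test can never fail: the verifier's presence satisfies the `code` check even when no authorization code is sent. Anchor it as `"check regex": "(^|&)code="`. The `client_id` check in the first hunk does not have this problem.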
@@ -11312,34 +11152,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] } @@ -11349,34 +11175,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } 
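Review bot: The `code_verifier` check only establishes that the parameter name occurs; RFC 7636 §4.1 fixes the verifier's alphabet and length, so the same regex can enforce it, `"check regex": "(^|&)code_verifier=[A-Za-z0-9._~-]{43,128}(&|$)"`, which also catches a PKCE implementation that sends a too-short value. Likewise the `grant_type` check in the second hunk could pin the expected value, `(^|&)grant_type=authorization_code(&|$)`, since presence alone accepts any grant.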
@@ -11386,34 +11198,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
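Review bot: The description promises that after logout a revocation request exists "for only the access token", but the check is a substring match for `token` in the body of any Revocation request, so it establishes neither that the request follows the logout nor which token is revoked (a refresh-token revocation, or a bare `token_type_hint`, also matches). A passive test cannot order events, so the description should be narrowed to what is actually verified, and the regex anchored, `"check regex": "(^|&)token="`. If the engine can match the hint value, `token_type_hint=access_token` would get closer to the stated intent.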
@@ -11423,34 +11221,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] - } - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } 
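Review bot: The `Authorization` check verifies only that the header exists; an RP sending `Authorization: Basic ...` or an empty header passes, although the description requires an access token to be there. If `check regex` also applies to `"in": "head"` as it does to the body, pinning the scheme, e.g. `"check regex": "^Authorization:\\s*Bearer\\s+\\S+"`, would enforce RFC 6750 §2.1. I am not certain the header checks accept a regex in this engine, so please confirm before changing it.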
@@ -11460,32 +11244,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$.acr_values", + "is present": "true" } ] } 
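Review bot: The Authentication Request tests in this and the following hunks write `"is present": "true"` as a string, while the introspection and revocation tests added in the same commit use the JSON boolean `true`; if the engine compares the value strictly, one of the two forms is silently ignored, so they should agree, preferably on the boolean. The description's "than the RP is not compliant" should read "then".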
@@ -11497,32 +11274,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.aud", + "is present": "true" } ] } 
@@ -11534,32 +11304,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -11571,32 +11334,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.client_id", + "is present": "true" } ] } 
@@ -11608,32 +11364,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
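Review bot: The new check verifies only that the request-object header carries a `kid`; it says nothing about `alg`, so a request object signed with `none` or an HMAC algorithm passes here, and the `alg` check that previously covered this (on the removed side of an earlier hunk in this diff) does not reappear on the new side of this line. Unless it has been relocated elsewhere in this file, add a second entry to the same `checks` array: `{ "in": "header", "check": "$.alg", "is not in": ["none", "HS256", "HS384", "HS512"] }`.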
@@ -11645,32 +11394,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ - { - "message type": "Entity Statement response SA OP", - "decode operations": [ - { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + { + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -11682,32 +11424,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.nonce", + "is present": "true" } ] } 
@@ -11719,32 +11454,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$.prompt", + "is present": "true" } ] } 
@@ -11756,32 +11484,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.redirect_uri", + "is present": "true" } ] } 
@@ -11793,32 +11514,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.response_type", + "is present": "true" } ] } 
@@ -11830,32 +11544,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.scope", + "is present": "true" } ] } 
@@ -11867,32 +11574,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.state", + "is present": "true" } ] } 
@@ -11904,32 +11604,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.ui_locales", + "is present": "true" } ] } 
@@ -11941,32 +11634,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -11978,32 +11664,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
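Review bot: The Entity Configuration decode operation uses `"decode param": "[^\\r\\n]*"`, a regex value under the `decode param` key, while the same body extraction elsewhere in this file is written `"decode regex": "[^\\r\\n]*"`; unless mig-t also interprets `decode param` as a regex, the JWT is never extracted and the exp/iat/iss presence checks in this and the next two hunks do not run against the real payload. Please confirm the engine's behaviour or switch to `"decode regex": "[^\\r\\n]*"` for consistency with the other Entity Configuration tests.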
@@ -12015,32 +11694,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -12052,32 +11724,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -12089,32 +11754,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -12126,32 +11784,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -12163,32 +11814,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -12200,32 +11844,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the RP's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -12237,32 +11874,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does the signed JWT assertion contain the aud claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.aud",
+ "is present": "true"
 }
 ]
 }
@@ -12274,32 +11904,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does the signed JWT assertion contain the exp claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -12311,24 +11934,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the signed JWT assertion contain the iat claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -12341,24 +11964,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the signed JWT assertion contain the jti claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.jti",
 "is present": "true"
 }
 ]
@@ -12371,24 +11994,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the signed JWT assertion contain the sub claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -12401,24 +12024,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the JWT payload contain 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
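Review bot: The second hunk names its test "Does the JWT payload contain 'iss' claim", which breaks the naming used by the five sibling client_assertion tests in L4508–L4511 ("Does the signed JWT assertion contain the X claim") and hides which message is being inspected when the results are listed. Rename it to `"name": "Does the signed JWT assertion contain the iss claim"` so the whole family sorts and reads together. The description already says the check is on the client_assertion of the Token request, so only the name needs to change.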
@@ -12431,26 +12054,22 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the token request contain a correct grant_type parameter",
+ "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata",
- "is present": "true"
- }
+ "in": "body",
+ "check regex": "(?<=grant_type=)([^&]+)",
+ "is in": [
+ "authorization_code",
+ "refresh_token"
 ]
 }
 ]
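Review bot: The description says the grant_type parameter is read from "the URL of the token request", but the check is `"in": "body"` with a regex over the form-encoded body, which is where a POST token request carries it. Align the text with the check: `"description": "The grant_type parameter in the body of the token request sent by the RP must be set to authorization_code or to refresh_token. ..."`. Also worth stating in the description that the captured value is compared as-is (no URL decoding), which is fine for these two values but would matter if the allowed list is ever extended to values containing reserved characters.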
@@ -12461,25 +12080,30 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
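Review bot: The `is not in` denylist on `id_token_signed_response_alg` is fully implied by the `is in` allowlist on the same JSONPath at L4522 (likewise L4514 vs L4524 and L4515 vs L4526): any value that passes the allowlist necessarily passes the denylist. If the denylist tests are kept on purpose, to give a more specific failure when a symmetric or `none` algorithm is advertised, the description should say so; otherwise they are dead weight in the suite. It is also not visible from the hunk what `is not in` reports when the parameter is absent from the metadata, and since absence and a forbidden value are different findings, the expected outcome for a missing parameter should be documented in the description.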
@@ -12491,25 +12115,27 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain the trust marks",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
+ "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is not in": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -12521,25 +12147,30 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -12551,27 +12182,21 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_RP"
 }
 ]
 }
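Review bot: The description promises that the public key "must be taken from the Entity Statement of a superior", but the check is `"jwt check sig": "X_key_RP"`, a key pinned in the runner's configuration, so the test proves the Entity Configuration is signed by the configured key and not that the trust chain resolves to it. The description should say which property is actually tested, e.g. `"... the signature is verified against the RP public key configured in the runner as X_key_RP; resolution of the key through the superior's Entity Statement is not performed by this test"`. The description also says the verifier is "configured for the algorithm described in the Entity Configuration Header"; since the header is attacker-controlled input, it is worth confirming (and stating) that the verifier rejects `none` and any algorithm family that does not match the configured key type rather than following the header blindly.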
@@ -12581,27 +12206,21 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the client_assertion in the token request have a correct signature",
+ "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_core_RP"
 }
 ]
 }
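Review bot: The description ("must be a JWT with a signature") undersells what the check does: `"jwt check sig": "X_key_core_RP"` verifies the signature against a specific configured key, and that key differs from the `X_key_RP` used for the Entity Configuration at L4516. Since a reader of the report cannot tell from the hunk why two different RP keys exist, the description should name the key and its role, e.g. `"description": "The client_assertion JWT in the token request sent by the RP is extracted from the body and its signature is verified against the RP key configured as X_key_core_RP"`. If the two identifiers are meant to be the RP's separate federation and OIDC core key sets, saying so here would save the next maintainer from "fixing" them to the same key.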
@@ -12611,25 +12230,27 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the RP metadata contain correct 'client_registration_types' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.client_registration_types[0]",
+ "is in": [
+ "automatic"
+ ]
 }
 ]
 }
@@ -12641,25 +12262,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the RP metadata contain correct grant_types claim",
+ "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.grant_types[0]",
+ "is in": [
+ "authorization_code",
+ "refresh_token"
+ ]
 }
 ]
 }
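Review bot: The JSONPath `$.metadata.openid_relying_party.grant_types[0]` inspects only the first array element, so the check passes for `["refresh_token"]` alone and never looks at the second value, while the description claims the parameter "contains 'authorization_code' and 'refresh_token'". The same index-zero pattern is used for `client_registration_types[0]` at L4518 and `response_types[0]` at L4527, where an array such as `["code", "token"]` would pass the "contains the value 'code'" test even though it also advertises a response type the test is presumably meant to exclude. If the runner can evaluate a JSONPath over the whole array (for example `$.metadata.openid_relying_party.grant_types[*]`) with an operator that checks every element, use that; otherwise weaken the descriptions to what is actually verified, e.g. `"... the first element of the 'grant_types' parameter is 'authorization_code' or 'refresh_token'"`.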
@@ -12671,25 +12295,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -12701,25 +12328,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -12731,25 +12361,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -12761,25 +12394,27 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
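Review bot: The description's phrase "is 'one_of': 'private_key_jwt'" reads like a leftover from a metadata-policy operator and does not describe the check, which is a plain `is in` with a single allowed value. Reword it to `"description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter must be 'private_key_jwt'"`. The sibling at L4525 has the same kind of drift: it says "the presence of the 'userinfo_encrypted_response_enc' parameter is [...]" while the check compares the value, so "presence" should become "value" there.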
@@ -12791,25 +12426,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -12821,25 +12459,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -12851,25 +12492,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -12881,25 +12525,27 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the RP metadata contain in the 'response_types' the value 'code'",
+ "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.response_types[0]",
+ "is in": [
+ "code"
+ ]
 }
 ]
 }
@@ -12911,27 +12557,21 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
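Review bot: `"is": "application/entity-statement+jwt"` on the `Content-Type` header is an exact comparison (assuming mig-t's `is` is string equality), so a server that returns `application/entity-statement+jwt; charset=utf-8`, a legal media-type parameter, fails the test while being compliant. If the engine supports `check regex` on headers, as the removed HTTP-200 test used, a pattern such as `"check regex": "^application/entity-statement\\+jwt(\\s*;.*)?$"` would accept parameters without loosening the media type itself.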
@@ -12941,25 +12581,30 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
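Review bot: The `alg` check on the `request` JWT is a denylist (`none`, `HS256`, `HS384`, `HS512`), so anything not listed passes, including case variants such as `None`/`NONE` that lenient JWT libraries accept, non-standard symmetric identifiers, or any other weak algorithm, while the metadata-policy tests in this same change admit only `RS256`/`RS512`. Prefer an allowlist: `"is in": ["RS256", "RS512"]`, which also rejects the symmetric and `none` cases. Note the test reads `request` from the URL only, so a request object passed by reference (`request_uri`) or a POSTed authentication request is not covered by this check.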
@@ -12971,15 +12616,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -12988,8 +12633,12 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
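Review bot: The path `$.metadata_policy.intermediary.acr_values_supported.subset_of` addresses an entity-type key `intermediary`, but a federation `metadata_policy` is keyed by entity type (`openid_provider` here, which is what the description says and what the token_endpoint_auth_methods_supported test in this file uses); with this path the check never reaches the real policy and its outcome depends only on how the tool treats a missing node. Use `"check": "$.metadata_policy.openid_provider.acr_values_supported.subset_of"`. Separately, `is subset of` is satisfied by an empty or partial list (e.g. `["https://www.spid.gov.it/SpidL1"]`), whereas the description demands all three SPID levels, so either the wording or the operator should be tightened to an equality check if the tool has one.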
@@ -13000,22 +12649,30 @@ } }, { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "test": { + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" + ] + } + ] } ] } 
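Review bot: `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of` uses the same non-existent `intermediary` entity-type key as the other TA OP tests; the description names `openid_provider`, so the path should be `$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of`. Also, `is subset of` against `["S256"]` is satisfied by a policy of `"subset_of": []`, which would forbid PKCE entirely rather than mandate S256; the description's "must be valued as ['S256']" calls for an equality check, not a subset one.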
@@ -13025,15 +12682,15 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13042,8 +12699,11 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" + ] } ] } 
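Review bot: The JSONPath `$.metadata_policy.intermediary.grant_types_supported.subset_of` will not find the OP policy, since `intermediary` is not an entity type key; per the description it should be `$.metadata_policy.openid_provider.grant_types_supported.subset_of`. With `is subset of`, a policy of `["authorization_code"]` alone (or `[]`) also passes; that is stricter than the profile and arguably acceptable, but then the description's "must be valued as ['refresh_token', 'authorization_code']" overstates what the test proves, so either the check or the wording should be aligned.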
@@ -13055,20 +12715,30 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
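Review bot: The description says the policy must carry `subset_of`, but the path checks `.one_of` on `id_token_encryption_enc_values_supported`; that OP parameter is an array, and in federation metadata policies `subset_of` is the operator for array-valued parameters while `one_of` applies to single values, so a correct policy would not have the key this test looks for. Combined with the `intermediary` key (the description names `openid_provider`), the suggested path is `$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported.subset_of`.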
@@ -13078,20 +12748,30 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] + } + ] } ] } 
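Review bot: `$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` starts with the recursive-descent `$..`, unlike every other check in this file; it matches the key at any depth, so a same-named node anywhere else in the statement could satisfy the test instead of the top-level policy. The operator also disagrees with the description (`one_of` in the path, `subset_of` in the text; the array parameter takes `subset_of`), and the entity-type key should be `openid_provider`. Suggested: `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of"`.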
@@ -13101,26 +12781,28 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
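Review bot: This hunk drops the "Does the SA correctly sign the Trust marks" test, the only `jwt check sig` against `X_key_SA` visible in this range, and puts a metadata-policy value check in its place; the diffstat touches many files, so the signature test may have been re-homed, but if it was not, the suite loses its only cryptographic verification of trust marks and keeps only structural checks. The new check itself has the `intermediary` path problem shared by the other TA OP tests: the description names `openid_provider`, so it should read `$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported.subset_of`.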
@@ -13132,26 +12814,28 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } 
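Review bot: `$.metadata_policy.intermediary.response_modes_supported.subset_of` addresses a non-existent `intermediary` entity type; the description correctly says the parameter lives under `openid_provider`, so the path should be `$.metadata_policy.openid_provider.response_modes_supported.subset_of`. Also, this replaces the second copy of the trust-mark signature test, so the SA/RP trust-mark signing path is no longer exercised anywhere in this range unless it was moved to another file in the same change.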
@@ -13163,15 +12847,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13180,8 +12864,10 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } 
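Review bot: The description says the policy must contain the key `one_of` valued `['code']`, but the path checks `.subset_of`; since `response_types_supported` is an array parameter, `subset_of` is the applicable policy operator and the description is the side to fix. The path also needs the real entity-type key: `$.metadata_policy.openid_provider.response_types_supported.subset_of` rather than `intermediary`.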
@@ -13193,15 +12879,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13210,8 +12896,10 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
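Review bot: Description and path disagree again: the text says `one_of` valued `['private_key_jwt']`, the check reads `.subset_of`; `revocation_endpoint_auth_methods_supported` is an array, so `subset_of` is the right operator and the description should say so. Replace the `intermediary` segment with `openid_provider` as well: `$.metadata_policy.openid_provider.revocation_endpoint_auth_methods_supported.subset_of`. Note that `is subset of` also passes on an empty `subset_of` list, which would leave the OP with no permitted revocation auth method.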
@@ -13223,15 +12911,15 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13240,8 +12928,13 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
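Review bot: `$.metadata_policy.intermediary.scopes_supported.subset_of` will not reach the OP policy because `intermediary` is not a metadata-policy entity type; use `$.metadata_policy.openid_provider.scopes_supported.subset_of` as the description implies. With `is subset of`, a policy that omits `openid` (or is empty) still passes; if the intent is that `openid` must always be permitted, an explicit `contains`/equality style check on that value would be needed in addition.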
@@ -13253,25 +12946,27 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } 
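Review bot: The description for `subject_types_supported` asks for `one_of` valued `['pairwise']`, while the check path reads `.subset_of`; the parameter is an array, so `subset_of` is the operator a compliant TA would use and the description should be corrected. As with the other TA OP tests, the entity-type segment should be `openid_provider`, i.e. `$.metadata_policy.openid_provider.subject_types_supported.subset_of`, otherwise the check never sees the policy.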
@@ -13283,15 +12978,15 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13300,8 +12995,10 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
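Review bot: This is the only TA OP policy test in the hunk set whose path uses the real entity-type key, `$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`; the sibling tests use `intermediary` and should be brought in line with this one. Within this test the description still says the key must be `one_of` valued `['private_key_jwt']` while the path checks `.subset_of`; the array parameter takes `subset_of`, so fix the description rather than the path.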
@@ -13313,25 +13010,28 @@ }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
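Review bot: The path checks `.one_of` on `token_endpoint_auth_signing_alg_values_supported` while the description requires `subset_of`; the parameter is an array, so `subset_of` is the operator a correct policy carries and the `.one_of` lookup will miss it. Together with the `intermediary` entity-type key the suggested check is `$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported.subset_of`.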
@@ -13343,15 +13043,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13360,8 +13060,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
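Review bot: `.one_of` in the path versus `subset_of` in the description for `userinfo_encryption_alg_values_supported`: the array parameter takes `subset_of`, so the lookup should be `$.metadata_policy.openid_provider.userinfo_encryption_alg_values_supported.subset_of` (also replacing the non-existent `intermediary` key). The allowlist `RSA-OAEP`/`RSA-OAEP-256` is consistent with the RP-side test later in this change.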
@@ -13373,15 +13076,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13390,8 +13093,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
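Review bot: The check reads `.one_of` but the description and the array nature of `userinfo_encryption_enc_values_supported` call for `subset_of`; use `$.metadata_policy.openid_provider.userinfo_encryption_enc_values_supported.subset_of` and drop the `intermediary` segment, which is not a metadata-policy entity type. Otherwise the test's result depends only on how the engine handles a missing JSONPath node.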
@@ -13403,15 +13109,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13420,8 +13126,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
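Review bot: Same operator and key mismatch: the path looks up `.one_of` under `intermediary` for `userinfo_signing_alg_values_supported`, while the description (correctly, for an array parameter) asks for `subset_of` under the OP entity type. Suggested: `"check": "$.metadata_policy.openid_provider.userinfo_signing_alg_values_supported.subset_of"`.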
@@ -13433,15 +13142,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -13450,8 +13159,10 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
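Review bot: The description says `client_registration_types` must be constrained with `one_of` valued `['automatic']`, but the check path reads `.subset_of`; `client_registration_types` is an array in RP metadata, so `subset_of` is the right operator and the description should be updated. The path here correctly uses `openid_relying_party`, unlike the `intermediary` key in the OP tests; note `is subset of` also accepts an empty list, so if `automatic` must be present an additional presence check is needed.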
@@ -13463,25 +13174,28 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } 
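Review bot: `is subset of` against `["authorization_code", "refresh_token"]` passes for a policy of `[]` or `["refresh_token"]` alone, which would leave the RP unable to use the code flow; if the description's "valued with '[authorization_code, refresh_token]'" is meant literally, an equality check is needed, otherwise reword the description to "must not allow values outside ...". The quoted list in the description should also be spelled as JSON, `['authorization_code', 'refresh_token']`, to match the other tests.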
@@ -13493,20 +13207,29 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] + } + ] } ] } 
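Review bot: The description only says `response_types` must contain the key `value`, but the check asserts that `value` is a subset of `["code"]`; state the expected value in the text, e.g. "It must contain the key 'value' set to ['code']". Because `value` replaces the RP's parameter outright, a policy of `"value": []` also satisfies `is subset of` while leaving the RP with no response type at all, so an equality check against `["code"]` is the safer assertion if the engine offers one.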
@@ -13516,20 +13239,30 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
+ }
+ ]
 }
 ]
 }
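Review bot: The description states that id_token_encrypted_response_alg must carry the key 'subset_of', but the added check reads `$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of`, so the test evaluates a different policy operator than the one it documents; either the path or the description must change, depending on which operator the profile mandates. The same description/path disagreement recurs in the hunks at +13272, +13304, +13368, +13401, +13563, +13596, +13629, +13694, +13727, +13760, +13997 and in the OP hunks from +13793 on (except +13860), and in reverse at +13466 (description says 'one_of', path ends in `.subset_of`). A metadata policy that uses the operator the description names would silently pass this check because the path resolves to nothing rather than to a wrong value, which is worth confirming against how the tool treats a missing path. The test object continues outside this hunk.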
@@ -13539,20 +13272,29 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
+ }
+ ]
 }
 ]
 }
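Review bot: The `is subset of` array holds a single element, `"A128CBC-HS256\" , \"A256CBC-HS512"`, which is one string containing literal quote characters and a comma, so no real policy value can ever match it and the check fails unconditionally. It should be two elements, `"A128CBC-HS256",` and `"A256CBC-HS512"`, exactly as the SA variant at +13596 writes them. The same malformed element appears at +13304 (`"RS256\" , \"RS512"`) and at +13401. The test object continues outside this hunk.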
@@ -13562,20 +13304,29 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256\" , \"RS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -13585,20 +13336,29 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
+ }
+ ]
 }
 ]
 }
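Review bot: The expected element `"private_key"` does not look like a registered value for token_endpoint_auth_method; the OIDC client authentication method is named `private_key_jwt`, so if the TA's policy carries that value this `is subset of` check fails on a compliant policy. Unless the federation profile really defines a bare `private_key` method, the element and the description should read `"private_key_jwt"`. The SA variant at +13662 uses the same value. The test object continues outside this hunk.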
@@ -13608,20 +13368,30 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -13631,25 +13401,27 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the contacts parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -13661,25 +13433,28 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -13691,25 +13466,27 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
+ ]
 }
 ]
 }
@@ -13721,25 +13498,27 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is subset of": [
+ "code"
+ ]
 }
 ]
 }
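Review bot: The check path `$.metadata_policy.openid_relying_party.response_types.value` points at the RP policy, while the name, the description ("inside the intermediary type") and the message type `Entity Statement response TA SA` all say this test examines the SA's policy; every neighbouring SA test uses `$.metadata_policy.intermediary.…`. It should read `"check": "$.metadata_policy.intermediary.response_types.value",`. As written, the test inspects a part of the statement it does not document, and its outcome says nothing about the intermediary policy. The test object continues outside this hunk.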
@@ -13751,25 +13530,28 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_toke"
+ ]
 }
 ]
 }
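Review bot: The second expected element `"refresh_toke"` is misspelled: the description names `refresh_token`, and the RP variant of this test at +13174 spells it that way, so a correct policy containing `refresh_token` is not a subset of this list and the check fails. Change the element to `"refresh_token"`. The description's "values with" is presumably meant to be "valued with", as in the sibling tests. The test object continues outside this hunk.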
@@ -13781,25 +13563,28 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the homepage_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -13811,25 +13596,28 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the logo_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -13841,25 +13629,28 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the organization_name parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -13871,25 +13662,27 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the policy_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
 }
 ]
 }
@@ -13901,31 +13694,27 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -13938,31 +13727,27 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -13975,31 +13760,27 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -14012,31 +13793,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
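Review bot: The check path `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of` reads the intermediary policy, but this test is for an OP: the message type is `Entity Statement response TA OP` and the description names the `openid_provider` type. It should be `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.one_of",`; the same copied `intermediary` segment remains in the OP hunks at +13825, +13860, +13895, +13927 and +13962. A `not contains` check against a path that resolves to nothing may pass vacuously, so with the wrong segment these six tests can report a clean result without ever inspecting the OP's allowed algorithms. Note also that +13860 ends its path in `.subset_of` while the other five use `.one_of` although all six descriptions say 'subset_of'; the intended operator should be settled once and applied uniformly. The test object continues outside this hunk.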
@@ -14049,31 +13825,29 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -14086,31 +13860,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -14123,31 +13895,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -14160,31 +13927,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -14197,31 +13962,29 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
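Review bot: Same path/description mismatch as the neighbouring OP tests: `$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of` versus a description that names `openid_provider` and `subset_of`. Because this check is what blocks `none` and HMAC algorithms for client authentication at the token endpoint, a path that never resolves would silently disable the guard if the tool scores a missing path as passing. Suggested line: `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported.subset_of"`.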
@@ -14234,31 +13997,26 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
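Review bot: The description says "The key 'subset_of' must not contain the value", but the check reads `id_token_encrypted_response_alg.one_of`; for a single-valued RP parameter `one_of` is the right policy operator, so the description, not the check, should be corrected to `The key 'one_of' must not contain the value ['RSA_1_5']`. Also consider adding `"RSA1_5"` to the forbidden list, since that is the JWA-registered spelling a real policy or metadata would carry; a list with only `RSA_1_5` would not flag it. If mig-t treats a non-resolving path as "not contains" satisfied, confirm the path exists in the fixture so the test is not a vacuous pass.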
@@ -14271,31 +14029,29 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
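Review bot: The description refers to the `subset_of` key while the check inspects `id_token_signed_response_alg.one_of`; since this RP parameter is single-valued, `one_of` is the appropriate operator and the description should read `The key 'one_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']`. Keeping the prose aligned with the JSONPath matters here because the forbidden list is the only thing stopping an `alg: none` ID token from being policy-compliant.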
@@ -14308,31 +14064,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
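Review bot: Description/check mismatch again: the prose names `subset_of`, the check uses `userinfo_encrypted_response_alg.one_of`; `one_of` is correct for this single-valued RP parameter, so update the description to `The key 'one_of' must not contain the value ['RSA_1_5']`. As in the sibling tests, the forbidden value should also include the JWA identifier `RSA1_5`, otherwise a policy that permits the deprecated algorithm under its registered name passes the check.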
@@ -14345,31 +14096,29 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
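Review bot: The description says the `subset_of` key is inspected, but the check reads `userinfo_signed_response_alg.one_of`; for a single-valued RP parameter `one_of` is the right operator, so the description should be changed to `The key 'one_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']`. Please also confirm how mig-t scores `not contains` when the JSONPath does not resolve, since a vacuous pass here would let an RP policy allowing unsigned userinfo go unnoticed.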
@@ -14382,31 +14131,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
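Review bot: The check path uses `$.metadata_policy.intermediary.id_token_encrypted_response_alg`, but `intermediary` does not appear in the set of metadata types this same suite accepts elsewhere (the "only allowed types" test lists `openid_relying_party`, `openid_provider`, `federation_entity`, `oauth_authorization_server`, `oauth_resource`, `trust_mark_issuer`), so either that list is incomplete or this path can never resolve; worth confirming against the SA profile which metadata type the TA's policy for an SA actually keys on. The forbidden list should also include the JWA-registered spelling `"RSA1_5"` next to `RSA_1_5`. If a non-resolving path counts as "not contains" satisfied, this test is currently a vacuous pass.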
@@ -14419,31 +14163,29 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
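Review bot: `$.metadata_policy.intermediary.id_token_signed_response_alg.one_of` relies on an `intermediary` metadata type that the suite's own allowed-types schema (in the "only allowed types" test) does not include, so please verify that the TA's entity statement for an SA really carries policy under that key rather than under `openid_relying_party` or `federation_entity`. A path that never resolves would make the `none`/HS* prohibition a vacuous pass if mig-t treats a missing value as "not contains" satisfied.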
@@ -14456,31 +14198,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
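Review bot: As with the other SA tests, `$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of` depends on an `intermediary` metadata type that the suite's allowed-types schema elsewhere does not list; confirm the key the TA actually uses for SA policy or the check never resolves. Also add the JWA identifier `"RSA1_5"` to the forbidden list alongside `RSA_1_5`, since a policy allowing the deprecated algorithm under its registered name would currently pass.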
@@ -14493,31 +14230,29 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
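Review bot: The check path `$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of` keys on `intermediary`, which the suite's own "only allowed types" schema does not recognise as a metadata type; verify against the SA profile which type the TA's policy for an SA is expressed under, otherwise this `none`/HS* prohibition tests nothing. Please also confirm whether mig-t reports a non-resolving `check` path as a failure or as a pass, as that decides whether the whole family of `not contains` tests can be vacuous.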
@@ -14530,31 +14265,27 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" - } + "in": "payload", + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" ] } ] 
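Review bot: The check `$.trust_marks[0].trust_mark.organization_type` indexes into `trust_mark`, but in an entity statement `trust_mark` is a compact-serialized JWT string, not a JSON object; the removed code handled this with a nested decode operation (`"from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark"`) and the rewrite drops it, so the path cannot resolve and the test either errors or passes vacuously depending on tool semantics. Restore the nested JWT decode step and apply the `is in` check on its payload with `"check": "$.organization_type"`. Note also that the name "Does the Trust Mark contain a correct organization_type claim" is reused by the following test, which will make results hard to attribute.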
@@ -14567,31 +14298,27 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } + "in": "payload", + "check": "$.organization_type", + "is in": [ + "public", + "private" ] } ] 
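Review bot: This test claims to verify the Trust Mark's `organization_type`, but `"check": "$.organization_type"` is evaluated against the payload of the entity statement itself, not against the Trust Mark JWT inside `trust_marks[].trust_mark`; an entity statement with a valid top-level claim and a forged or missing claim in the Trust Mark would pass. The Trust Mark needs the nested decode the old version performed (decode `$.trust_marks[0].trust_mark` as a JWT, then check `$.organization_type` in that payload). The test name also duplicates the preceding test's name verbatim; differentiate them (e.g. `... claim (RP)`) so reports distinguish the two.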
@@ -14604,32 +14331,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -14641,32 +14361,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -14678,32 +14391,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -14715,32 +14421,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
@@ -14752,32 +14451,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], 
\"additionalProperties\": false}" } ] } @@ -14789,32 +14481,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" } ] } 
@@ -14826,32 +14511,25 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" } ] } 
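Review bot: The name and description say `trust_mark_issuers` "must be a JSON Array", but the schema checks `"type": "object", "additionalProperties": {"type": "array"}`, which is the OpenID Federation shape (trust mark identifier → array of issuer entity IDs); the schema is right and the prose should be corrected to `... parameter contain a JSON Object mapping each Trust Mark id to an Array of issuers`. Consider tightening the inner array to `{"type":"array","items":{"type":"string","format":"uri"}}` so non-URL issuer entries are rejected.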
@@ -14863,32 +14541,25 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" } ] } 
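Review bot: The check path `$.metadata_policy.intermediary.acr_values_supported` disagrees with the description, which says the parameter is inspected inside the `openid_provider` type for an OP entity statement; the schema additionally requires `superset_of`, which the description does not mention. Use `"check": "$.metadata_policy.openid_provider.acr_values_supported"` and either drop `superset_of` from `required` or document that the TA policy must pin a minimum ACR set.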
@@ -14900,32 +14571,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
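Review bot: The description states the parameter "must contain the key 'one_of' and it must be valued as ['true']", but the schema requires `"value": {"const": true}`; for a boolean metadata parameter the `value` operator is the right policy construct, so it is the description that needs updating: `It must contain the key 'value' set to true`. Keeping prose and schema aligned avoids someone later "fixing" the check toward `one_of` and weakening it.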
@@ -14937,32 +14601,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" } ] } 
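Review bot: `"subset_of": {"const": "automatic"}` can never match: `subset_of` is an array operator, so a compliant TA policy carries `"subset_of": ["automatic"]`, and the const comparison of a string against an array fails; any TA that is actually restricting registration to `automatic` will be reported as non-compliant. Change the constraint to `{"subset_of": {"const": ["automatic"]}}` (or `{"type":"array","items":{"const":"automatic"},"minItems":1}`) and update the description, which currently says `one_of`.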
@@ -14974,32 +14631,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
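Review bot: The `check` path reads `$.metadata_policy.intermediary.grant_types_supported` while the test name and description say the parameter lives inside the openid_provider type, so the test inspects the intermediary policy and passes or fails on that instead of on the OP policy it claims to verify. The same intermediary/openid_provider mismatch appears in the id_token_* tests, request_authentication_signing_alg_values_supported, response_modes_supported, scopes_supported, token_endpoint_auth_signing_alg_values_supported and the userinfo_* tests (L4594–L4596, L4598, L4602–L4607). In each, either the path should become `$.metadata_policy.openid_provider.<parameter>` or the name and description should say intermediary. These descriptions also state that only 'subset_of' must be present, whereas the schema lists both `subset_of` and `superset_of` under `required`, so a policy that carries only subset_of would be reported as non-compliant despite matching the description.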
@@ -15011,32 +14661,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -15048,32 +14691,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -15085,32 +14721,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -15122,32 +14751,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -15159,42 +14781,15 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
- "type": "active",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA OP",
- "decode operations": [
- {
- "from": "url",
- "decode param": "client_assertion",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -15202,10 +14797,9 @@
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -15217,42 +14811,45 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
- "type": "active",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "client_assertion",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
 ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must 
be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
 {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -15260,10 +14857,9 @@
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
 }
 ]
 }
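Review bot: Both tests added in this hunk are named after request_object_signing_alg_values_supported, but their `check` lines read `$.metadata_policy.openid_provider.request_parameter_supported`, so neither of them inspects the parameter it is named for, and the first one duplicates the request_parameter_supported key check of the following hunk under a misleading name. The path in both should presumably be `$.metadata_policy.openid_provider.request_object_signing_alg_values_supported`, and the two tests should get distinct names (key presence versus value) so a failure report can be told apart. The second test object is opened here and closed outside this hunk.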
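Review bot: The `json schema compliant` string ends with ` ["RS256", "RS512"]` appended after the closing brace of the schema object, which is not valid JSON, so the schema cannot be parsed and this check can never evaluate the policy. If the intent is to require subset_of to be exactly RS256 and RS512, the constraint belongs inside the schema, e.g. `"subset_of": {"const": ["RS256", "RS512"]}`, with the trailing array removed. The description's 'subset_of valued as ['RS256', 'RS512']' also does not match the `check` path, which still points at request_parameter_supported.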
@@ -15275,105 +14871,87 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct value for organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct value for organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
+ "description": "In order to 
check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.response_modes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.scopes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ }
+ ]
 }
 ]
 }
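Review bot: The third test in this hunk overwrites the signature-verification test (`"jwt check sig": "X_key_SA"` on the SA's Entity Configuration) with a metadata-policy key check, and the two following hunks (L4604, L4605) do the same for the SA's Entity Statements for OP and RP, so after this commit no test in the visible range verifies the signature of SA-issued JWTs. If those tests are moved elsewhere in this patch series that is fine, but if the intent was only to add the metadata-policy tests, the signature checks should be re-added as separate test objects rather than replaced, since an unsigned or mis-signed entity statement is exactly the failure the federation tests exist to catch. The schema strings in this hunk also write `\"subset_of\":{}` without the space that every sibling schema uses; harmless, but worth normalising for grep-ability.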
@@ -15383,21 +14961,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15407,21 +14991,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15431,15 +15021,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -15448,8 +15038,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -15461,15 +15051,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -15478,8 +15068,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -15491,15 +15081,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -15508,8 +15098,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -15521,15 +15111,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -15538,8 +15128,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -15551,15 +15141,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -15568,8 +15158,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
 }
 ]
 }
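Review bot: The `json schema compliant` string in the second hunk is malformed: `"required": ["subset_of"], ["superset_of"]}` places a second array after the `required` member without a key, which no JSON parser accepts, so this test cannot evaluate its schema at all and the SA grant_types policy goes unchecked. The sibling tests spell it `"required": ["subset_of", "superset_of"]` and this line should do the same; the description already says both keys are required.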
@@ -15581,24 +15171,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -15611,24 +15201,24 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.authority_hints",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
 "is present": "true"
 }
 ]
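Review bot: The decode line is changed from `"decode param": "[^\\r\\n]*"` to `"decode regex": "[^\\r\\n]*"`, which is the opposite direction from the hunks at L4591–L4597 (those replace `decode regex` with `decode param`), and the unchanged context in L4603–L4605 uses `decode param`. Only one of the two spellings is presumably understood by the test runner, so the federation_entity tests in both hunks here and in L4612–L4615 would either not extract the JWT or fail outright, depending on which key is the real one. The key should be made consistent across the file; from the rest of this diff `decode param` looks like the intended name, but that should be confirmed against the tool's operation schema before choosing.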
@@ -15641,24 +15231,24 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
 "is present": "true"
 }
 ]
@@ -15671,24 +15261,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
- "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -15701,24 +15291,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header",
- "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
 "is present": "true"
 }
 ]
@@ -15731,24 +15321,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header",
- "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.typ",
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -15761,24 +15351,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -15791,24 +15381,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.client_id",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -15821,24 +15411,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the Entity's metadata contain the policy_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -15851,24 +15441,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.constraints.max_path_length",
 "is present": "true"
 }
 ]
@@ -15881,24 +15471,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked",
+ "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
 "is present": "true"
 }
 ]
@@ -15911,24 +15501,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
 "is present": "true"
 }
 ]
@@ -15941,24 +15531,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
 "is present": "true"
 }
 ]
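Review bot: The new description says the `claims_parameter_supported` policy entry "must contain the key 'one_of'", but the check path ends in `.value`, so the test asserts a different operator than it documents. The per-test files this patch adds are named `...claims_parameter_supported-value.json`, which suggests `value` is the intended operator and the description is the stale side; the last sentence should then read `It must contain the key 'value'`. The same 'one_of'-versus-`.value` mismatch is in the `request_parameter_supported` and `authorization_response_iss_parameter_supported` "correct ... parameter key" hunks further down this chunk.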
@@ -15971,24 +15561,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
 "is present": "true"
 }
 ]
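Review bot: The name and description describe a presence test for `client_registration_types_supported`, but the check path is `...client_registration_types_supported.subset_of`, which is byte-identical to the check in the next hunk's "correct ... parameter key" test; the presence test as documented is never actually run, and a policy that uses a different operator would fail both tests with the same message. The check should stop at the parameter, `"check": "$.metadata_policy.openid_provider.client_registration_types_supported",`, matching how the other presence tests in this chunk are written.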
@@ -16001,24 +15591,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
- "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -16031,24 +15621,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
- "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
 "is present": "true"
 }
 ]
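Review bot: The name and description say `code_challenge_methods_supported` is looked up inside the `openid_provider` type, but the check path goes through `$.metadata_policy.intermediary...`; every other OP-policy check in this chunk uses `openid_provider`, and `intermediary` appears nowhere else on the page, so a compliant TA policy would fail this test unless `intermediary` is a metadata type the TA really emits. The path should presumably be `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of",`. The same `intermediary` path is used in the `response_types_supported`, `revocation_endpoint_auth_methods_supported` and `subject_types_supported` hunks below, where the descriptions additionally promise the key 'one_of' while the path ends in `.subset_of`.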
@@ -16061,24 +15651,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
 "is present": "true"
 }
 ]
@@ -16091,24 +15681,24 @@
 },
 {
 "test": {
- "name": "Does ID token payload contain the 'at_hash' parameter",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.at_hash",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
 "is present": "true"
 }
 ]
@@ -16121,24 +15711,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
 "is present": "true"
 }
 ]
@@ -16151,24 +15741,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
 "is present": "true"
 }
 ]
@@ -16181,24 +15771,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -16211,24 +15801,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -16241,24 +15831,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -16271,24 +15861,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.nonce",
+ "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
 "is present": "true"
 }
 ]
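Review bot: The check path starts with `$..` (JSONPath recursive descent) while every other policy check in this chunk uses `$.`; `$..metadata_policy` matches a `metadata_policy` object at any depth of the decoded payload, so a nested copy placed somewhere other than the statement's top level would satisfy a test that is meant to assert the TA's own policy. Use the direct path, `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",`. The name also calls this a "parameter key" test but the description never states which key; ending it with `It must contain the key 'subset_of'` would match the neighbouring tests.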
@@ -16301,24 +15891,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
 "is present": "true"
 }
 ]
@@ -16331,21 +15921,27 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
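Review bot: Name, description and check disagree here: the name and description say the `jwks` parameter is looked for inside `metadata_policy.openid_provider`, but the check path is `$.jwks`, which is the top-level `jwks` of the Entity Statement itself, and the description's last sentence requires "the RP JWKS" in a test that is about an OP. If the intent is the statement's own key set, the documentation should say so, e.g. `"name": "Does the TA's Entity Statement for an OP contain the jwks parameter"` with the `metadata_policy`/RP wording dropped from the description; if a policy entry is meant, the path should be under `$.metadata_policy.openid_provider`. As written a reader cannot tell which of the two the test is asserting.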
@@ -16355,21 +15951,27 @@
 },
 {
 "test": {
- "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
- "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
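Review bot: The description says the `client_registration_types` entry "must contain the key 'one_of'" but the check path ends in `.subset_of`, so what the test asserts is not what it documents. The inverse mismatch (description says 'subset_of', path ends in `.one_of`) is in the RP hunks for `id_token_encrypted_response_alg`, `id_token_encrypted_response_enc`, `id_token_signed_response_alg`, `userinfo_encrypted_response_alg` and `userinfo_encrypted_response_enc` below; only the `response_types` (`value`) and `token_endpoint_auth_method` (`one_of`) hunks agree with themselves. The paths look like the deliberate choice (set-valued parameters get `subset_of`, single-valued ones `one_of`), so the descriptions are the likely stale side and each should name the operator its path actually checks; the last RP hunk's name also lacks the word "correct" that the other key tests carry.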
@@ -16379,20 +15981,27 @@
 },
 {
 "test": {
- "name": "Does the OP verify the HTTP method of the Revocation request",
- "description": "The revocation request must be sent via HTTP POST",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16402,20 +16011,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain access token",
- "description": "The Token response is analyzed and the presence of the access token is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16425,20 +16041,27 @@
 },
 {
 "test": {
- "name": "Does the OP issue the access tokens when requested",
- "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16448,20 +16071,27 @@
 },
 {
 "test": {
- "name": "Does the OP issue the expires_in in a token response",
- "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "expires_in"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16471,20 +16101,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "id_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16494,20 +16131,27 @@ }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is present": "true" + } + ] } ] } 
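Review bot: The description states the userinfo_encrypted_response_alg entry must contain 'subset_of', while the check looks for `.userinfo_encrypted_response_alg.one_of`; the test name, description and JSONPath must agree or a failure report will point reviewers at the wrong operator. For a single-valued claim `one_of` is the correct operator, so the fix is in the description: `It must contain the key 'one_of'`. As with the sibling tests, presence of the operator does not verify that the permitted encryption algorithms are acceptable.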
@@ -16517,20 +16161,27 @@ }, { "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is present": "true" + } + ] } ] } 
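Review bot: Description and check disagree again — the text asks for 'subset_of' but the JSONPath is `$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of`. userinfo_encrypted_response_enc is single-valued, so `one_of` is the right operator and the description should read `It must contain the key 'one_of'`. Consider additionally constraining the listed enc values rather than only asserting the key exists.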
@@ -16540,25 +16191,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported.value", - "is": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is present": "true" } ] } 
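Review bot: The description promises a 'subset_of' key for userinfo_signed_response_alg but the check asserts `.userinfo_signed_response_alg.one_of`. Single-valued signing-algorithm claims are constrained with `one_of`, so the description is the part to correct: `It must contain the key 'one_of'`. A presence-only check will also accept a `one_of` containing `none`; a value check would close that gap.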
@@ -16570,25 +16221,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported.value", - "is": "true" + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is present": "true" } ] } 
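Review bot: Here the mismatch is inverted: the description says client_registration_types must contain 'one_of' while the check asserts `$.metadata_policy.intermediary.client_registration_types.subset_of`. client_registration_types is array-valued, so `subset_of` is the fitting operator and the description should say `It must contain the key 'subset_of'`. Whether the SA's policy really lives under a metadata type named `intermediary` is not verifiable from this file and should be confirmed against a real TA response, since a wrong type name makes every such check fail on presence rather than on policy content.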
@@ -16600,25 +16251,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", - "is": "true" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is present": "true" } ] } 
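Review bot: The test is declared on `Entity Statement response TA SA` and its description says the response_types policy is checked inside the `intermediary` type, yet the JSONPath is `$.metadata_policy.openid_relying_party.response_types.value`. The other SA tests in this series use `$.metadata_policy.intermediary.*`, so either this path or the description is wrong; if the TA's SA statement really carries the RP policy under `openid_relying_party`, the description should say so, otherwise change the path to `$.metadata_policy.intermediary.response_types.value`.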
@@ -16630,25 +16281,25 @@ }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_OP" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is present": "true" } ] } 
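Review bot: The description asks for 'subset_of' on id_token_encrypted_response_alg, but the check asserts `$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of`. For this single-valued claim `one_of` is appropriate, so the description should read `It must contain the key 'one_of'`. The check does not inspect which algorithms are allowed, only that an operator exists.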
@@ -16660,20 +16311,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is present": "true" + } + ] } ] } 
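Review bot: Same inconsistency as the sibling tests — description says 'subset_of', check asserts `$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of`. Align the description to `It must contain the key 'one_of'`, since enc is a single-valued claim.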
@@ -16683,20 +16341,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is present": "true" + } + ] } ] } 
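Review bot: The description says 'subset_of' but the check is `$.metadata_policy.intermediary.id_token_signed_response_alg.one_of`; correct the description to `It must contain the key 'one_of'`. Because this is a presence check, a policy whose `one_of` permits `none` or `HS256` would still pass — worth pinning the accepted algorithms if the profile specifies them.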
@@ -16706,20 +16371,27 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation response", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is present": "true" + } + ] } ] } 
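Review bot: The metadata type `intermediary` used in `$.metadata_policy.intermediary.token_endpoint_auth_method.one_of` is not among the six metadata types this file's own allowed-types schema accepted (openid_relying_party, openid_provider, federation_entity, oauth_authorization_server, oauth_resource, trust_mark_issuer); please confirm it matches what the TA actually emits for an SA, otherwise all `intermediary` checks fail on path lookup rather than on policy content. As with the RP variant, asserting only that `one_of` exists does not verify that weak client authentication methods are excluded.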
@@ -16729,20 +16401,27 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is present": "true" + } + ] } ] } 
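Review bot: Description ('subset_of') and check (`$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of`) disagree; `one_of` is the operator for a single-valued claim, so change the description to `It must contain the key 'one_of'`.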
@@ -16752,20 +16431,27 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is present": "true" + } + ] } ] } 
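Review bot: Description says 'subset_of' while the check asserts `$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of`; align the description to `It must contain the key 'one_of'`. The check does not constrain the permitted enc values.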
@@ -16775,25 +16461,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is present": "true" } ] } 
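Review bot: The description asks for 'subset_of' but the check reads `$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of`; update the description to `It must contain the key 'one_of'`. Note that this hunk also replaces the previous `json schema compliant` integer check on `exp` with nothing — if that coverage is not restored elsewhere, the TA entity configuration's `exp` type is no longer validated.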
@@ -16805,15 +16491,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does entity configuration TA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -16822,8 +16508,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.sub", + "is": "X_url_TA" } ] } 
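Review bot: The description says the TA's `sub` must equal its `iss`, but the second hunk only compares `$.sub` with the configured placeholder `X_url_TA`; the iss/sub equality the test claims to verify is never asserted. Since the DSL cannot compare two fields directly, add a second check object with `"check": "$.iss"` and `"is": "X_url_TA"` so that a statement with a mismatched issuer is caught. The surrounding test object starts in the first hunk of this line and its closing braces are outside the hunk.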
@@ -16835,27 +16521,20 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -16865,27 +16544,20 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
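Review bot: This test is byte-for-byte the same check as the preceding one (HTTP 200 on `Entity Configuration response TA`), while its description promises that "its entity configuration is expected as response"; the body is never inspected, so an endpoint returning 200 with an HTML page passes. Either drop the duplicate or make it check the body, e.g. `"in": "body"` with `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+"` for a compact JWS.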
@@ -16895,27 +16567,20 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
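Review bot: The regex `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` is a weak test for "JOSE format": `\w` does not include `-`, which is part of the base64url alphabet used by JWS header and payload, and the third group is `*`, so a body with an empty signature segment (an unsigned token) also passes. The description additionally names the expected `Content-Type: application/entity-statement+jwt`, but no head check enforces it. Suggest `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"` on the body plus a second check with `"in": "head"` and `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt"`.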
@@ -16925,27 +16590,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" - } - ] + "message type": "Entity Listing response", + "checks": [ + { + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
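Review bot: The description refers to "the resolve entity statement endpoint" although the test name and message type are about the entity listing endpoint; the wording looks copy-pasted and should say `the entity listing endpoint`. The regex `\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` also requires at least one string, so a TA with no subordinates answering `[]` fails the test; if an empty list is a valid answer, use `\[\s*(?:"[^"]*"(?:,\s*"[^"]*")*)?\s*\]$`.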
@@ -16955,27 +16613,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
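Review bot: A JWS-shaped body proves only that something token-like came back; it does not establish that the statement is signed by the TA or that its `sub` is the OP that was asked for, which is what "must contain the subordinate entity's Entity Statement" requires. The DSL's `jwt check sig` operator with `X_key_TA` and an `"is": "X_url_OP"` check on `$.sub` would turn this into a real test. The regex itself has the `\w`-excludes-`-` and empty-signature weaknesses noted on the entity configuration test.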
@@ -16985,27 +16636,20 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
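Review bot: This test carries exactly the same `name` as the OP variant that precedes it, so failures for the RP and OP statements are indistinguishable in a report; suggest `"name": "Does the TA correctly release the Entity statement for the RP"` and the corresponding rename for the OP test. The body check is again only the loose JWS regex and does not verify signer or subject.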
@@ -17015,27 +16659,20 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
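Review bot: The description says a response "containing the resolved metadata" is expected, but that is the resolve endpoint's output; the fetch endpoint returns the subordinate's Entity Statement, which is what the regex is looking for. Suggest rewording to `a response containing the Entity Statement for the entity in the request's sub parameter is expected`. As elsewhere, the regex accepts an empty signature segment and does not check who signed the statement.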
@@ -17045,27 +16682,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Fetch Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
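Review bot: Same `name` as the preceding fetch test for the OP, which makes the two indistinguishable in results; suggest `"name": "Does the Entity expose the fetch entity statement endpoint (RP)"`. The description's "resolved metadata" wording is inaccurate for the fetch endpoint for the same reason as in the OP variant.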
@@ -17075,27 +16705,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Public Keys History response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
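Review bot: The check expects the body to end with a JSON array of bare strings (`\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$`), but a key history published as a JWK Set is an object containing `keys` whose elements are objects, and a signed history would be a compact JWS — neither matches this regex. Please confirm the actual shape of the `/.well-known/openid-federation-jwks` response and, if it is a JWK Set, check for something like `"check regex": "\"keys\"\\s*:\\s*\\["` instead.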
@@ -17105,27 +16728,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
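Review bot: The regex `[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` lost the backslash before the opening bracket that the sibling listing tests have, so `[\s*"[^"]` is now parsed as a character class and the expression matches almost any body ending in `"]`. Beyond the typo, the description says the resolve endpoint returns the resolved metadata for `sub`, which is not a JSON array of strings at all, so even the intended regex would not test what the description claims; a resolve response should be checked as a compact JWS (and ideally with `jwt check sig`) rather than as a string list.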
@@ -17135,25 +16751,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
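Review bot: Verifying only `$.trust_marks[0].trust_mark` with `X_key_TA` assumes the first trust mark in the OP's statement was issued by the TA; trust marks can come from any trust mark issuer, so the test should select the mark by its `iss`/`id` rather than by position, or iterate over all of them. The hunk also uses `"decode param"` while every other test in this series was just migrated to `"decode regex"`; if the DSL renamed the key, this decode silently never runs. Finally, the description's "n, e of jwks" is RSA-specific — hedge it unless the TA is required to use RSA keys.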
@@ -17165,25 +16782,26 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
- "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -17195,25 +16813,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
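Review bot: `"is present": "true"` on `$.exp` only proves the claim exists; a string or negative `exp` would pass, whereas the test being replaced pinned the type with a schema. The same `json schema compliant` form keeps that constraint: `"check": "$",` followed by `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. The `iat` test in the next hunk has the same gap, and the `iss` and `sub` checks two and three hunks further on could additionally assert that both carry the TA's entity identifier, since an Entity Configuration is self-issued, rather than only that the claims exist.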
@@ -17225,25 +16843,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -17255,25 +16873,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -17285,25 +16903,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -17315,25 +16933,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -17345,43 +16963,27 @@
 },
 {
 "test": {
- "name": "Does the Content-Type in a token response set correctly?",
- "description": "This test verifies the head Content-Type set to application/json in the token response.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Token response",
- "checks": [
- {
- "in": "head",
- "check": "Content-Type",
- "is": "application/json"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the token_type of a token response set correctly?",
- "description": "This test verifies whether the token_type of a token response is Bearer.",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
- {
- "message type": "Token response",
- "checks": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "check": "token_type",
- "is": "Bearer"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17391,20 +16993,27 @@
 },
 {
 "test": {
- "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",
+ "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17414,20 +17023,27 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the Federation Configuration contain the TA public keys",
+ "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
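Review bot: This test duplicates the `jwks` test four hunks earlier: both run `$.jwks` with `is present` on `Entity Configuration response TA`, so the two will always agree and one of them adds nothing to the report. Either drop this one or make it check what its name promises, namely that public keys are actually published, e.g. `"check": "$.jwks.keys"` together with a `json schema compliant` schema requiring a non-empty array; presence of `jwks` alone presumably also passes an empty object.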
@@ -17437,20 +17053,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.trust_mark_issuers",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
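Review bot: The `name` and `description` say `trust_marks_issuers` while the check path is `$.trust_mark_issuers`; the path is the claim name OpenID Federation uses in a Trust Anchor's Entity Configuration, so it is the text that needs correcting: `"name": "Does TA's Entity configuration contain the trust_mark_issuers parameter"` and the same spelling in the description. As written, someone reading a failing report would look for a claim that does not exist.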
@@ -17460,20 +17083,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain a valid access token",
- "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
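Review bot: The new description has wording defects that will be copied into every report: "the presence if the constraints parameter" should read "the presence of", "Payload contained in the response are base64url decoded" should be "is", and "decrypted Payload" is inaccurate because an Entity Statement is a signed JWT whose payload is only base64url decoded, never decrypted. The same sentence is repeated in the exp, iat, jwks, metadata_policy, iss, sub and trust_marks hunks that follow, so fix it once and propagate. This test also shares its exact `name` with the `Entity Statement response TA RP` constraints test further down, which makes the two indistinguishable in results; naming the subject in each (e.g. `"name": "Does the Entity Statement issued by the TA for the OP contain the constraints parameter"`) would resolve that.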
@@ -17483,20 +17113,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain a valid ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17506,20 +17143,27 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
- "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17529,32 +17173,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } 
] } 
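Review bot: The `jwe decrypt` line removed in this hunk carried an inline PEM RSA private key, and the same key is dropped from the five hunks that follow; since it stays retrievable from history after this commit, if it is anything more than a throwaway fixture for the local UserInfo JWE tests it should be treated as exposed and rotated. Where key material is still needed, a symbolic reference like the `X_key_TA` the new tests already use is preferable to embedding PEM in the test definition. Separately, the new `$.jwks` presence check on the TA-issued Entity Statement presumably also passes an empty `jwks` object, so asserting a non-empty `keys` array via `json schema compliant` would make the test meaningful.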
@@ -17566,29 +17203,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
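Review bot: The description states that `metadata_policy` "must be a JSON Object", but the check is `"is present": "true"`, which any value type satisfies. Either drop that sentence or enforce it the way the replaced tests did: `"check": "$",` followed by `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`.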
@@ -17600,25 +17233,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnf
nGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.iss", "is present": "true" } ] 
@@ -17631,25 +17263,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHn
fnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", + "in": "payload", + "check": "$.sub", "is present": "true" } ] 
@@ -17662,25 +17293,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", + "in": "payload", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -17693,25 +17323,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.constraints", "is present": "true" } ] 
@@ -17724,29 +17353,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "check": "$.exp", + "is present": "true" } ] } 
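Review bot: This hunk renames `decode regex` to `decode param` while keeping a regex value (`"decode param": "[^\\r\\n]*"`), but the hunks at @@ -18414, @@ -18446, @@ -18481 and @@ -18516 make the opposite change (`decode param` → `decode regex`), and the trust-mark hunks from @@ -17987 onward use `decode regex` for the body regex and `decode param` for a JSONPath. I cannot tell from the diff which key the parser expects for a body regex, but if it distinguishes the two, the extraction here and in @@ -17758 through @@ -17954 is silently skipped and the presence check runs against whatever the default yields. Pick one key for the body-regex case and apply it consistently across all of these hunks.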
@@ -17758,27 +17383,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] + "check": "$.iat", + "is present": "true" } ] } 
@@ -17790,28 +17413,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] + "check": "$.jwks", + "is present": "true" } ] } 
@@ -17823,28 +17443,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -17856,28 +17473,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.sub", + "is present": "true" } ] } 
@@ -17889,28 +17503,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -17922,27 +17533,25 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] + "check": "$.jwks", + "is present": "true" } ] } 
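Review bot: The check `$.jwks` inspects the top-level jwks of the Entity Statement, while the name and description say the test verifies the jwks inside the `openid_relying_party` entry of `metadata_policy`; as written it duplicates the jwks presence test at @@ -17790 and never looks at the policy. Change the path to `"check": "$.metadata_policy.openid_relying_party.jwks"`, or reword the name and description to state what is actually checked.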
@@ -17954,28 +17563,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.iss", + "is present": "true" } ] } 
@@ -17987,26 +17593,31 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", - "is in": [ - "private_key_jwt" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } ] } ] 
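Review bot: The nested decode `"decode param": "$.trust_marks[0].trust_mark"` examines only the first trust mark in the statement, so an entity carrying several trust marks passes or fails depending on their order; this applies to every trust-mark hunk from here through @@ -18516. If the tool's JSONPath supports it, iterate over all entries, otherwise state in the description that only the first trust mark is examined. The name here differs from the one at @@ -18516 only by the article `a`, and both check `$.id_code.ipa_code` on different statements; a suffix naming the statement (`... in the Entity Statement for the OP`) keeps reports unambiguous. The description's "decrypted" should read `decoded`, since the trust mark is a signed JWT that is only base64url-decoded here.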
@@ -18019,27 +17630,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } ] } ] 
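Review bot: The inner check uses the bare name `"check": "claims"`, whereas every other check in this file, including `$.id_code.ipa_code` in the preceding hunk, is a JSONPath beginning with `$.`; the same bare form appears in the hunks from @@ -18052 through @@ -18481 (`email`, `exp`, `iat`, `id`, `logo_uri`, `organization_name`, `organization_type`, `policy_uri`, `ref`, `service_documentation`, `sub`, `tos_uri`, `iss`, `id_code`). Unless the tool accepts a plain claim name in `check`, these presence checks will never match, and whether that surfaces as a failure or a silent pass depends on the tool; write them as `"check": "$.claims"` and so on. The description also says the Trust Mark is issued "for an TA", while the name calls it an oauth_resource Trust Mark and the parallel hunks say "for an AA (oauth_resource profile)"; align the wording.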
@@ -18052,27 +17667,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } ] } ] 
@@ -18085,26 +17704,31 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported[0]", - "is in": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } ] } ] 
@@ -18117,27 +17741,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } ] } ] 
@@ -18150,26 +17778,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } ] } ] 
@@ -18182,26 +17815,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } ] } ] 
@@ -18214,29 +17852,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } ] } ] 
@@ -18249,26 +17889,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } ] } ] 
@@ -18281,27 +17926,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } ] } ] 
@@ -18314,27 +17963,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } ] } ] 
@@ -18347,27 +18000,31 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } ] } ] 
@@ -18380,28 +18037,31 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } ] } ] 
@@ -18414,26 +18074,31 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } ] } ] 
@@ -18446,29 +18111,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } ] } ] 
@@ -18481,29 +18148,31 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -18516,29 +18185,31 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
 ]
 }
 ]
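Review bot: This test asserts the public-organization identifier with `"check": "$.id_code.ipa_code"` plus `"is present"` on the TA RP statement, while the hunk at new line 19031 performs the equivalent check on the TA OP statement through `"json schema compliant"`; using one mechanism for both would make a missing `id_code` object fail the same way in each and keep the two tests comparable in a report. The `check` values in this series also mix a bare claim name (`"tos_uri"`, `"iss"`) with a JSONPath (`"$.id_code.ipa_code"`); if the DSL accepts both, picking one form throughout avoids a reader wondering whether `"$.tos_uri"` and `"tos_uri"` behave differently. The enclosing test object continues past the end of the hunk.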
@@ -18551,29 +18222,31 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -18586,26 +18259,31 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -18618,29 +18296,31 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
 ]
 }
 ]
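Review bot: `"is present": "true"` on `exp` only proves the claim exists, so an already-expired Trust Mark, or one whose `exp` is a string rather than a NumericDate, passes this test unchanged; the same applies to `iat` in the next hunk. If the DSL offers a numeric or time comparison on payload claims it belongs here, otherwise the description should state that validity in time is not verified, e.g. `"description": "… the presence of the exp claim in it is checked; its value is not compared with the current time."`. As a point of style, `"is present"` takes the string `"true"` while the Content-Type test later in this file writes `"url decode": false` as a JSON boolean; if the DSL accepts a boolean for `is present`, using one everywhere would be clearer. The enclosing test object continues past the end of the hunk.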
@@ -18653,26 +18333,32 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header",
- "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
- "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "header",
- "check": "$.cty",
- "is": "JWT"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
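Review bot: The `jwe decrypt` line removed here, and again in the next hunk, carried a complete PEM-encoded RSA private key inline in the test definition; dropping it from these two tests does not remove it from repository history, and if other tests in this file still embed the same literal (not visible in this diff) they should reference the key the way the signature tests do with `"jwt check sig": "X_key_TA"`, i.e. `"jwe decrypt": "<key-reference>"`, rather than inlining PEM. If that key pair was ever used for anything other than this test harness it should be treated as exposed and rotated. The replacement test inherits the concerns already raised on the first Trust Mark hunk (unverified inner JWT, `trust_marks[0]` only). The enclosing test object continues past the end of the hunk.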
@@ -18684,30 +18370,31 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header",
- "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
- "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "header",
- "check": "$.alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -18720,25 +18407,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18750,25 +18444,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18780,25 +18481,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.signed_jwks_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18810,25 +18518,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18840,25 +18555,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18870,25 +18592,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18900,25 +18629,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the contacts claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18930,25 +18666,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18960,25 +18703,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -18990,25 +18740,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the homepage_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -19020,25 +18777,32 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -19050,27 +18814,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
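Review bot: The new side here, and in the next two hunks, switches the body extractor to `"decode param": "[^\\r\\n]*"` while every other hunk in this file moves the same regex the opposite way, to `"decode regex"`; if the DSL treats `decode param` as a parameter name rather than a pattern, these three signature tests will extract nothing and their `jwt check sig` will never run, which is exactly the kind of silent pass a signature test must not have. Keeping `"decode regex": "[^\\r\\n]*"` here would match the rest of the file. The description also says the public key "must be taken from the Entity Statement of a superior", but the Trust Anchor has no superior and the check uses the configured `X_key_TA`; the sentence should say the key is the TA's own `jwks` as published in its Entity Configuration. The enclosing test object continues past the end of the hunk.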
@@ -19080,27 +18838,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -19110,27 +18862,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the introspection_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.introspection_endpoint",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
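Review bot: This test's `name` and `description` are byte-identical to the one in the previous hunk; only `"message type"` differs (TA RP here, TA OP there), so a report will show two indistinguishable "Does the TA correctly sign the Entity statements" results and a failure cannot be attributed to either statement. Naming the subject in each, e.g. `"name": "Does the TA correctly sign the Entity Statement issued for the RP"` here and `"… for the OP"` in the previous hunk, keeps them apart. The `decode param`/`decode regex` inconsistency already raised two hunks earlier applies to this hunk as well. The enclosing test object continues past the end of the hunk.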
@@ -19140,87 +18886,105 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
+ ]
 }
 ]
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain the organization_name claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
+ ]
 }
 ]
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain the policy_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
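Review bot: The two `sa_profile` value tests in this hunk read `"Entity Statement response TA OP"` and `"Entity Statement response TA RP"`, yet the presence test for the same claim in the hunk at new line 18777 reads `"Entity Statement response TA SA"`; an OP or RP statement is not expected to carry an SA Trust Mark, so unless this is deliberate the message type looks copied from the neighbouring tests and the tests will fail for the wrong reason. Both tests also share the same `name`, so a report cannot say which statement failed. `"result"` changes from the string `"correct flow s1"` to the array `["s1"]` only in these two tests within the visible hunks; if the other tests keep the string form, the field now has two types, which the runner may or may not tolerate. In the third test, `"is": "application/entity-statement+jwt"` is an exact match, so a server that appends a media-type parameter such as `; charset=utf-8` fails it; a prefix or contains comparison would be more robust if the DSL has one. The last test object continues past the end of the hunk.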
@@ -19230,25 +18994,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19260,25 +19031,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19290,25 +19068,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19320,25 +19105,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
  }
  ]
  }
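Review bot: The name and description of this test say the `claims` value "has to be a list of JSON Objects", but the embedded schema `{"type": "object", "additionalProperties": {"type": "object"}}` accepts only a JSON object whose members are objects and rejects a list, so the test and its documentation disagree and one of them will never match a conforming Trust Mark. If a list is intended the schema should read `{"type": "object", "properties": {"claims": {"type": "array", "items": {"type": "object"}}}, "required": ["claims"]}`; otherwise the description should say an object of objects. The `Entity Statement response TA RP` copy of this test further down has the same mismatch.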
@@ -19350,25 +19142,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the claims_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.claims_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ }
+ ]
  }
  ]
  }
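Review bot: The keyword in this schema is spelled `"required "` with a trailing space, so a JSON Schema validator treats it as an unknown keyword and ignores it: a Trust Mark with no `email` claim passes this test, and only a present-but-non-string `email` is rejected. The schema should end `"required":["email"]}`. The same defect, extended to every keyword and with `\u00a0` characters mixed in, affects the two `organization_name` tests and the TA RP copy of this `email` test, where `"type "`, `"properties "`, `"format "` and `"required "` all carry a trailing space and the schema therefore constrains nothing; all four strings should be rewritten with exact keyword names and checked with a strict validator before merging.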
@@ -19380,25 +19179,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19410,25 +19216,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19440,25 +19253,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
  }
  ]
  }
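Review bot: The description says `logo_uri` "has to be an URL", but `"format": "uri-reference"` also admits relative references and the empty string, and `format` is an annotation in JSON Schema unless the validator runs with format assertion enabled, in which case this check reduces to `"type": "string"`. If an absolute URL is required, `"format": "uri"` (as the `ref` test in this file already uses) is the closer constraint, and it is worth confirming that the tool's `json schema compliant` check enforces formats at all. The same applies to the `policy_uri`, `service_documentation`, `sub` and `tos_uri` tests and to their TA RP copies.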
@@ -19470,25 +19290,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
  }
  ]
  }
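Review bot: Setting aside the trailing spaces in its keywords, this schema constrains `organization_name` to the enum `private`/`public`, which looks like a public/private classification of the organization rather than its name; once the keywords are spelled correctly the test would reject every real organization name. Confirm against the Trust Mark profile which claim carries that classification and attach the enum to that claim, keeping `organization_name` at `{"type": "string"}`. The TA RP copy of this test has the same schema.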
@@ -19500,25 +19327,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_methods_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19530,25 +19364,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_modes_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
  }
  ]
  }
@@ -19560,25 +19401,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the response_types_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_types_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19590,25 +19438,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the revocation_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19620,25 +19475,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19650,25 +19512,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the scopes_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.scopes_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
  }
  ]
  }
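Review bot: This schema requires every member of `id_code` to be a JSON object (`"additionalProperties": {"type": "object"}`), which contradicts the `ipa_code` type test earlier in this section that requires `id_code.ipa_code` to be a string; a Trust Mark cannot satisfy both, so one of the two tests always fails on a conforming entity. The description only claims that `id_code` is a JSON object, which `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}` expresses without constraining the members.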
@@ -19680,25 +19549,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.subject_types_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19710,25 +19586,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the token_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19740,25 +19623,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19770,25 +19660,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19800,25 +19697,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the userinfo_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
+ ]
  }
  ]
  }
@@ -19830,25 +19734,32 @@
  },
  {
  "test": {
- "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
  }
  ]
  }
@@ -19860,20 +19771,34 @@
  },
  {
  "test": {
- "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "head",
- "check param": "Location",
- "contains": "code"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -19883,20 +19808,34 @@
  },
  {
  "test": {
- "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "head",
- "check param": "Location",
- "contains": "state"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -19906,20 +19845,34 @@
  },
  {
  "test": {
- "name": "Does the OP contain iss parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "head",
- "check param": "Location",
- "contains": "iss"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -19929,27 +19882,31 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
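Review bot: The description says the Trust Mark under test is the one issued for an AA (oauth_resource profile), but the operation reads `Entity Statement response TA RP` and always takes `$.trust_marks[0].trust_mark`, i.e. the first mark in the RP's statement; if the oauth_resource mark is carried in a different statement or at another index, the policy_uri check runs against an unrelated mark and reports on the wrong entity. Either point the message type at the statement that carries the AA mark or select the mark by its `id` rather than by position — confirm which of the two the tool can express. As in the other trust-mark hunks, `"format": "uri-reference"` admits relative references; `"format": "uri", "pattern": "^https://"` matches what the entity-configuration checks in this file require.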
@@ -19962,29 +19919,31 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
@@ -19997,29 +19956,31 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
@@ -20032,21 +19993,34 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] + } + ] } ] } 
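Review bot: This hunk replaces the only visible signature check on the Entity Configuration (`"jwt check sig": "X_key_OP"`) with a schema check on `sub` inside an unverified trust mark, and the two hunks that follow drop the Access Token and ID Token `jwt check sig` tests the same way. If these signature tests were relocated elsewhere in the reordered file this is fine, but if not, the passive suite no longer verifies any JWS in the federation flow and every structural check below runs on unauthenticated claims; please confirm the relocation in the PR description. The new `sub` check uses `"format": "uri-reference"`; an Entity Identifier is an absolute https URL, as the issuer check in this file assumes, so `"format": "uri", "pattern": "^https://"` is the right constraint here too.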
@@ -20056,21 +20030,34 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] + } + ] } ] } 
@@ -20080,21 +20067,34 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] + } + ] } ] } 
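Review bot: The id_code schema on the added `json schema compliant` line requires every member of `id_code` to itself be a JSON object (`"additionalProperties": {"type": "object"}`), while the description only asks that id_code be a JSON object; if the members are identifier strings, as the claim name suggests, every valid trust mark fails this test. Unless the profile really nests objects inside id_code, the member type should be a non-empty string, and `minProperties` is needed to reject an empty `{}` — confirm against the trust-mark profile. Proposed line: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"minProperties\": 1, \"additionalProperties\": {\"type\": \"string\", \"minLength\": 1}}}, \"required\": [\"id_code\"]}"`.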
@@ -20104,8 +20104,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -20121,8 +20121,13 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -20134,8 +20139,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
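Review bot: The new check in the second hunk reads `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of`, but in an Entity Configuration that claim is a plain array of algorithm names; as far as I can tell `one_of` is a metadata-policy operator that lives under `metadata_policy` in a superior's Entity Statement, not in the entity's own metadata. On the Entity Configuration the path resolves to nothing, and unless the tool fails a `not contains` on a missing path the test passes vacuously and never rejects `none` or an HMAC algorithm. Drop the suffix: `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",` (the token_endpoint_auth_signing_alg_values_supported check that follows has the same suffix). The enclosing test objects start and end outside these hunks.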
@@ -20151,8 +20156,13 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -20164,8 +20174,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -20176,13 +20186,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } @@ -20194,8 +20204,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
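Review bot: The issuer schema added in the third hunk ends with a stray parenthesis — `...\"required\":[\"issuer\"]})"` — so the string is not valid JSON and the validator will either throw or reject every payload; the test can never report on the actual issuer value. The line should be `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]}"`. The first hunk's `token_endpoint_auth_signing_alg_values_supported.one_of` path has the same issue as the dpop check above: `one_of` is a policy operator and does not exist in the entity's own metadata, so the `not contains` check runs on a missing path. The test objects start outside these hunks.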
@@ -20206,13 +20216,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -20224,8 +20234,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -20241,8 +20251,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
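Review bot: The trust_marks schema in the third hunk types the claim as `"type": "object"` with array-valued members, while the description says "It must be an array" and the trust-mark hunks in this same file index it as `$.trust_marks[0].trust_mark`; a conformant `[{"id": ..., "trust_mark": ...}]` value therefore fails this test and an object passes. Proposed line: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}}, \"required\": [\"trust_marks\"]}"`. The logo_uri schema in the first hunk carries the same stray `)` after its closing brace as the issuer schema (`...\"required\":[\"logo_uri\"]})"`) and is not parseable as JSON; remove it.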
@@ -20254,8 +20264,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -20271,8 +20281,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -20284,8 +20294,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -20301,8 +20311,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
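Review bot: The names now read "correct exp parameter" / "correct iat parameter" but the descriptions still say only that "the presence ... is checked", while the schemas in the second and fourth hunks assert an integer ≥ 0; align the descriptions with what is evaluated, e.g. "...and the exp parameter is checked: it must be present and a non-negative integer (NumericDate)". Neither hunk relates the two values; what makes an expiry "correct" is `exp` greater than `iat` (and not in the past at capture time), which is worth a separate test if the tool can compare two claims. Both test objects extend beyond the hunks.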
@@ -20314,8 +20324,8 @@ }, { "test": { - "name": "Does the AA metadata contain op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -20326,13 +20336,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata.openid_provider.op_policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -20344,8 +20354,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
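Review bot: The second hunk rewrites the extraction regex from `[^\n\r]*` to `[^\r\n]*`, and the issuer/logo_uri hunks above do the reverse; the two character classes are identical, so these edits are pure churn that hides the real changes in an already very large diff. Pick one spelling — `[^\r\n]*` is the one the trust-mark hunks use — and leave the other hunks untouched. The "JSON Object" schema in the same hunk accepts an empty `{}` as metadata; if at least one entity type is expected, `{\"metadata\": {\"type\": \"object\", \"minProperties\": 1}}` turns the check into one that can actually fail.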
@@ -20353,12 +20363,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } @@ -20368,8 +20384,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
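Review bot: The metadata schema in the first hunk lists all six entity types under `"required"`, so an AA Entity Configuration that publishes, say, only `federation_entity` and `oauth_authorization_server` fails, although the description only says the keys "must be a value among" the six; `"additionalProperties": false` already enforces the allow-list, so `required` should be dropped (or limited to the types this entity must publish). Proposed line: `"json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"additionalProperties\": false, \"minProperties\": 1}"`. The "only once for each" part of the description cannot be established after parsing — a JSON parser keeps a single value per duplicated key — so it would need a check on the raw payload text; say so in the description or drop the claim. The second hunk's description says "SA metadata in the TA Entity Configuration" for what the name calls an AA test; fix the copy-paste.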
@@ -20380,13 +20396,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -20398,8 +20414,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -20407,11 +20423,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + } + ] } ] } 
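Review bot: The third hunk looks for the `resource` claim under `$.metadata.federation_entity`, whereas the description calls it part of the AA metadata and the metadata types this file enumerates include `oauth_resource`, which is where a protected-resource identifier would be expected to live; if the AA profile puts it there, this test fails on every conformant configuration — confirm the entity type before merging. The `.svg` constraint in the first hunk, `^https://.*\\.svg$`, is fine as a pattern, but the description "an URL with an .svg file" should say that the path must end in `.svg` so a failure message matches the rule. The test objects start outside these hunks.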
@@ -20421,8 +20444,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -20430,11 +20453,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + } + ] } ] } @@ -20444,8 +20474,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" 
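Review bot: The second hunk checks that `authorization_endpoint` under `$.metadata.federation_entity` has the constant value `"private"`, which cannot be right: the presence test later in this file reads the claim from `oauth_authorization_server`, an authorization endpoint is a URL, and the `"private"` literal looks copied from an organization-type check. As written the test fails on every conformant configuration. Proposed: `"check": "$.metadata.oauth_authorization_server",` and `"json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://\"}},\"required\": [\"authorization_endpoint\"]}"`, with the first hunk's name/description changed to "is an HTTPS URL". The op_policy_uri description in the third hunk also says the value 'is "private"' while its schema (next hunk) checks a URI; fix that description too.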
@@ -20461,8 +20491,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } @@ -20474,8 +20504,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20486,13 +20516,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "is present": "true" } ] } 
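Review bot: The third hunk renames the extraction key from `decode param` to `decode regex` for the same `[^\r\n]*` pattern, while the hunks just above (issuer, logo_uri, trust_marks, exp, iat, metadata) keep `decode param` with that regex, and the trust-mark hunks use `decode param` for a JSONPath. If mig-t distinguishes the two keys (regex vs. JSONPath), the tests left on `decode param` with a regex extract by the wrong mechanism; if it does not, the rename is churn — either way the file should settle on one key per mechanism, `decode regex` for `[^\r\n]*` everywhere. The op_policy_uri schema in the first hunk uses `"format": "uri"` alone; `"pattern": "^https://"` as in the issuer check would reject plain-http policy pages. The test objects start outside these hunks.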
@@ -20504,8 +20534,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain the contacts claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20516,13 +20546,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } @@ -20534,8 +20564,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -20546,13 +20576,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "is present": "true" } ] } @@ -20564,8 +20594,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain the federation_resolve_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20576,13 +20606,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -20594,8 +20624,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20606,13 +20636,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } 
@@ -20624,8 +20654,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain the grant_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20636,13 +20666,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "is present": "true" } ] } 
@@ -20654,8 +20684,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the AA metadata contain the homepage_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20666,13 +20696,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } @@ -20684,8 +20714,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", + "name": "Does the AA metadata contain the issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -20696,13 +20726,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
+ "check": "$.metadata.oauth_authorization_server.issuer",
+ "is present": "true"
 }
 ]
 }
@@ -20714,8 +20744,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type authorization_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
+ "name": "Does the AA metadata contain the jwks claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20726,13 +20756,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
+ "check": "$.metadata.oauth_authorization_server.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -20744,8 +20774,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
+ "name": "Does the AA metadata contain the logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20756,13 +20786,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -20774,8 +20804,8 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the AA metadata contain the op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20783,11 +20813,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.op_policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -20797,20 +20834,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the AA metadata contain the op_tos_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.op_tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -20820,8 +20864,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",
+ "name": "Does the AA metadata contain the organization_name claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20837,11 +20881,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -20853,8 +20894,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']",
+ "name": "Does the AA metadata contain the policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20870,10 +20911,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of",
- "is in": [
- "private_key_jwt"
- ]
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -20885,8 +20924,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
+ "name": "Does the AA metadata contain the resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20902,11 +20941,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.metadata.oauth_resource.resource",
+ "is present": "true"
 }
 ]
 }
@@ -20918,8 +20954,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the AA metadata contain the response_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20930,18 +20966,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.oauth_authorization_server.response_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -20953,8 +20984,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the AA metadata contain the scopes_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20965,18 +20996,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.oauth_authorization_server.scopes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -20988,8 +21014,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the authorization_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the token_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21005,7 +21031,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.authorization_endpoint",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint",
 "is present": "true"
 }
 ]
@@ -21018,8 +21044,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the contacts claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21035,7 +21061,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
 "is present": "true"
 }
 ]
@@ -21048,8 +21074,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21065,7 +21091,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -21078,8 +21104,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does entity configuration AA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21090,13 +21116,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_key_AA"
 }
 ]
 }
@@ -21108,8 +21134,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
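Review bot: In the `@@ -21090` hunk the new check `"check": "$.sub", "is": "X_key_AA"` compares `sub` with a fixed placeholder, while the test's description says the value must equal the `iss` of the same payload; as written the test cannot express that relation, so either the description should say that `sub` is compared with the configured entity identifier, or the check needs a cross-claim comparison if the tool offers one. The same `X_key_AA` identifier is passed to `jwt check sig` in the `@@ -21480` hunk, where it names a verification key rather than an entity identifier, so the two placeholders look conflated. This hunk also flips `decode regex` back to `decode param` with a regex value, the opposite of what the hunks from `@@ -20636` to `@@ -20965` do; the same spelling recurs in the hunks at `@@ -21240`, `@@ -21270`, `@@ -21300`, `@@ -21330`, `@@ -21360`, `@@ -21390`, `@@ -21420`, `@@ -21450`, `@@ -21480` and in the RP file's `@@ -7` hunk. If only one of the two keys is recognized by the tool, those tests would presumably lose their decode step and pass or fail for the wrong reason, so one spelling should be used throughout the plan.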
@@ -21117,18 +21143,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -21138,8 +21157,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the grant_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21147,18 +21166,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.grant_types_supported",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
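Review bot: The tests added in the `@@ -21117` and `@@ -21147` hunks have identical operations — both run only `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` against the head of the same `Entity Configuration response AA` — so the second test ("Does the Entity expose the /.well-known/openid-federation endpoint") cannot fail independently of the first, and its description promises that the entity configuration is returned, which nothing in its checks inspects. Either drop the duplicate or give the second test a body check, for example the JOSE-format regex used in the next hunk, so that the test name matches what is actually verified.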
@@ -21168,8 +21180,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the homepage_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21177,18 +21189,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
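Review bot: The JOSE-format regex in the `@@ -21177` hunk, `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)`, uses `\\w` for the header and payload segments, which excludes `-`, a character of the base64url alphabet (RFC 4648 §5), while the signature group admits `+` and `/` that base64url does not use; an entity configuration whose header or payload encodes to a string containing `-` therefore fails this test even though it is a valid compact JWS. A consistent alphabet for all three parts would be `"check regex": "([\\w-]+)\\.([\\w-]+)\\.([\\w-]+)"`. Compact serialization omits `=` padding (RFC 7515 §2), so keeping `=` in the classes is harmless but misleading about what is accepted.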
@@ -21198,27 +21203,20 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.issuer",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
@@ -21228,8 +21226,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the jwks claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
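Review bot: The leading `[` in the resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` (first hunk on this line) is unescaped, so it opens a character class that the first `]` closes, and the pattern no longer means "a JSON array of strings at the end of the body"; it effectively only requires a quote followed by optional `,"…"` items and a trailing `]`. The intended literal bracket needs escaping: `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Separately, the description expects the resolved metadata in the response; if the implementation returns the resolve response as a signed JWT rather than plain JSON, a body regex for a JSON array would not match it, so it is worth confirming what the `Resolve Entity Statement response` message type carries before relying on this check.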
@@ -21240,12 +21238,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.jwks",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -21258,8 +21256,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21270,12 +21268,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -21288,8 +21286,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21300,12 +21298,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_policy_uri",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -21318,8 +21316,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the op_tos_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21330,12 +21328,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_tos_uri",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -21348,8 +21346,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the organization_name claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21360,12 +21358,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -21378,8 +21376,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21390,12 +21388,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
+ "check": "$.metadata",
 "is present": "true"
 }
 ]
@@ -21408,8 +21406,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21420,12 +21418,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_resource.resource",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -21438,8 +21436,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the response_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21450,12 +21448,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.response_types_supported",
+ "check": "$..metadata.openid_provider.op_policy_uri",
 "is present": "true"
 }
 ]
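Review bot: The test in the `@@ -21450` hunk checks `$..metadata.openid_provider.op_policy_uri` in the AA entity configuration, but `openid_provider` is the OP entity type, and the AA's `op_policy_uri` is already covered under `oauth_authorization_server` by the test added in the `@@ -20783` hunk; this looks like a leftover from the OP plan rather than an AA requirement. It also uses the recursive-descent form `$..` while every other check in this file uses `$.`, so it would match a nested object of that name as well as the top-level metadata. Either remove the test or align it with its neighbours, `"check": "$.metadata.oauth_authorization_server.op_policy_uri"`, and spell the decode regex `[^\\r\\n]*` as the surrounding tests do.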
@@ -21468,8 +21466,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the scopes_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21480,15 +21478,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.scopes_supported",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_AA"
 }
 ]
 }
@@ -21498,8 +21490,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
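Review bot: The signature test in the `@@ -21480` hunk validates with `"jwt check sig": "X_key_AA"`, a key identifier configured in the plan, whereas its description states that the public key must be taken from the superior's Entity Statement; the two do not match, and a reader of the description would expect a chain-based check that this operation does not perform. If the tool can only verify against a configured key, the description should say so — for example "the signature is verified with the configured AA public key" — and the placeholder should be named so that it is distinguishable from the entity identifier expected by the `sub` check earlier in this file.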
@@ -21515,8 +21507,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -21529,7 +21524,7 @@
 {
 "test": {
 "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21545,8 +21540,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
@@ -21558,8 +21555,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21575,8 +21572,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -21588,8 +21588,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21597,12 +21597,12 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "jwt check sig": "X_key_AA"
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
index 0d827ef..93afcff 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
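Review bot: The Content-Type check in the `@@ -21597` hunk uses an exact `"is": "application/entity-statement+jwt"` comparison, which presumably fails if the header carries a parameter (for example `application/entity-statement+jwt; charset=utf-8`) or differs in case, even though such values are valid media-type syntax; if the tool supports it, a `contains` check or a regex such as `^application/entity-statement\\+jwt(;.*)?$` with case-insensitive matching would be more robust, otherwise the description should state that parameters are not tolerated. Also, `"url decode": false` is a JSON boolean while every `"is present"` in this file is the string `"true"`; one convention should be used for boolean options across the plan.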
@@ -7,25 +7,27 @@ "tests": [ { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] } ] } 
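Review bot: The forbidden algorithm is spelled `RSA_1_5` in the new `not contains` list, but the JWA registered identifier (RFC 7518 §4.1) is `RSA1_5`, with no underscore, so an RP that advertises `"id_token_encrypted_response_alg": "RSA1_5"` (RSAES-PKCS1-v1_5, the padding vulnerable to Bleichenbacher-style oracles) passes this test untouched. Change it to `"not contains": ["RSA1_5"]` and fix the same spelling in the description. The same identifier should be checked in the other test files this commit adds or rewrites, since the diffstat shows several new `*-type.json`/`*-value.json` metadata tests.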
@@ -37,27 +39,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.aud", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
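Review bot: The new `json schema compliant` check is applied to `$` of the Introspection request body, which for an RP-to-OP introspection call is normally `application/x-www-form-urlencoded` rather than JSON; the test it replaces used `check regex` on the body, which suggests the body was not previously treated as a JSON document. Confirm that mig-t converts form bodies into a JSON object before schema validation; if it does not, the schema never loads and the test reports an error for every RP instead of evaluating `client_id`. Should that be the case, the same intent can be kept with a body regex on the percent-encoded value, e.g. `"check regex": "client_id=https(%3A|:)(%2F|/){2}"`.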
@@ -67,27 +62,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -97,27 +85,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.client_id", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } @@ -127,8 +108,8 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" 
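Review bot: The schema string in the Token request hunk ends with a stray parenthesis, `\"required\":[\"client_id\"]})"`, so it is not valid JSON and the validator will reject the schema before any `client_id` value is inspected; the identical schemas in the Introspection and Revocation tests end correctly with `}`. Drop the `)` so the value ends `...\"required\":[\"client_id\"]}"`. Since this is the test that enforces an HTTPS `client_id` at the token endpoint, a schema-load error here must not be mistaken for a pass.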
@@ -143,9 +124,17 @@ "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } @@ -157,8 +146,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" @@ -174,8 +163,11 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } 
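Review bot: The `is in` list for `acr_values` enumerates only the ascending-ordered combinations, but `acr_values` is a space-separated list whose order expresses preference (OIDC Core 3.1.2.1), so a compliant request carrying `https://www.spid.gov.it/SpidL3 https://www.spid.gov.it/SpidL2` is reported as non-compliant; the `prompt` check in the last hunk has the same problem with `login consent` versus the listed `consent login`. If the tool accepts a JSON schema here (as the `state` test in this file does), an order-independent pattern such as `"pattern": "^https://www\\.spid\\.gov\\.it/SpidL[123]( https://www\\.spid\\.gov\\.it/SpidL[123])*$"` covers every valid value; for `prompt` the equivalent is `^(consent|login)( (consent|login))?$`. The description's "each of them separated by a single space" is correct and should stay.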
@@ -187,8 +179,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" @@ -204,8 +196,15 @@ "checks": [ { "in": "payload", - "check": "$.nonce", - "is present": "true" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] } ] } @@ -217,8 +216,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" 
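Review bot: The `is in` list for `scope` does not match its description: the description allows `offline_access`, `profile` and `email` to be appended to `openid`, yet the list has no entry combining `profile` and `email` (e.g. `openid profile email`, `openid offline_access profile email`) and, like the `acr_values` check, it depends on the order of the space-separated values. A pattern check such as `^openid( (offline_access|profile|email))*$` accepts every combination the description permits in any order and still rejects unknown scopes. The `state` test renamed in the last hunk says "greater than 32 characters" while its description says "at least 32"; the `{32,}` quantifier used for it in the next hunk means "at least", so the name should say so.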
@@ -234,8 +233,8 @@ "checks": [ { "in": "payload", - "check": "$.prompt", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } @@ -247,8 +246,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" @@ -264,8 +263,8 @@ "checks": [ { "in": "payload", - "check": "$.redirect_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } 
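Review bot: Both descriptions say the `state` and `nonce` values must be "alphanumeric", but the pattern `^[\\u0020-\\u007E]{32,}$` accepts any printable ASCII including spaces and punctuation, so the text and the check disagree; since nothing visible here justifies restricting the character set, the safer fix is the wording, e.g. "at least 32 printable ASCII characters". It is also worth stating in the descriptions that a length check is only a proxy: it cannot distinguish 32 characters of CSPRNG output from a zero-padded counter or timestamp, and unpredictability is what makes `state` effective against CSRF and `nonce` against ID token replay. Suggested addition: "This passive test verifies length only; the randomness of the generator must be confirmed by code review."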
@@ -277,25 +276,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.response_type", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
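Review bot: The test is renamed to check a "correct" `exp`, but the schema `{\"exp\":{\"type\":\"integer\",\"minimum\":0}}` only confirms the type, so an Entity Configuration that is already expired, or whose `exp` is not after `iat`, still passes, and the description still says only that "the presence of the exp parameter is checked". If mig-t offers a time comparison on decoded JWT claims, add it here (for an Entity Configuration `exp` must be later than the response time and than `iat`); otherwise keep the name and description honest, e.g. "checks that exp is a non-negative integer (NumericDate); expiry is not evaluated". The same applies to the `iat` test in the next hunk.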
@@ -307,25 +306,25 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -337,25 +336,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.state", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -367,25 +366,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
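Review bot: The schema lists all six metadata types under `required`, so an RP Entity Configuration that publishes only `openid_relying_party` and `federation_entity` — the normal RP case, and what the other tests in this file assume — fails this test, although the description says each key must merely be "a value among" the allowed types. Remove the `required` array and keep `\"additionalProperties\": false`, which is what actually enforces the allowed set; the "cannot be repeated" rule needs no schema keyword, since a JSON object cannot carry a repeated key once parsed (a duplicate-key response would have to be caught on the raw body, if mig-t can do that). If an RP must always publish `openid_relying_party` and `federation_entity`, list only those two in `required`.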
@@ -397,25 +396,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } @@ -427,8 +426,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" 
@@ -439,13 +438,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } @@ -457,8 +456,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -474,8 +473,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } @@ -487,8 +486,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" 
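Review bot: The `grant_types` type check uses `\"requirement\":[\"grant_type\"]` — `requirement` is not a JSON Schema keyword and `grant_type` is not the property name — so the keyword is ignored and the schema accepts an `openid_relying_party` object with no `grant_types` at all. Replace it with `\"required\":[\"grant_types\"]`, matching the other schemas in this hunk. The presence test, this type test and the enum test in the following hunk all target the same property; a single schema with `type`, `items.enum`, `minItems: 1` and `required` would express all three and avoid the drift seen here.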
@@ -504,8 +503,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } @@ -517,8 +516,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -529,13 +528,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -547,8 +546,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" 
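Review bot: The `logo_uri` pattern `^(https?://).*\\\\.svg$` accepts plain `http://`, while every other URL check in this patch (`client_id`, `redirect_uris`) requires `^https://`; a logo fetched over HTTP can be substituted in transit and is what the OP shows the user on the consent page, so if the SPID/CIE profile requires HTTPS for `logo_uri` the pattern should be `^https://.*\\\\.svg$`. I could not confirm the profile's requirement from the visible text, so at minimum the description should say that `http://` is accepted deliberately. The `grant_types` enum schema in the first hunk looks right; adding `\"minItems\": 1` would also reject an empty array.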
@@ -559,14 +558,14 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" - } + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + } ] } ] @@ -577,8 +576,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" @@ -594,8 +593,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } 
@@ -607,25 +606,25 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } @@ -637,8 +636,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" 
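Review bot: In the `aud` schema `{\"aud\":{\"type\":\"array\",\"format\":\"uri-reference\"}}` the `format` keyword applies only to strings, so on an array it is silently ignored and nothing checks that the elements are URLs, contrary to the description "Its value must be an URL"; in addition, a `client_assertion` whose `aud` is a single string (permitted by RFC 7523 §3 / RFC 7519) fails the `type: array` check outright. Use `\"aud\": {\"oneOf\": [{\"type\":\"string\",\"pattern\":\"^https://\"},{\"type\":\"array\",\"minItems\":1,\"items\":{\"type\":\"string\",\"pattern\":\"^https://\"}}]}`, or only the array branch if the SPID/CIE profile mandates an array, so that an assertion addressed to an arbitrary non-HTTPS audience is actually rejected. Ideally `aud` would be compared with the OP's token endpoint URL, which prevents the assertion being replayed against another endpoint; that needs the session's OP URL and is probably beyond a passive check.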
@@ -654,8 +653,8 @@ "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -667,8 +666,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" @@ -684,8 +683,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -697,24 +696,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_relying_party.client_id", "is present": "true" } ] @@ -727,24 +726,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.metadata.openid_relying_party.client_registration_types", "is present": "true" } ] 
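Review bot: The rewritten decode operations use the key `"decode regex": "[^\\r\\n]*"`, while every other Entity Configuration test in this file (the `client_id`, `exp`, `iat` and `metadata` tests above) uses `"decode param": "[^\\r\\n]*"` for the same extraction; unless mig-t accepts both keys, these tests decode nothing and either error out or pass vacuously. Use the key the rest of the file uses, and confirm against the mig-t test-language definition which one is valid. Separately, these hunks and the following ones drop the `client_assertion` checks for `jti`, `sub` and `iss`; `jti` in particular is what lets the OP detect assertion replay, so if those tests were not moved to another file in this commit they should be kept alongside the new metadata presence tests.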
@@ -757,24 +756,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] @@ -787,24 +786,24 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -817,8 +816,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" @@ -826,12 +825,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" + } + ] } ] } 
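Review bot: The Content-Type check on the RP's `/.well-known/openid-federation` response is removed here and its slot reused for a `grant_types` presence test; the equivalent check added in this commit is bound to the `Entity Configuration response AA` message type, so it does not cover the RP, and the RP file is left without any check that the Entity Configuration is served as `application/entity-statement+jwt`. Keep the Content-Type test and add the `grant_types` test as a new entry. Note also that a `grant_types` presence test with the same JSONPath is added again later in this file ("Does the RP metadata contain the 'grant_types' parameter"), so one of the two is redundant.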
@@ -841,20 +846,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" + } + ] } ] } 
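Review bot: The `code_challenge` presence check on the Authentication request is replaced here by a `homepage_uri` presence test, and the next hunk does the same with `code_challenge_method`; together they were the only visible tests that the RP uses PKCE. SPID/CIE mandate PKCE on the authorization code flow, and an RP without it is exposed to authorization-code interception, so unless these checks were moved to another file in this commit they should stay — preferably tightened from presence to value, e.g. `"in": "url", "check param": "code_challenge_method", "is": "S256"` if mig-t's URL checks support `check param`/`is` the way its header checks do. Since the request parameters are also carried in the signed `request` JWT, the same two checks could be added on the decoded payload (`$.code_challenge`, `$.code_challenge_method`).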
@@ -864,20 +876,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" + } + ] } ] } 
@@ -887,20 +906,27 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" + } + ] } ] } @@ -910,20 +936,27 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" + } + ] } ] } 
@@ -933,20 +966,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion",
- "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the RP metadata contain the 'grant_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.grant_types",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -956,20 +996,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion_type",
- "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.jwks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -979,20 +1026,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
- "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
+ "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.signed_jwks_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1002,20 +1056,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1025,20 +1086,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the token",
- "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.jwks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1048,20 +1116,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request use HTTP POST",
- "description": "The Introspection request made by the RP use HTTP POST",
+ "name": "Does the RP metadata contain the logo_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
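Review bot: The first hunk here (new lines 1086–1112) adds a second test named "Does the RP metadata contain the 'jwks' parameter" with the same JSONPath `$.metadata.openid_relying_party.jwks` as the test added at new line 996 in L4825; the two differ only in the description's trailing sentence, so one appears to be a copy-paste leftover and should be dropped or retargeted (for example to `jwks_uri`, if that is what was intended). If the test is kept, the description also has a typo: `"... If it is absent, then the RP is not compliant with the specification"`.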
@@ -1071,20 +1146,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client assertion",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the RP metadata contain the organization_name claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1094,20 +1176,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client_assertion_type",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the RP metadata contain the policy_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1117,20 +1206,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client_id of the RP making the request",
- "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1140,20 +1236,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the token for which the request is made",
- "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1163,20 +1266,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion",
- "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1186,20 +1296,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion_type",
- "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
+ "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1209,20 +1326,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_id",
- "description": "The token request sent by the RP must contain client_id parameter in the URL",
+ "name": "Does the RP metadata contain the 'response_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.response_types",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1232,20 +1356,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the code parameter",
- "description": "The token request sent by the RP must contain code parameter in the URL",
+ "name": "Does the RP metadata contain correct value of 'client_id' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "code"
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.client_id",
+ "is": "x_https_RP"
+ }
+ ]
 }
 ]
 }
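Review bot: The second hunk here (new line 1356 onwards) expects the RP's client_id to equal the placeholder `"x_https_RP"`, while the token-request test added in L4834 compares the same client_id against `"X_https_RP"` and the introspection test in L4833 against `"X_url_RP"`; if mig-t resolves these placeholders case-sensitively, the lowercase one will never match and the test fails regardless of the RP. The same hunk also uses `"decode param": "[^\\n\\r]*"` where every other new metadata test in this file uses `"decode regex": "[^\\r\\n]*"` for the identical purpose — whether mig-t accepts a regex under `decode param` cannot be told from here, so the two keys should be unified, e.g. `"decode regex": "[^\\r\\n]*",` and `"is": "X_https_RP"`. The placeholder spelling in L4832 (`X_url_RP` for `$.sub`) should be aligned with the same decision.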
@@ -1255,20 +1386,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the code_verifier parameter",
- "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
+ "name": "Does entity configuration RP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "code_verifier"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_RP"
+ }
+ ]
 }
 ]
 }
@@ -1278,20 +1416,20 @@
 },
 {
 "test": {
- "name": "Does the token request contain the grant_type parameter",
- "description": "The token request sent by the RP must contain grant_type parameter in the URL",
+ "name": "Does the Introspection Request contain correct type of client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Introspection request",
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "grant_type"
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
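Review bot: The first hunk's description says the `sub` value "must be equal to the one in the iss parameter", but the check compares `$.sub` against the fixed placeholder `"X_url_RP"` and never reads `$.iss`, so the test passes an Entity Configuration whose `sub` and `iss` disagree as long as `sub` matches the placeholder. Either the description should state what is actually verified, or the check should compare the two claims (the file's `jwt save`/`use variable` mechanism appears suited to that; the tool's semantics cannot be confirmed from here). In the second hunk the description spells the URN as `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` while the check uses the correct `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the same misspelling recurs in the descriptions added in L4833 and L4834 (`jwtbearer`), so a reader comparing description and check would think one of them is wrong.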
@@ -1301,8 +1439,31 @@
 },
 {
 "test": {
- "name": "Does the RP revoke the Token when the User logs out",
- "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",
+ "name": "Does the Introspection Request contain correct client id of the RP making the request",
+ "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP",
+ "type": "passive",
+ "sessions": [
+ "s_CIE_introsp"
+ ],
+ "operations": [
+ {
+ "message type": "Introspection request",
+ "checks": [
+ {
+ "in": "body",
+ "check": "client_id",
+ "is": "X_url_RP"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Revocation Request contain correct client_assertion_type",
+ "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1313,8 +1474,8 @@
 "checks": [
 {
 "in": "body",
- "is present": true,
- "check regex": "token"
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
@@ -1324,20 +1485,20 @@
 },
 {
 "test": {
- "name": "Does the RP contain the Access Token in the UserInfo request",
- "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
+ "name": "Does the client_assertion_type parameter in the token request contain the correct type",
+ "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo request",
+ "message type": "Token request",
 "checks": [
 {
- "in": "head",
- "is present": true,
- "check param": "Authorization"
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
@@ -1347,27 +1508,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct value of 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP",
+ "name": "Does the client_id in the token request identifies the RP",
+ "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\n\\r]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "is": "x_https_RP"
- }
- ]
+ "in": "body",
+ "check": "client_id",
+ "is": "X_https_RP"
 }
 ]
 }
@@ -1377,32 +1531,48 @@
 },
 {
 "test": {
- "name": "Does entity configuration RP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
- "type": "passive",
+ "name": "Does the Revocation Request contain correct client_id of the RP making the request",
+ "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "edit operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_RP"
- }
- ]
+ "value": "https://example.com",
+ "edit regex": "(?<=client_id=)([^&]+)"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ },
+ {
+ "in": "body",
+ "check": "invalid_client"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
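Review bot: The two checks on the Revocation response (`"check regex": "HTTP/?\\d?\\.?\\d?\\s401"` and `"check": "invalid_client"`) carry no predicate, whereas every other check in this file pairs `check`/`check regex` with `"is present"`, `"is"` or `"is in"`; if mig-t needs the predicate to decide pass/fail, this active test asserts nothing and `"result": "assert_only"` would report success on any response. The replacement value `"https://example.com"` is written into an `application/x-www-form-urlencoded` body unencoded; a strict server may decode it differently from the percent-encoded form, so `"value": "https%3A%2F%2Fexample.com"` is the safer literal. Note also that the status regex is unanchored and would match a `401` appearing in any header line, so `"check regex": "^HTTP/\\d(?:\\.\\d)?\\s401"` pins it to the status line.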
@@ -1453,42 +1623,20 @@
 },
 {
 "test": {
- "name": "Does the JWT payload contain a correct sub claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value",
- "type": "active",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token request",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "saved_iss"
- }
- ],
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "$.sub",
- "contains": "saved_iss"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
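Review bot: The JWT pattern `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` allows `-` only in the third group, but JWS segments are base64url, whose alphabet includes `-` as well as `_`; an Entity Configuration whose header or payload encoding happens to contain `-` fails this check even though it is well formed, and the same pattern recurs in L4837, L4840, L4841 and L4843, while L4839 uses a third variant (`[\\w]+` without `=` or `+/`). One shape for all of them, e.g. `"check regex": "([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]*)"`, avoids the false negative and the drift. The description also promises `Content-Type: application/entity-statement+jwt`, but only the body is inspected; a second check such as `{"in": "head", "check regex": "Content-Type:\\s?application/entity-statement\\+jwt", "is present": "true"}` would cover that claim.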
@@ -1498,23 +1646,20 @@
 },
 {
 "test": {
- "name": "Does the token request contain a correct grant_type parameter",
- "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked",
+ "name": "Does the Introspection Request contain correct type token",
+ "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Introspection request",
 "checks": [
 {
 "in": "body",
- "check regex": "(?<=grant_type=)([^&]+)",
- "is in": [
- "authorization_code",
- "refresh_token"
- ]
+ "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -1524,27 +1669,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
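Review bot: The regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens with an unescaped `[`, so the engine reads `[\s*"[^"]` as a character class and the rest of the pattern no longer describes a JSON array of strings; it will match (or fail) on input unrelated to what the name and description promise. Escaping the bracket and anchoring the start gives the intended shape: `"check regex": "^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Separately, the description expects "the resolved metadata for the entity" and an HTTP 200, while the check only looks for an array of strings in the body and never inspects the status line; whether a bare array is the response format this tool records for the resolve endpoint cannot be confirmed from here, so one of the two should be brought in line with the other.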
@@ -1554,27 +1692,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.",
+ "name": "Does the Revocation Request contain correct type of client assertion",
+ "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}"
- }
- ]
+ "in": "body",
+ "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -1584,27 +1715,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Revocation Request contain correct type of token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "body",
+ "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
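Review bot: The pattern `token=([\\w=]+)...(?:&|$)` is anchored only at its end, so the `token=` prefix also matches inside a longer parameter name that ends in `token` (for example a `refresh_token=` or `access_token=` field, should one ever appear in this body); the same applies to the introspection variant in L4837. Anchoring the parameter name to the start of the body or to a preceding `&` removes that ambiguity: `"check regex": "(?:^|&)token=([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]*)(?:&|$)"`. Since a revocation request may legitimately carry an opaque (non-JWT) token, the test name's "correct type" claim is a profile assumption rather than a generic rule; a comment in the description to that effect would help a reader.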
@@ -1614,29 +1738,22 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the client_assertion in the token request contain a JWT",
+ "description": "The client_assertion parameter in the token request sent by the RP must be a JWT",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
+ }
+ ]
 }
 ],
 "result": "correct flow s1"
@@ -1644,27 +1761,20 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the token request use HTTP POST",
+ "description": "The token request sent by the RP must be sent in HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
- }
- ]
+ "in": "head",
+ "check regex": "POST",
+ "is present": "true"
 }
 ]
 }
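Review bot: `"check regex": "POST"` against the whole head is a substring match, so any header value containing the word POST (a path, a User-Agent, a custom header) satisfies the test even when the method is GET. Assuming the head section begins with the request line, anchoring to it removes the false positive: `"check regex": "^POST\\s"`.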
@@ -1674,27 +1784,20 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the RP contain a valid Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "UserInfo request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\n\\r]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
- }
- ]
+ "in": "head",
+ "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1704,27 +1807,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type of 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\n\\r]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
@@ -1734,27 +1830,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type grant_types claim",
- "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\n\\r]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
@@ -1764,27 +1853,20 @@ }, { "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" - } - ] + "in": "url", + "is present": true, + "check": "client_id" } ] } 
@@ -1794,27 +1876,20 @@ }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } 
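Review bot: The new check only confirms that `response_type` appears in the URL and never compares its value, so `response_type=token` would pass a test for an authorization-code RP. If `code` is the expected value, as the `response_types` metadata test this commit removes later on assumed, pin it: `"check": "response_type", "is": "code"`, provided `is` is accepted for `url` checks as it is for `body`.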
@@ -1824,27 +1899,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
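Review bot: `"check regex": "client_assertion"` is an unanchored substring match on the body, so a request that carries only `client_assertion_type=...` satisfies it; the same applies to every `check regex` presence check in the Introspection, Revocation and Token request hunks that follow (through @@ -2280), where `token` also matches `id_token` and `code` matches `code_verifier`. Anchor each regex to the parameter name so that the check tests the parameter and not a substring, e.g. `"check regex": "(^|&)client_assertion="`, `"(^|&)token="`, `"(^|&)code="`. For `client_id` this also avoids accidental hits inside a base64url-encoded assertion, whose alphabet includes `_`.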
@@ -1854,27 +1922,20 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -1884,27 +1945,20 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
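Review bot: The description says the `client_assertion` value must be a signed JWT structure, but the check only tests that the string `client_assertion` occurs in the body, which makes this test a verbatim duplicate of the one in @@ -1824. Either verify the three-segment shape, for which this file previously carried `"check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)"`, or reword the description to "the presence of the client_assertion parameter is checked". A shape check still says nothing about the signature; a real signature check would need the RP's keys from its Entity Configuration, which the passive test type cannot fetch.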
@@ -1914,27 +1968,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -1944,27 +1991,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
@@ -1974,27 +2014,20 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain a correct iat claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap",
+ "name": "Does the Introspection Request use HTTP POST",
+ "description": "The Introspection request made by the RP use HTTP POST",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Token request",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
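Review bot: `"in": "url", "check": "POST"` looks for something named `POST` in the request URL; if `check` under `url` denotes a query parameter, as the neighbouring `client_id`/`response_type` tests use it, this will never see the HTTP method and the test cannot pass. The POST test this commit removes further down read the method from the head (`"in": "head", "check regex": "POST"`); suggest `"in": "head", "check regex": "^POST "` so the method comes from the request line and the anchor avoids matching `POST` inside a header value.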
@@ -2004,66 +2037,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "active", + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "https://example.com", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, { "in": "body", - "check": "invalid_client" - } - ] - } - ], - "result": "assert_only" - } - }, - { - "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection request", - "checks": [ - { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "is present": true, + "check regex": "client_assertion" } ] } 
@@ -2073,20 +2060,20 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Revocation request", "checks": [ { "in": "body", - "check": "client_id", - "is": "X_url_RP" + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -2096,8 +2083,8 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2108,8 +2095,8 @@ "checks": [ { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "is present": true, + "check regex": "client_id" } ] } 
@@ -2119,20 +2106,20 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Revocation request", "checks": [ { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "is present": true, + "check regex": "token" } ] } @@ -2142,8 +2129,8 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", "type": "passive", "sessions": [ "s1" @@ -2154,8 +2141,8 @@ "checks": [ { "in": "body", - "check": "client_id", - "is": "X_https_RP" + "is present": true, + "check regex": "client_assertion" } ] } 
@@ -2165,20 +2152,20 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -2188,20 +2175,20 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "is present": true, + "check regex": "client_id" } ] } 
@@ -2211,20 +2198,20 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "is present": true, + "check regex": "code" } ] } @@ -2234,20 +2221,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "is present": true, + "check regex": "code_verifier" } ] } 
@@ -2257,20 +2244,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "is present": true, + "check regex": "grant_type" } ] } @@ -2280,20 +2267,20 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Revocation request", "checks": [ { "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "is present": true, + "check regex": "token" } ] } 
@@ -2303,20 +2290,20 @@
 },
 {
 "test": {
- "name": "Does the token request use HTTP POST",
- "description": "The token request sent by the RP must be sent in HTTP POST",
+ "name": "Does the RP contain the Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "UserInfo request",
 "checks": [
 {
 "in": "head",
- "check regex": "POST",
- "is present": "true"
+ "is present": true,
+ "check param": "Authorization"
 }
 ]
 }
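Review bot: The new check only asserts that an `Authorization` header exists; it no longer requires the `Bearer` scheme, so a Basic credential or an empty header value passes a test named "contain the Access Token". Keep the head-level check but pin the scheme, `"check regex": "Authorization:\\s?Bearer\\s\\S+"`, which also accepts opaque access tokens rather than presuming the three-segment JWT shape the removed regex required. `check param` does not occur in any other visible hunk; confirm the tool recognises it for `head`, otherwise the check is silently vacuous.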
@@ -2326,50 +2313,53 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.client_id", + "as": "client_id" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] + "check": 
"$.metadata.openid_relying_party.client_id", + "contains": "client_id" } ] } @@ -2381,28 +2371,53 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.redirect_uri", + "as": "redirect_uris" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] + "check": "$.metadata.openid_relying_party.redirect_uris", + "contains": "redirect_uris" } ] } 
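Review bot: `"use variable": "true"` is a string while `"is present": true` elsewhere in the same file is a boolean; one key should carry one type across the document, and the string form `"is present": "true"` reappears in the four Authentication-request JWT hunks at the end (@@ -2611 through @@ -2708). The comparison is also looser than the test name claims: `contains` is a containment test, so an Entity Configuration `client_id` of `https://rp.example/app` (constructed) would accept a request-object `client_id` of `https://rp.example`; if the tool offers an equality operator together with `use variable`, prefer it, otherwise document the check as containment. The description's "the payload decrypted" conflicts with the `jwt` decode step, which base64url-decodes a signed request object as the later hunks' descriptions say; "decoded" is the accurate word.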
@@ -2414,28 +2429,53 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.response_type", + "as": "response_types_supported" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata.openid_relying_party.response_types[0]", + "contains": "response_types_supported" } ] } 
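Review bot: The description says the `response_type` value must equal `response_types_supported` from the OP metadata, but the second intercept reads the RP's own Entity Configuration and compares against `$.metadata.openid_relying_party.response_types[0]`, so the test checks something else than it documents, and `[0]` only inspects the first array element. Either intercept the OP's metadata, as the saved variable's name `response_types_supported` suggests was intended, or reword the description to "must be one of the values the RP lists in its response_types metadata" and drop the index, `"check": "$.metadata.openid_relying_party.response_types"`, so the whole array is searched.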
@@ -2447,28 +2487,53 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata.openid_relying_party.client_id", + "contains": "iss" } ] } 
@@ -2480,60 +2545,53 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", - "type": "passive", + "name": "Does the JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt save": "$.metadata.openid_relying_party.client_id", + "as": "client_id" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": 
"$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] + "check": "$.iss", + "contains": "client_id" } ] } 
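Review bot: The name "Does the JWT payload contain a correct 'iss' claim" does not say which JWT, unlike the other names in this file, which name the message being inspected; the operations show it is the `client_assertion` of the Token request compared with the `client_id` from the RP's Entity Configuration. Suggest `"name": "Does the Token request's client_assertion JWT contain an 'iss' claim equal to the RP's client_id"`, and note in the description that `contains` is a containment rather than an equality test.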
@@ -2545,61 +2603,53 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": 
"$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.aud[0]", + "contains": "saved_iss" } ] } @@ -2611,28 +2661,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "in": "payload", + "check": "$.acr_values", + "is present": "true" } ] } 
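Review bot: `"decode param": "(?<=\"id_token\": \")[^\"]+"` in the Token response intercept only matches when the body is serialized with exactly one space after the colon; a compact `{"id_token":"..."}` body, which most JSON encoders emit, yields no match and the `aud` check then has nothing to run on. Tolerate whitespace: `"decode param": "(?<=\"id_token\":\\s*\")[^\"]+"`. `$.aud[0]` also presumes `aud` is an array, whereas OIDC allows a single string audience; confirm the tool's JSONPath evaluation handles that case or add a second check on `$.aud`.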
@@ -2644,27 +2691,25 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] + "check": "$.aud", + "is present": "true" } ] } 
@@ -2676,27 +2721,25 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$.exp", + "is present": "true" } ] } 
@@ -2708,20 +2751,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } 
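Review bot: The client_id test's `description` says "the payload decrypted", but the operation is the same `"type": "jwt"` decode of the `request` parameter that the neighbouring tests describe as "base64url decoded"; nothing in this hunk decrypts anything. Suggest `"description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'client_id' parameter is checked."`. The kid test in the next hunk (L4872) has the mirror problem: its description never says that the check runs against the JWT header (`"in": "header"`), so `... and the presence of the 'kid' parameter in the JWT header is checked.` would describe it accurately.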
@@ -2731,20 +2781,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
@@ -2754,20 +2811,27 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -2777,24 +2841,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", + "check": "$.nonce", "is present": "true" } ] @@ -2807,24 +2871,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", + "check": "$.prompt", "is present": "true" } ] 
@@ -2837,24 +2901,24 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.redirect_uri", "is present": "true" } ] @@ -2867,24 +2931,24 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.response_type", "is present": "true" } ] 
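Review bot: The redirect_uri test's new `description` is an unfinished sentence: "...and the presence of the 'redirect_uri' parameter" ends without saying what is done with it. Suggest `"description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter is checked."`, matching the response_type test in the second hunk on this line.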
@@ -2897,24 +2961,24 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "check": "$.scope", "is present": "true" } ] @@ -2927,24 +2991,24 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.state", "is present": "true" } ] 
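Review bot: The scope test's `name` breaks the naming pattern of the surrounding presence tests: `"Does the RP Authentication Request contain the 'scope' parameter"`, while every sibling (nonce, state, ui_locales, …) reads "Does the RP Authentication Request's JWT contain …". Since the check does decode the `request` JWT, `"name": "Does the RP Authentication Request's JWT contain the 'scope' parameter"` both matches the siblings and says where the parameter is looked for.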
@@ -2957,24 +3021,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "check": "$.ui_locales", "is present": "true" } ] 
@@ -2987,24 +3051,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "check": "$.iss", "is present": "true" } ] @@ -3017,8 +3081,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -3029,12 +3093,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", + "check": "$.exp", "is present": "true" } ] 
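Review bot: In the -3029 hunk the body decode of the Entity Configuration is switched from `"decode regex": "[^\\r\\n]*"` to `"decode param": "[^\\r\\n]*"`, and the same switch is made in the hunks at L4879, L4880 and L4881, while the hunks at L4887, L4888, L4889 and L4890 make the opposite change (`decode param` → `decode regex`) for an identical `"from": "body"` decode of the same message; the client_assertion extractions at L4882–L4884 likewise place a pattern, `(?<=client_assertion=)([^&]+)`, under `decode param`. Elsewhere in this diff `decode param` carries a parameter name (`request`, with `"from": "url"`) and `decode regex` a pattern, so the two keys appear to have different semantics. If the tool really treats `decode param` as a literal name, the presence and signature checks in the affected tests never see a JWT, and a test that silently decodes nothing gives no assurance about the field it claims to verify — I cannot see the tool's handling of an empty decode from here, so this needs confirming against it. Whichever way it resolves, pick one key for pattern-based body extraction, presumably `"decode regex"`, and use it in all of these hunks.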
@@ -3047,8 +3111,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'grant_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -3059,12 +3123,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "check": "$.iat", "is present": "true" } ] @@ -3077,8 +3141,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -3089,12 +3153,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", + "check": "$.iss", "is present": "true" } ] 
@@ -3107,8 +3171,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -3119,12 +3183,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "check": "$.jwks", "is present": "true" } ] @@ -3137,8 +3201,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" @@ -3149,12 +3213,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "check": "$.metadata", "is present": "true" } ] 
@@ -3167,8 +3231,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -3179,12 +3243,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", + "check": "$.sub", "is present": "true" } ] @@ -3197,8 +3261,8 @@ }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -3209,12 +3273,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -3227,24 +3291,24 @@ }, { "test": { - "name": "Does the RP metadata contain the organization_name claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.aud", "is present": "true" } ] @@ -3257,24 +3321,24 @@ }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.exp", "is present": "true" } ] 
@@ -3287,24 +3351,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "check": "$.iat", "is present": "true" } ] @@ -3317,24 +3381,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "check": "$.jti", "is present": "true" } ] 
@@ -3347,24 +3411,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "check": "$.sub", "is present": "true" } ] @@ -3377,24 +3441,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "check": "$.iss", "is present": "true" } ] 
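Review bot: The iss test's `name` in the second hunk, `"Does the JWT payload contain 'iss' claim"`, does not say which JWT it means, unlike the aud/exp/iat/jti/sub siblings that all read "Does the signed JWT assertion contain the … claim". Since the check decodes the `client_assertion` from the Token request, `"name": "Does the signed JWT assertion contain the iss claim"` keeps the group self-describing when results are listed by name.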
@@ -3407,26 +3471,22 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] 
@@ -3539,55 +3599,21 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", - "type": "active", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.client_id", - "as": "client_id" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "client_id" - } - ] + "jwt check sig": "X_key_RP" } ] } 
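Review bot: The signature test's `description` says the public key is taken "from the Entity Statement of a superior", but the only operation is `"jwt check sig": "X_key_RP"`, a key reference configured in the tool; nothing in this hunk fetches a superior's statement, so unless `X_key_RP` is resolved from the trust chain elsewhere the description overstates what is verified and should say the Entity Configuration signature is checked against the configured RP key. The description also says the verifier is "configured for the algorithm described in the Entity Configuration Header"; letting the header of the token under test choose the algorithm is the classic JWS pitfall, so the test would be stronger if it also pinned the algorithm, e.g. a header check `{ "in": "header", "check": "$.alg", "is in": ["RS256", "RS512"] }` next to `jwt check sig` (as a second decode operation if the format does not allow `checks` and `jwt check sig` together). Whether the tool already rejects unexpected `alg` values is not visible here.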
@@ -3597,53 +3623,51 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", - "type": "active", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.redirect_uri", - "as": "redirect_uris" - } - ] + "jwt check sig": "X_key_core_RP" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "contains": "redirect_uris" + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } 
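Review bot: The client_assertion signature test's `description`, "must be a JWT with a signature", understates the check: `"jwt check sig": "X_key_core_RP"` verifies the signature against one specific configured key, not merely that a signature is present, and a key under a different name, `X_key_RP`, is used for the Entity Configuration in the hunk at L4886. If the two names are intentional (core key vs. federation key) a description such as `"description": "The client_assertion parameter in the token request sent by the RP must be a JWT whose signature verifies under the RP's configured core key (X_key_core_RP)"` records that; if they are meant to be the same key, one of the two references is wrong. The client_registration_types check added in the same hunk inspects only `[0]`, which is only sufficient if the profile expects exactly one entry.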
@@ -3655,53 +3679,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", - "type": "active", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.response_type", - "as": "response_types_supported" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "contains": "response_types_supported" + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
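Review bot: The grant_types test's `description` says the value "contains 'authorization_code' and 'refresh_token'", but the check reads only `grant_types[0]` and passes when that single element `is in` the two-value list, so `["refresh_token"]` alone, or `["authorization_code", "implicit"]`, satisfies it while the described requirement is not met. If both values are required, check the whole array — e.g. two checks on `"$.metadata.openid_relying_party.grant_types"`, `"contains": "authorization_code"` and `"contains": "refresh_token"`, if `contains` accepts a literal (in this diff it is only seen with saved variables), or a `json schema compliant` schema over the array — or restate the description as "the first element of grant_types is one of …". The same `[0]`-only pattern is used for `client_registration_types` in the hunk at L4887.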
@@ -3713,53 +3712,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", - "type": "active", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "iss" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -3771,53 +3745,61 @@ }, { "test": { - "name": "Does the JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", - "type": "active", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.metadata.openid_relying_party.client_id", - "as": "client_id" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.iss", 
- "contains": "client_id" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -3829,53 +3811,60 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", - "type": "active", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.aud[0]", - "contains": "saved_iss" + "check": 
"$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -3887,32 +3876,27 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -3925,27 +3909,27 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is in": [ - "consent", - "consent login" + "RS256", + "RS512" ] } ] 
@@ -3958,31 +3942,26 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.metadata.openid_relying_party.response_types[0]", "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" + "code" ] } ] 
@@ -3995,32 +3974,21 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
@@ -4030,21 +3998,42 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", - "type": "passive", + "name": "Does the JWT payload contain a correct sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "jwt check sig": "X_key_RP" + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ], + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.sub", + "contains": "saved_iss" + } + ] } ] } 
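Review bot: The `sub` check uses `"contains": "saved_iss"`, but the description requires `sub` to be the same as `iss`; if `contains` is a substring match in this tool (to be confirmed), a `sub` such as `<iss>/anything` or any value merely embedding the client_id passes. If the framework offers an equality comparison against a saved variable, use it here; otherwise reword the description to say only containment is verified. Separately, this hunk replaces the Entity Configuration `jwt check sig` test (`X_key_RP`); if that signature verification was not moved to another plan, the RP suite no longer checks that the Entity Configuration is actually signed with the expected federation key.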
@@ -4054,21 +4043,32 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_core_RP" + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json index 02e9147..9623906 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json 
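Review bot: The header `alg` check is a deny-list (`"is not in": ["none", "HS256", "HS384", "HS512"]`), so any other value — a lowercase `hs256`, an unexpected algorithm, or a typo — is accepted as "asymmetric". An allow-list of the signing algorithms the plan already accepts for this RP (this patch uses `RS256`/`RS512` for `id_token_signed_response_alg`) is the stronger form, e.g. `"is in": ["RS256", "RS512"]`, extended with whatever ES*/PS* variants the profile admits. Also, this hunk drops the `client_assertion` signature test (`jwt check sig` with `X_key_core_RP`); if that check now lives elsewhere this is fine, otherwise the suite no longer validates that the RP's client assertion carries a valid signature.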
@@ -7,25 +7,27 @@ "tests": [ { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] } ] } 
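Review bot: The negative test looks for `RSA_1_5`, but the JWA identifier for RSAES-PKCS1-v1_5 (RFC 7518 §4.1) is `RSA1_5` with no underscore, so `not contains` can never trigger and an RP advertising `RSA1_5` passes this test. Change the value to `"RSA1_5"` in both the check and the description. Note also that this file keeps `"decode param": "[^\\r\\n]*"` while the sibling plan in this same patch renames that key to `"decode regex"` for the identical decode step; if the tool distinguishes the two keys, one of the files will silently stop decoding the Entity Configuration JWT.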
@@ -37,27 +39,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.aud", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
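Review bot: The introspection test lists session `s_CIE_introsp` while every other test in this file runs on `s1`; if that session is not declared in the plan's session section, the test cannot be scheduled and will be skipped or error out. Please confirm the name exists in the plan, or switch to `"s1"` like the revocation test in the next hunk. Presumably the tool parses the form-encoded request body into JSON before applying `"check": "$"`; if not, the schema check never sees `client_id`.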
@@ -67,27 +62,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -97,27 +85,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.client_id", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } @@ -127,8 +108,8 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" 
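Review bot: The embedded JSON schema for the token-request `client_id` ends with a stray `)` after the closing brace (`…\"required\":[\"client_id\"]})"`), so the schema string is not valid JSON and the validator will fail to load it instead of evaluating the check. Drop the parenthesis so it matches the introspection/revocation variants: `\"required\":[\"client_id\"]}"`. The description also says the parameter is taken "in the URL of the token request" while the check reads `"in": "body"`; since the token request is a POST with a form body, the description should say body.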
@@ -143,9 +124,17 @@ "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } @@ -157,8 +146,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" @@ -174,8 +163,11 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } 
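Review bot: The `acr_values` `is in` list enumerates the multi-level combinations in ascending order only, so a request carrying `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` — space separated and composed solely of supported values, which is all the description demands — is reported as non-compliant. Unless the specification fixes the ordering, either add the remaining permutations or, if the tool supports it, split the value on spaces and check each token individually. The description's "if it is present" also sits oddly next to "or it is missing, than the RP is not compliant"; presumably a missing `acr_values` fails the `is in` check, so state that plainly.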
@@ -187,8 +179,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" @@ -204,8 +196,15 @@ "checks": [ { "in": "payload", - "check": "$.nonce", - "is present": "true" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] } ] } @@ -217,8 +216,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" 
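Review bot: The `scope` allow-list omits combinations that the description itself admits: `profile` and `email` can each be appended, yet `openid profile email` and `openid offline_access profile email` (and any other ordering of the optional tokens) are absent, so such a request is flagged as non-compliant. Either add those values or, if the specification really forbids requesting both claim sets together, say so in the description. As with `acr_values`, a per-token check after splitting on spaces would avoid enumerating permutations.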
@@ -234,8 +233,8 @@ "checks": [ { "in": "payload", - "check": "$.prompt", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } @@ -247,8 +246,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" @@ -264,8 +263,8 @@ "checks": [ { "in": "payload", - "check": "$.redirect_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } 
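Review bot: Both new schemas use the pattern `^[\u0020-\u007E]{32,}$`, which accepts any printable ASCII including spaces and punctuation, while the descriptions claim "at least 32 alphanumeric characters"; either the pattern should be `^[A-Za-z0-9]{32,}$` or the descriptions should say printable ASCII. The `state` test name says "greater than 32 characters" but `{32,}` accepts exactly 32, matching the description's "at least 32" — align the name with the check. If the profile only mandates length and randomness, the looser pattern is the right one and only the prose needs fixing.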
@@ -277,25 +276,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.response_type", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -307,25 +306,25 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -337,25 +336,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.state", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -367,25 +366,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
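Review bot: The metadata schema lists all six entity types under `"required"`, so an RP Entity Configuration that carries only `openid_relying_party` and `federation_entity` — the normal case — fails this test, contradicting the description ("must be a value among the following"). Drop the `required` array and keep `"additionalProperties": false`, which already enforces the allowed set; if the RP plan wants to assert at least its own type, use `"required": ["openid_relying_party"]`. The "only once for each" part of the description is not testable with JSON Schema, since duplicate keys are collapsed by the JSON parser before validation.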
@@ -397,25 +396,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } @@ -427,8 +426,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" 
@@ -439,13 +438,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } @@ -457,8 +456,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -474,8 +473,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } @@ -487,8 +486,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" 
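Review bot: The grant_types type schema uses `"requirement": ["grant_type"]`, which is not a JSON Schema keyword (and names the wrong property), so the check passes when `grant_types` is absent altogether. Replace it with `"required": ["grant_types"]`, matching the schema used for the same property in the later grant_types value test. The `[^\\n\\r]*` regex change in the same hunk is equivalent to the previous `[^\\r\\n]*` and harmless.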
@@ -504,8 +503,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } @@ -517,8 +516,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -529,13 +528,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -547,8 +546,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" 
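Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` accepts plain `http://`, whereas every other URL check added in this file (`client_id`, `redirect_uris`) requires `^https://`; a logo fetched over HTTP into a federation UI is a content-injection surface. Unless the specification explicitly permits HTTP logos, tighten to `^https://.*\\.svg$`. Note also that `"format": "uri"` is only enforced when the validator has format assertion enabled, so the `pattern` is the part that actually constrains the value.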
@@ -559,14 +558,14 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" - } + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + } ] } ] @@ -577,8 +576,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" @@ -594,8 +593,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } 
@@ -607,25 +606,25 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } @@ -637,8 +636,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" 
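Review bot: The aud schema in the first hunk puts `\"format\": \"uri-reference\"` on a schema of `\"type\": \"array\"`, but `format` applies only to string instances, so no element of `aud` is ever validated as a URL and the test asserts only that an array is present. To check what the description promises, move the format onto the items: `{\"aud\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"format\": \"uri\"}}}`. Note also that RFC 7519 allows `aud` to be a single string; requiring an array is only right if the federation profile mandates the array form, which I cannot confirm from this diff.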
@@ -654,8 +653,8 @@ "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -667,8 +666,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" @@ -684,8 +683,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
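Review bot: Both new descriptions in these hunks misspell `timestamp` as `timestap`; since the description is the only text a tester sees for a failure, it should read `Its value must be a NumericDate timestamp`. The accompanying schemas check only `integer >= 0`, so the test names "correct exp claim" / "correct iat claim" overstate what is verified; a NumericDate in 1970 passes. That is acceptable for a passive type check, but the names could say "well-typed" rather than "correct".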
@@ -697,24 +696,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_relying_party.client_id", "is present": "true" } ] @@ -727,24 +726,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.metadata.openid_relying_party.client_registration_types", "is present": "true" } ] 
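Review bot: The decode operations in both hunks switch the regex key to `"decode regex": "[^\\r\\n]*"`, while other tests added by this same commit (client_id value check, sub check) use `"decode param": "[^\\n\\r]*"` for the identical body. If the test DSL recognises only one of these keywords, one set of tests will never decode the Entity Configuration and will report a vacuous result; please confirm which key the runner accepts and use it consistently. The presence checks also switch from the boolean `true` used by the original checks to the string `"is present": "true"`; if the runner compares the value strictly, that too should be unified.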
@@ -757,24 +756,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] @@ -787,24 +786,24 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -817,8 +816,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" @@ -826,12 +825,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" + } + ] } ] } 
@@ -841,20 +846,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" + } + ] } ] } 
@@ -864,20 +876,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" + } + ] } ] } 
@@ -887,20 +906,27 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" + } + ] } ] } @@ -910,20 +936,27 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" + } + ] } ] } 
@@ -933,20 +966,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" + } + ] } ] } @@ -956,20 +996,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" + } + ] } ] } 
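Review bot: The first hunk adds a test named "Does the RP metadata contain the 'grant_types' parameter" that is byte-for-byte the same check as the grant_types presence test introduced a few hunks earlier in this commit (`$.metadata.openid_relying_party.grant_types`, `"is present": "true"`). Duplicate tests double-count a single finding in the report and make it unclear which one a later edit should touch; drop this copy, or give it the distinct value-level check (array of allowed values) if that was the intent.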
@@ -979,20 +1026,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "is present": "true" + } + ] } ] } @@ -1002,20 +1056,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is present": "true" + } + ] } ] } 
@@ -1025,20 +1086,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" + } + ] } ] } @@ -1048,20 +1116,27 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" + } + ] } ] } 
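Review bot: The first hunk introduces a second "Does the RP metadata contain the 'jwks' parameter" test whose check is identical to the one added two hunks earlier (`$.metadata.openid_relying_party.jwks`); only the description differs. The second copy should be removed, or, since the spec offers `signed_jwks_uri` as an alternative, reworked into a "jwks or signed_jwks_uri present" check so the pair is not a pure duplicate.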
@@ -1071,20 +1146,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" + } + ] } ] } @@ -1094,20 +1176,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" + } + ] } ] } 
@@ -1117,20 +1206,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is present": "true" + } + ] } ] } @@ -1140,20 +1236,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is present": "true" + } + ] } ] } 
@@ -1163,20 +1266,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is present": "true" + } + ] } ] } @@ -1186,20 +1296,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is present": "true" + } + ] } ] } 
@@ -1209,20 +1326,27 @@ }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types", + "is present": "true" + } + ] } ] } @@ -1232,20 +1356,27 @@ }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" + } + ] } ] } 
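Review bot: The client_id value check in the second hunk compares against the placeholder `"is": "x_https_RP"` with a lowercase `x`, while the token-request client_id check added later in this commit uses `"is": "X_https_RP"` and the sub/introspection checks use `"is": "X_url_RP"`. If these are runner-substituted variables and the lookup is case-sensitive, the lowercase one will never be replaced and the test will compare the real client_id against the literal string. The RP's client_id and its Entity Identifier should be the same value, so one placeholder name (e.g. `X_https_RP`) used everywhere would also remove the `X_url_RP`/`X_https_RP` split.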
@@ -1255,20 +1386,27 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does entity configuration RP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_RP" + } + ] } ] } @@ -1278,20 +1416,20 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "message type": "Introspection request", "checks": [ { "in": "body", - "is present": true, - "check regex": "grant_type" + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
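Review bot: The sub check in the first hunk promises in its description that the value "must be equal to the one in the iss parameter", but the check compares `$.sub` against the fixed placeholder `X_url_RP`, so a configuration with `sub` == placeholder and a different `iss` still passes. If the DSL cannot compare two claims, the description should state what is actually verified, e.g. `Its value must be the RP's Entity Identifier (HTTPS URL)`, and a separate `$.iss` check against the same placeholder would make the intended equality hold transitively.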
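Review bot: The description in the second hunk misspells the assertion type as `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` while the check itself correctly uses `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; a tester reading a failure would copy the wrong URN. The same typo recurs in the Revocation request description, and the Token request description in a later hunk drops a different hyphen (`jwtbearer`). All three should quote the exact value the check compares against.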
@@ -1301,20 +1439,20 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Revocation request", + "message type": "Introspection request", "checks": [ { "in": "body", - "is present": true, - "check regex": "token" + "check": "client_id", + "is": "X_url_RP" } ] } @@ -1324,20 +1462,20 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", + "message type": "Revocation request", "checks": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
@@ -1347,27 +1485,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } @@ -1377,27 +1508,20 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is": "X_url_RP" - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } 
@@ -1453,23 +1577,20 @@ }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "checks": [ { "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" - ] + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
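Review bot: The new JOSE-format regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` uses `\w` for the header and payload segments, which excludes `-`, a legal base64url character, so a valid Entity Configuration whose header or payload contains `-` fails this test, while the signature group accepts `+` and `/`, which are not base64url at all. A stricter and correct pattern is `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"`. The description also asserts `Content-Type: application/entity-statement+jwt`, but this hunk only searches the body, and the header check that used to verify that Content-Type was removed in an earlier hunk of this commit; unless it is re-added elsewhere, that part of the description is no longer tested.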
@@ -1479,27 +1600,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
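Review bot: The introspection `token` regex rejects valid JWTs and accepts unsigned ones: the header/payload classes `[\\w=]+` exclude `-`, which base64url uses freely, while the signature class `([\\w\\-\\+\\/=]*)` admits `+`, `/`, `=` (not base64url) and may be empty, so `token=aaa.bbb.` with no signature (the `alg: none` shape) satisfies the test. It is also unanchored at the front, so `token=` inside another parameter's value matches too. Suggest `"check regex": "(?:^|&)token=[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+(?:&|$)"`. Whether the introspected token is really a JWT rather than an opaque reference depends on the OP under test — confirm before keeping this as a hard check.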
@@ -1509,27 +1623,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
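Review bot: The resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` starts with an unescaped `[`, which opens a character class instead of matching the literal opening bracket of a JSON array; if the matcher is Java's (as Burp extensions usually are), the nested `[^\"]` becomes a class union, so the expression no longer describes `["a", "b"]` at all and passes or fails for the wrong reasons. The intended literal is `\\[`: `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also promises an HTTP 200 and resolved metadata for the `sub` entity, but no status or content check is made, and a resolve response in OpenID Federation is itself a signed statement rather than a bare JSON array — confirm against the federation profile version this suite targets.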
@@ -1539,27 +1646,20 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } 
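Review bot: The signature group in the revocation `client_assertion` regex, `([\\w\\-]*)`, may be empty, so `client_assertion=header.payload.` with no signature passes a test whose description requires a signed JWT; the third segment needs `+`. The first two groups `([\\w]+)` exclude `-`, which appears in base64url, so a legitimately encoded assertion can fail. Suggest `"check regex": "(?:^|&)client_assertion=[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+(?:&|$)"`; the `(?:^|&)` prefix also keeps it from matching inside another parameter's value.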
@@ -1569,27 +1669,20 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
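Review bot: The revocation `token` regex is unanchored at the front, so `token=` also matches inside `refresh_token=` or any value containing that substring, and its third group `*` accepts a token with an empty signature. As in the other JWT-shape checks in this diff, `[\\w=]` wrongly excludes the base64url `-` and the signature class wrongly admits `+`, `/`, `=`. Suggest `"check regex": "(?:^|&)token=[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+(?:&|$)"`, and confirm the revoked token is actually a JWT for the OP under test; if it is an opaque handle this should be a presence check instead.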
@@ -1599,27 +1692,20 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] + "in": "body", + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
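Review bot: Same shape problem as the revocation check: the signature group `([\\w\\-\\+\\/=]*)` in the token-request `client_assertion` regex is optional, so an unsigned `client_assertion=h.p.` passes, and the header/payload classes `[\\w=]` reject the base64url `-`. Suggest `"check regex": "(?:^|&)client_assertion=[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+(?:&|$)"`. A structural match still says nothing about the signature being valid; a decode operation on `client_assertion` with header checks, as this file does for the `request` object, would be stronger.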
@@ -1629,27 +1715,20 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" - } - ] + "in": "head", + "check regex": "POST", + "is present": "true" } ] } 
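Review bot: The method check matches the bare substring `POST` anywhere in the request head, so a header value containing those letters (a URL in `Referer`, a cookie) satisfies it even for a GET. Anchor it to the request line: `"check regex": "^POST\\s"`. This test also uses `"is present": "true"` (string) where later tests in the diff use the boolean `true`; pick one form.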
@@ -1659,27 +1738,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" - } - ] + "in": "head", + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
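Review bot: The name promises a "valid" access token but the check only matches a three-segment shape, with the same base64url mistakes as the other regexes in this diff (`[\\w=]` excludes `-`; the signature may be empty via `*`), and `\\s?` lets `Bearer` be glued to the token with no space, which RFC 6750 does not allow. Suggest `"check regex": "^Authorization:\\s*Bearer\\s+[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+"` and renaming to "contain a JWT-shaped Access Token"; signature and expiry cannot be established by a regex. The token format is OP-specific — if the OP issues opaque tokens this test will always fail.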
@@ -1689,27 +1761,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" - } - ] + "in": "url", + "is present": true, + "check": "code_challenge" } ] } 
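Review bot: Presence of `code_challenge` shows PKCE is attempted but not that it is usable: RFC 7636 requires 43–128 characters from `[A-Za-z0-9-._~]`, and a too-short or malformed challenge passes here. If the tool accepts a regex on the url as it does on the body, `"check regex": "code_challenge=[A-Za-z0-9\\-._~]{43,128}(?:&|$)"` pins that. Note that `"is present": true` here is a boolean while earlier tests in the diff use the string `"true"`.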
@@ -1719,27 +1784,20 @@ }, { "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", + "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" - } - ] + "in": "url", + "is present": true, + "check": "code_challenge_method" } ] } 
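Review bot: The test only checks that `code_challenge_method` is present, so `plain` passes, which defeats PKCE against code interception; RFC 7636 recommends `S256` and, as far as I can tell, the profile this suite targets requires it. Replace the presence check with a value check in the form this file already uses: `"check": "code_challenge_method", "is": "S256"`.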
@@ -1749,27 +1807,20 @@ }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" - } - ] + "in": "url", + "is present": true, + "check": "client_id" } ] } 
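Review bot: This checks only that a `client_id` parameter exists in the authentication request URL, whereas the token-request test in this diff compares the value to the RP placeholder; `"check": "client_id", "is": "X_https_RP"` here would verify the RP presents its own entity identifier rather than any value. Whether `"check"` on `url` matches the parameter name exactly or as a substring is not visible here; if the latter, an unrelated `foo_client_id` parameter would also satisfy it.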
@@ -1779,27 +1830,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } 
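Review bot: `response_type` presence says nothing about the flow; an RP sending `response_type=token` or `id_token` (implicit) passes, although the code_challenge tests in this same file presuppose the authorization code flow. If the profile mandates `code`, use `"check": "response_type", "is": "code"`.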
@@ -1809,27 +1853,20 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
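Review bot: The regex `client_assertion` is a substring match and `client_assertion_type=` contains it, so this introspection test passes even when `client_assertion` itself is absent as long as `client_assertion_type` is sent — which the next test in this diff already requires. Anchor the parameter name: `"check regex": "(?:^|&)client_assertion="`.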
@@ -1839,27 +1876,20 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
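Review bot: The presence check accepts any value for `client_assertion_type`; the token-request test in this diff pins `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` with `"check"`/`"is"`, and the same form would be stronger here unless a separate value test for the introspection request now lives in one of the per-parameter files this commit adds. At minimum anchor it as a parameter name, `"check regex": "(?:^|&)client_assertion_type="`, for consistency with the other checks.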
@@ -1869,27 +1899,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
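Review bot: The name promises "client_assertion as a valid JWT" but the check is the same bare substring `client_assertion` as the presence test two tests earlier — it matches `client_assertion_type=` and verifies nothing about the value. At minimum use the JWT-shape regex with a non-empty signature, `"check regex": "(?:^|&)client_assertion=[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+(?:&|$)"`; since a regex cannot establish validity, either rename the test to "JWT-shaped" or add a decode operation with header checks.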
@@ -1899,27 +1922,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
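Review bot: `client_id` is a substring match, satisfied by any parameter whose name or value contains that text; anchor it as `"check regex": "(?:^|&)client_id="`. The removed version of this test compared the value to the RP placeholder; if that value check is not kept elsewhere, `"check": "client_id", "is": "X_https_RP"` (the placeholder the token-request test uses) is the more meaningful assertion.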
@@ -1929,27 +1945,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } @@ -1958,9 +1967,9 @@ } }, { - "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "test": { + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", "type": "passive", "sessions": [ "s_CIE_introsp" @@ -1970,9 +1979,9 @@ "message type": "Introspection request", "checks": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "in": "url", + "is present": true, + "check": "POST" } ] } 
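Review bot: The substring `token` in the introspection presence test also matches `token_type_hint`, an optional parameter of the same request (RFC 7662), so the test can pass with no `token` parameter at all. Anchor to the parameter name: `"check regex": "(?:^|&)token="`.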
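Review bot: The "use HTTP POST" test looks for `POST` with `"in": "url"`, but the HTTP method is not part of the URL, so this can only pass if the request URL happens to contain the text `POST` and will otherwise always fail (or, depending on the tool's matching, always pass). The token-request POST test in this same diff reads the head; do the same here: `"in": "head", "is present": true, "check regex": "^POST\\s"`. The description "use HTTP POST" should read "must use HTTP POST".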
@@ -1982,20 +1991,20 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Revocation request", "checks": [ { "in": "body", - "check": "client_id", - "is": "X_url_RP" + "is present": true, + "check regex": "client_assertion" } ] } @@ -2005,8 +2014,8 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2017,8 +2026,8 @@ "checks": [ { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "is present": true, + "check regex": "client_assertion_type" } ] } 
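Review bot: As with the introspection version, the substring `client_assertion` is contained in `client_assertion_type=`, so this revocation test passes whenever the type parameter is sent even if the assertion itself is missing. Use `"check regex": "(?:^|&)client_assertion="`.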
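Review bot: The exact comparison to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` is replaced by a substring presence check, so an RP sending any assertion type now passes this test. If that is intentional because value tests now live in the separate per-parameter files this commit adds, a short note in the description ("presence only; value checked separately") would stop the next reader from assuming the value is verified; otherwise keep the `"check"`/`"is"` form.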
@@ -2028,20 +2037,20 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Revocation request", "checks": [ { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "is present": true, + "check regex": "client_id" } ] } @@ -2051,20 +2060,20 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Revocation request", "checks": [ { "in": "body", - "check": "client_id", - "is": "X_https_RP" + "is present": true, + "check regex": "token" } ] } 
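Review bot: The revocation `client_id` presence regex is an unanchored substring, so any parameter name or value containing `client_id` satisfies it; anchor it as `"check regex": "(?:^|&)client_id="`. If no value test for this request exists elsewhere, `"check": "client_id", "is": "X_https_RP"` would additionally confirm the RP is revoking under its own identity.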
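Review bot: The revocation `token` presence regex also matches `token_type_hint`, which RFC 7009 defines for this very request, so a revocation request carrying only a hint and no token passes. Anchor to the parameter name: `"check regex": "(?:^|&)token="`.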
@@ -2074,20 +2083,20 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "is present": true, + "check regex": "client_assertion" } ] } @@ -2097,20 +2106,20 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "is present": true, + "check regex": "client_assertion_type" } ] } 
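Review bot: The token-request `client_assertion` substring is contained in `client_assertion_type=`, which the next test requires in the same request, so this test is always satisfied once the type parameter is present. Anchor it: `"check regex": "(?:^|&)client_assertion="`. The description says the parameter is "in the URL" but the check reads the body; "in the body" is what a form-encoded token request uses.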
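Review bot: This presence check for `client_assertion_type` is subsumed by the value test earlier in this diff, which compares the same body parameter of the same message to the jwt-bearer URN; unless presence-only tests are deliberately kept separate, it adds no coverage. If kept, anchor it as a parameter name, `"check regex": "(?:^|&)client_assertion_type="`, and fix the description ("in the URL" should be "in the body").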
@@ -2120,20 +2129,20 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "is present": true, + "check regex": "client_id" } ] } @@ -2143,20 +2152,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "is present": true, + "check regex": "code" } ] } 
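Review bot: The token-request `client_id` presence check duplicates the value test earlier in this diff that compares the same parameter to `X_https_RP`; a presence-only substring can also be satisfied by text inside another value. If kept, anchor it as `"check regex": "(?:^|&)client_id="` and change the description's "in the URL" to "in the body".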
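Review bot: The substring `code` is matched by `code_verifier=` (required by the next test in this diff) and by `grant_type=authorization_code`, both of which are in the same token request, so this test passes even when the authorization `code` parameter is missing. Anchor to the parameter name: `"check regex": "(?:^|&)code="`.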
@@ -2166,20 +2175,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "is present": true, + "check regex": "code_verifier" } ] } @@ -2189,8 +2198,8 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" @@ -2201,8 +2210,8 @@ "checks": [ { "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "is present": true, + "check regex": "grant_type" } ] } 
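Review bot: Presence of `code_verifier` does not establish that PKCE is done correctly: RFC 7636 requires 43–128 characters from `[A-Za-z0-9-._~]`, and a short or malformed verifier passes here. Suggest `"check regex": "(?:^|&)code_verifier=[A-Za-z0-9\\-._~]{43,128}(?:&|$)"`, which also stops the bare substring from matching inside another value. The description's "in the URL" should be "in the body".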
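Review bot: The `grant_type` check is an unanchored substring, so it is satisfied by any value that contains the text; anchor it as `"check regex": "(?:^|&)grant_type="`. The removed test in this diff constrained the value to `authorization_code` or `refresh_token` with `"is in"`; if that constraint is not retained elsewhere, the same `"is in"` list here is the more useful assertion.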
@@ -2212,20 +2221,20 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Revocation request", "checks": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "in": "body", + "is present": true, + "check regex": "token" } ] } @@ -2235,8 +2244,8 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" @@ -2247,8 +2256,8 @@ "checks": [ { "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "is present": true, + "check param": "Authorization" } ] } 
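Review bot: The description claims this verifies a revocation of only the access token after logout, but the check is a `token` substring on any revocation request in session `s1`, which `token_type_hint` also satisfies, and nothing ties the request to the logout or to the access token. At minimum anchor it, `"check regex": "(?:^|&)token="`; if the tool supports it, `"check": "token_type_hint", "is": "access_token"` would at least pin which token is revoked. A single passive message check cannot establish ordering relative to the logout — say so in the description or model it through the session.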
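Review bot: The UserInfo test is downgraded to `"check param": "Authorization"` presence, which passes for `Authorization: Basic ...` or an empty header; the scheme the resource server must see is `Bearer` (RFC 6750). Suggest `"check regex": "^Authorization:\\s*Bearer\\s+\\S+"` with `"in": "head"`, keeping the JWT-shape test earlier in this diff for the token format where the OP issues JWT access tokens.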
@@ -2258,27 +2267,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] + "check": "$.acr_values", + "is present": "true" } ] } 
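Review bot: Presence of `$.acr_values` in the request object accepts any string, including an empty one or a level below what the profile requires; the removed tests in this file pinned enumerated values with `"is in"`, and the same form here (with the profile's allowed acr identifiers) would make the test meaningful. Also `"is present": "true"` is a string here while the url checks in this diff use the boolean `true`; one form should be used.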
@@ -2290,28 +2297,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] + "check": "$.aud", + "is present": "true" } ] } 
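Review bot: Checking only that `$.aud` exists in the request object lets a request object addressed to a different OP pass, which is exactly what `aud` is meant to prevent (replay of a signed request across providers). The file already compares values to placeholders (`X_https_RP` for the RP); a matching `"is"` check against the OP identifier placeholder used in this suite is the assertion that matters here. The description typo "If it missing, than" should read "If it is missing, then".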
@@ -2323,28 +2327,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.exp", + "is present": "true" } ] } 
@@ -2356,28 +2357,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.client_id", + "is present": "true" } ] } 
@@ -2389,28 +2387,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
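Review bot: The header check stops at `kid` presence; nothing in the new Authentication-request tests constrains the `alg` header of the request object, so a JWT signed with `none` or an HMAC algorithm still passes every test in this section. A second entry in the same `checks` array would close that gap: `{ "in": "header", "check": "$.alg", "is not in": ["none", "HS256", "HS384", "HS512"] }`, mirroring the `is not in` lists this patch already applies to the RP metadata signing algorithms. The enclosing test object continues past the end of the hunk.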
@@ -2422,27 +2417,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] + "check": "$.iat", + "is present": "true" } ] } 
@@ -2454,28 +2447,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.nonce", + "is present": "true" } ] } 
@@ -2487,28 +2477,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.prompt", + "is present": "true" } ] } 
@@ -2520,28 +2507,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.redirect_uri", + "is present": "true" } ] } 
@@ -2553,27 +2537,25 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] + "check": "$.response_type", + "is present": "true" } ] } 
@@ -2585,27 +2567,25 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$.scope", + "is present": "true" } ] } 
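Review bot: None of the Authentication-request tests introduced in this run (aud, exp, client_id, kid, iat, nonce, prompt, redirect_uri, response_type, scope, state, ui_locales, iss) looks at `code_challenge` or `code_challenge_method`, so a request object without PKCE passes this whole section; if those checks live elsewhere in the file this note can be dropped. Two checks in the same shape as this one would cover it: `"check": "$.code_challenge", "is present": "true"` and `"check": "$.code_challenge_method", "is in": ["S256"]`. The name here also drops the "'s JWT" wording every sibling test uses; `Does the RP Authentication Request's JWT contain the 'scope' parameter` keeps the naming uniform.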
@@ -2617,20 +2597,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.state", + "is present": "true" + } + ] } ] } 
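Review bot: This hunk and the two that follow remove the only value checks on `client_id` in the Introspection, Revocation and Token requests (a `json schema compliant` check requiring an https URI) and replace them with presence-only checks on the Authentication request object; unless those three schema checks are re-added elsewhere in the patch, the RP's `client_id` is no longer constrained to an https URL anywhere in this list. The removed Token-request schema string ended in a stray `)` after the JSON literal (`...\"required\":[\"client_id\"]})`), so that one probably never parsed; if the checks are restored, drop that character. The `s_CIE_introsp` session reference disappears with the test as well, which is worth confirming is intended.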
@@ -2640,20 +2627,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.ui_locales", + "is present": "true" + } + ] } ] } 
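Review bot: The description states that a missing `ui_locales` makes the RP non-compliant, but `ui_locales` is an optional hint in OpenID Connect Core; unless the SPID/CIE profile this suite targets makes it mandatory, this passive test will flag compliant RPs. Confirm the requirement against the profile and, if it is optional, either drop the test or soften the description to `the presence of the 'ui_locales' parameter is reported` instead of calling it a compliance failure.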
@@ -2663,20 +2657,27 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -2686,8 +2687,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2698,12 +2699,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", + "check": "$.exp", "is present": "true" } ] 
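Review bot: In the `@@ -2686,8 +2687,8 @@` hunk (and the Entity-Configuration hunks that follow it) the decode operation key changes from `decode regex` to `decode param` while the value remains the regular expression `[^\\r\\n]*`; the `@@ -3448` hunk in this same file keeps `decode regex` for the identical operation, so the two keys are now used interchangeably for a pattern. If the tool treats `decode param` as a literal parameter name, these tests will never locate the JWT and will report a failure, or vacuously pass, regardless of what the entity actually publishes. Keep `"decode regex": "[^\\r\\n]*"` unless `decode param` is documented to accept a regex.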
@@ -2716,8 +2717,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2728,12 +2729,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", + "check": "$.iat", "is present": "true" } ] @@ -2746,8 +2747,8 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2758,12 +2759,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.iss", "is present": "true" } ] 
@@ -2776,8 +2777,8 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2788,12 +2789,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.jwks", "is present": "true" } ] @@ -2806,8 +2807,8 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2818,12 +2819,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "check": "$.metadata", "is present": "true" } ] 
@@ -2836,8 +2837,8 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2848,12 +2849,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.sub", "is present": "true" } ] @@ -2866,8 +2867,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2878,12 +2879,12 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -2896,24 +2897,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "check": "$.aud", "is present": "true" } ] @@ -2926,24 +2927,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", + "check": "$.exp", "is present": "true" } ] 
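Review bot: `"decode param": "(?<=client_assertion=)([^&]+)"` puts a look-behind regex under a key whose other uses in this file (`"decode param": "request"`) name a form/query parameter, so whether the JWT is extracted depends on the tool accepting a pattern there; if it does not, every `client_assertion` test in this run fails before reaching its check. `"decode regex"` is the key the original tests used for pattern extraction and is the safer choice, or `"decode param": "client_assertion"` if the body is parsed as form data. Both `aud` and `exp` are checked for presence only; the `aud` value is what binds the assertion to this token endpoint, so a value check would be the next step once extraction is settled.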
@@ -2956,24 +2957,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'grant_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "check": "$.iat", "is present": "true" } ] @@ -2986,24 +2987,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", + "check": "$.jti", "is present": "true" } ] 
@@ -3016,24 +3017,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "check": "$.sub", "is present": "true" } ] @@ -3046,24 +3047,24 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "check": "$.iss", "is present": "true" } ] 
@@ -3076,26 +3077,22 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] @@ -3106,8 +3103,8 @@ }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3123,8 +3120,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
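Review bot: The first hunk repurposes the RP-metadata `jwks` presence test into the token-request `grant_type` check, and the `@@ -2986` hunk already repurposed the other copy of that test, so no visible test now asserts that `metadata.openid_relying_party.jwks` (or `signed_jwks_uri`, removed at `@@ -3016`) is present; without a published key source the `jwt check sig` operations added later have nothing authoritative to verify against. If these presence tests are not restored elsewhere in the patch, re-add at least `"check": "$.metadata.openid_relying_party.jwks", "is present": "true"`. The `grant_type` regex check itself reads correctly.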
@@ -3136,8 +3138,8 @@ }, { "test": { - "name": "Does the RP metadata contain the organization_name claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" @@ -3153,8 +3155,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" + ] } ] } @@ -3166,8 +3170,8 @@ }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3183,8 +3187,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -3196,8 +3205,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -3208,15 +3217,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is present": "true" - } - ] + "jwt check sig": "X_key_RP" } ] } 
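Review bot: `jwt check sig` with `X_key_RP` verifies the signature, but nothing in this test constrains the JWS header, and the description says the verifier is configured for "the algorithm described in the Entity Configuration Header"; if the tool takes `alg` from that untrusted header, an `HS256` token MACed with the RSA public key, or `alg: none`, is the classic confusion case. If the operation grammar allows it, pair the signature check with `{ "in": "header", "check": "$.alg", "is in": ["RS256", "RS512"] }` (the values this suite already accepts for `id_token_signed_response_alg`), or confirm the tool ignores the header `alg`. The description also speaks only of `n, e`, i.e. RSA; if EC keys can appear in this federation the wording should not imply RSA-only verification.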
@@ -3226,27 +3229,21 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_RP" } ] } @@ -3256,8 +3253,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" @@ -3273,8 +3270,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } 
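Review bot: The same header-`alg` caveat applies to the client_assertion signature check in the first hunk: `jwt check sig` with `X_key_core_RP` says nothing about which algorithm was accepted, so a header constraint such as `"in": "header", "check": "$.alg", "is not in": ["none", "HS256", "HS384", "HS512"]` should sit beside it if the tool honours the header. In the second hunk, `client_registration_types[0]` with `is in: ["automatic"]` inspects only the first element, so `["automatic", "explicit"]` passes; if the array must be exactly `["automatic"]`, check the whole array rather than index 0. Both test objects continue past the hunk edges.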
@@ -3286,8 +3285,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" @@ -3303,8 +3302,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is present": "true" + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } @@ -3316,8 +3318,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -3333,8 +3335,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
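Review bot: The description says `grant_types` must contain both `authorization_code` and `refresh_token`, but the check reads `grant_types[0]` with `is in`, which passes when the first element is either value and ignores the rest: `["refresh_token"]` alone passes and an unexpected extra grant type is never seen. Express the requirement on the array instead, e.g. `"check": "$.metadata.openid_relying_party.grant_types", "contains": ["authorization_code", "refresh_token"]`, assuming the check grammar offers the positive counterpart of the `not contains` used elsewhere in this file. The test objects here continue past the hunk edges.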
@@ -3346,8 +3351,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" @@ -3363,12 +3368,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] @@ -3381,8 +3384,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -3398,9 +3401,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -3413,8 +3417,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" @@ -3430,12 +3434,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" ] } ] 
@@ -3448,32 +3449,27 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
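Review bot: This hunk drops the acr_values test on the Authentication Request (the prompt and scope tests go the same way in the two hunks that follow) and overwrites it with an RP-metadata algorithm check; acr_values is the parameter that binds the requested SPID level, so losing it from this aggregate is a coverage regression unless the test is re-added elsewhere in the patch. If the removal is a deliberate move, say so in the commit message; otherwise keep the acr_values test as its own entry next to the new `userinfo_encrypted_response_alg` test. The replacement itself is consistent with the neighbouring metadata checks.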
@@ -3486,27 +3482,27 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", "is in": [ - "consent", - "consent login" + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -3519,31 +3515,27 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" + "RS256", + "RS512" ] } ] 
@@ -3556,29 +3548,26 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" ] } ] 
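Review bot: `response_types[0]` with `"is in": ["code"]` only inspects the first array element, so `["code", "token"]` passes although the description says the RP must advertise `code`; if the profile allows only `code`, the whole array should be checked. Use `"check": "$.metadata.openid_relying_party.response_types"` with `"json schema compliant": "{\"type\":\"array\",\"minItems\":1,\"items\":{\"const\":\"code\"}}"` (or `contains` if other values are tolerated). The asymmetric-alg test removed here is re-added by a later hunk, so that part of the change is only a move.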
@@ -3591,8 +3580,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -3600,12 +3589,12 @@ "operations": [ { "message type": "Entity Configuration response RP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_RP" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
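Review bot: The second hunk replaces the only test in this aggregate that verified the Entity Configuration signature (`jwt check sig` against `X_key_RP`) with a Content-Type check; a Content-Type header says nothing about authenticity, so unless the signature test survives in another suite this file now passes an RP whose EC is signed with the wrong key or not at all. Keep the signature test and add the Content-Type test as a separate entry instead of overwriting it. Also confirm how `"is"` compares header values in mig-t: if it is an exact string match, a server that sends `application/entity-statement+jwt; charset=utf-8` fails here although the media type is correct.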
@@ -3615,21 +3604,32 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_core_RP" + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Authentication request-JWT-header-alg.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Authentication request-JWT-header-alg-not_in_value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Authentication request-JWT-header-alg.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Authentication request-JWT-header-alg-not_in_value.json 
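Review bot: The removed test was the one check on the Token request that verified the `client_assertion` signature against `X_key_core_RP`; the asymmetric-alg test that replaces it only reads the `alg` header of the Authentication Request's request object, so an unsigned or wrongly signed client assertion is no longer caught by this file. If the signature test moved to the active suite, state that in the commit message; otherwise restore it as an additional entry. Separately, the rename just below puts `client_id` under `JWT-header-` although `client_id` is a payload claim of the request object, not a JOSE header parameter — `JWT-payload-client_id-value.json` would be less misleading.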
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Authentication request-JWT-client_id-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Authentication request-JWT-header-client_id-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Authentication request-JWT-client_id-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Authentication request-JWT-header-client_id-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Token response-Assertion-aud-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Token response-Assertion-aud-type.json
deleted file mode 100644
index f47f55d..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Token response-Assertion-aud-type.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the signed JWT assertion contain a correct aud claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Token response",
- "decode operations": [
- {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}"
- }
- ]
- }
- ]
- }
- ],
- "result": [
- "s1"
- ]
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json
index 8e3fdda..76fc8af 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json
@@ -7,32 +7,25 @@ "tests": [ { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
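Review bot: `{"type": "integer", "minimum": 0}` accepts an `exp` that is already in the past, and a passive check has no clock to compare against, so this test only proves that `exp` is a non-negative integer; the name "correct exp parameter" overstates that while the description ("the presence of the exp parameter is checked") is accurate. If mig-t offers a comparison against the current time, use it here; otherwise rename to `Does entity configuration contain an exp parameter of type integer` so nobody reads a pass as a freshness guarantee. The payload is base64url-decoded rather than "Base64", and the same wording is copied into the iat and metadata hunks that follow.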
@@ -44,32 +37,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -81,32 +67,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -118,32 +97,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
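Review bot: The schema's `required` lists all six metadata types, so an SA Entity Configuration that carries only `federation_entity` — the normal case — fails this test, contradicting the description, which says the keys must be *among* those types, not all present. Drop `required` or reduce it to the one type the SA must have, and let `additionalProperties: false` do the enforcement of the allowed set: `\"required\": [\"federation_entity\"], \"additionalProperties\": false`. Duplicate keys are already collapsed by the JSON parser before a schema check runs, so the "only once for each" part of the name is not verified by this test either.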
@@ -155,32 +127,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
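Review bot: The schema types `trust_marks` as an object whose values are arrays, but the description says it must be a JSON array of Trust Marks, and the code this hunk removes indexed it as `$.trust_marks[0].trust_mark`, i.e. an array of `{id, trust_mark}` objects; as written, a conforming SA fails this test. Use `{\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}` as the `trust_marks` property schema.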
@@ -192,32 +157,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -229,8 +187,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" 
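Review bot: The test name and description talk about the TA's metadata and the TA Entity Configuration, but the message type is `Entity Configuration response SA` and the path is `$.metadata.federation_entity`, so the text does not describe what is checked; rename to `Does the SA metadata contain a correct type logo_uri claim` and say "the SA Entity Configuration". The pattern `^https://.*\\.svg$` carries the real check; `"format": "uri"` is only enforced when the validator has format assertions enabled, so either confirm that for mig-t or rely on the pattern alone.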
@@ -241,20 +199,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -266,8 +217,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" @@ -278,20 +229,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
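Review bot: The descriptions in these hunks say the Entity Statement is fetched from "the TA's fetch endpoint", but the tests are about statements issued by the SA, which are served from the SA's own `federation_fetch_endpoint`; the text should say so. "decrypted Payload" should read "decoded payload" (an Entity Statement is signed, not encrypted) and "the the exp parameter" is doubled. The message-type line of these tests lies outside the hunks, so which response is actually matched cannot be confirmed from here.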
@@ -303,32 +247,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
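Review bot: This test reuses the exact name and description of the SA-OP exp test in the previous hunk while targeting `Entity Statement response SA RP`; if mig-t keys results or reports by test name, the two runs become indistinguishable. Put the subject in the name, e.g. `Does the Entity Statement issued by the SA for an RP contain a correct exp parameter`, and do the same for the iat test that follows.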
@@ -340,32 +277,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -377,32 +307,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the SA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.jwks", + "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" } ] } 
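Review bot: The schema `{\"properties\": {\"value\": {}}, \"required\": [\"value\"]}` only requires that a `value` operator exist under `metadata_policy.openid_relying_party.jwks`; it accepts `"value": null` or a bare string, so it does not check what the description promises (the RP's JWKS). Constrain the operand: `\"value\": {\"type\": \"object\", \"required\": [\"keys\"], \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}}`. Whether `value` is the policy operator this SA actually uses for `jwks`, rather than publishing the keys directly in `metadata`, depends on the implementation and should be confirmed before the test is relied on.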
@@ -414,32 +337,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
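Review bot: From this hunk on, the new tests keep `"decode regex"` for the body extraction, while the earlier hunks in the same file switched to `"decode param"` with the identical `[^\\r\\n]*` value; unless mig-t treats the two keys as synonyms, one of the two groups will not decode the JWT and its check never runs. Pick one key for the whole file (the RP hunks in this patch use `"decode regex"` together with `"from": "body"`) and confirm the semantics against the mig-t test-language documentation.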
@@ -451,32 +367,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "is present": "true" } ] } 
@@ -488,32 +397,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_list_endpoint", + "is present": "true" } ] } 
@@ -525,32 +427,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -562,32 +457,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } 
@@ -599,32 +487,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -636,32 +517,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
@@ -673,32 +547,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } 
@@ -710,32 +577,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } 
@@ -747,32 +607,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does entity configuration SA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_url_SA" } ] } 
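Review bot: The body-extraction key is inconsistent across the new side — this hunk, like L5018, L5019 and L5020, supplies the regex as `"decode param": "[^\\r\\n]*"`, while L5003–L5008 and the moved trust-mark tests in L5025–L5032 supply the identical value as `"decode regex": "[^\\r\\n]*"` (L5025–L5032 even replace `decode param` with `decode regex`). If the checker honours only one of the two keys, the other group of tests decodes nothing and its payload checks are not exercising the JWT at all; one key should be used for every body decode in the file. Separately, this test's description says the `sub` value "must be equal to the one in the iss parameter", but the check is `"is": "X_url_SA"`, a comparison against the configured SA URL rather than against `iss`, so the description should say what is actually compared.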
@@ -784,34 +637,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
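Review bot: This hunk and the one at L5011 define two tests with identical operations — both only run `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` on the head of `Entity Configuration response SA` — so the second can never fail independently of the first. The L5011 description says "its entity configuration is expected as response", yet nothing in that test looks at the body; if it is meant to prove that the well-known endpoint actually serves an entity configuration it should add a body check (for instance the compact-JWS shape check of L5012), otherwise it should be folded into this one. The status regex is also unanchored; `^HTTP/\\d(?:\\.\\d)?\\s200\\b` pins it to the status line, assuming `"in": "head"` hands the checker the raw head.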
@@ -821,34 +660,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -858,34 +683,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
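Review bot: The JWS-shape check `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is unanchored and omits `-` from the first two groups even though `-` is part of the base64url alphabet used for the JOSE header and payload; with `"is present": "true"` any body containing two dot-separated word runs (a hostname in an error page, say) satisfies it, while a real JWS is only matched in part. Anchor it and use the base64url alphabet throughout: `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*\\s*$"`. The description also requires `Content-Type: application/entity-statement+jwt`, but no operation in this test inspects the head, and the Content-Type test the file had (deleted in L5021) is not re-added in any visible hunk, so either add a head check here or confirm it survives elsewhere.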
@@ -895,34 +706,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", + "is present": "true" } ] } 
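Review bot: The listing test's description promises "an HTTP 200 OK response containing a JSON list", but the regex on the new side (`[^\\r\\n]*.^\\{( … )*\\}$`) describes a JSON object, while the resolve test in L5017 — whose description promises "resolved metadata" — carries the JSON-array pattern; the two look swapped, and this description is itself copied from the resolve test ("presence and correctness of the resolve entity statement endpoint", and "an HTTP GET request entity's endpoint" has lost its verb). The prefix `[^\\r\\n]*.^` shared by this hunk and L5014, L5015 and L5016 cannot match under default flags, because `.` consumes one non-newline character right before the `^` anchor; it only succeeds if the checker compiles with both MULTILINE and DOTALL, and otherwise every one of these checks fails regardless of the response. Drop the prefix and anchor the intended shape directly, e.g. for an array of entity identifiers `"check regex": "^\\s*\\[\\s*(?:\"[^\"]*\"(?:\\s*,\\s*\"[^\"]*\")*)?\\s*\\]\\s*$"`.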
@@ -932,34 +729,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Statement response SA OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -969,8 +752,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" @@ -978,25 +761,11 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "decode operations": [ + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -1006,34 +775,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response SA RP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -1043,32 +798,49 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } @@ -1080,8 +852,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -1092,20 +864,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
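Review bot: In the resolve-endpoint test that opens the hunk beginning on L5017, the regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` starts with an unescaped `[`, so the leading bracket opens a character class instead of matching the literal `[` of a JSON array; if the checker uses java.util.regex the class is never closed and the pattern fails to compile, and in engines that close it at the first `]` the resulting pattern no longer describes an array of strings. Escape it — `"check regex": "^\\[\\s*\"[^\"]*\"(?:\\s*,\\s*\"[^\"]*\")*\\s*\\]\\s*$"` — after confirming that an array is really what the resolve response should carry, since the description speaks of "resolved metadata" and L5013's object pattern may be the one that belongs here. The signature test in this hunk and the one in the `@@ -1092,20 +864,14 @@` hunk both carry the name "Does the SA correctly sign the Trust marks", as do the pairs at L5014/L5015 and L5019/L5020; if the tool reports by name, the SA-OP and SA-RP variants become indistinguishable, so suffix each name with its message type. Both signature tests verify only `$.trust_marks[0].trust_mark`, leaving any further trust marks unverified; the description should state that only the first mark is checked, or the test should iterate the array if the DSL allows it.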
@@ -1117,32 +883,53 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" } ] } 
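Review bot: The first intercept reads `"from": "url", "decode param": "client_assertion"` on `Entity Statement response SA OP`, but a response carries no query string, and a `client_assertion` is the client's own private_key_jwt whose `iss` is the client identifier, not the SA's; so `conf_iss` is either unset or holds the OP's identifier, and the closing `"contains": "conf_iss"` check is not testing what the name claims (unless mig-t resolves `url` on a response to its paired request — please confirm). The name and description speak of the Entity Statement's `iss` being a URL identifying the SA, yet the value actually checked is the Entity Configuration's `$.iss`; the direct passive form would decode the Entity Statement body and check `"check": "$.iss", "is": "X_url_SA"`, mirroring the `sub` check in L5009. The same construction is repeated in L5020 for `Entity Statement response SA RP`.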
@@ -1154,32 +941,53 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" } ] } 
@@ -1836,66 +1644,12 @@ "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response SA RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response SA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
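Review bot: This hunk deletes the test "Does the entity return a correct Content-Type in the EC response" (the `"check param": "Content-Type"` / `"is": "application/entity-statement+jwt"` head check) along with the trust_marks test, but only the trust_marks test reappears on the new side (L5022); no visible hunk re-adds the Content-Type check, and the JOSE-format test in L5012 inspects the body only. If dropping the media-type check is intended, the commit message should say so; otherwise restore it next to the L5012 test, since a body that merely looks like a JWS is a weaker guarantee than the declared `application/entity-statement+jwt` type.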
@@ -1905,15 +1659,15 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -1922,8 +1676,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "check": "$.trust_marks", + "is present": "true" } ] } 
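Review bot: The description of the moved trust_marks test has two wording slips: "the presence if the trust_marks parameter is checked" should read "the presence of", and "once obtained the decrypted Payload" describes a base64url decode, not decryption, so "decoded payload" is the accurate term (the same decoded/decrypted confusion recurs in the trust-mark claim tests of L5023–L5032). The check `"check": "$.trust_marks", "is present": "true"` establishes presence only; since the rest of the file addresses the value as `$.trust_marks[0].trust_mark`, i.e. an array of objects each carrying a `trust_mark` JWT, a `json schema compliant` check constraining it to that shape would make the test meaningful.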
@@ -1935,20 +1689,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] + } + ] } ] } 
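Review bot: The description says "A Trust Mark issued by a TA for an SA is taken", but the operation reads `Entity Statement response SA OP`, the statement the SA issues about an OP, whose `trust_marks` would concern the OP rather than the SA; likewise L5024 says the mark is one "issued for an AA (oauth_resource profile)" while decoding the same SA→OP message. Either the message types or the descriptions are wrong, and because all ten moved tests in L5023–L5032 decode the same `$.trust_marks[0].trust_mark` from the same message they are inspecting one and the same trust mark, so `sa_profile` and `claims` cannot both be expected on it. These inner checks also use bare claim names (`"check": "sa_profile"`) where the rest of the file uses JSONPath (`"check": "$.sub"`); if the checker treats `check` as a path, a bare name is either rejected or resolved differently, so `"check": "$.sa_profile"` is the safer, consistent form. Finally, "decrypted" in these descriptions should be "decoded" — the trust mark is base64url-decoded, not decrypted.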
@@ -1958,20 +1726,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] } ] } 
@@ -1981,8 +1763,8 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -1993,14 +1775,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } 
@@ -2012,26 +1800,32 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
@@ -2043,25 +1837,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
@@ -2073,25 +1874,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
@@ -2103,25 +1911,32 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -2133,25 +1948,32 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -2163,25 +1985,32 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -2193,25 +2022,32 @@ }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -2223,8 +2059,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" @@ -2235,13 +2071,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
@@ -2253,8 +2096,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -2265,13 +2108,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -2283,25 +2133,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
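Review bot: The name and description say the Trust Mark is one issued for an AA (oauth_resource profile), but the operation reads it from `"message type": "Entity Statement response SA OP"`, the statement the SA issues about an OP, whose Trust Mark would carry the OP profile rather than the oauth_resource one, so a compliant OP fails this test. The same mismatch is visible in the tos_uri test on L5037 (SA OP) and in the claims, policy_uri, service_documentation and tos_uri tests on L5040, L5049, L5051 and L5052 (SA RP), and presumably in the policy_uri test on L5033 whose message type line is not in its hunks. Either the message type should point at the SA's statement for an AA, or the AA wording should be dropped, e.g. `"name": "Does the Trust Mark contain the service_documentation claim"`. The test object's `result` lies outside the hunk.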
@@ -2313,25 +2170,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -2343,25 +2207,32 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -2373,20 +2244,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] } ] } 
@@ -2396,20 +2281,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] + } + ] } ] } 
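Review bot: The description says this is a Trust Mark issued by a TA for an SA, but the operation takes it from `"message type": "Entity Statement response SA RP"`, a statement whose subject is the RP, so the `sa_profile` claim would not be expected in that Trust Mark and the check fails for a correctly behaving SA. If the intent is to verify the SA's own intermediary Trust Mark, the message to decode is the SA's Entity Configuration (or the TA's statement about the SA); otherwise the description should be reworded to match the statement actually inspected. The test object's `result` lies outside the hunk.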
@@ -2419,20 +2318,34 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] } ] } 
@@ -2442,8 +2355,8 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -2451,11 +2364,25 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } 
@@ -2465,20 +2392,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response SA RP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
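Review bot: The `exp` check only asserts presence, `"check": "exp", "is present": "true"`, so a Trust Mark carrying a non-numeric or negative `exp` passes; neither the type nor the value is validated, and the same holds for `iat` on L5043. The Entity Statement tests this commit removes used a schema for these claims, and the same form fits here: `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. The test object's `result` lies outside the hunk.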
@@ -2488,20 +2429,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -2511,25 +2466,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
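Review bot: `"check": "id"` with `"is present": "true"` relies on the matcher treating the value as an exact claim name; if `check` on a payload is a prefix or substring match, this test passes whenever `id_code` (tested on L5045) is present and never detects a missing `id` claim. The presence checks this hunk replaces used a JSONPath such as `$.metadata.federation_entity.contacts`, so `"check": "$.id"` would make the lookup unambiguous if the tool accepts that form here. The test object's `result` lies outside the hunk.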
@@ -2541,25 +2503,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
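Review bot: The name `"name": "Does the Trust Mark contain the id_code claim"` is identical to the SA OP variant on L5029, and the same holds for the pairs L5030/L5046, L5031/L5047, L5032/L5048, L5034/L5050, L5036/L5052 and L5038/L5053; only `message type` differs, so a report that lists failures by test name cannot tell which statement was at fault. Naming the statement in the test, e.g. `"name": "Does the Trust Mark in the Entity Statement for the RP contain the id_code claim"`, keeps the two results distinguishable. The test object's `result` lies outside the hunk.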
@@ -2571,25 +2540,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -2601,25 +2577,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -2631,25 +2614,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -2661,25 +2651,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
@@ -2691,25 +2688,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -2721,25 +2725,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -2751,25 +2762,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } @@ -2781,15 +2799,15 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -2803,8 +2821,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + "check": "tos_uri", + "is present": "true" } ] } @@ -2818,15 +2836,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -2840,8 +2858,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "check": "iss", + "is present": "true" } ] } 
@@ -2855,8 +2873,32 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" @@ -2867,22 +2909,9 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } 
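Review bot: The two signature tests added here decode the body with `"decode param": "[^\\r\\n]*"`, while every other hunk in this commit from L5029 onward moves that regex to `"decode regex": "[^\\r\\n]*"` and keeps `decode param` for JSONPath values such as `$.trust_marks[0].trust_mark`; the second hunk on this line and the one on L5056 do the same. Unless the tool accepts both keys for a body regex, these tests will not locate the JWT, so `"decode regex": "[^\\r\\n]*"` is the consistent choice. The first test is complete within the hunk; the second test's operations continue in the following hunk and its `result` is outside it.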
@@ -2892,34 +2921,21 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } 
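Review bot: This test keeps exactly the same `name` as the one before it (`Does the SA correctly signs the Entity Statement`); the only difference is `message type` (`Entity Statement response SA RP` here, `SA OP` above), so the two results are indistinguishable in a report. Suggest `"name": "Does the SA correctly sign the Entity Statement issued for the RP"` here and the OP wording for the counterpart. The same duplication appears for the two `organization_type` tests that follow.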
@@ -2929,8 +2945,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" @@ -2951,8 +2967,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "check": "organization_type", + "is in": [ + "public", + "private" + ] } ] } @@ -2961,20 +2980,22 @@ ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Trust Mark contain the correct type of email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -2984,12 +3005,15 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "check": "organization_type", + "is in": [ + "public", + "private" + ] } ] } @@ -2998,39 +3022,28 @@ ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
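Review bot: The two `organization_type` tests change `result` from the string `"correct flow s1"` to the array `["s1"]`, while every other passive test in this chunk keeps the string form. If the runner's test schema does not accept an array here the whole suite file may fail to load, and if it does the meaning of the value is not obvious from the file; unless the array form is deliberate, restore `"result": "correct flow s1"` in both tests. Both tests also carry an identical `name`; append the subordinate type (OP/RP) so the report can tell them apart.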
@@ -3040,8 +3053,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -3058,12 +3071,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -3077,8 +3090,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" 
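Review bot: The `sa_profile` schema added in `@@ -3058` has a trailing space inside every keyword and value (`\"type \"`, `\"properties \"`, `\"required \"`, `\"full \"`, plus U+00A0 before some strings); JSON Schema validators ignore unknown keywords, so `type ` and `required ` constrain nothing and the check passes any payload, including one without `sa_profile` at all. Replace it with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}"`. The same mangled schema is reused for the `email` and `organization_name` checks elsewhere in this patch and needs the same fix there.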
@@ -3100,7 +3113,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -3114,8 +3127,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -3137,7 +3150,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } 
@@ -3151,8 +3164,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -3169,12 +3182,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -3188,8 +3201,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" 
@@ -3211,7 +3224,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -3225,8 +3238,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3248,7 +3261,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -3262,8 +3275,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
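Review bot: The `claims` test's description says the value is checked to be a list, but the schema requires a JSON object whose members are objects (`\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}`), so the text and the check disagree. Decide which shape the oauth_resource profile mandates and make them agree: change the description if it is an object, or use `{\"type\": \"array\"}` if it is a list.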
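Review bot: The `email` schema in `@@ -3248` is mangled in the same way as the `sa_profile` one: `\"type \"`, `\"properties \"`, `\"email \"`, `\"format \"` and `\"required \"` all carry a trailing space, so no keyword is recognised and any payload passes; even the property name `email ` would not match the real claim. Use `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`. Note that `format` is annotation-only unless the validator enables format assertions, so confirm the tool's validator does, or the format part of this check is cosmetic.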
@@ -3280,12 +3293,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -3299,8 +3312,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3317,12 +3330,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } 
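Review bot: The new side of `@@ -3280` (exp) and `@@ -3317` (iat) selects the Trust Mark with `$.trust_marks.trust_mark`, but `trust_marks` in an Entity Statement is an array, which is why the other tests in this patch move to `$.trust_marks[0].trust_mark`; with the dotted path the inner decode cannot resolve, so whatever the tool does on a missing path (skip or fail) the `exp`/`iat` claims are not actually checked against a real Trust Mark. Change both to `"decode param": "$.trust_marks[0].trust_mark"`. If this patch is only reordering tests, the path is carried over rather than newly introduced, but it still leaves these two checks inert.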
@@ -3336,8 +3349,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -3359,7 +3372,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -3373,8 +3386,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -3396,7 +3409,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } 
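Review bot: The `id_code` schema restored in `@@ -3359` requires every member of `id_code` to be an object (`\"additionalProperties\": {\"type\": \"object\"}`), yet the `ipa_code` test earlier in this patch requires `id_code.ipa_code` to be a string; a Trust Mark that satisfies one necessarily fails the other. If the members are strings, as the `ipa_code` check implies, use `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"string\"}}}, \"required\": [\"id_code\"]}"`; if the member type is not fixed by the profile, drop `additionalProperties` and keep only the object check the description promises.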
@@ -3410,15 +3423,15 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3428,12 +3441,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } 
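Review bot: Three problems in the restored `organization_name` test: the path `$.trust_marks.trust_mark` does not address an element of the `trust_marks` array (the sibling tests use `[0]`); the schema keywords carry trailing spaces and NBSPs (`\"type \"`, `\"properties \"`, `\"required \"`), so it validates nothing; and its `enum` of `private`/`public` is the value set the earlier `organization_type` test already checks, whereas an organisation's name is presumably a free-form string. Suggested: `"decode param": "$.trust_marks[0].trust_mark"` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`, keeping an `enum` only if the profile really restricts the name.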
@@ -3447,15 +3460,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3470,7 +3483,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } 
@@ -3484,15 +3497,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3502,12 +3515,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } 
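Review bot: The `ref` test takes the same `$.trust_marks.trust_mark` path, which does not select an element of the `trust_marks` array; use `"decode param": "$.trust_marks[0].trust_mark"` as the neighbouring tests do. Its schema also differs from the other URL checks in this file: they require `\"pattern\": \"^https://\"` while this one relies only on `\"format\": \"uri\"`, which most validators treat as an annotation unless format assertion is enabled, so an `http://` or relative `ref` would pass. Align it with `{\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}`.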
@@ -3521,15 +3534,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3544,7 +3557,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } 
@@ -3558,15 +3571,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3581,7 +3594,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } @@ -3595,15 +3608,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", 
@@ -3613,12 +3626,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } @@ -3632,15 +3645,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3650,12 +3663,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } 
@@ -3669,8 +3682,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -3687,12 +3700,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -3706,8 +3719,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" 
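Review bot: The `sa_profile` schema in `@@ -3687` has trailing spaces and NBSPs inside its keywords and values (`\"type \"`, `\"properties \"`, `\"required \"`, `\"full \"`); unknown keywords are ignored by JSON Schema validators, so this check accepts any payload. Replace it with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}"`.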
@@ -3729,7 +3742,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -3743,8 +3756,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -3766,7 +3779,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } 
@@ -3780,8 +3793,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -3798,12 +3811,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -3817,8 +3830,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" 
@@ -3840,7 +3853,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -3854,8 +3867,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3877,7 +3890,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -3891,8 +3904,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
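Review bot: The `email` schema in `@@ -3877` carries a trailing space in every keyword and property name (`\"type \"`, `\"properties \"`, `\"email \"`, `\"required \"`), so no keyword is recognised and the check passes any Trust Mark. Use `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`, and confirm the validator enforces `format`, since it is an annotation by default.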
@@ -3909,12 +3922,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -3928,8 +3941,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3946,12 +3959,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } 
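Review bot: The new side of `@@ -3909` (exp) and `@@ -3946` (iat) again uses `$.trust_marks.trust_mark`, which cannot address an element of the `trust_marks` array; the other tests in this patch use `$.trust_marks[0].trust_mark`. With the dotted path the inner decode does not resolve, so the `exp`/`iat` type checks are not exercised; change both to `"decode param": "$.trust_marks[0].trust_mark"`.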
@@ -3965,8 +3978,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3988,7 +4001,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
 }
 ]
 }
@@ -4002,8 +4015,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4025,7 +4038,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
 }
 ]
 }
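Review bot: The id_code schema in the @@ -3988 hunk, `{\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, requires every member of id_code to itself be an object, whereas the description only asks that the claim be a JSON object; if its members are plain identifier strings (which is how the SPID/CIE id_code appears to be shaped — confirm against the Trust Mark profile) a valid Trust Mark fails this test. Dropping `additionalProperties`, or setting it to `{\"type\": \"string\"}`, would match the stated intent. The claims schema in the @@ -3840 hunk of the previous line carries the same `additionalProperties: object` constraint and deserves the same review. The test name introduced in the @@ -3965 hunk reads `correcty`; `correct` is meant.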
@@ -4039,53 +4052,32 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA OP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } 
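Review bot: The new check in this hunk validates `organization_name` against `enum: [private, public]`, but those are the values of the organization_type claim (the test removed in the @@ -4155 hunk used them for exactly that), and an organization's display name will never equal `private` or `public`, so every conformant Trust Mark fails here once the whitespace in the keywords is fixed. Either the property should be `organization_type` with the enum kept, or the schema should check `organization_name` as `{\"type\": \"string\", \"minLength\": 1}` as the test name and description say. Separately, the active test that compared the Entity Statement `iss` with the Entity Configuration `iss` via `conf_iss` is dropped here and in the @@ -4097 hunk with no passive replacement; if it was not moved to another file in this change, issuer-consistency coverage for the SA is lost.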
@@ -4097,53 +4089,32 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA RP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
@@ -4155,15 +4126,15 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -4173,15 +4144,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } @@ -4190,15 +4158,13 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -4219,11 +4185,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
 }
 ]
 }
@@ -4232,28 +4195,39 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } + ] + } + ] } ] } 
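Review bot: This hunk and the @@ -4263 and @@ -4299 hunks on the following lines delete the three tests that verified the JWS signature of the Entity Configuration and of the SA-issued Entity Statements (`"jwt check sig": "X_key_SA"`), replacing them with Trust Mark claim-format checks. Signature verification is what gives every other payload check its meaning, so unless these tests were moved to another file in this change the SA suite no longer detects an unsigned or wrongly signed statement; the new Trust Mark tests would fit better as additions than as replacements. If the removal is intended, the commit message should state where the signature checks now live.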
@@ -4263,21 +4237,34 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } + ] + } + ] } ] } 
@@ -4287,8 +4274,8 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -4299,9 +4286,22 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } + ] + } + ] } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json index 8e3fdda..76fc8af 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json 
@@ -7,32 +7,25 @@ "tests": [ { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
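Review bot: The new body decode in this hunk uses `"decode param": "[^\\r\\n]*"` together with `"type": "jwt"`, while the @@ -414 through @@ -599 hunks later in this file use `"decode regex"` for the same extraction, and the first file of this diff explicitly migrates `decode param` to `decode regex` (for example in the @@ -4232 hunk). If mig-t reads `decode param` as a parameter name or JSONPath rather than a regex, the tests in the @@ -7 through @@ -377 hunks never obtain the JWT and their checks run against nothing. One key should be used throughout; `decode regex` is the direction the rest of the change takes.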
@@ -44,32 +37,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -81,32 +67,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -118,32 +97,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
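Review bot: The schema in this hunk lists all six metadata types under `required`, so the test fails unless the SA's Entity Configuration publishes openid_relying_party, openid_provider, oauth_authorization_server, oauth_resource and trust_mark_issuer metadata at the same time, which an SA will not. The description asks only that each key be one of the allowed types, which `additionalProperties: false` already enforces; the `required` array should be removed, or reduced to `[\"federation_entity\"]` if that is the one type an SA must publish. Duplicate keys cannot survive JSON parsing, so the "only once" part of the test name is not something this check can observe.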
@@ -155,32 +127,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
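Review bot: The trust_marks schema in this hunk, `{\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}`, contradicts both the test description ("must be a JSON array containing the Trust Marks") and the OpenID Federation definition of `trust_marks` as an array of `{id, trust_mark}` objects, so a conformant configuration fails this test. `{\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}` under `properties.trust_marks` would check what the description says. This also matters for the other tests in the diff that read `$.trust_marks[0].trust_mark`, which only make sense if the value is an array.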
@@ -192,32 +157,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -229,8 +187,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" 
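Review bot: The test name and description in the @@ -192 hunk speak of the TA's metadata and the TA Entity Configuration, but the operation reads `Entity Configuration response SA` and checks `$.metadata.federation_entity` of that document, so the text should say SA, e.g. `"name": "Does the SA metadata contain a correct type logo_uri claim"`. The description in the @@ -229 hunk (repeated in the sibling exp/iat tests that follow) says the statement is fetched from the TA's fetch endpoint while the name says the statements are issued by the SA; for an SA-issued statement that would be the SA's fetch endpoint, and `the the exp parameter` has a doubled word. The schema only proves exp is a non-negative integer; if "must be a timestamp" is meant literally, a lower bound above zero or a comparison with iat would be needed.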
@@ -241,20 +199,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -266,8 +217,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" @@ -278,20 +229,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -303,32 +247,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
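Review bot: The test introduced in this hunk and the one in the @@ -340 hunk on the next line carry exactly the same name and description as the exp/iat tests added in the @@ -229 and @@ -266 hunks; the only difference is the `message type`, `Entity Statement response SA RP` here against the unchanged context of the earlier tests. Identical names make a failing result impossible to attribute in the report, so the subordinate should be part of the name, e.g. `"name": "Does the Entity Statement issued by the SA for an RP contain a correct exp parameter"`.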
@@ -340,32 +277,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -377,32 +307,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the SA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.jwks", + "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" } ] } 
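Review bot: The check in this hunk only asserts that `$.metadata_policy.openid_relying_party.jwks` has a `value` member of any shape (`\"value\": {}`), while the description promises that it contains the RP's JWKS; a policy whose `value` is a string or an empty object passes. Tightening the inner schema to `{\"type\": \"object\", \"properties\": {\"value\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}}, \"required\": [\"value\"]}` would check what the description claims. The `[^\\n\\r]*` regex in this hunk also differs in character order from the `[^\\r\\n]*` used elsewhere; harmless, but worth unifying.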
@@ -414,32 +337,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -451,32 +367,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "is present": "true" } ] } 
@@ -488,32 +397,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_list_endpoint", + "is present": "true" } ] } 
@@ -525,32 +427,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -562,32 +457,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -599,32 +487,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the SA's metadata contain the homepage_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -636,32 +517,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does the SA's metadata contain the logo_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -673,32 +547,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the SA's metadata contain the organization_name parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -710,32 +577,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the SA's metadata contain the policy_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -747,32 +607,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does entity configuration SA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_SA"
 }
 ]
 }
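Review bot: The check compares `$.sub` with the fixed value `X_url_SA`, whereas the description says the value "must be equal to the one in the iss parameter" of the same Entity Configuration; the test and its description disagree. Either reword the description to say the sub must equal the configured SA identifier, or save `$.iss` first with the `jwt save`/`use variable` pair that the hunk at -1117 (L5113) already uses and compare `$.sub` against that variable, which is what the OpenID Federation self-signed Entity Configuration rule actually requires.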
@@ -784,34 +637,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -821,34 +660,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
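Review bot: This test is operationally identical to the one in the hunk at -784 (L5104): same message type and the same `check regex` on the status line, so it does not verify what its description promises, namely that the entity configuration is returned. Either drop one of the two tests or make this one inspect the response itself, e.g. with the body JWT pattern used in the hunk at -858 or the `Content-Type: application/entity-statement+jwt` header check that the hunk at -1836 removes.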
@@ -858,34 +683,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
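Review bot: The body pattern `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` admits only `\\w` and `=` in the header and payload segments, but base64url also uses `-`; a compact JWS whose payload segment contains a `-` (which is practically certain for a payload of realistic length) has no three-segment match anywhere in the string, so the check fails on perfectly valid entity configurations unless the tool's regex matching does something other than a plain search. Allowing `-` in the first two groups fixes it: `"check regex": "([\\w\\-=]+)\\.([\\w\\-=]+)\\.([\\w\\-\\+\\/=]*)"`. The description also cites `Content-Type: application/entity-statement+jwt`, but nothing in the check reads that header. The same pattern is reused in the hunks at -932, -969 and -1006 (L5108–L5110).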
@@ -895,34 +706,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
+ "is present": "true"
 }
 ]
 }
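Review bot: The `check regex` opens with `[^\\r\\n]*.^`, which requires `^` to match after a consumed character; with default flags that is impossible (`^` only matches at input start, and `.` does not consume a line terminator), so unless the tool compiles patterns with MULTILINE and DOTALL this check can never succeed — the hunks at -932, -969 and -1006 (L5108–L5110) carry the same prefix. The remainder, `^\\{ … \\}$`, describes a JSON object, while the description expects "a JSON list with the known Entity Identifiers", i.e. an array, and the description also speaks of the "resolve entity statement endpoint" although the test is about the listing endpoint. An anchored array pattern without the prefix, e.g. `"check regex": "^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`, would match both the name and the description.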
@@ -932,34 +729,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Statement response SA OP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -969,8 +752,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -978,25 +761,11 @@
 "operations": [
 {
 "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1006,34 +775,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1043,32 +798,49 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } @@ -1080,8 +852,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -1092,20 +864,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
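Review bot: The resolve-endpoint `check regex` in the hunk at -1043 opens with an unescaped `[` while its closing bracket is escaped (`\\]$`), so the engine reads `[\\s*\"[^\"]*…` as a character class — in Java an unclosed one (PatternSyntaxException), in other engines a six-character class — instead of a literal `[`; the intended array pattern is `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. In the same hunk the description of the new "Does the SA correctly sign the Trust marks" test appears to break across two physical lines ("… base64url decoded." / "Finally, …"); if that line break is really in the file rather than an artifact of rendering, the string holds an unescaped control character, which a strict JSON parser rejects, whereas the copy of the same description in the hunk at -1080 sits on one line. The hunk at -1043 begins on the previous line.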
@@ -1117,32 +883,53 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "client_assertion",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "use variable": "true",
+ "in": "payload",
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
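Review bot: The first intercept reads the JWT with `"from": "url", "decode param": "client_assertion"` on an `Entity Statement response SA OP`, but a response carries no `client_assertion` query parameter (that is a token-request client-authentication parameter), so `conf_iss` is presumably never populated and the final `contains` check cannot succeed. The description says the value is taken from the JWT in the Entity Statement response body, so `"from": "body", "decode param": "[^\\r\\n]*"` looks like the intended source. `contains` is also weaker than the stated rule that the value "must be an URL identifying the SA": a `conf_iss` that is a substring of the Entity Configuration's `iss` would pass, so an exact comparison would be stricter if the tool supports `is` together with `use variable`. The hunk at -1154 (L5114) has the same shape for the RP.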
@@ -1154,32 +941,53 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
 "message type": "Entity Statement response SA RP",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "client_assertion",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "use variable": "true",
+ "in": "payload",
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
@@ -1836,66 +1644,12 @@
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
- {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response SA",
- "checks": [
- {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
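Review bot: This hunk deletes the "Does the entity return a correct Content-Type in the EC response" test (`"check param": "Content-Type"`, `"is": "application/entity-statement+jwt"`) and nothing in the visible hunks re-adds it, although the JOSE-format test in the hunk at -858 (L5106) still cites that header in its description and only matches the body. If the removal is intentional, that description should drop the Content-Type claim; if not, the header check should be restored, since it was the only place the entity-statement media type was verified. The trust_marks test removed here reappears in the hunk at -1905 (L5116), so that part is a move rather than a loss.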
@@ -1905,15 +1659,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration SA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1922,8 +1676,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_SA"
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
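Review bot: The moved description still reads `the presence if the trust_marks parameter is checked` and `the Entity Statement Payload contained in the response are base64url decoded`; it should be `the presence of` and `is base64url decoded`. Since the check is `is present` only, a `trust_marks` value of the wrong shape (a string or object instead of the array of objects the federation spec defines) passes; the `json schema compliant` form that the hunk at -2163 removes could be reused here with `{"type": "object", "properties": {"trust_marks": {"type": "array"}}, "required": ["trust_marks"]}`. The decode operation's body continues outside the hunk.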
@@ -1935,20 +1689,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
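Review bot: The description says the Trust Mark is "issued by a TA for an SA", but the operation decodes `$.trust_marks[0].trust_mark` from an `Entity Statement response SA OP`, i.e. a statement the SA issues about the OP, so one of the two should be corrected. The claim checks in this and the following hunks use bare names (`"check": "sa_profile"`) whereas the other new checks use JSONPath (`"check": "$.sub"`, `"check": "$.metadata…"`); if the tool treats the two forms differently these checks may not resolve, and in any case the file should use one form. Only the first trust mark is inspected; if the statement carries several, the profile-specific claims tested in the hunks at -1958 through -2163 (L5118–L5125: claims, email, id_code, …) may legitimately be absent from `trust_marks[0]` and the tests would fail for the wrong reason.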
@@ -1958,20 +1726,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -1981,8 +1763,8 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1993,14 +1775,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2012,26 +1800,32 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2043,25 +1837,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
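Review bot: This hunk and the ones at -2073, -2103, -2133 and -2163 (L5122–L5125) replace the Entity Configuration schema tests (integer `exp`/`iat` with `minimum: 0`, `metadata` being an object, the closed set of metadata types, `trust_marks` shape) with Trust Mark claim-presence tests, and none of those `json schema compliant` checks reappears in the visible hunks. If they are not re-added elsewhere in the file, the SA's Entity Configuration loses its only structural validation and a configuration with a string `exp` or an unknown metadata type would pass every remaining test; if they are moved, it would be worth saying so in the commit description. The enclosing test object is only partly inside the hunk.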
@@ -2073,25 +1874,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2103,25 +1911,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2133,25 +1948,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2163,25 +1985,32 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2193,25 +2022,32 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2223,8 +2059,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2235,13 +2071,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2253,8 +2096,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2265,13 +2108,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2283,25 +2133,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2313,25 +2170,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2343,25 +2207,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.jwks",
- "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2373,20 +2244,34 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2396,20 +2281,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
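Review bot: The description says the Trust Mark is `issued by a TA for an SA`, but the message the test listens on is `"message type": "Entity Statement response SA RP"`, i.e. the statement the SA issues about a subordinate RP, whose `trust_marks` would be the RP's marks rather than the SA's own intermediary mark; one of the two looks wrong. The next hunk pairs an AA-profile claim (`"check": "claims"`, described as an oauth_resource Trust Mark) with the same RP statement. If the RP statement is intended, the name and description should say so; otherwise the message type should be the statement the TA issues about the SA, which appears to be what the removed sa_profile test later in this commit used.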
@@ -2419,20 +2318,34 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2442,8 +2355,8 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2451,11 +2364,25 @@
 "operations": [
 {
 "message type": "Entity Statement response SA RP",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2465,20 +2392,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2488,20 +2429,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -2511,25 +2466,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the contacts parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
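Review bot: The new `"name": "Does the Trust Mark contain the id claim"` is word for word the name already given to the `Entity Statement response SA OP` test earlier in this commit, and the following hunks repeat this for id_code, logo_uri, organization_name, organization_type, policy_uri, ref, service_documentation, sub, tos_uri and iss; the two tests differ only in `message type`. If results are reported by name, the OP-statement and RP-statement runs are indistinguishable and a failure cannot be traced to the statement that caused it. Suggest encoding the statement under test in the name, e.g. `"name": "Does the Trust Mark in the SA's Entity Statement for the RP contain the id claim"`, and likewise for the SA OP variants.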
@@ -2541,25 +2503,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2571,25 +2540,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2601,25 +2577,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2631,25 +2614,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2661,25 +2651,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the homepage_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2691,25 +2688,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the logo_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2721,25 +2725,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the organization_name parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2751,25 +2762,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the policy_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2781,15 +2799,15 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -2803,8 +2821,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ "check": "tos_uri",
+ "is present": "true"
 }
 ]
 }
@@ -2818,15 +2836,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -2840,8 +2858,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ "check": "iss",
+ "is present": "true"
 }
 ]
 }
@@ -2855,8 +2873,32 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" @@ -2867,22 +2909,9 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } 
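Review bot: The new Entity Configuration signature test decodes the body with `"decode param": "[^\\r\\n]*"`, while every other body-level decode in this file uses `"decode regex": "[^\\r\\n]*"` and reserves `decode param` for a JSONPath such as `$.trust_marks[0].trust_mark`; unless mig-t treats the two keys interchangeably, the regex will be read as a path, no JWT will be extracted and `jwt check sig` will never run. The description rightly says the public key must come from the superior's Entity Statement, but the check is wired to a static `X_key_SA`; if that variable is filled from the SA's own Entity Configuration `jwks`, the test verifies a self-signed statement against the key it advertises itself and proves nothing about trust-chain membership, so where `X_key_SA` is sourced should be documented next to the test. Grammar in the second test: `"name": "Does the SA correctly sign the Entity Statement"`. That second test's body continues past this hunk.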
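Review bot: This hunk renames the body-decode key from `decode regex` to `decode param` while keeping the value `[^\\r\\n]*`; since `decode param` carries a JSONPath everywhere else in this file, this looks like an accidental rename that will stop the body from being decoded before `jwt check sig` is evaluated. Suggest keeping `"decode regex": "[^\\r\\n]*"` together with `"jwt check sig": "X_key_SA"`. The test's header and `message type` are outside this hunk.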
@@ -2892,34 +2921,21 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } 
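Review bot: This test carries exactly the same `name` as the one added in the preceding hunk ("Does the SA correctly signs the Entity Statement") and differs only in `message type` (`Entity Statement response SA RP`); if mig-t reports or keys results by name, one outcome will mask the other. Name them by target, e.g. `"name": "Does the SA correctly sign the Entity Statement issued to the RP"`. The `decode regex` → `decode param` change with a regex value has the same risk as in the previous hunk of not decoding the body at all.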
@@ -2929,8 +2945,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" @@ -2951,8 +2967,11 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "check": "organization_type", + "is in": [ + "public", + "private" + ] } ] } @@ -2961,20 +2980,22 @@ ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Trust Mark contain the correct type of email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
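Review bot: `"result": ["s1"]` departs from the `"result": "correct flow s1"` string used by every other test in this file, including those moved by this same commit; unless the runner accepts both forms this test will be parsed differently or rejected, so either revert to `"result": "correct flow s1"` or document the list form. The test also shares its `name` ("Does the Trust Mark contain correct value for organization_type claim") with the test that follows, which makes the two indistinguishable in a report. The `organization_type` `is in` check itself is sound. The second test's body continues outside this hunk.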
@@ -2984,12 +3005,15 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "check": "organization_type", + "is in": [ + "public", + "private" + ] } ] } @@ -2998,39 +3022,28 @@ ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
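Review bot: The Content-Type test uses an exact `is` comparison against `application/entity-statement+jwt`; a server that appends a parameter (e.g. `; charset=utf-8`) or varies the case of the media type will fail although HTTP treats the type token as case-insensitive and permits parameters, so a match on the media type token (prefix or regex) is more robust unless the profile mandates the bare value. Note that a header-only check still accepts a body that is not a JWT; the `jwt` decode tests elsewhere cover that. `"result": ["s1"]` here diverges from the `"correct flow s1"` form used by the rest of the file in the same way as the preceding test.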
@@ -3040,8 +3053,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -3058,12 +3071,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -3077,8 +3090,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" 
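Review bot: The `sa_profile` schema is inert: its keywords are written with trailing or non-breaking spaces (`\"type \"`, `\"properties \"`, `\"required \"`, `\u00a0\"object \"`), which are not JSON Schema keywords, so a validator ignores them and accepts any payload — including one without `sa_profile` — and the enum values `\"full \"`/`\"light \"` could never equal a real `full`/`light` anyway. Replace with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}"`. The `$.trust_marks[0].trust_mark` path fix in the same hunk is correct.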
@@ -3100,7 +3113,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -3114,8 +3127,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -3137,7 +3150,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } 
@@ -3151,8 +3164,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -3169,12 +3182,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -3188,8 +3201,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" 
@@ -3211,7 +3224,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -3225,8 +3238,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3248,7 +3261,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -3262,8 +3275,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
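Review bot: The `email` schema cannot fail: `\"type \"`, `\"properties \"`, `\"email \"` and `\"required \"` carry trailing spaces and are not recognised keywords, so the check passes whether or not `email` exists or is a string. Even with the spaces removed, `\"format\": \"email\"` is annotation-only in most validators unless format assertion is enabled, so a `pattern` may be needed for an enforced check. Corrected schema: `{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}`.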
@@ -3280,12 +3293,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -3299,8 +3312,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3317,12 +3330,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } 
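Review bot: The new side changes the nested decode path from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark`; `trust_marks` in an Entity Statement is an array of `{id, trust_mark}` objects (the `[0]` form is used throughout this file and is being restored by other hunks of this same commit), so the path resolves to nothing and the inner JWT is never decoded — the `iat` check then either errors or passes vacuously. The `exp` hunk just above on this line has the same regression. Keep `"decode param": "$.trust_marks[0].trust_mark"`.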
@@ -3336,8 +3349,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -3359,7 +3372,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -3373,8 +3386,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -3396,7 +3409,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } 
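Review bot: `{\"additionalProperties\": {\"type\": \"object\"}}` requires every member of `id_code` to be an object, but sibling tests in this file require `id_code.ipa_code` to be a string and look for `fiscal_number`/`vat_number` as direct members; a conforming `{\"ipa_code\": \"...\"}` would pass those tests and fail this one. If the intent is only "id_code is a JSON object", as the description says, drop the inner constraint: `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}`.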
@@ -3410,15 +3423,15 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3428,12 +3441,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } 
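Review bot: The `organization_name` schema enumerates `private`/`public` (with trailing spaces) for a claim whose name suggests a free-form organisation name; this looks like the `organization_type` check applied to the wrong claim, and with the spaced keywords (`\"type \"`, `\"properties \"`, `\"required \"`) it validates nothing in any case. The hunk also regresses the decode path to `$.trust_marks.trust_mark`, which cannot address an element of the `trust_marks` array; keep `$.trust_marks[0].trust_mark`. If `organization_name` should simply be a string: `{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}`.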
@@ -3447,15 +3460,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3470,7 +3483,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } 
@@ -3484,15 +3497,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3502,12 +3515,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } 
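Review bot: The `ref` check relies on `\"format\": \"uri\"`, which JSON Schema validators treat as an annotation unless format assertion is switched on, whereas the other URL claims in this file (`sub`, `iss`, `logo_uri`, `policy_uri`) are enforced with `\"pattern\": \"^https://\"`; without that pattern a non-URL `ref` passes. Suggest `{\"type\": \"object\", \"properties\": {\"ref\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"}}, \"required\": [\"ref\"]}`. The hunk also changes the decode path to `$.trust_marks.trust_mark`, which cannot address the array element; keep `$.trust_marks[0].trust_mark`.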
@@ -3521,15 +3534,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3544,7 +3557,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } 
@@ -3558,15 +3571,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3581,7 +3594,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } @@ -3595,15 +3608,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", 
@@ -3613,12 +3626,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } @@ -3632,15 +3645,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -3650,12 +3663,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } 
@@ -3669,8 +3682,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -3687,12 +3700,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -3706,8 +3719,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" 
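Review bot: The moved `sa_profile` schema reintroduces keywords with trailing or non-breaking spaces (`\"type \"`, `\"properties \"`, `\"required \"`, `\"full \"`, `\"light \"`), so this copy also accepts any payload and can never match a real `full`/`light` value. Use `{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}`. The `[0]` path fix in the same hunk is correct.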
@@ -3729,7 +3742,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -3743,8 +3756,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -3766,7 +3779,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } 
@@ -3780,8 +3793,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -3798,12 +3811,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -3817,8 +3830,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" 
@@ -3840,7 +3853,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -3854,8 +3867,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3877,7 +3890,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -3891,8 +3904,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
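Review bot: The schema on the new side of hunk `@@ -3840` requires `claims` to be an object whose member values are objects, while the description introduced for this test in the preceding hunk (L5167, `@@ -3817`) says the value "is checked to be a list"; one of the two is wrong, so the test either rejects conforming Trust Marks or documents a check it does not perform. If the claim is an object of objects, reword the description; if it is a list, the schema should be `{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"array\"}}, \"required\": [\"claims\"]}`. The diff does not show which shape the AA Trust Mark profile mandates, so confirm against the profile before picking one.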
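Review bot: The email schema on the new side of hunk `@@ -3877` spells every keyword and property name with a trailing space (`\"type \"`, `\"properties \"`, `\"required \"`, `\"email \"`); a JSON Schema validator ignores unknown keywords, so it sees no `type`, `properties` or `required` at all and every payload passes — this test can never fail. The organization_name schema at L5171 has the same trailing-space keywords. Replace the value with `{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}`, keeping in mind that `format` is only an annotation unless the validator is configured to assert formats.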
@@ -3909,12 +3922,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -3928,8 +3941,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3946,12 +3959,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } 
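Review bot: Both hunks on this line change `decode param` from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark`; `trust_marks` is an array in an Entity Statement, so the un-indexed path is unlikely to resolve and the exp/iat schema checks would then run against nothing or fail outright, depending on how mig-t treats an unresolved path. The same un-indexed path is on the new side at L5171 and L5173, while the hunk at L5167 moves in the opposite direction, so the file ends up inconsistent. Use `"decode param": "$.trust_marks[0].trust_mark"` in all of them, as the other Trust Mark tests do. I cannot tell from the diff whether the tool accepts the un-indexed form as a wildcard, so confirm against its JSONPath behaviour.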
@@ -3965,8 +3978,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -3988,7 +4001,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -4002,8 +4015,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -4025,7 +4038,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } 
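Review bot: The id_code schema on the new side of hunk `@@ -3988` adds `additionalProperties: {type: object}` to id_code, but the test at L5167 expects `id_code.ipa_code` to be a string, so a Trust Mark that satisfies that test fails this one. The description only asks for id_code to be a JSON object, so drop the member constraint: `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}`. The new test name in hunk `@@ -3965` also has a typo: `correcty` should be `correct`.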
@@ -4039,53 +4052,32 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA OP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } 
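Review bot: The organization_name schema on the new side of this hunk has a trailing space in every keyword and property name (`\"type \"`, `\"properties \"`, `\"required \"`, `\"organization_name \"`), so a validator recognises no keywords and accepts any payload; it also contains `\u00a0` (a non-breaking space, which is not JSON whitespace) before some values, so the schema string may not even parse. Its `enum: [private, public]` looks like the value set of `organization_type` — the claim the removed checks at L5173 and L5174 tested with `is in` — rather than of `organization_name`, which is a free-text name. If the intent is the name's type, `{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}` is sufficient; if the intent is organization_type, rename the claim in the schema, name and description. Separately, this hunk reads the body with `decode regex` and removes `decode param`, while the TA file hunks from L5178 onward do the reverse; only one of those keys can be the one mig-t expects for body extraction, so confirm which and use it consistently.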
@@ -4097,53 +4089,32 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA RP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
@@ -4155,15 +4126,15 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -4173,15 +4144,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } @@ -4190,15 +4158,13 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -4219,11 +4185,8 @@ "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } 
@@ -4232,28 +4195,39 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } + ] + } + ] } ] } 
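Review bot: The hunks on this line and at L5176 and L5177 remove the only signature checks visible in this view for the SA's Entity Configuration and Entity Statement (`"jwt check sig": "X_key_SA"`) and replace them with Trust Mark claim-shape tests, and nothing in the hunks says whether those signature tests are re-added elsewhere in the plan. If they are not, the plan no longer verifies that the statements it decodes were signed by the SA, and every downstream claim check runs on unauthenticated JWT payloads. Please confirm the signature tests survive elsewhere or restore them alongside the new tests.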
@@ -4263,21 +4237,34 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } + ] + } + ] } ] } 
@@ -4287,8 +4274,8 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -4299,9 +4286,22 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } + ] + } + ] } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json index b5bf5f3..db33e32 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" @@ -19,19 +19,16 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] 
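Review bot: Every new check in this file addresses `$.metadata_policy.intermediary.<param>` while its description says the parameter is checked "inside the openid_provider type", and the hunk at L5189 uses `$.metadata_policy.openid_provider...` for the same kind of check; one of these paths is wrong, and a wrong path makes the result independent of what the TA actually publishes. In OpenID Federation the metadata_policy keys are entity type identifiers such as `openid_provider`, so unless this deployment's TA really emits an `intermediary` key, the paths at L5178–L5188 and L5190–L5191 should read `$.metadata_policy.openid_provider.…`. Confirm against a real fetch-endpoint response before changing, and correct the descriptions instead if `intermediary` is what the TA emits.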
@@ -44,8 +41,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" @@ -56,19 +53,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" ] } ] 
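Review bot: The `is subset of` check added here accepts any TA list contained in `["S256"]`, so a policy whose `subset_of` is empty passes as well (and possibly an unresolved path too, depending on how mig-t handles missing values), while the description says the value "must be valued as ['S256']". If the exact value is intended, an equality-style check, where the tool offers one, would be stronger; the same consideration applies to the other `is subset of` checks at L5178 and L5180–L5191. I cannot see the tool's handling of an unresolved JSONPath here, so this is worth verifying with a deliberately broken policy.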
@@ -81,8 +73,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" @@ -93,19 +85,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" ] } ] 
@@ -118,8 +106,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -130,19 +118,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
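Review bot: The new check path ends in `.one_of` while this test's description says the policy must contain `subset_of`; the same description/path disagreement is on the new side at L5182, L5190 and L5191 (path `one_of`, description `subset_of`) and, reversed, at L5185, L5186, L5188 and L5189 (description `one_of`, path `subset_of`). A wrong policy operator in the path looks up a key the TA never emits, so the test cannot pass for a conforming TA or, if an unresolved path is treated as vacuous, cannot fail for a broken one. The path at L5182 additionally starts with `$..metadata_policy`, a recursive descent unlike every other check; it should be `$.metadata_policy.…`. Align each description with the operator the SPID/CIE policy actually prescribes and use that same key in the path.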
@@ -155,8 +139,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -167,19 +151,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } + "in": "payload", + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -192,8 +172,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -204,19 +184,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -229,8 +205,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" @@ -241,19 +217,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" ] } ] 
@@ -266,8 +238,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" @@ -278,19 +250,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" ] } ] 
@@ -303,8 +270,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -315,19 +282,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" ] } ] 
@@ -340,8 +302,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" @@ -352,19 +314,17 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" ] } ] 
@@ -377,8 +337,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" @@ -389,19 +349,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" ] } ] 
@@ -414,8 +369,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -426,19 +381,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" ] } ] 
@@ -451,8 +401,8 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -463,19 +413,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -488,8 +434,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -500,19 +446,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -525,8 +467,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -537,19 +479,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -562,8 +500,8 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -574,19 +512,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -599,8 +533,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" @@ -611,19 +545,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" ] } ] 
@@ -636,8 +565,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" @@ -648,19 +577,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" ] } ] 
@@ -673,8 +598,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" @@ -685,19 +610,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" ] } ] 
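Review bot: The check at +610 applies `is subset of` with `["code"]` to `$.metadata_policy.openid_relying_party.response_types.value`, but a policy `value` entry is a fixed value rather than a set, and the description only says the key must be present. If the tool's `is subset of` is defined for array targets, a scalar `"code"` may fail or be silently skipped; please confirm how a non-array target is handled, or express the check as the presence/equality test the description describes. The SA test at +889 uses the same shape.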
@@ -710,8 +630,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -722,19 +642,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -747,8 +663,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -759,19 +675,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" ] } ] 
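Review bot: The expected set in the second hunk on this line (`@@ -759,19 +675,14 @@`) is a single string `"A128CBC-HS256\" , \"A256CBC-HS512"`: the escaped quotes and comma are part of one array element, not two algorithm names, so the subset check can never match a real policy. It should be two elements, `"A128CBC-HS256",` / `"A256CBC-HS512"`, as the sibling hunks at +479 and +987 already write it. The same broken literal appears at +707 (`"RS256\" , \"RS512"`) and at +804.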
@@ -784,8 +695,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -796,19 +707,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256\" , \"RS512" ] } ] 
@@ -821,8 +727,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" @@ -833,19 +739,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" ] } ] 
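Review bot: The expected value at +739 is `"private_key"`, which is not a `token_endpoint_auth_method` identifier; the OP-side test at +381 expects `private_key_jwt`, and the RP policy must name the same method for the two tests to agree. Unless the tool matches by prefix, a conformant policy fails this check; change the element to `"private_key_jwt"` and align the description, which repeats `'private_key'`. The SA hunk at +1065 carries the same value.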
@@ -858,8 +759,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -870,19 +771,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -895,8 +792,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -907,19 +804,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" ] } ] 
@@ -932,8 +824,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -944,19 +836,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -969,31 +857,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is subset of": [ + "automatic" ] } ] 
@@ -1006,31 +889,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" ] } ] 
@@ -1043,31 +921,27 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_toke" ] } ] 
@@ -1080,31 +954,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -1117,31 +987,27 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -1154,31 +1020,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -1191,8 +1053,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" @@ -1203,19 +1065,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" ] } ] 
@@ -1228,15 +1085,15 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -1245,8 +1102,11 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -1258,15 +1118,15 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -1275,8 +1135,11 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -1288,15 +1151,15 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -1305,8 +1168,11 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -1318,15 +1184,15 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1335,8 +1201,10 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
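Review bot: `"not contains": ["RSA_1_5"]` can never match the real JWA identifier, which RFC 7518 §4.1 spells `RSA1_5`, so a TA policy that still permits RSA PKCS#1 v1.5 key transport passes this test; the line should be `"not contains": ["RSA1_5"]`. The path also reads `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of` while the name and description describe the `openid_provider` type and the `subset_of` key — `*_values_supported` is array-valued, and `subset_of` is the operator the policy language applies to arrays, as the request_authentication_signing_alg test later in this patch already does. With the entity type and the operator both off, the JSONPath resolves to nothing and a "not contains" on an absent node is at best vacuous. The same `RSA_1_5` spelling recurs in every encryption-alg test of this patch and should be fixed together.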
@@ -1348,15 +1216,15 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1365,8 +1233,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
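Review bot: The JSONPath targets `$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of`, but the name and description say this is the OP statement's `openid_provider` type and its `subset_of` key; `one_of` is defined for single-valued parameters, whereas `id_token_signing_alg_values_supported` is an array a TA restricts with `subset_of`. The line should be `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of"`, matching the request_authentication test in this same patch. As written the check reads a node a compliant TA would not emit, so `none` and the HS* algorithms are not actually excluded.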
@@ -1378,15 +1251,15 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1395,8 +1268,13 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
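Review bot: This is the only OP policy check in the patch that reads `subset_of`, which matches both its description and the policy language for an array-valued parameter, but the entity type in the path is still `intermediary` while the description says `openid_provider`. Unless the tool maps that name itself, the line should be `"check": "$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported.subset_of"`. Bringing the sibling OP tests onto this same `subset_of` form would make the six `*_values_supported` checks consistent with each other.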
@@ -1408,15 +1286,15 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1425,8 +1303,10 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
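Review bot: The forbidden value is written `RSA_1_5`, but the JWA name is `RSA1_5` (RFC 7518 §4.1), so this test never flags a TA that still allows PKCS#1 v1.5 key transport for userinfo encryption; use `"not contains": ["RSA1_5"]`. The path `$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of` also contradicts the description, which names the `openid_provider` type and the `subset_of` key — the latter being the operator for array-valued `*_values_supported` parameters. Both corrections are needed for the check to touch the node a real TA statement contains.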
@@ -1438,15 +1318,15 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1455,8 +1335,13 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
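Review bot: The description says the `userinfo_signing_alg_values_supported` policy is read from the `openid_provider` type via `subset_of`, but the path is `$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of`. For an array-valued parameter the TA expresses the restriction with `subset_of`, so the line should read `"check": "$.metadata_policy.openid_provider.userinfo_signing_alg_values_supported.subset_of"`; otherwise `none`/HS256/HS384/HS512 are only excluded from a node that is never present.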
@@ -1468,15 +1353,15 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1485,8 +1370,13 @@ "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
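Review bot: Same mismatch as the other OP policy tests: the path reads `$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of` while the description promises the `openid_provider` type and the `subset_of` key, which is the operator that applies to an array-valued parameter. Change it to `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported.subset_of"` so the `none`/HS* exclusion is evaluated against the node a TA actually emits.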
@@ -1498,15 +1388,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -1515,8 +1405,10 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
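Review bot: `"not contains": ["RSA_1_5"]` does not match the JWA identifier `RSA1_5` (RFC 7518 §4.1), so an RP policy allowing PKCS#1 v1.5 for `id_token_encrypted_response_alg` passes; the value must be `"RSA1_5"`. Here the path `$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of` is the right shape for a single-valued RP parameter, so it is the description that should be corrected from "The key 'subset_of'" to "The key 'one_of'".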
@@ -1528,15 +1420,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -1545,8 +1437,13 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
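Review bot: The description says "The key 'subset_of' must not contain the values ...", but the check reads `$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of`; because `id_token_signed_response_alg` is single-valued, `one_of` is the correct operator and the description should say 'one_of'. It is worth adding a sentence on whether an absent `one_of` (no constraint at all) is treated as a pass or a failure, since the `not contains` predicate alone does not tell the reader.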
@@ -1558,15 +1455,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -1575,8 +1472,10 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
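Review bot: The excluded algorithm is spelled `RSA_1_5`; the JWA registry name is `RSA1_5`, so the check `"not contains": ["RSA_1_5"]` never fires on the algorithm it is meant to ban and should become `"not contains": ["RSA1_5"]`. The path uses `one_of`, which is right for the single-valued `userinfo_encrypted_response_alg`, so update the description's "The key 'subset_of'" to 'one_of' to match.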
@@ -1588,15 +1487,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -1605,8 +1504,13 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
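Review bot: The check at `$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of` is the right operator for a single-valued RP parameter, but the description still states "The key 'subset_of' must not contain the values ...". Reword it to "The key 'one_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']" so the report text matches what is evaluated.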
@@ -1618,15 +1522,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -1635,8 +1539,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
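Review bot: As in the other encryption-alg tests, `"not contains": ["RSA_1_5"]` misses the real identifier `RSA1_5` from RFC 7518 §4.1 and should be `"not contains": ["RSA1_5"]`; until then an SA policy permitting PKCS#1 v1.5 for `id_token_encrypted_response_alg` is reported clean. The description names `subset_of` whereas the path reads `one_of` (correct for a single-valued parameter), and the `intermediary` entity-type key should be confirmed against what the tool emits for an SA statement.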
@@ -1648,15 +1554,15 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -1665,8 +1571,13 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
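Review bot: The description promises a check on `subset_of`, but the path is `$.metadata_policy.intermediary.id_token_signed_response_alg.one_of`; `one_of` is the operator for a single-valued parameter, so fix the description rather than the path. Please also verify `intermediary` is the key under which the tool stores SA policies, since the description calls it "the intermediary type" while the rest of the file uses OpenID entity-type names.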
@@ -1678,15 +1589,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -1695,8 +1606,10 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
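Review bot: `"not contains": ["RSA_1_5"]` should be `"not contains": ["RSA1_5"]`; the underscore-free form is the JWA name (RFC 7518 §4.1), and with the current spelling the SA policy for `userinfo_encrypted_response_alg` is never checked for PKCS#1 v1.5. The description's "The key 'subset_of'" should read 'one_of' to match the path.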
@@ -1708,15 +1621,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -1725,8 +1638,13 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
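Review bot: The description says the `subset_of` key is inspected, but the check reads `$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of`, which is the appropriate operator for this single-valued parameter; correct the description to 'one_of'. This is the last of eight SA/RP tests in the patch with the same wording slip, so a single pass over the descriptions would fix them all.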
@@ -1738,15 +1656,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1755,8 +1673,11 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" + ] } ] } @@ -1768,8 +1689,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" 
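Review bot: `$.trust_marks[0].trust_mark.organization_type` dereferences into `trust_mark`, but in an Entity Statement each `trust_marks[]` entry carries the trust mark as a signed compact JWT string (per OpenID Federation), so a JSONPath on the decoded statement payload cannot reach `organization_type` without a second JWT decode of that string; unless the tool's decode operations can chain, this check will always fail or be skipped. The `[0]` index also inspects only the first trust mark, and the description's "decrypted" should read "decoded" since trust marks are signed, not encrypted. The second hunk gives the following test the identical name "Does the Trust Mark contain a correct organization_type claim"; two tests with the same name are indistinguishable in a report, so suffix one with its source, e.g. "... in the TA Entity Statement" versus "... in the Trust Mark response".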
@@ -1785,8 +1706,11 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.organization_type", + "is in": [ + "public", + "private" + ] } ] } @@ -1798,15 +1722,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1815,8 +1739,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
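Review bot: The schema `{"type": "object", "properties": {"exp": {"type": "integer", "minimum": 0}}, "required": ["exp"]}` now enforces type and sign, but the description still says only "the presence of the exp parameter is checked"; update it to state that `exp` must be a non-negative integer. Any non-negative integer passes, including one already in the past or earlier than `iat`, so an expired Entity Configuration is not caught here — if the tool offers a time comparison, a follow-up test on `exp > iat` and `exp` in the future would close that gap, and if it does not, the description should say the freshness of `exp` is not verified.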
@@ -1828,15 +1752,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1845,8 +1769,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
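Review bot: As with the `exp` test, the description says only "the presence of the iat parameter is checked" while the schema requires a non-negative integer; reword it to "the iat parameter must be present and be a non-negative integer (seconds since the epoch)". The check does not reject an `iat` in the future, which the verifier of a configuration would normally refuse, so note that limitation in the description or add a time-based follow-up if the tool supports one.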
@@ -1858,15 +1782,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1875,8 +1799,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -1888,25 +1812,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
@@ -1918,25 +1842,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], 
\"additionalProperties\": false}" } ] } @@ -1948,15 +1872,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1965,8 +1889,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" } ] } 
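Review bot: The metadata schema lists all six entity types under `"required"`, so an Entity Configuration that legitimately publishes only `federation_entity` — typically the case for a TA — fails this test, which contradicts the name "only allowed types": `"additionalProperties": false` is what enforces the allowed set, and `required` should be dropped or reduced to `["federation_entity"]`. The "only once for each" clause of the description is not checkable after JSON parsing, because a duplicate key is collapsed by the parser before the schema sees it; either drop that wording or say explicitly that duplicates are not verified.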
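Review bot: In the constraints schema the outer `"required": ["constraints"]` sits inside `"properties"` — the braces close the `constraints` subschema before it — so it is parsed as a property named `required` whose schema is the array `["constraints"]`, not as a requirement: an Entity Configuration without `constraints` passes, and strict validators reject the array as an invalid subschema. It should be `{"type": "object", "properties": {"constraints": {"type": "object", "properties": {"max_path_length": {"type": "integer", "minimum": 0}}, "required": ["max_path_length"]}}, "required": ["constraints"]}`. The empty `{}` for `max_path_length` currently accepts any type, which is why the integer constraint is added above.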
@@ -1978,15 +1902,15 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -1995,8 +1919,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" } ] } 
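Review bot: The name and description say `trust_mark_issuers` "must be a JSON Array", but the schema requires an object whose values are arrays (`"type": "object", "additionalProperties": {"type": "array"}`), which is the shape OpenID Federation defines (trust mark id → array of issuer entity ids); the text should be corrected to "a JSON Object mapping each trust mark identifier to a JSON Array of issuers". The array items are unconstrained, so `"additionalProperties": {"type": "array", "items": {"type": "string", "format": "uri"}}` would additionally reject non-URL issuer entries, bearing in mind `format` is only enforced by validators configured to do so.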
@@ -2008,21 +1932,27 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
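Review bot: The check path `$.metadata_policy.intermediary.acr_values_supported` does not match this test's own description, which says the parameter is checked inside the `openid_provider` type, and the message type is the TA's statement for an OP; if the OP policy is keyed under `openid_provider` as the description says, this JSONPath resolves to nothing and the schema is never applied. The same `intermediary` path is used in the OP tests for grant_types_supported, id_token_encryption_alg/enc_values_supported, id_token_signing_alg_values_supported, request_authentication_signing_alg_values_supported, response_modes_supported, scopes_supported, token_endpoint_auth_signing_alg_values_supported, userinfo_encryption_alg/enc_values_supported and userinfo_signing_alg_values_supported. Each of those descriptions also promises only `'subset_of'` while the schema requires both `subset_of` and `superset_of`, so either the text or the `required` list should change so they agree. For this hunk: `"check": "$.metadata_policy.openid_provider.acr_values_supported"`.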
@@ -2032,15 +1962,15 @@ }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2049,8 +1979,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_TA" + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
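Review bot: The description says claims_parameter_supported must contain the key `'one_of'` valued as `['true']`, but the schema in the `@@ -2049` hunk checks a different policy operator, `\"value\": {\"const\": true}`; a policy written with `one_of` would fail this test and one written with `value` would pass while contradicting the documentation. The same description/schema mismatch is in client_registration_types_supported (`@@ -2062`), request_authentication_methods_supported (`@@ -2200`), request_parameter_supported (`@@ -2320`) and authorization_response_iss_parameter_supported (`@@ -2530`). If `value` is the intended operator, the description should read `It must contain the key 'value' valued as true`; if `one_of` is intended, the schema should be `{\"type\": \"object\", \"properties\": {\"one_of\": {\"const\": [true]}}, \"required\": [\"one_of\"]}`.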
@@ -2062,20 +1992,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" + } + ] } ] } 
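Review bot: `\"subset_of\": {\"const\": \"automatic\"}` compares the operator's value against a bare string, but `subset_of` in the Federation policy language carries an array of allowed values, so a policy expressed as `\"subset_of\": [\"automatic\"]` would fail this check even though it is what the description asks for. `{\"subset_of\": {\"const\": [\"automatic\"]}}` matches the documented value exactly; `{\"subset_of\": {\"type\": \"array\", \"items\": {\"const\": \"automatic\"}}}` is the looser form if additional ordering is not a concern.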
@@ -2085,20 +2022,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
@@ -2108,8 +2052,8 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -2122,12 +2066,11 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
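Review bot: Both copies of the "Does the TA correctly sign the issued Trust Mark" test are replaced here and in `@@ -2139` by metadata-policy key checks, and no `jwt check sig` operation remains anywhere in this span; if the Trust Mark signature verification is not kept elsewhere in this file, the suite no longer confirms that Trust Marks presented as issued by the TA were actually signed with `X_key_TA`. Since the two removed tests were identical, keeping one of them (or noting in the commit description where it moved) would preserve that coverage.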
@@ -2139,26 +2082,25 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2170,15 +2112,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2187,8 +2129,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2200,15 +2142,15 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2217,8 +2159,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
@@ -2230,15 +2172,15 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2247,8 +2189,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2260,25 +2202,25 @@ }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
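Review bot: The check path is `$.metadata_policy.openid_provider.request_parameter_supported` while the name and description are about `request_object_signing_alg_values_supported`, so this test validates a different parameter than it claims; the next hunk (`@@ -2290`) carries the same name and the same path, and `request_parameter_supported` is already covered by its own test at `@@ -2320`. The path should be `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`.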
@@ -2290,25 +2232,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
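Review bot: The `json schema compliant` string ends with `} [\"RS256\", \"RS512\"]` — an array appended after the schema's closing brace — so it is not parseable JSON and the check cannot run. Folding the allowed values into the schema gives `{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": [\"RS256\", \"RS512\"]}}, \"required\": [\"subset_of\"]}` (`const` compares arrays in order; `{\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}` if order may vary). The check path still targets `request_parameter_supported` although the name and description concern `request_object_signing_alg_values_supported`, and the name duplicates the previous test's. The description also appears to break across two lines inside the string; if that newline is in the file rather than an artifact of this listing, the whole document stops being valid JSON.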
@@ -2320,15 +2262,15 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2337,8 +2279,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -2350,15 +2292,15 @@ }, { "test": { - "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2367,8 +2309,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2380,8 +2322,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -2397,8 +2339,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2410,8 +2352,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -2427,8 +2369,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2440,8 +2382,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -2457,8 +2399,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -2470,8 +2412,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -2487,7 +2429,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported", + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] 
@@ -2500,8 +2442,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -2517,7 +2459,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] 
@@ -2530,8 +2472,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" @@ -2547,8 +2489,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -2560,15 +2502,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -2577,7 +2519,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "check": "$.metadata_policy.openid_relying_party.grant_types", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] 
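Review bot: The empty subschemas `\"subset_of\": {}` and `\"superset_of\": {}` accept any JSON value, so a policy that writes `\"subset_of\": \"authorization_code\"` (a string rather than a list) still passes; only the key's presence is verified, which is weaker than "correct grant_types parameter key" suggests. Replacing each `{}` with `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` pins both operators to the list form. The same applies to every other subset_of/superset_of check in this file.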
@@ -2590,15 +2532,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -2607,8 +2549,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" } ] } 
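Review bot: The schema in the `@@ -2607` hunk contains `\"required\": [\"subset_of\"], [\"superset_of\"]`, a bare array as an object member, so the string is not valid JSON and the check cannot be evaluated. It should read `\"required\": [\"subset_of\", \"superset_of\"]`, matching the other schemas of this shape in the file.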
@@ -2620,25 +2562,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
@@ -2650,25 +2592,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
 }
 ]
 }
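Review bot: `"is present": "true"` only proves the `federation_fetch_endpoint` key exists in the TA's `federation_entity` metadata; it does not check that the value is a string URL, nor that it uses `https://`, which is what subordinates will later fetch signed entity statements from. If the profile under test requires TLS endpoints, replace the presence check with a typed assertion such as `"json schema compliant": "{\"type\": \"string\", \"pattern\": \"^https://\"}"`. The same applies to the list, resolve and trust-mark-status endpoint tests that follow this one.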
@@ -2680,25 +2622,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -2710,25 +2652,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -2740,25 +2682,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -2770,25 +2712,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -2800,25 +2742,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -2830,25 +2772,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -2860,25 +2802,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the policy_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -2890,25 +2832,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
 }
 ]
 }
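Review bot: `$.constraints.max_path_length` is only checked for presence, yet this is the value that bounds how long a trust chain the TA allows below it, so a string, a negative number or `null` would satisfy this test while being useless to a chain validator. Replacing `"is present": "true"` with `"json schema compliant": "{\"type\": \"integer\", \"minimum\": 0}"` would assert the constraint is actually a usable integer. The description's "decoded (Base64 encoding)" is the JWT payload decode that the `decode regex` / `"type": "jwt"` lines already perform; saying "the JWT payload is decoded" would match the other tests' wording.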
@@ -2920,8 +2862,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2932,13 +2874,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
 "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "is present": "true"
 }
 ]
 }
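Review bot: In the second hunk the `{\"value\": {\"const\": true}}` schema is replaced by `"is present": "true"`, so a TA policy that sets `authorization_response_iss_parameter_supported` to `false`, or uses a different operator, now passes this test. The `iss` authorization-response parameter is the OP's defence against mix-up attacks, and this assertion was the only line in the hunk that pinned it to `true`; if a pure presence test is wanted, keep the value assertion as a second check entry, e.g. `{"in": "payload", "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", "json schema compliant": "{\"const\": true}"}`, instead of dropping it. The same weakening presumably applies to the `.value` presence tests added further down unless a value test for them exists elsewhere in this patch.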
@@ -2950,25 +2892,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -2980,25 +2922,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
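Review bot: The description says the `claims_parameter_supported` policy "must contain the key 'one_of'", but the check path is `$.metadata_policy.openid_provider.claims_parameter_supported.value`, so the test passes on a `value` operator and fails on a `one_of` one. One of the two is stale; for a boolean capability `value` is the natural operator, so the description should say `'value'`, and a `"json schema compliant": "{\"const\": true}"` on that path would be stronger than a bare presence check.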
@@ -3010,20 +2952,27 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
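Review bot: This test is titled as a presence check for the `client_registration_types_supported` parameter, but its path already descends into `.subset_of`, which makes it byte-for-byte the same assertion as the "correct ... parameter key" test in the next hunk. The presence test should stop at `"check": "$.metadata_policy.openid_provider.client_registration_types_supported"`, so that a policy carrying the parameter under a different operator is reported differently from one that omits it entirely.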
@@ -3033,20 +2982,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3056,8 +3012,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3065,11 +3021,18 @@
 "operations": [
 {
 "message type": "Entity Statement response TA OP",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
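Review bot: The name and description say the `code_challenge_methods_supported` policy is checked inside the `openid_provider` type, and the message inspected is the TA's statement for an OP, but the path in the second hunk is `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`. Unless the TA really publishes PKCE policy under an `intermediary` type, this test will always report the parameter missing; the path should be `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of"`. The same `intermediary` path recurs in the response_types, revocation and subject_types tests further down this file.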
@@ -3079,20 +3042,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3102,20 +3072,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response TA OP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3125,20 +3102,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response TA RP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3148,20 +3132,27 @@
 },
 {
 "test": {
- "name": "Does the TA publish the federation public key history",
- "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Public Keys History response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
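Review bot: As in the claims_parameter_supported test above, the description requires the key `'one_of'` for `request_parameter_supported` while the path checks `.value`, so the text and the assertion disagree. A boolean capability is normally pinned with `value`, so the description is most likely the stale half; if so, change it to `It must contain the key 'value'` and consider adding `"json schema compliant": "{\"const\": true}"` so a TA that publishes `"value": false` is caught.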
@@ -3171,20 +3162,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
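Review bot: The description says `response_types_supported` is checked inside the `openid_provider` type and must contain `'one_of'`, but the check reads `$.metadata_policy.intermediary.response_types_supported.subset_of` — a different metadata type and a different operator. Since the message is the TA's OP statement, `"check": "$.metadata_policy.openid_provider.response_types_supported.subset_of"` (or `.one_of`, whichever the profile actually mandates) is the path that can match, and the description should name the same operator.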
@@ -3194,8 +3192,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3206,15 +3204,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
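Review bot: After this change the suite no longer asserts anywhere in this hunk that `id_token_encryption_alg_values_supported` excludes `RSA_1_5`; the `not contains` entry was the only guard against the TA permitting PKCS#1 v1.5 key wrapping, which is exposed to Bleichenbacher-style padding-oracle attacks, and it is replaced by a presence check on an unrelated parameter. Unless that negative assertion has been moved to one of the new per-test files in this patch, it should be kept as its own test rather than dropped. The new check also repeats the `intermediary`-versus-`openid_provider` mismatch: the description says OP type and key `'one_of'`, the path reads `intermediary...subset_of`.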
@@ -3226,8 +3222,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3238,18 +3234,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
@@ -3261,8 +3252,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3273,18 +3264,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
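Review bot: The check `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of` uses recursive descent (`$..`) while every other check in these hunks anchors at `$.metadata_policy`; `$..` matches the key at any depth, so a `metadata_policy` object nested inside some unrelated claim would satisfy the test, and nothing in the hunk explains the difference. Suggest `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of"`. The description is also the only one in this group that does not say which operator key is required; appending `It must contain the key 'subset_of'` would bring it in line with its neighbours.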
@@ -3296,8 +3282,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3308,15 +3294,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
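Review bot: The description ends with `It must contain the key 'one_of'` but the check asserts `$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value`. For a boolean parameter a fixed `value` operator is the plausible policy, so the path is probably the intended one and the description should read `It must contain the key 'value'`; if 'one_of' really is the intent, the path must change instead. Either way the report text and the assertion currently disagree.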
@@ -3328,8 +3312,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3340,18 +3324,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
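Review bot: The check `$.jwks` reads the top-level `jwks` claim of the entity statement, i.e. the subject's federation keys, not the `jwks` parameter inside `metadata_policy.openid_provider` that the name and description announce; if the policy is what is meant, the path should be `$.metadata_policy.openid_provider.jwks`. As written the test passes on any well-formed entity statement regardless of the policy content. The description also speaks of 'the RP JWKS' although this test fetches an OP's entity statement, so that sentence should state which entity's keys are expected.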
@@ -3363,30 +3342,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "is present": "true"
 }
 ]
 }
@@ -3398,8 +3372,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3410,15 +3384,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
 "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "is present": "true"
 }
 ]
 }
@@ -3430,8 +3402,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3442,18 +3414,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
 }
 ]
 }
@@ -3465,8 +3432,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3477,15 +3444,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3497,8 +3462,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3509,18 +3474,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3532,27 +3492,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3564,30 +3522,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3599,27 +3552,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3631,30 +3582,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3666,15 +3612,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the contacts parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3683,7 +3629,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
 "is present": "true"
 }
 ]
@@ -3696,15 +3642,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3713,7 +3659,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is present": "true"
 }
 ]
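Review bot: This SA test consumes `Entity Statement response TA SA` and its description says the parameter is checked inside the `intermediary` type, yet the second hunk's check path is `$.metadata_policy.openid_relying_party.response_types.value`; the neighbouring SA tests (client_registration_types, id_token_encrypted_response_alg) all use `$.metadata_policy.intermediary...`. Suggest `"check": "$.metadata_policy.intermediary.response_types.value"` unless the `openid_relying_party` path is deliberate, in which case the name and description should say so. As written the test would report the SA policy as non-compliant for a key that is simply looked up under the wrong entity type.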
@@ -3726,15 +3672,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3743,7 +3689,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -3756,15 +3702,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3773,7 +3719,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
@@ -3786,15 +3732,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3803,7 +3749,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -3816,15 +3762,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the homepage_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3833,7 +3779,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
 "is present": "true"
 }
 ]
@@ -3846,15 +3792,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the logo_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3863,7 +3809,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -3876,15 +3822,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the organization_name parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3893,7 +3839,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
@@ -3906,15 +3852,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the policy_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3923,7 +3869,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -3936,8 +3882,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
+ "name": "Does entity configuration TA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3948,13 +3894,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints.max_path_length",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_url_TA"
 }
 ]
 }
@@ -3966,27 +3912,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
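Review bot: The new `"is": "X_url_TA"` check pins `sub` to the configured Trust Anchor URL, but the test's description (previous hunk) says the value "must be equal to the one in the iss parameter"; the two only coincide when the configured URL is exactly the TA's Entity Identifier, and `iss` itself is never compared here. Either add a parallel `{ "in": "payload", "check": "$.iss", "is": "X_url_TA" }` check object or reword the description to say the value must equal the TA Entity Identifier. Separately, this hunk turns the only `constraints.max_path_length` assertion in this view into a `sub` check; if the path-length constraint is not exercised elsewhere in the file, the TA's limit on trust-chain length is no longer tested. The enclosing test object starts before this hunk.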
@@ -3996,27 +3935,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -4026,27 +3958,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
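Review bot: The new `"check regex"` is unanchored and its third group is `*`, so an unsigned `alg: none` token (`header.payload.`) or any body containing a dotted run such as `www.example.com` satisfies the "JOSE format" check, although an Entity Configuration must be a signed JWS; `\w` also omits the base64url `-` character. Tighten it to the base64url alphabet with three mandatory parts: `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\s*$"`. The description also promises `Content-Type: application/entity-statement+jwt`, but only the body is inspected; add a second check object with `"in": "head"` and `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt"` so that claim is actually tested. The same body pattern is reused for the Entity Statement tests below and deserves the same tightening.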
@@ -4056,27 +3981,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
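Review bot: The new description says "the resolve entity statement endpoint" while the name and message type are for the entity listing endpoint; this reads like a copy/paste leftover and should say "entity listing endpoint". The `"check regex"` also demands at least one quoted element and allows no whitespace before the comma, so a legitimately empty listing `[]` or a pretty-printed `"a" , "b"` fails; if an empty list is acceptable for the TA under test, prefer `"check regex": "^\\[\\s*(?:\"[^\"]*\"(?:\\s*,\\s*\"[^\"]*\")*)?\\s*\\]\\s*$"`, which is also anchored at the start.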
@@ -4086,8 +4004,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA correctly release the Entity statements",
+ "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4095,18 +4013,11 @@
 "operations": [
 {
 "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -4116,27 +4027,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA correctly release the Entity statements",
+ "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Statement response TA RP",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
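Review bot: This test and the one in the previous hunk both get the name "Does the TA correctly release the Entity statements"; only the message type (`TA OP` vs `TA RP`) differs, so a failure in a report cannot be attributed to the right subordinate. Name them by subject, e.g. `"name": "Does the TA correctly release the Entity statement for the RP"`, and mention the RP in the description as well. The body regex accepts an empty signature part, so an unsigned statement would still pass this "contains the Entity Statement" check; since the Entity Statement is the signed link of the trust chain, the base64url pattern with three mandatory parts proposed for the Entity Configuration test should be used here too.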
@@ -4146,27 +4050,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response TA OP",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
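Review bot: The new description expects "the resolved metadata for the entity in the request's sub claim", but the fetch endpoint returns the Entity Statement the TA issues about its subordinate (the subordinate's keys and the `metadata_policy`), not resolved metadata; that wording belongs to the resolve test and should be replaced by "the Entity Statement issued by the TA for the entity in the request's sub parameter". The message type also differs from `Entity Statement response TA OP` used two hunks above for what the descriptions present as the same fetch request; if both names map to the same captured message the two tests are duplicates, and if they do not, the description should say how the `Fetch Entity Statement response` differs.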
@@ -4176,27 +4073,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response TA RP",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -4206,27 +4096,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the TA publish the federation public key history",
+ "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Public Keys History response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
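Review bot: The `"check regex"` here is the entity-listing pattern (a bare JSON array of strings), but a federation key history is a set of JWKs — objects with `kty`, `kid`, `n`/`e` or `x`/`y` — normally returned inside a `keys` object or as a signed JWT, so unless this deployment really answers with a string array the check can never pass and the test would report a failure that has nothing to do with the TA. Please confirm the endpoint's response format and match it; for a plain JWKS something like `"check regex": "\"keys\"\\s*:\\s*\\["` would do, and for a signed history the JWT decode used by the Entity Configuration tests fits better. The description should also state what "analyzed" means, e.g. that the response must be a JWK Set containing the current and previous federation keys.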
@@ -4236,27 +4119,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
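Review bot: The `"check regex"` in this hunk lost the escape on its first bracket: `[\\s*\"[^\"]*\"...` opens a character class instead of matching a literal `[`, unlike the identical pattern in the entity listing test, so the expression is either rejected by the regex engine or matches almost any body. It should read `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Independently, the description expects "resolved metadata" and an HTTP 200, yet the check looks for an array of strings and never inspects the status line; if the resolve endpoint returns a signed resolve-response JWT, as current OpenID Federation drafts specify, this test needs the JWT body pattern plus a `"in": "head"` check for `200`, so please confirm which response format the target implements.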
@@ -4266,8 +4142,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4278,13 +4154,14 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "jwt check sig": "X_key_TA"
 }
 ]
@@ -4296,25 +4173,26 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "jwt check sig": "X_key_TA"
 }
 ]
@@ -4326,24 +4204,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -4356,24 +4234,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -4386,24 +4264,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
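Review bot: `$.iss` is only checked for presence on the new `"check"` line, while the `sub` test earlier in this patch pins its value to `X_url_TA`; an Entity Configuration is self-issued, so `iss` must equal the TA's Entity Identifier as well, otherwise a configuration issued by some other entity passes this test. Replace `"is present": "true"` with `"is": "X_url_TA"` here, or add a second check object `{ "in": "payload", "check": "$.iss", "is": "X_url_TA" }` and keep the presence check for the error message. The enclosing test object closes after this hunk.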
@@ -4416,19 +4294,19 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
@@ -4446,24 +4324,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "check": "$.metadata",
 "is present": "true"
 }
 ]
@@ -4476,24 +4354,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -4506,24 +4384,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.constraints",
 "is present": "true"
 }
 ]
@@ -4536,24 +4414,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Federation Configuration contain the TA public keys",
+ "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
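Review bot: This test repeats the `$.jwks` presence check that the hunk named "Does entity configuration contain the jwks parameter" already performs on the same message, so a missing key set is reported twice and a published-but-empty `"jwks": {"keys": []}` passes both. Make this one earn its name by asserting at least one TA key is actually published, `"check": "$.jwks.keys[0]"`, and say so in the description ("the claim 'jwks' must be present and contain at least one key"). The enclosing test object closes after this hunk.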
@@ -4566,24 +4444,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "check": "$.trust_mark_issuers",
 "is present": "true"
 }
 ]
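Review bot: The new name and description refer to `trust_marks_issuers`, but the `"check"` path is `$.trust_mark_issuers`; both spellings cannot be right, and a passing or failing result will be misread. The OpenID Federation specification uses `trust_mark_issuers`, whereas the Italian SPID/CIE federation profile, as far as I recall, documents `trust_marks_issuers`; pick the spelling the target profile mandates and use it in the name, the description and the `"check"` (`"check": "$.trust_marks_issuers"` if the profile is the authority). The enclosing test object closes after this hunk.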
@@ -4596,24 +4474,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "check": "$.constraints",
 "is present": "true"
 }
 ]
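Review bot: The new description says "once obtained the decrypted Payload, the presence if the constraints parameter is checked", but an Entity Statement is signed, not encrypted, and the payload is merely base64url decoded, which the same sentence already states; saying "decrypted" misleads anyone reading a failure report about what the tool actually verified. Suggest `"description": "... the Entity Statement payload contained in the response is base64url decoded and the presence of the constraints parameter in the decoded payload is checked"` and `"name": "Do Entity Statements issued by the TA contain the constraints parameter"`. The same wording is copied into the four following tests and should be fixed there too. The enclosing test object closes after this hunk.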
@@ -4626,24 +4504,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -4656,24 +4534,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -4686,24 +4564,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "check": "$.jwks", "is present": "true" } ] 
@@ -4716,24 +4594,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "check": "$.metadata_policy", "is present": "true" } ] 
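Review bot: The description promises a type check that the check does not perform: it ends with `It must be a JSON Object`, but the only assertion is `"check": "$.metadata_policy"` with `"is present": "true"`, which also passes when `metadata_policy` is a string, an array or `null`. Either drop that sentence or add a second entry to the same `checks` array that asserts the type, e.g. `{ "in": "payload", "check": "$", "json schema compliant": "{\"type\":\"object\",\"properties\":{\"metadata_policy\":{\"type\":\"object\"}},\"required\":[\"metadata_policy\"]}" }` (constructed from the schema form the old side of this file used). The same description/check mismatch is on the new side of L5335.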
@@ -4746,24 +4624,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.iss", "is present": "true" } ] 
@@ -4776,24 +4654,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "check": "$.sub", "is present": "true" } ] 
@@ -4806,24 +4684,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -4836,24 +4714,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "check": "$.constraints", "is present": "true" } ] 
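Review bot: With this hunk the `Entity Statement response TA SA` message type disappears from the visible range: on the old side L5327–L5335 were the only tests exercising the `intermediary` metadata policy (client_registration_types, response_types, token_endpoint_auth_method and the id_token/userinfo alg keys), and no SA test is added in their place. Unless that coverage moved to another file, subordinate statements the TA issues for an intermediary are no longer checked at all, which is a gap rather than a rename. Separately, this hunk and L5332–L5335 make the RP set identical to the OP set of L5324–L5330 except for `constraints`, which is asserted for RP here but not for OP in the visible hunks; if no OP `constraints` test exists above L5324, confirm the asymmetry is intended.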
@@ -4866,24 +4744,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "check": "$.exp", "is present": "true" } ] 
@@ -4896,24 +4774,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "check": "$.iat", "is present": "true" } ] 
@@ -4926,24 +4804,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "check": "$.jwks", "is present": "true" } ] 
@@ -4956,24 +4834,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "check": "$.metadata_policy", "is present": "true" } ] 
@@ -4986,32 +4864,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -5023,32 +4894,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -5060,32 +4924,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
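Review bot: The name and description of this test do not match its check: they describe `the presence of the jwks parameter inside the openid_relying_party type` of the metadata policy, but the assertion is `"check": "$.jwks"`, i.e. the Entity Statement's own top-level key set, which the TA RP `jwks` test at L5334 already covers. If the policy entry is the intent, the check should be `"check": "$.metadata_policy.openid_relying_party.jwks"`; otherwise this test is a duplicate and should be dropped or renamed. Note also that a present top-level `jwks` says nothing about whether the statement's signature was verified against the expected key; that remains a separate check.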
@@ -5097,32 +4954,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -5134,8 +4984,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5156,8 +5006,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + "check": "$.id_code.ipa_code", + "is present": "true" } ] } @@ -5171,8 +5021,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5193,8 +5043,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "check": "claims", + "is present": "true" } ] } 
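Review bot: The new description of the oauth_resource `claims` test says `a Trust Mark issued for an TA must be taken`, which is both a typo and the wrong entity: the oauth_resource Trust Mark is issued for an AA, as the same test's description at L5348 and the neighbouring policy_uri/service_documentation/tos_uri tests state. Suggest `a Trust Mark issued for an AA (oauth_resource profile) must be taken` so the two copies agree.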
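Review bot: The new check value `"check": "claims"` has no `$.` prefix, while every other presence check written in this commit (`$.exp`, `$.iss`, and `$.id_code.ipa_code` two hunks above on this same line) is a JSONPath expression. If the runner evaluates `check` as JSONPath, a bare key name will not resolve and the test will fail regardless of the Trust Mark content; if it accepts both forms, the file is still mixing two notations for the same thing. Use `"check": "$.claims"` for consistency. The same bare form appears on the new side of L5341 (`email`, `exp`), L5342 (`iat`, `id`, `logo_uri`), L5343 (`organization_name`, `organization_type`), L5344 (`policy_uri`, `ref`), L5345–L5347 (`service_documentation`, `sub`, `tos_uri`, `iss`, `id_code`) and L5348 (`claims`).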
@@ -5208,8 +5058,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5230,8 +5080,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "check": "email", + "is present": "true" } ] } @@ -5245,8 +5095,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5267,8 +5117,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + "check": "exp", + "is present": "true" } ] } @@ -5282,8 +5132,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" 
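Review bot: Replacing `json schema compliant` with `"is present": "true"` removes every type and format constraint on the Trust Mark claims in this hunk: `exp` and `iat` are no longer required to be non-negative integers and `email` loses its format check, and the following hunks do the same for `logo_uri`, `ref`, `sub` and the URI-typed claims in L5343–L5344, while the `private`/`public` enum for `organization_name` is dropped in L5342. A Trust Mark with `"exp": "never"` now passes these tests. If the coarsening is intentional for a presence-only tier, keep it, but the typed assertions should survive somewhere, e.g. as a second entry in the same `checks` array using the schema form the old side used.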
@@ -5304,8 +5154,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + "check": "iat", + "is present": "true" } ] } @@ -5319,8 +5169,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5341,8 +5191,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + "check": "id", + "is present": "true" } ] } @@ -5356,8 +5206,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5378,8 +5228,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + "check": "logo_uri", + "is present": "true" } ] } 
@@ -5393,8 +5243,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5415,8 +5265,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + "check": "organization_name", + "is present": "true" } ] } @@ -5430,8 +5280,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5452,8 +5302,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + "check": "organization_type", + "is present": "true" } ] } 
@@ -5467,8 +5317,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5489,8 +5339,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + "check": "policy_uri", + "is present": "true" } ] } @@ -5504,8 +5354,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5526,8 +5376,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "check": "ref", + "is present": "true" } ] } 
@@ -5541,15 +5391,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -5563,8 +5413,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "check": "service_documentation", + "is present": "true" } ] } @@ -5578,15 +5428,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", 
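Review bot: The `service_documentation` and `sub` Trust Mark tests switch from `Entity Statement response TA RP` to `Entity Statement response TA OP`, and L5346 does the same for `tos_uri`. `service_documentation` and `tos_uri` are described as claims of the oauth_resource Trust Mark issued for an AA, so reading them from the OP's Entity Statement will inspect the OP's own Trust Mark instead, unless the TA OP message in this session carries the AA's mark. The decode operation that selects the mark is outside the hunk; if it still uses `$.trust_marks[0].trust_mark` as the removed operations did, it also silently picks whichever mark is listed first rather than the oauth_resource one, so the test can pass or fail depending on ordering alone.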
@@ -5600,8 +5450,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "check": "sub", + "is present": "true" } ] } @@ -5615,15 +5465,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -5637,8 +5487,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "check": "tos_uri", + "is present": "true" } ] } 
@@ -5652,15 +5502,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -5674,8 +5524,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ "check": "iss",
+ "is present": "true"
 }
 ]
 }
@@ -5689,15 +5539,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -5711,8 +5561,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ "check": "id_code",
+ "is present": "true"
 }
 ]
 }
@@ -5726,8 +5576,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5748,8 +5598,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
 }
 ]
 }
@@ -5763,8 +5613,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5785,8 +5635,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ "check": "claims",
+ "is present": "true"
 }
 ]
 }
@@ -5800,8 +5650,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5822,8 +5672,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ "check": "email",
+ "is present": "true"
 }
 ]
 }
@@ -5837,8 +5687,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5859,8 +5709,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ "check": "exp",
+ "is present": "true"
 }
 ]
 }
@@ -5874,8 +5724,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5896,8 +5746,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ "check": "iat",
+ "is present": "true"
 }
 ]
 }
@@ -5911,8 +5761,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5933,8 +5783,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ "check": "id",
+ "is present": "true"
 }
 ]
 }
@@ -5948,8 +5798,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5970,8 +5820,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ "check": "logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5985,8 +5835,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6007,8 +5857,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ "check": "organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -6022,8 +5872,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6044,8 +5894,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ "check": "organization_type",
+ "is present": "true"
 }
 ]
 }
@@ -6059,8 +5909,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6081,8 +5931,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ "check": "policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -6096,15 +5946,15 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -6118,11 +5968,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "sa_profile",
- "is in": [
- "light",
- "full"
- ]
+ "check": "ref",
+ "is present": "true"
 }
 ]
 }
@@ -6131,15 +5978,13 @@
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6160,11 +6005,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "sa_profile",
- "is in": [
- "light",
- "full"
- ]
+ "check": "service_documentation",
+ "is present": "true"
 }
 ]
 }
@@ -6173,35 +6015,36 @@
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of",
- "is subset of": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
 ]
 }
 ]
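Review bot: `"decode param": "$.trust_marks[0].trust_mark"` in the new inner decode operation selects the first element of `trust_marks` by position, so the assertion is made against whichever Trust Mark the entity happens to list first; an entity that carries several Trust Marks, or orders them differently in its OP and RP statements, gets an unrelated mark checked. The same selector is repeated in @@ -6214 through @@ -6312, @@ -6455, @@ -6470, @@ -6619 and @@ -6652. If the tool's JSONPath supports filter expressions, selecting the mark by its `id` would make these tests independent of ordering; otherwise a sentence in `"description"` stating that the first listed mark is assumed to be the profile under test would at least record the assumption. `"is present": "true"` is also a string where `"url decode": false` in @@ -6505 uses a JSON boolean; if the parser accepts both, one form should be used consistently. The enclosing test object continues outside the hunk.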
@@ -6214,26 +6057,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is subset of": [
- "S256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -6246,27 +6094,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of",
- "is subset of": [
- "refresh_token",
- "authorization_code"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -6279,27 +6131,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -6312,27 +6168,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
 ]
 }
 ]
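Review bot: `"message type": "Entity Statement response TA SA"` is the only TA→SA message type in this diff (every other Trust Mark test targets `TA OP` or `TA RP`), so it should be confirmed that this message type is defined in the tool's message-type configuration; if it is not, the test never matches a message and silently reports nothing. The sa_profile value checks later in the diff (@@ -6455 and @@ -6470) read the same claim from a different statement type (`TA RP` in @@ -6470), so presence and value of `sa_profile` are asserted on different Trust Marks; if the claim is only carried by the SA's mark, one of the two tests cannot pass by design. The enclosing test object continues outside the hunk.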
@@ -6345,30 +6205,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
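Review bot: The new description says the public key "must be taken from the Entity Statement of a superior", but the message checked is `Entity Configuration response TA` and the key is the fixed `X_key_TA`; a Trust Anchor's Entity Configuration is self-signed, so the sentence should say the signature is verified against the TA's own `jwks` (the key configured as `X_key_TA`). The two tests at @@ -6378 and @@ -6411 carry the identical name "Does the TA correctly sign the Entity statements" and differ only in message type (`TA OP` vs `TA RP`), which makes a failure report ambiguous; naming the subordinate, e.g. `"name": "Does the TA correctly sign the Entity Statement issued for the OP"`, would fix that. The enclosing test objects continue outside these hunks.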
@@ -6378,8 +6229,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6392,16 +6243,7 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
- "is subset of": [
- "form_post",
- "query"
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -6411,29 +6253,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is subset of": [
- "code"
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -6443,8 +6277,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6455,14 +6289,22 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
 ]
 }
 ]
@@ -6470,34 +6312,41 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
- "is subset of": [
- "openid",
- "offline_access",
- "profile",
- "email"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
 ]
 }
 ]
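Review bot: `"result": [ "s1" ]` added at the top of this hunk, and again in @@ -6505, gives `result` an array type, while every other test touched by this diff uses the string `"correct flow s1"` (and @@ -6131 / @@ -6173 in the same commit convert the array form to the string). A field that is sometimes a string and sometimes an array is fragile for whatever consumes these test definitions; unless the array form has a distinct, documented meaning in the tool, `"result": "correct flow s1"` should be used for the two sa_profile tests as well. The two tests at @@ -6443 and here also share the identical name, so failures cannot be attributed to the OP or RP case without reading the definition. The enclosing test object for the second test continues outside the hunk.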
@@ -6505,34 +6354,28 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is subset of": [
- "pairwise"
- ]
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
@@ -6542,26 +6385,59 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
- "type": "passive",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "iss",
+ "as": "valid_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
 "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "use variable": "true",
+ "in": "payload",
+ "check": "iss",
+ "contains": "valid_iss"
+ }
 ]
 }
 ]
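Review bot: `"contains": "valid_iss"` in the inner `checks` compares the Trust Mark's `iss` by substring, so an `iss` value that merely embeds the TA's issuer URL inside a longer string satisfies the check; an issuer identity should be compared for equality, e.g. `"is": "valid_iss"` if the `is` operator used in @@ -6505 honours `"use variable": "true"`, or whatever exact-match operator the tool provides. The `"description"` still says the `iss` "has to be an URL", while the test now checks that it matches the value saved from the TA's Entity Configuration, so the description should be updated to say that. The same applies to @@ -6574, which also reuses the identical test name, so the OP and RP cases cannot be told apart in a results report. The outer decode operation here is written with `"decode param": "[^\\r\\n]*"`, whereas the nested tests from @@ -6173 onwards express the same body extraction as `"decode regex"`; if the tool treats both keys as aliases this is only a consistency issue, otherwise one of the two forms will not decode. The enclosing test object continues outside the hunk.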
@@ -6574,27 +6450,59 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
- "type": "passive",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "jwt from": "payload",
+ "jwt save": "iss",
+ "as": "valid_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "use variable": "true",
+ "in": "payload",
+ "check": "iss",
+ "contains": "valid_iss"
+ }
 ]
 }
 ]
@@ -6607,8 +6515,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -6619,15 +6527,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
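Review bot: In the `@@ -6619` hunk the schema declares `\"fiscal_number\": {}` and `\"vat_number\": {}`, so the `anyOf` only checks that one of the keys exists and a null, number or nested object value passes; if these identifiers are expected to be strings, `{\"type\": \"string\", \"minLength\": 1}` in place of each `{}` pins that down. The same schema is repeated in `@@ -7127` for the RP statement. The description says the Trust Mark is "decrypted", but the operation only decodes a signed JWT; "decoded" is the accurate word here and in the sibling descriptions.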
@@ -6640,8 +6552,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -6652,15 +6564,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -6673,8 +6589,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -6685,15 +6601,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
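Review bot: The schema in the `@@ -6685` hunk types `ipa_code` as a string but places no further constraint, so an empty string satisfies the check; `\"ipa_code\": {\"type\": \"string\", \"minLength\": 1}` rules that out. The same schema is repeated in `@@ -7160` for the RP statement.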
@@ -6706,26 +6626,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
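Review bot: The description says the `claims` value "has to be a list of JSON Objects", but the schema `{\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}}` requires an object whose values are objects and rejects an array, so either the description or the schema is wrong; whichever shape the profile prescribes, the two should agree (an array would be `{\"type\": \"array\", \"items\": {\"type\": \"object\"}}`). The test is labelled as an oauth_resource (AA) Trust Mark check but intercepts `Entity Statement response TA OP`; if it is meant to run against an AA statement, the message type looks copied from the neighbouring OP tests. The same schema and wording recur in `@@ -7193`.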
@@ -6738,27 +6663,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_token" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + } ] } ] 
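Review bot: In the schema string the keyword is written `\"required \"` with a trailing space, which a JSON Schema validator treats as an unknown keyword and ignores, so a Trust Mark with no `email` claim passes this check; it should read `\"required\": [\"email\"]`. Note also that `\"format\": \"email\"` is only an annotation unless the validator runs with format assertion enabled, so the type check may be the only effective constraint. The RP copy in `@@ -7226` has the same trailing-space problem in every key, not only `required`.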
@@ -6771,26 +6700,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
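Review bot: The `exp` check only asserts a non-negative integer, so an already-expired Trust Mark passes; if the DSL offers a numeric comparison against the current time, a second check that `exp` lies in the future would cover the property the claim exists for. The same applies to the RP copy in `@@ -7258`, and to the `iat` checks in `@@ -6803` and `@@ -7291`, which likewise do not verify that `iat` is not in the future or that it precedes `exp`.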
@@ -6803,27 +6737,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -6836,26 +6774,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
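Review bot: The description requires the `logo_uri` value to be a URL, but the schema uses `\"format\": \"uri-reference\"`, which also accepts relative references such as `logo.png`; `\"format\": \"uri\"`, as already used for `ref` in `@@ -6932`, matches the stated intent. The same `uri-reference` format is used for `policy_uri` (`@@ -6900`), `service_documentation` (`@@ -6965`), `sub` (`@@ -6997`) and `tos_uri` (`@@ -7030`). Either way, `format` is an annotation by default and constrains nothing unless the validator enables format assertion, so it is worth confirming the runner does.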
@@ -6868,26 +6811,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256\" , \"RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
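Review bot: Every key in this schema string carries a trailing space (`\"type \"`, `\"properties \"`, `\"required \"`) and several values are preceded by an escaped U+00A0; a strict JSON parser rejects the no-break space as insignificant whitespace (RFC 8259 allows only space, tab, CR and LF), and even if it parsed, none of the padded keys is a JSON Schema keyword, so the check constrains nothing. The intended schema is `{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\", \"enum\": [\"private\", \"public\"]}}, \"required\": [\"organization_name\"]}` with the padding removed from keys and enum values alike. The email check in `@@ -7226` has the same trailing-space keys.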
@@ -6900,26 +6848,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
@@ -6932,27 +6885,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
@@ -6965,26 +6922,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
@@ -6997,27 +6959,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } ] } ] 
@@ -7030,26 +6996,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
@@ -7062,26 +7033,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
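Review bot: The schema requires every property of `id_code` to be an object (`\"additionalProperties\": {\"type\": \"object\"}`), which contradicts `@@ -6685` and `@@ -7160` where `ipa_code` inside `id_code` must be a string; an `id_code` of `{\"ipa_code\": \"...\"}` fails here and passes there. The name and description only ask that `id_code` be a JSON Object, which is `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}`.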
@@ -7094,27 +7070,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -7127,27 +7107,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -7160,27 +7144,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -7193,27 +7181,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
@@ -7226,26 +7218,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } ] } ] 
@@ -7258,27 +7255,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
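Review bot: The name `Does the Trust Mark contain the exp type` does not follow the wording of its siblings (`Does the Trust Mark contain the correct iat type` in hunk `@@ -7324,27 +7329,31 @@`, `... the correct type of the email claim`); `"name": "Does the Trust Mark contain the correct exp type",` keeps the naming uniform. Beyond the type check, `\"minimum\": 0` accepts any non-negative integer, so an already-expired Trust Mark passes this test; unless expiry is asserted elsewhere in the suite, a check that `exp` is in the future and greater than `iat` is the property a consumer of the mark relies on, if the tool can express it. The enclosing test object continues past the hunk.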
@@ -7291,27 +7292,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -7324,27 +7329,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
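Review bot: `\"format\": \"uri-reference\"` also accepts relative references such as `logo.png`, and JSON Schema treats `format` as an annotation unless the validator opts in to assertion, so unless mig-t's validator is known to enforce formats this test reduces to "logo_uri is a string" while the description promises a URL. `\"format\": \"uri\"` is the stricter absolute-URL choice and is what hunk `@@ -7471,10 +7461,9 @@` already uses for `ref`; the `policy_uri` (`@@ -7402,15 +7415,19 @@`), `service_documentation` (`@@ -7536,10 +7498,9 @@`), `sub` (`@@ -7553,21 +7514,34 @@`) and `tos_uri` (`@@ -7577,21 +7551,34 @@`) schemas use `uri-reference` and should be aligned with `ref`. For this hunk the line becomes `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri\"}}, \"required\": [\"logo_uri\"]}"`. The enclosing test object continues past the hunk.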
@@ -7357,27 +7366,31 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.trust_marks[0].trust_mark.organization_type", - "is in": [ - "public", - "private" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] @@ -7390,8 +7403,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" 
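Review bot: In hunk `@@ -7357,27 +7366,31 @@` the `organization_name` schema constrains the value with `\"enum \": [ \"private \", \"public \"]`; those are the values the removed check accepted for `organization_type`, whereas an organization name is free text, so a well-formed Trust Mark would fail this test once the key spacing is fixed. Either the property should be `organization_type` (with name and description updated to match) or the enum should go and the schema become `{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}`. The replaced tests were the ones asserting the public/private `organization_type` value, so if they are not re-added in a later patch that classification goes unchecked. The enclosing test objects continue past the hunks.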
@@ -7402,15 +7415,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.organization_type", - "is in": [ - "public", - "private" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] @@ -7423,47 +7440,20 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", 
@@ -7471,10 +7461,9 @@ "decode param": "$.trust_marks[0].trust_mark", "checks": [ { - "use variable": "true", "in": "payload", - "check": "iss", - "contains": "valid_iss" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } @@ -7488,47 +7477,20 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", @@ -7536,10 +7498,9 @@ "decode param": "$.trust_marks[0].trust_mark", "checks": [ { - "use variable": "true", "in": "payload", - "check": "iss", - "contains": "valid_iss" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" } ] } 
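Review bot: With this hunk and `@@ -7536,10 +7498,9 @@` the `use variable`/`contains valid_iss` check disappears, and none of the new tests compares the Trust Mark `iss` with the TA's Entity Configuration `iss`; the replacements only validate the type of `ref` and `service_documentation`. Unless that binding is re-added by a later patch in this series, the section no longer detects a Trust Mark issued by an entity other than the TA, which is what the removed active test existed for. Keeping one passive test with `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri\"}}, \"required\": [\"iss\"]}"` would at least retain a type check on `iss`; the value comparison needs the saved variable the removed operations set up. The enclosing test objects start before and end after these hunks.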
@@ -7553,21 +7514,34 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] + } + ] } ] } 
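Review bot: The replaced test applied `jwt check sig` to the `Entity Configuration response TA` (hunks `@@ -7577,21 +7551,34 @@` and `@@ -7613,9 +7600,22 @@` drop the same `"jwt check sig": "X_key_TA"` on the Entity Statement), while the new nested `decode operations` on `$.trust_marks[0].trust_mark` carry no signature check, so the schema assertions run on whatever payload the Trust Mark JWT presents, verified or not. If mig-t's nested `decode operations` do not verify signatures on their own, the outer check should be retained next to `"type": "jwt"` as the removed line had it, and an equivalent check added on the inner Trust Mark decode. As far as this chunk shows, the section's signature-verification tests are traded for claim-type tests rather than kept alongside them. The enclosing test object continues past the hunk.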
@@ -7577,21 +7551,34 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] + } + ] } ] } 
@@ -7601,8 +7588,8 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" @@ -7613,9 +7600,22 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] + } + ] } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json index 53944a9..6068191 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json 
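Review bot: In hunk `@@ -7613,9 +7600,22 @@` the `id_code` schema demands that every member be an object (`\"additionalProperties\": {\"type\": \"object\"}`), but the check this series removes from All_TA_Passive.json (`$.id_code.ipa_code` in hunk `@@ -19,19 +19,16 @@`) treats `ipa_code` as a direct member of `id_code`; if `ipa_code` is a scalar, presumably a string, a valid Trust Mark fails this schema. The description only asks that `id_code` "is a JSON Object", which `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}` expresses without the extra constraint. The enclosing test object continues past the hunk.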
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" @@ -19,19 +19,16 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] 
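Review bot: The `check` path `$.metadata_policy.intermediary.acr_values_supported.subset_of` reads the `intermediary` metadata type although the name and description say the policy for an OP "inside the openid_provider type" is verified; the same mismatch is in hunks `@@ -56,19`, `@@ -93,19`, `@@ -130,19`, `@@ -167,19`, `@@ -204,19`, `@@ -241,19`, `@@ -278,19`, `@@ -315,19`, `@@ -352,19`, `@@ -389,19`, `@@ -463,19`, `@@ -500,19` and `@@ -537,19`, while only `@@ -426,19 +381,14 @@` uses `openid_provider`. For this hunk the line should be `"check": "$.metadata_policy.openid_provider.acr_values_supported.subset_of",`. Separately, the policy operator in the path disagrees with the description in several tests: the description names `subset_of` but the path ends in `.one_of` in `@@ -130,19`, `@@ -167,19`, `@@ -463,19`, `@@ -500,19` and `@@ -537,19`, the description names `one_of` but the path ends in `.subset_of` in `@@ -278,19`, `@@ -315,19`, `@@ -389,19` and `@@ -426,19`, and `@@ -167,19` uses recursive descent (`$..metadata_policy`) where its siblings use `$.`. A path that matches nothing cannot verify the policy, so each of these should be reconciled with the type and operator the TA's policy actually uses. The enclosing test objects continue past the hunks.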
@@ -44,8 +41,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" @@ -56,19 +53,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" ] } ] 
@@ -81,8 +73,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" @@ -93,19 +85,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" ] } ] 
@@ -118,8 +106,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -130,19 +118,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -155,8 +139,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -167,19 +151,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } + "in": "payload", + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -192,8 +172,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -204,19 +184,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -229,8 +205,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" @@ -241,19 +217,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" ] } ] 
@@ -266,8 +238,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" @@ -278,19 +250,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" ] } ] 
@@ -303,8 +270,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -315,19 +282,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" ] } ] 
@@ -340,8 +302,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" @@ -352,19 +314,17 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" ] } ] 
@@ -377,8 +337,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" @@ -389,19 +349,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" ] } ] 
@@ -414,8 +369,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -426,19 +381,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" ] } ] 
@@ -451,8 +401,8 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -463,19 +413,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -488,8 +434,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -500,19 +446,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -525,8 +467,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -537,19 +479,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -562,8 +500,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -574,19 +512,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -599,8 +533,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -611,19 +545,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
 ]
 }
 ]
@@ -636,8 +565,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -648,19 +577,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_token"
 ]
 }
 ]
@@ -673,8 +598,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -685,19 +610,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is subset of": [
+ "code"
 ]
 }
 ]
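Review bot: The check on `$.metadata_policy.openid_relying_party.response_types.value` is evaluated with `is subset of` ["code"], which presumably also accepts an empty list, so a policy that sets `value` to `[]` would pass a test whose description only promises that the key 'value' is present. If the tool offers an exact-match check it would be the stricter choice here; otherwise the description should say that only a subset relation is verified, e.g. `It must contain the key 'value' whose entries are a subset of ['code']`. The SA response_types test in this file uses the same pattern. The enclosing test object continues outside the hunk.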
@@ -710,8 +630,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -722,19 +642,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
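Review bot: The description says the policy must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256'], but the check reads `.one_of`, which is the operator that fits a single-valued parameter such as id_token_encrypted_response_alg; the description is the side to adjust: `It must contain the key 'one_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']`. The same 'subset_of' wording against a `.one_of` path recurs in the RP tests for id_token_encrypted_response_enc, id_token_signed_response_alg, userinfo_encrypted_response_alg and userinfo_encrypted_response_enc, and in the SA tests for id_token_encrypted_response_alg, id_token_encrypted_response_enc, id_token_signed_response_alg, userinfo_encrypted_response_alg, userinfo_encrypted_response_enc and userinfo_signed_response_alg. A report reader who trusts the description would look for a `subset_of` key the policy is not expected to have. The enclosing test object continues outside the hunk.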
@@ -747,8 +663,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -759,19 +675,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
 ]
 }
 ]
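Review bot: The `is subset of` list holds a single element `"A128CBC-HS256\" , \"A256CBC-HS512"` — the inner quotes are escaped, so the allowed set is one string containing a literal `" , "` rather than the two encryption algorithms, and a policy that correctly restricts id_token_encrypted_response_enc to A128CBC-HS256 or A256CBC-HS512 is not a subset of it. The SA id_token_encrypted_response_enc test in this file lists the same two values as separate strings and should be the model: `"A128CBC-HS256",` followed by `"A256CBC-HS512"`. The same escaping defect is in the RP id_token_signed_response_alg test (`"RS256\" , \"RS512"`) and the RP userinfo_encrypted_response_enc test. The enclosing test object continues outside the hunk.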
@@ -784,8 +695,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -796,19 +707,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256\" , \"RS512"
 ]
 }
 ]
@@ -821,8 +727,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -833,19 +739,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
 ]
 }
 ]
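Review bot: The allowed value for token_endpoint_auth_method is given as `private_key`, whereas the registered client-authentication method name — and the value the OP token_endpoint_auth_methods_supported test in this file expects — is `private_key_jwt`. An RP policy that pins `one_of` to `private_key_jwt` would therefore fail this subset check, while no value a real policy carries would pass it. Proposed: `"private_key_jwt"`, in both the check list and the description. The SA token_endpoint_auth_method test has the same value. The enclosing test object continues outside the hunk.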
@@ -858,8 +759,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -870,19 +771,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -895,8 +792,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -907,19 +804,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
 ]
 }
 ]
@@ -932,8 +824,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -944,19 +836,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -969,31 +857,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
 ]
 }
 ]
@@ -1006,31 +889,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is subset of": [
+ "code"
 ]
 }
 ]
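Review bot: The message type and description say this test reads the SA policy under the `intermediary` type, but the check path is `$.metadata_policy.openid_relying_party.response_types.value`, so it inspects the RP section of an entity statement fetched for an SA, while every neighbouring SA test in this group uses `intermediary`. Proposed: `"check": "$.metadata_policy.intermediary.response_types.value"`. As in the RP response_types test, `is subset of` ["code"] presumably also accepts an empty `value`, which is weaker than the "with value 'code'" the description promises. The enclosing test object continues outside the hunk.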
@@ -1043,31 +921,27 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_toke"
 ]
 }
 ]
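Review bot: The expected grant_types set contains `refresh_toke`, which is not a grant type, so an SA policy that correctly lists refresh_token under subset_of is not a subset of the expected values and the test would report a compliant policy as non-compliant. Proposed: `"refresh_token"`, matching the RP grant_types test in this file and this test's own description. The enclosing test object continues outside the hunk.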
@@ -1080,31 +954,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -1117,31 +987,27 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -1154,31 +1020,27 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1191,8 +1053,8 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1203,19 +1065,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
 ]
 }
 ]
@@ -1228,15 +1085,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -1245,8 +1102,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -1258,15 +1118,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -1275,8 +1135,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -1288,15 +1151,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -1305,8 +1168,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -1318,15 +1184,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1335,8 +1201,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1348,15 +1216,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1365,8 +1233,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1378,15 +1251,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1395,8 +1268,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1408,15 +1286,15 @@
 },
 {
 "test": {
- "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1425,8 +1303,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1438,15 +1318,15 @@
 },
 {
 "test": {
- "name": "Does the Federation Configuration contain the TA public keys",
- "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1455,8 +1335,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1468,15 +1353,15 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1485,8 +1370,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_mark_issuers",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1498,15 +1388,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1515,8 +1405,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1528,15 +1420,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1545,8 +1437,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1558,15 +1455,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1575,8 +1472,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1588,15 +1487,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -1605,8 +1504,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1618,15 +1522,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -1635,8 +1539,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
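Review bot: The SA tests key the policy under `$.metadata_policy.intermediary`, but the 'only allowed types' schema added later in this same file enumerates openid_relying_party, openid_provider, federation_entity, oauth_authorization_server, oauth_resource and trust_mark_issuer and does not list `intermediary`, so the two tests disagree on the metadata type name an SA's policy is filed under; please confirm against the profile and align both. This applies to the four SA tests here (id_token_encrypted_response_alg, id_token_signed_response_alg, userinfo_encrypted_response_alg, userinfo_signed_response_alg) and to the userinfo_signed_response_alg SA test at the start of this block. As with the OP tests, whether `not contains` on a non-existent path passes or fails is not visible in this file; if it passes, a wrong type name makes every one of these checks a silent no-op.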
@@ -1648,15 +1554,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -1665,8 +1571,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1678,15 +1589,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -1695,8 +1606,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1708,15 +1621,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -1725,8 +1638,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -1738,15 +1656,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1755,8 +1673,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$.trust_marks[0].trust_mark.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
@@ -1768,8 +1689,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
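Review bot: `$.trust_marks[0].trust_mark.organization_type` descends into `trust_mark`, which in an entity statement is presumably the compact-serialized trust mark JWT rather than a JSON object, so the path cannot reach the claim without a further decode step — the description says the trust mark is 'decrypted', but no such operation is present in this hunk. The check also looks only at index 0 and ignores any further trust marks in the array. The third hunk here (continued in the next hunk) adds a second test with the identical name and description but the path `$.organization_type`, which looks like the decoded-trust-mark variant; give the two distinct names, e.g. `"name": "Does the Trust Mark listed in the OP Entity Statement contain a correct organization_type claim"` for this one, so their results can be told apart.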
@@ -1785,8 +1706,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
@@ -1798,15 +1722,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -1815,8 +1739,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
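Review bot: The exp test's description still says only 'the presence of the exp parameter is checked', while the new schema in the third hunk also enforces `"type": "integer", "minimum": 0`; update it to say the claim must be a non-negative integer, and likewise for the iat test that follows. A minimum of 0 accepts any epoch value, so an Entity Configuration that has already expired still passes; if the tool can compare a claim against the current time that is the check a verifier needs here, otherwise the description should state that expiry itself is not evaluated.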
@@ -1828,15 +1752,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -1845,8 +1769,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1858,15 +1782,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -1875,8 +1799,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1888,25 +1812,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
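Review bot: In the logo_uri schema `"format": "uri"` is an annotation that validators ignore unless format assertion is switched on, so only the `pattern` is doing any work; that is adequate for the https scheme and the .svg suffix, but the description should claim no more than 'an https URL ending in .svg'. The `decode param` change from `[^\\r\\n]*` to `[^\\n\\r]*` is a character-class reordering with no effect that only adds noise to the diff (it appears again in the next hunk); I would keep the original spelling so the hunk shows only the intended change.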
@@ -1918,25 +1842,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -1948,15 +1872,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -1965,8 +1889,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
 }
 ]
 }
@@ -1978,15 +1902,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -1995,8 +1919,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
 }
 ]
 }
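Review bot: The name and description say trust_mark_issuers must be 'a JSON Array', but the schema in the second hunk checks for an object whose values are arrays (`"type": "object", "additionalProperties": {"type": "array"}`); the object-of-arrays shape is the one that matches the federation claim, so fix the text rather than the schema, e.g. `"description": "... the trust_mark_issuers parameter must be a JSON Object whose values are JSON Arrays."`. The removed test in this file used `trust_marks_issuers` in its name and `$.trust_mark_issuers` in its check, so please confirm which spelling the profile uses before this claim name is relied on. `additionalProperties` does not require any entry to exist; add `"minProperties": 1` if an empty object should count as a failure.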
@@ -2008,21 +1932,27 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.acr_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ }
+ ]
 }
 ]
 }
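Review bot: The acr_values_supported check reads `$.metadata_policy.intermediary.acr_values_supported` although the message type is the OP entity statement and the description names the openid_provider type; the path should be `"check": "$.metadata_policy.openid_provider.acr_values_supported",`. The schema additionally requires both `subset_of` and `superset_of`, whereas the description only mentions 'subset_of'; decide which operators the profile mandates and make the `required` list and the text agree. Both operator schemas are the empty `{}`, so a non-array value such as a string would still pass — `{"type": "array", "minItems": 1}` would match what these operators hold.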
@@ -2032,15 +1962,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration TA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2049,8 +1979,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_TA"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
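Review bot: The description promises a `one_of` key "valued as ['true']", but the schema in the second hunk asserts a `value` operator equal to the boolean `true` (`"value": {"const": true}`); these are different policy operators with different semantics, and a reader of the test report cannot tell which one was actually enforced. Align the two by rewriting the description's last sentence as `It must contain the key 'value' and it must be valued as true`, or change the schema if `one_of` is really intended. The same description/schema disagreement is present in the hunks at L5461, L5466 and L5473.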
@@ -2062,20 +1992,27 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ }
+ ]
 }
 ]
 }
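Review bot: The schema requires `subset_of` to be the bare string `"automatic"` (`"subset_of": {"const": "automatic"}`), but `subset_of` is an array-valued policy operator, and the description itself says the value is `['automatic']`; a string `const` can never match an array, so this test presumably fails against every compliant policy. Use the array form, `"subset_of": {"const": ["automatic"]}`, and make the description name the operator the schema actually checks (`subset_of`, not `one_of`).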
@@ -2085,20 +2022,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ }
+ ]
 }
 ]
 }
@@ -2108,8 +2052,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2122,12 +2066,11 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2139,26 +2082,25 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2170,15 +2112,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2187,8 +2129,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2200,15 +2142,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2217,8 +2159,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -2230,15 +2172,15 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2247,8 +2189,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2260,25 +2202,25 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
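Review bot: The check path points at `request_parameter_supported` while the test name and description are about `request_object_signing_alg_values_supported`, so the parameter this test claims to cover is never inspected and a missing or malformed signing-algorithm policy would go unreported. The path should be `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`. This test also carries exactly the same name as the one in the next hunk (L5464), which makes the two indistinguishable in a report; give the name here a suffix such as `parameter key` to match the description's "presence of" wording.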
@@ -2290,25 +2232,25 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. 
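Review bot: The new description string is broken across a raw line break after "is checked. " and continues on the next physical line, which places an unescaped newline inside a JSON string literal; RFC 8259 forbids that, so a strict parser rejects the whole test file and none of the tests in it can be loaded. Join the two fragments into one line, e.g. `"description": "... inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",`, and drop the stray trailing space before the closing quote. The rest of this test object is in the hunk that continues at L5465.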
It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
 }
 ]
 }
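Review bot: The `json schema compliant` value ends with ` ["RS256", "RS512"]` appended after the schema's closing brace, so the string is not a single JSON document and the schema validator presumably cannot parse it; in addition, the empty `subset_of: {}` constraint would accept any value, so the test would not enforce the algorithm list it describes even if it parsed. The check path is also `request_parameter_supported` rather than the `request_object_signing_alg_values_supported` named in the description. Replace the two lines with `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported",` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": [\"RS256\", \"RS512\"]}}, \"required\": [\"subset_of\"]}"` (a constructed schema, to be confirmed against the policy actually published by the TA). The enclosing test object begins in the previous hunk (L5464).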
@@ -2320,15 +2262,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2337,8 +2279,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -2350,15 +2292,15 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -2367,8 +2309,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ "check": "$.metadata_policy.intermediary.response_modes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2380,8 +2322,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2397,8 +2339,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.intermediary.scopes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2410,8 +2352,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2427,8 +2369,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2440,8 +2382,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2457,8 +2399,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -2470,8 +2412,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2487,7 +2429,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
 "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
@@ -2500,8 +2442,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2517,7 +2459,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
 "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
@@ -2530,8 +2472,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2547,8 +2489,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -2560,15 +2502,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -2577,7 +2519,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
+ "check": "$.metadata_policy.openid_relying_party.grant_types",
 "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
@@ -2590,15 +2532,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -2607,8 +2549,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "check": "$.metadata_policy.intermediary.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
 }
 ]
 }
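Review bot: The schema string in the second hunk is not valid JSON: after `"required": ["subset_of"]` a bare array `["superset_of"]` follows as an object member without a key, so the validator presumably fails to load the schema and the check reports an error rather than a verdict on the policy. The intended form, matching the description and the sibling tests, is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"`.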
@@ -2620,25 +2562,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity's metadata contain the contacts parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -2650,25 +2592,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "is present": "true" } ] } 
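Review bot: The `$.metadata.federation_entity.federation_fetch_endpoint` check on the new side asserts presence only, so an empty string, a non-URL value or a non-HTTPS scheme passes; the `federation_list_endpoint`, `federation_resolve_endpoint` and `federation_trust_mark_status_endpoint` tests in the next three hunks have the same gap. The file already expresses typed checks through `json schema compliant`, so a string constraint such as `"json schema compliant": "{\"type\": \"string\", \"pattern\": \"^https://\"}"` in place of `"is present": "true"` would reject malformed endpoints, if the federation profile these tests target requires HTTPS endpoints. Whether the tool's validator enforces JSON Schema `format` is not visible here, which is why a `pattern` is the safer choice.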
@@ -2680,25 +2622,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", + "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" + "check": "$.metadata.federation_entity.federation_list_endpoint", + "is present": "true" } ] } 
@@ -2710,25 +2652,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", + "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -2740,25 +2682,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } 
@@ -2770,25 +2712,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity's metadata contain the homepage_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -2800,25 +2742,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity's metadata contain the logo_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
@@ -2830,25 +2772,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity's metadata contain the organization_name parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } 
@@ -2860,25 +2802,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity's metadata contain the policy_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } 
@@ -2890,25 +2832,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.constraints.max_path_length", + "is present": "true" } ] } 
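Review bot: The `$.constraints.max_path_length` check asserts presence only, so a string, a negative number or a fractional value passes even though the test's purpose is to confirm a usable path-length constraint in the Trust Anchor's configuration. The file already pins types through `json schema compliant`, so `"json schema compliant": "{\"type\": \"integer\", \"minimum\": 0}"` in place of `"is present": "true"` would check the value as well as its presence. The description's "(Base64 encoding)" wording should also be aligned with the `"type": "jwt"` decode operation the check actually declares.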
@@ -2920,8 +2862,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" @@ -2932,13 +2874,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "is present": "true" } ] } 
@@ -2950,25 +2892,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "is present": "true" } ] } 
@@ -2980,25 +2922,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", + "is present": "true" } ] } 
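Review bot: The description of the `claims_parameter_supported` key test says the policy entry must contain the key 'one_of', but the check reads `$.metadata_policy.openid_provider.claims_parameter_supported.value`, so the test enforces a different policy operator than it documents. The `request_parameter_supported` key test (hunk `-3148`) has the same 'one_of' wording over a `.value` check, and the `response_types_supported`, `revocation_endpoint_auth_methods_supported` and `subject_types_supported` tests (hunks `-3171`, `-3194`, `-3226`) say 'one_of' while checking `.subset_of`. Either the description or the JSONPath should change in each case; where `value` is the intended operator, `It must contain the key 'value'` matches the wording already used for request_authentication_methods_supported in hunk `-3102`.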
@@ -3010,20 +2952,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" + } + ] } ] } 
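Review bot: The presence test for `client_registration_types_supported` checks `$.metadata_policy.openid_provider.client_registration_types_supported.subset_of`, which is exactly the check of the following 'correct ... parameter key' test (hunk `-3033`), so the two tests are duplicates and a policy entry that exists without `subset_of` fails the presence test it was meant to pass. The presence check should target the parameter itself, `"check": "$.metadata_policy.openid_provider.client_registration_types_supported"`, matching the other 'contain the ... parameter' tests in this file.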
@@ -3033,20 +2982,27 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" + } + ] } ] } 
@@ -3056,8 +3012,8 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -3065,11 +3021,18 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is present": "true" + } + ] } ] } 
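Review bot: The `code_challenge_methods_supported` check reads `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of` while the name and description say the parameter is checked inside the `openid_provider` type of an OP entity statement, so the JSONPath does not match the documented target and presumably reports absence on a policy that carries the parameter under `openid_provider`. The `response_types_supported`, `revocation_endpoint_auth_methods_supported` and `subject_types_supported` tests (hunks `-3171`, `-3194`, `-3226`) have the same `intermediary` path under an `openid_provider` description. If the OP policy is the target, the path should be `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of"`; if the SA policy is intended, the `message type` and description should say so, as the `Entity Statement response TA SA` test in hunk `-2590` does.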
@@ -3079,20 +3042,27 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "is present": "true" + } + ] } ] } 
@@ -3102,20 +3072,27 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "is present": "true" + } + ] } ] } 
@@ -3125,20 +3102,27 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "is present": "true" + } + ] } ] } 
@@ -3148,20 +3132,27 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "is present": "true" + } + ] } ] } 
@@ -3171,20 +3162,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is present": "true" + } + ] } ] } 
@@ -3194,8 +3192,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -3206,15 +3204,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is present": "true" } ] } 
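Review bot: The new side drops the only negative checks in this part of the file: the `not contains` assertions that the TA policy's `id_token_encryption_alg_values_supported` excludes `RSA_1_5` (this hunk) and that `id_token_signing_alg_values_supported` and `request_authentication_signing_alg_values_supported` exclude `none`, `HS256`, `HS384` and `HS512` (hunks `-3226` and `-3261`), replacing them with presence checks for unrelated parameters. A policy that still permits `none` or a shared-secret HMAC algorithm for signed tokens, or RSA1_5 key transport, would now pass these tests. The diffstat lists new `...signing_alg_values_supported-not_supported.json` files, so the assertions may have moved there; if so, saying so in the commit description would help, and if not, the `not contains` checks should be restored alongside the new presence tests.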
@@ -3226,8 +3222,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3238,18 +3234,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
@@ -3261,8 +3252,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3273,18 +3264,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
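Review bot: The added check starts with a recursive-descent `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`, whereas every sibling check in this file anchors at `$.metadata_policy`; `$..` also matches a `metadata_policy` object nested at any depth of the payload, so it would pass on a statement where the policy sits somewhere other than the top level, and it should read `$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`. The new description ends at "is checked." without naming the required key, unlike its siblings; append `It must contain the key 'subset_of'` so the documented expectation matches the check.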
@@ -3296,8 +3282,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3308,15 +3294,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
@@ -3328,8 +3312,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3340,18 +3324,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
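Review bot: The check `$.jwks` tests for a jwks claim at the root of the entity statement payload, while the new name and description say the jwks parameter inside the openid_provider type of the metadata_policy is examined; the two describe different claims, and a statement whose root jwks is present but whose policy says nothing about keys would pass. Either the path should point into the policy, presumably `$.metadata_policy.openid_provider.jwks`, or the name and description should say the statement's root jwks is checked. The description also speaks of "the RP JWKS" in a test about an OP; if the OP's keys are meant, change it to `It must contain the OP JWKS related to the OIDC Core operations`.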
@@ -3363,30 +3342,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "is present": "true"
 }
 ]
 }
@@ -3398,8 +3372,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3410,15 +3384,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
 "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "is present": "true"
 }
 ]
 }
@@ -3430,8 +3402,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3442,18 +3414,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
 }
 ]
 }
@@ -3465,8 +3432,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3477,15 +3444,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3497,8 +3462,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3509,18 +3474,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3532,27 +3492,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3564,30 +3522,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3599,27 +3552,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3631,30 +3582,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -3666,15 +3612,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the contacts parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3683,7 +3629,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
 "is present": "true"
 }
 ]
@@ -3696,15 +3642,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3713,7 +3659,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is present": "true"
 }
 ]
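Review bot: In the second hunk the check path is `$.metadata_policy.openid_relying_party.response_types.value`, but this is an SA test whose description says the parameter is checked "inside the intermediary type", and every other SA hunk in this file addresses `$.metadata_policy.intermediary`; the path looks copied from the RP response_types test and, as written, would pass or fail on the RP policy rather than the SA one. It should read `"check": "$.metadata_policy.intermediary.response_types.value",`. The test object's closing lines fall outside the hunk.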
@@ -3726,15 +3672,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3743,7 +3689,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -3756,15 +3702,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3773,7 +3719,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
@@ -3786,15 +3732,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3803,7 +3749,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -3816,15 +3762,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the homepage_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3833,7 +3779,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
 "is present": "true"
 }
 ]
@@ -3846,15 +3792,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the logo_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3863,7 +3809,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -3876,15 +3822,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the organization_name parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3893,7 +3839,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
@@ -3906,15 +3852,15 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the policy_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -3923,7 +3869,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -3936,8 +3882,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
+ "name": "Does entity configuration TA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3948,13 +3894,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints.max_path_length", - "is present": "true" + "check": "$.sub", + "is": "X_url_TA" } ] } @@ -3966,27 +3912,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
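Review bot: The rewritten description states that `sub` "must be equal to the one in the iss parameter", but the check `"check": "$.sub", "is": "X_url_TA"` compares against a configured placeholder and never reads `iss`, so an Entity Configuration whose `iss` differs from `sub` still passes as long as `sub` matches the configured TA URL. If the tool cannot compare two claims, either reword the description to what is tested or add a sibling check `"check": "$.iss", "is": "X_url_TA"` so both claims are pinned to the same value. Note also that the key was renamed to `"decode param"` while its value `[^\\r\\n]*` is still a regular expression; confirm the tool treats it as one.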
@@ -3996,27 +3935,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
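Review bot: The operations of this test are identical to the preceding "correct HTTP code" test (same `Entity Configuration response TA` message type, same `HTTP/?\d?\.?\d?\s200` regex on the head), so it cannot tell a published entity configuration from any other 200 response, yet its description promises that "its entity configuration is expected as response". Either add a body check for the JWT shape or a head check such as `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt"` here, or merge the two tests under one name so the report does not count the same assertion twice.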
@@ -4026,27 +3958,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
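Review bot: The body regex `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` is unanchored and its first two groups use `\w`, which excludes `-` (a valid base64url character) and admits `=`, so it matches any body that contains two dots (an HTML or JSON error page with `1.2.3` in it) and is not really a JOSE-compact test. Anchor it and use the base64url alphabet: `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`. The description also requires `Content-Type: application/entity-statement+jwt`, but nothing in the checks inspects the head; a head check `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt"` would cover that claim.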
@@ -4056,27 +3981,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
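Review bot: The description says "the resolve entity statement endpoint" while the name and the `Entity Listing response` message type are about the listing endpoint; this reads as a copy-paste slip and should say "entity listing endpoint". The regex `\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` is anchored only at the end, rejects the empty list `[]` (which a Trust Anchor with no subordinates may legitimately return) and accepts `""` entries; if an empty list is acceptable to the suite, `"check regex": "^\\[\\s*(?:\"[^\"]+\"(?:\\s*,\\s*\"[^\"]+\")*)?\\s*\\]\\s*$"` anchors both ends and requires non-empty identifiers.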
@@ -4086,8 +4004,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" @@ -4095,18 +4013,11 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
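Review bot: The second hunk reduces this test to "the body looks like a JWT" via the unanchored `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` regex, so it no longer verifies anything about the Entity Statement's origin — not that `iss` is the TA, not that `sub` is the onboarded entity, and not the signature — although the description says the response "must contain the subordinate entity's Entity Statement". A decode operation with `"type": "jwt"` and a `"jwt check sig": "X_key_TA"` step, as the Trust Mark tests in this patch use, would make that claim testable. The name "Does the TA correctly release the Entity statements" is reused verbatim by the following RP test, which will make results ambiguous in reports.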
@@ -4116,27 +4027,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -4146,27 +4050,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
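Review bot: The description is inaccurate for a fetch endpoint: in the OpenID Federation specification the fetch endpoint returns an Entity Statement about `sub` issued by the queried entity, whereas "resolved metadata" is what the resolve endpoint returns, and current drafts take only `sub` (older ones had an optional `iss`). Suggest `"description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the 'sub' parameter is made to the entity's fetch endpoint and a response containing a signed Entity Statement for the entity in the request's sub parameter is expected."`. The check itself is the same unanchored two-dot regex used elsewhere in this patch and would also match an error page.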
@@ -4176,27 +4073,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -4206,27 +4096,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Public Keys History response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "is present": "true" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
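Review bot: The new check expects the key-history body to be a bare JSON array of strings (`\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$`), but a federation key history is a set of JWKs: in the OpenID Federation drafts the historical-keys endpoint returns a signed JWT carrying a `keys` array, and a plain JWK Set is an object `{"keys":[...]}`, so a conforming TA would appear to fail while a listing-style response would pass. Confirm the format the targeted profile mandates for `/.well-known/openid-federation-jwks` and either decode the body as a JWT with a `$.keys` presence check or match the object form, e.g. `"check regex": "^\\{\\s*\"keys\"\\s*:\\s*\\["`.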
@@ -4236,27 +4119,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
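Review bot: The leading `\\[` lost its backslash: `[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` now opens a character class instead of matching a literal `[`, so it no longer means what the listing-endpoint regex means and, depending on the engine, may fail to compile or match unintended bodies. Restore `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Beyond the typo, the description asks for "the resolved metadata for the entity in the request's sub claim", and a resolve response in the federation specification is a signed JWT (`application/resolve-response+jwt`) rather than a JSON string array, so the intended check is probably the JWT-shape regex used by the other tests followed by a decode step asserting `$.metadata` is present.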
@@ -4266,8 +4142,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -4278,13 +4154,14 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
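Review bot: The nested signature check covers only `$.trust_marks[0].trust_mark` and verifies it with `X_key_TA`, so an Entity Statement carrying several Trust Marks is validated on its first entry alone and the test assumes the TA is that entry's issuer; a Trust Mark issued by another issuer that the TA lists would fail for the wrong reason, and a forged second Trust Mark would pass unnoticed. If the tool supports it, iterate over `$.trust_marks[*].trust_mark` or select the entry whose `iss` is the TA, and state the TA-as-issuer assumption in the description. The message type this outer decode applies to is outside the hunk.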
@@ -4296,25 +4173,26 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
@@ -4326,24 +4204,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "check": "$.exp", "is present": "true" } ] 
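Review bot: `$.exp` is only checked for presence, so an Entity Configuration that has already expired passes this test; the description is honest about that, but an expiry check is the security-relevant part. If the tool can compare a numeric claim with the current time, add such a check here; otherwise make the limitation explicit, e.g. `"description": "... the presence of the exp parameter is checked (its value is not validated against the current time)"`.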
@@ -4356,24 +4234,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "check": "$.iat", "is present": "true" } ] 
@@ -4386,24 +4264,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "check": "$.iss", "is present": "true" } ] 
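Review bot: `$.iss` is only checked for presence, while the sibling `sub` test in this patch pins `sub` to `X_url_TA`; since the Entity Configuration is self-issued, `iss` should equal the same value, and an Entity Configuration with a foreign `iss` currently passes. Consider `"check": "$.iss", "is": "X_url_TA"` here, or a second check alongside the presence one, and say so in the description.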
@@ -4416,19 +4294,19 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { 
@@ -4446,24 +4324,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "check": "$.metadata", "is present": "true" } ] 
@@ -4476,24 +4354,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "check": "$.sub", "is present": "true" } ] 
@@ -4506,24 +4384,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.constraints", "is present": "true" } ] 
@@ -4536,24 +4414,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the Federation Configuration contain the TA public keys", + "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "check": "$.jwks", "is present": "true" } ] 
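Review bot: This test now decodes the same `Entity Configuration response TA` message and asserts the same `$.jwks` path as the earlier "Does entity configuration contain the jwks parameter" test (whose check line is outside its hunk, so this is inferred from its name), so the suite counts one assertion twice under two names. Either merge the two or make this one check something the other does not, e.g. `"check": "$.jwks.keys[0].kty"` to require at least one key.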
@@ -4566,24 +4444,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "check": "$.trust_mark_issuers", "is present": "true" } ] 
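Review bot: The name and description say `trust_marks_issuers` but the check path is `$.trust_mark_issuers`; the OpenID Federation specification names the claim `trust_mark_issuers`, while the Italian SPID/CIE OIDC profile appears to use `trust_marks_issuers`, so depending on which profile the suite targets either the text or the JSONPath is wrong, and a TA using the profile's spelling would fail with the current path. Align both to the spelling of the targeted profile, e.g. `"check": "$.trust_marks_issuers"` if that is the profile's claim name.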
@@ -4596,24 +4474,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "check": "$.constraints", "is present": "true" } ] 
@@ -4626,24 +4504,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "check": "$.exp", "is present": "true" } ] 
@@ -4656,24 +4534,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "check": "$.iat", "is present": "true" } ] 
@@ -4686,24 +4564,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -4716,24 +4594,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "check": "$.metadata_policy",
 "is present": "true"
 }
 ]
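Review bot: The description promises a type constraint (`It must be a JSON Object`) but the check only asserts presence, `"check": "$.metadata_policy"` with `"is present": "true"`, so a string- or array-valued metadata_policy would pass this test. Either add a second check under `checks` carrying a `json schema compliant` object schema, as the removed Trust Mark tests in this file did, or drop that sentence from the description so the test name and its assertion agree. The RP variant at -4956 has the same gap.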
@@ -4746,24 +4624,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -4776,24 +4654,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -4806,24 +4684,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -4836,24 +4714,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "check": "$.constraints",
 "is present": "true"
 }
 ]
@@ -4866,24 +4744,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -4896,24 +4774,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -4926,24 +4804,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -4956,24 +4834,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "check": "$.metadata_policy",
 "is present": "true"
 }
 ]
@@ -4986,32 +4864,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -5023,32 +4894,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -5060,32 +4924,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
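Review bot: The test name and description say the jwks parameter is looked up inside the openid_relying_party section of metadata_policy, but the check reads the top-level entity statement claim, `"check": "$.jwks"`. As written it is a second copy of the RP jwks presence test at -4926 and never touches the policy; if the policy lookup is intended the path should follow the pattern used by the removed policy tests, `"check": "$.metadata_policy.openid_relying_party.jwks"`, otherwise the name and description should be reworded to match the top-level check.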
@@ -5097,32 +4954,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -5134,8 +4984,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5156,8 +5006,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
 }
 ]
 }
@@ -5171,8 +5021,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5193,8 +5043,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ "check": "claims",
+ "is present": "true"
 }
 ]
 }
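Review bot: Replacing the `json schema compliant` checks with `"is present": "true"` drops the type and format constraints these Trust Mark tests used to enforce, so from this hunk through -5785 an `exp` or `iat` that is a string or negative, a `logo_uri`, `ref` or `sub` that is not a URI, and an `email` that is not an address all pass. Presence and well-formedness are different properties; keep a second entry in `checks` carrying the previous schema next to the new presence check (the nested Trust Mark decode step sits outside these hunks, so `checks` is the only place it can go). The `check` values are also inconsistent within this hunk: `"$.id_code.ipa_code"` is a JSONPath while `"claims"`, `"email"`, `"exp"` and the rest are bare names, so if mig-t treats `check` as JSONPath the bare form may not resolve and `"$.claims"` would be the consistent spelling. The oauth_resource claims test description reads `a Trust Mark issued for an TA` where the same test at -5763 says `an AA (oauth_resource profile)`.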
@@ -5208,8 +5058,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5230,8 +5080,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ "check": "email",
+ "is present": "true"
 }
 ]
 }
@@ -5245,8 +5095,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5267,8 +5117,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ "check": "exp",
+ "is present": "true"
 }
 ]
 }
@@ -5282,8 +5132,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5304,8 +5154,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ "check": "iat",
+ "is present": "true"
 }
 ]
 }
@@ -5319,8 +5169,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5341,8 +5191,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ "check": "id",
+ "is present": "true"
 }
 ]
 }
@@ -5356,8 +5206,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5378,8 +5228,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ "check": "logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5393,8 +5243,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5415,8 +5265,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ "check": "organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -5430,8 +5280,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5452,8 +5302,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ "check": "organization_type",
+ "is present": "true"
 }
 ]
 }
@@ -5467,8 +5317,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5489,8 +5339,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ "check": "policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5504,8 +5354,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5526,8 +5376,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ "check": "ref",
+ "is present": "true"
 }
 ]
 }
@@ -5541,15 +5391,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -5563,8 +5413,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ "check": "service_documentation",
+ "is present": "true"
 }
 ]
 }
@@ -5578,15 +5428,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
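Review bot: The service_documentation test description says a Trust Mark issued for an AA (oauth_resource profile) is examined, but the message it now reads is `"message type": "Entity Statement response TA OP"`; unless the OP's subordinate statement carries an oauth_resource Trust Mark, the claim will be absent and the test fails for a reason unrelated to the TA. The decode step that selects the Trust Mark is below this hunk, and if it still uses `$.trust_marks[0].trust_mark` as the removed version did, only the first Trust Mark is ever inspected, so an entity holding more than one mark may have the oauth_resource one skipped; documenting which mark position is assumed, or selecting by its `id`, would make the expectation explicit. The same message-type change applies to the hunks at -5578, -5615, -5652 and -5689.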
@@ -5600,8 +5450,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ "check": "sub",
+ "is present": "true"
 }
 ]
 }
@@ -5615,15 +5465,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -5637,8 +5487,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ "check": "tos_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5652,15 +5502,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -5674,8 +5524,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "check": "iss", + "is present": "true" } ] } @@ -5689,15 +5539,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -5711,8 +5561,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "check": "id_code", + "is present": "true" } ] } 
@@ -5726,8 +5576,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5748,8 +5598,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "check": "$.id_code.ipa_code", + "is present": "true" } ] } @@ -5763,8 +5613,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5785,8 +5635,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "check": "claims", + "is present": "true" } ] } 
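Review bot: `"check": "$.id_code.ipa_code"` in the second hunk on this line uses a JSONPath expression, while the neighbouring presence checks in this diff use bare claim names (`"check": "claims"`, `"check": "email"`). Both forms presumably resolve in mig-t, but mixing them leaves it unclear whether a bare name is matched at the payload root only or anywhere in the document. If the tool treats the two identically, the top-level checks could use the same explicit root form (`"check": "$.claims"`) so that every check reads the same way; if it does not, the difference is worth a sentence in the test description.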
@@ -5800,8 +5650,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5822,8 +5672,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + "check": "email", + "is present": "true" } ] } @@ -5837,8 +5687,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5859,8 +5709,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + "check": "exp", + "is present": "true" } ] } 
@@ -5874,8 +5724,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5896,8 +5746,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + "check": "iat", + "is present": "true" } ] } @@ -5911,8 +5761,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5933,8 +5783,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + "check": "id", + "is present": "true" } ] } 
@@ -5948,8 +5798,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -5970,8 +5820,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + "check": "logo_uri", + "is present": "true" } ] } @@ -5985,8 +5835,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6007,8 +5857,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + "check": "organization_name", + "is present": "true" } ] } 
@@ -6022,8 +5872,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6044,8 +5894,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + "check": "organization_type", + "is present": "true" } ] } @@ -6059,8 +5909,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6081,8 +5931,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "check": "policy_uri", + "is present": "true" } ] } 
@@ -6096,15 +5946,15 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -6118,11 +5968,8 @@ "checks": [ { "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] + "check": "ref", + "is present": "true" } ] } @@ -6131,15 +5978,13 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6160,11 +6005,8 @@ "checks": [ { "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] + "check": "service_documentation", + "is present": "true" } ] } 
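Review bot: `"result": "correct flow s1"` in the second hunk on this line replaces the array form `["s1"]`, while the hunks at `@@ -6470,34 +6312,41 @@` and `@@ -6505,34 +6354,28 @@` go the other way and introduce `"result": ["s1"]`, so after this commit the `result` key carries a string in some tests and an array in others within the same file. A consumer that expects one shape will mis-handle the other. If both forms are valid in mig-t and mean different things (flow outcome versus session list), that distinction is worth stating in the description of the tests that use the array form; otherwise the two sa_profile tests should use the same string form as the rest.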
@@ -6173,35 +6015,36 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } ] } ] 
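Review bot: The nested decode operation added here pins the Trust Mark under test with `"decode param": "$.trust_marks[0].trust_mark"`, so only the first entry of `trust_marks` is ever inspected; an entity carrying several Trust Marks may have the wrong one checked or pass a presence test vacuously, and the profile-specific tests for AA, SA, public and private organisations in the hunks from `@@ -6214,26 +6057,31 @@` through `@@ -6685,15 +6545,19 @@` all use the same fixed index. If mig-t supports a filter or wildcard selector, keying the selection on the Trust Mark `id` would make each test target the mark it names; if not, the description should state that only the first Trust Mark is examined. Separately, the outer operation renames the regex key to `"decode regex": "[^\\r\\n]*"` while the signature tests at `@@ -6345,30 +6205,21 @@` keep `"decode param"` for the same value, which is worth confirming against the tool's accepted keys before this lands.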
@@ -6214,26 +6057,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } ] } ] 
@@ -6246,27 +6094,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } ] } ] 
@@ -6279,27 +6131,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } ] } ] 
@@ -6312,27 +6168,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } ] } ] 
@@ -6345,30 +6205,21 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "is subset of": [ - "RS256", - "RS512" - ] - } - ] + "jwt check sig": "X_key_TA" } ] } 
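Review bot: The new signature test's description says the public key must be taken from the Entity Statement of a superior, but the test is wired to `Entity Configuration response TA` with `"jwt check sig": "X_key_TA"` — the TA is the federation root, has no superior, and its Entity Configuration is self-signed, so the description should say the TA's own published key is used. The description also says the verifier is configured for the algorithm described in the header; taking `alg` from the unverified header is the classic JWS algorithm-confusion weakness, so the test would be stronger with an explicit assertion that the header `alg` is one of the algorithms the federation allows (the RS256/RS512 values enumerated by the metadata-policy checks this diff removes), in whatever header-check syntax mig-t provides. If the signature verifier already pins the algorithm internally, a sentence saying so in the description would let a reader confirm that without opening the tool.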
@@ -6378,8 +6229,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" @@ -6392,16 +6243,7 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", - "is subset of": [ - "form_post", - "query" - ] - } - ] + "jwt check sig": "X_key_TA" } ] } 
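Review bot: The test renamed in the first hunk on this line and the one in the hunk at `@@ -6411,29 +6253,21 @@` now carry the identical name `Does the TA correctly sign the Entity statements` and identical descriptions, although they apply to different subordinate statements (the second is wired to `Entity Statement response TA RP`; the message type of this one lies outside the hunk). Identical names make a failure report ambiguous. Naming the subordinate, e.g. `"name": "Does the TA correctly sign the Entity Statement issued to the RP"`, keeps the two distinguishable.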
@@ -6411,29 +6253,21 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is subset of": [ - "code" - ] - } - ] + "jwt check sig": "X_key_TA" } ] } 
@@ -6443,8 +6277,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -6455,14 +6289,22 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } ] } ] 
@@ -6470,34 +6312,41 @@ ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", - "is subset of": [ - "openid", - "offline_access", - "profile", - "email" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } ] } ] 
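Review bot: The sa_profile value test in this hunk is wired to `"message type": "Entity Statement response TA RP"`, whereas the sa_profile presence test in the hunk at `@@ -6312,27 +6168,31 @@` reads `Entity Statement response TA SA`; an SA-profile Trust Mark is not expected in the statement the TA issues for an RP, so with `$.trust_marks[0].trust_mark` this check will most likely inspect an RP Trust Mark and report a missing claim. It also shares its name and description with the test in the preceding hunk `@@ -6443,8 +6277,8 @@`. Changing the line to `"message type": "Entity Statement response TA SA"` and naming the subordinate in the test name would align the two and make the report unambiguous.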
@@ -6505,34 +6354,28 @@ ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is subset of": [ - "pairwise" - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
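Review bot: The Content-Type check added here (`"is": "application/entity-statement+jwt"`) is an exact string comparison, so a response that carries parameters such as `application/entity-statement+jwt; charset=utf-8` would fail the test even though the media type is the required one. Whether that strictness is intended depends on how the federation profile fixes the header; if parameters are tolerated, a prefix or regex match on the media type would be more robust, and a sentence in the description stating that parameters are rejected would document the choice if it is deliberate. It is also worth confirming that `"check param": "Content-Type"` is matched case-insensitively, since HTTP header names are.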
@@ -6542,8 +6385,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -6554,14 +6397,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -6574,8 +6422,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -6586,15 +6434,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -6607,8 +6459,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -6619,15 +6471,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -6640,8 +6496,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" @@ -6652,15 +6508,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
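Review bot: The description says the `claims` claim must be a list of JSON objects, but the schema `{"type": "object", "additionalProperties": {"type": "object"}}` accepts only a JSON object whose member values are objects and rejects every array, so the test cannot pass on the shape the description demands. If a list is intended use `{"type":"array","items":{"type":"object"},"minItems":1}`; if a map keyed by claim name is intended, correct the description instead. The message type this test binds to lies outside the hunk — confirm it is the AA entity statement and not the OP one the neighbouring tests use.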
@@ -6673,8 +6533,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6685,15 +6545,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + } ] } ] 
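Review bot: The key `"required "` (trailing space) in the email schema is not the JSON Schema `required` keyword, so it is silently ignored and the test passes when `email` is absent entirely; only the type and format of a present value are checked. Change it to `"required":["email"]`. Note also that `format` is an annotation by default in JSON Schema — unless the validator runs with format assertion enabled, `"format":"email"` checks nothing either, which is worth confirming for the whole series of URI/email checks added in this commit.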
@@ -6706,28 +6570,33 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is subset of": [ - "automatic" - ] - } + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] + } ] } ] 
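Review bot: This hunk repoints the test from `Entity Statement response TA RP` to `TA OP` and drops the RP `client_registration_types` metadata-policy check without an equivalent appearing in this file, so RP policy coverage looks lost unless it moved to one of the new single-test files — worth confirming in the PR description. Independently, `{"type":"integer","minimum":0}` only proves `exp` is a non-negative integer; it does not reject an already-expired mark or one with `exp` before `iat`, which a schema cannot express — if the runner offers a timestamp comparison check, add it here. `decrypted` in the description should read `decoded`.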
@@ -6738,27 +6607,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_token" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -6771,26 +6644,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
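Review bot: `"format": "uri-reference"` accepts relative references and even the empty string, so `logo_uri` values such as `""` or `logo.png` pass this check; for an absolute URL use `"format": "uri"` as the `ref` test in this file already does, and add `"minLength": 1` if an empty value must be rejected. Keep in mind that `format` is annotation-only unless the validator asserts formats — if that is not enabled in the runner, this and the other URI checks are vacuous. The description's `decrypted` should be `decoded`; the enclosing test object continues outside the hunk.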
@@ -6803,27 +6681,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
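Review bot: The `organization_name` schema string carries a trailing space inside every key and value (`"type "`, `"properties "`, `"organization_name "`, `"required "`, `"private "`, `"public "`) plus `\u00a0` non-breaking spaces between `:` and the values; NBSP is not JSON whitespace, so a strict parser rejects the schema outright, and a lenient one sees no recognised keyword and validates nothing. Rewrite it as `{"type":"object","properties":{"organization_name":{"type":"string","enum":["private","public"]}},"required":["organization_name"]}`. Separately, a `public`/`private` enum reads like an organisation-type claim rather than a free-text organisation name — confirm the claim name against the federation profile before pinning the enum to `organization_name`.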
@@ -6836,26 +6718,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
@@ -6868,26 +6755,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256\" , \"RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
@@ -6900,26 +6792,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
@@ -6932,27 +6829,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } ] } ] 
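Review bot: `sub` in a Trust Mark is the entity identifier of the subject, so `"format": "uri-reference"` is too weak — it accepts relative references and the empty string. Use `"format": "uri"` as the `ref` check does and, if the profile mandates https entity identifiers, add `"pattern": "^https://"` so a plain-http or non-URL subject is rejected. The description says `decrypted`; the mark is decoded (and should be signature-verified), not decrypted.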
@@ -6965,26 +6866,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
@@ -6997,27 +6903,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
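Review bot: The `id_code` schema `"additionalProperties": {"type": "object"}` requires every member of `id_code` to be a JSON object, which contradicts the ipa_code tests in this same file that require `id_code.ipa_code` to be a string — a conforming mark cannot satisfy both. If the intent is only that `id_code` is an object, drop `additionalProperties`; if member types should be pinned, use `{"type":"object","additionalProperties":{"type":"string"},"minProperties":1}`. The hunk also rebinds this test from `TA RP` to `TA OP`; confirm an RP counterpart of this particular check still exists.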
@@ -7030,26 +6940,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -7062,26 +6977,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
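Review bot: This check requires `fiscal_number` or `vat_number` in every RP Trust Mark, while the previous hunk requires `ipa_code` in every RP Trust Mark, so for any real entity one of the two always fails; neither is gated on whether the organisation is public or private. JSON Schema can express the gating in one schema using the public/private discriminator this file already checks (`organization_name` in the current schemas), e.g. `{"type":"object","required":["id_code"],"if":{"properties":{"organization_name":{"const":"private"}}},"then":{"properties":{"id_code":{"anyOf":[{"required":["fiscal_number"]},{"required":["vat_number"]}]}}},"else":{"properties":{"id_code":{"required":["ipa_code"]}}}}` (`if`/`then`/`else` need draft-07 or later). The untyped `{}` for both members also accepts any JSON value; `{"type":"string"}` would match the ipa_code type test.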
@@ -7094,27 +7014,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -7127,27 +7051,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
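Review bot: The schema and the description disagree: the text says `claims` must be a list of JSON objects, yet `{"type": "object", "additionalProperties": {"type": "object"}}` rejects every array and only accepts a map of objects. Pick one — `{"type":"array","items":{"type":"object"},"minItems":1}` if a list is meant, or fix the description if a map is meant. The test is now bound to `Entity Statement response TA RP` although the name refers to an AA oauth_resource Trust Mark; confirm that message type is the intended one.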
@@ -7160,27 +7088,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } ] } ] 
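Review bot: Every key and value in this email schema carries a trailing space (`"type "`, `"object "`, `"properties "`, `"email "`, `"string "`, `"format "`, `"required "`), so no JSON Schema keyword is recognised and `"type ": "object "` is not even a valid type — depending on the validator the schema either errors or accepts any payload, including one with no `email` at all. Replace it with `{"type":"object","properties":{"email":{"type":"string","format":"email"}},"required":["email"]}` and drop the stray space after the closing brace of the string. `format` is annotation-only unless the validator asserts it, so confirm that is enabled or the email format check is vacuous even after the fix.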
@@ -7193,27 +7125,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
@@ -7226,26 +7162,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -7258,27 +7199,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
@@ -7291,27 +7236,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
 ]
 }
 ]
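Review bot: The schema string on the `json schema compliant` line is inert: every keyword and value carries a trailing space and several are preceded by a `\u00a0` (`\"type \"`, `\"properties \"`, `\"enum \"`, `\"required \"`, `\"private \"`, `\"public \"`), so a JSON Schema validator recognises none of them and accepts any payload, and the test can never fail. The intended string is presumably `{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\", \"enum\": [\"private\", \"public\"]}}, \"required\": [\"organization_name\"]}`. The name and description speak of the type of `organization_name`, while the `private`/`public` enum matches the `organization_type` check that the hunk `@@ -7357` removes, so the claim name should be confirmed before the test is relied on.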
@@ -7324,27 +7273,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
 ]
 }
 ]
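Review bot: The new name and description say this checks a Trust Mark issued for an AA (oauth_resource profile), but the operation reads `Entity Statement response TA RP`, i.e. the statement the TA issues for the RP; one of the two is wrong. If the RP's Trust Mark is what is meant, the wording should drop the oauth_resource/AA reference, and if the AA's statement is meant, the message type should select the AA's entity statement instead. The same mismatch is in the `service_documentation` test (`@@ -7390`) and the `tos_uri` test (`@@ -7447`).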
@@ -7357,27 +7310,31 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
 ]
 }
 ]
@@ -7390,8 +7347,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7402,15 +7359,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
 ]
 }
 ]
@@ -7423,21 +7384,34 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
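Review bot: This hunk replaces the only visible test that verified the signature of the TA's Entity Configuration (`"jwt check sig": "X_key_TA"` on `Entity Configuration response TA`) with a claim-format check, and the two following hunks (`@@ -7447`, `@@ -7483`) do the same for the Entity Statement signature test; unless those tests were re-added elsewhere in the patch, the suite no longer verifies that the federation JWTs are signed with the TA key, which every other claim check in this file implicitly depends on. Keeping the signature tests as their own entries alongside the new Trust Mark tests would preserve that coverage. Separately, `sub` in a Trust Mark is the subject's entity identifier, so if the validator enforces `format`, `\"format\": \"uri\"` is the closer constraint than `uri-reference` — confirm against the profile.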
@@ -7447,21 +7421,34 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -7471,8 +7458,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7483,9 +7470,22 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
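Review bot: The `id_code` schema on the last `json schema compliant` line is stricter than the description: `\"additionalProperties\": {\"type\": \"object\"}` requires every member of `id_code` to itself be an object, while the description only asks that `id_code` is a JSON Object. If the members are plain code strings (confirm against the Trust Mark profile), compliant Trust Marks fail this test; `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}` matches the stated intent.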
diff --git "a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/Entity Statement response TA OP | body | [^\\r\\n]* | payload | trust_marks | trust_mark | payload | | {\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}\").json" "b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/Entity Statement response TA OP | body | [^\\r\\n]* | payload | trust_marks | trust_mark | payload | | {\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}\").json"
deleted file mode 100644
index e19310f..0000000
--- "a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/Entity Statement response TA OP | body | [^\\r\\n]* | payload | trust_marks | trust_mark | payload | | {\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}\").json"
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$\u00a0| {\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}\")",
- "json schema compliant": "var_10"
- }
- ]
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-exposed.json
deleted file mode 100644
index e7c9ff4..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-exposed.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Fetch Entity Statement response TA OP",
- "checks": [
- {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sa_profile.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sa_profile.json
deleted file mode 100644
index 2d7edab..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sa_profile.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-exposed.json
deleted file mode 100644
index 9e757c2..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-exposed.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Fetch Entity Statement response TA RP",
- "checks": [
- {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sa_profile.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sa_profile.json
deleted file mode 100644
index 52da988..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sa_profile.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response TA-valid-trust_mark-status.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response TA-valid-trust_mark-status.json
deleted file mode 100644
index 6fcf81d..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response TA-valid-trust_mark-status.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the Entity's trust mark status endpoint correctly response to valid Trust Marks",
- "description": "In order to check if the trust mark status endpoint of a TA or SA correctly verifies valid trust marks, a valid trust mark can be sent to the endpoint and the response analyzed",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Trust Mark status response TA",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response TA-valid-trust_mark-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response TA-valid-trust_mark-value.json
deleted file mode 100644
index 7c325c1..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response TA-valid-trust_mark-value.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the Entity's trust mark status endpoint correctly response to valid Trust Marks with claim 'active'",
- "description": "In order to check if the trust mark status endpoint of a TA or SA correctly verifies valid trust marks, a valid trust mark can be sent to the endpoint and the response analyzed",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Trust Mark status response TA",
- "checks": [
- {
- "in": "body",
- "check": "active",
- "is": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response-valid-trust_mark-status.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response-valid-trust_mark-status.json
deleted file mode 100644
index 958b748..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response-valid-trust_mark-status.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the Entity's trust mark status endpoint correctly response to valid Trust Marks",
- "description": "In order to check if the trust mark status endpoint of a TA or SA correctly verifies valid trust marks, a valid trust mark can be sent to the endpoint and the response analyzed",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Trust Mark status response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response-valid-trust_mark-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response-valid-trust_mark-value.json
deleted file mode 100644
index 555137b..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Trust Mark status response-valid-trust_mark-value.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the Entity's trust mark status endpoint correctly response to valid Trust Marks with claim 'active'",
- "description": "In order to check if the trust mark status endpoint of a TA or SA correctly verifies valid trust marks, a valid trust mark can be sent to the endpoint and the response analyzed",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Trust Mark status response",
- "checks": [
- {
- "in": "body",
- "check": "active",
- "is": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/tbcheck/[NON ESISTE] OP-Userinfo response-JWS-payload-aud-presence.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/tbcheck/[NON ESISTE] OP-Userinfo response-JWS-payload-aud-presence.json
deleted file mode 100644
index e87226d..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/tbcheck/[NON ESISTE] OP-Userinfo response-JWS-payload-aud-presence.json
+++ /dev/null
@@ -1,48 +0,0 @@ -//Non trovo questo test - non passato -{ - "test suite": { - "name": "Single test", - "description": "One test only", - "filter messages": true - }, - "tests": [ - { - "test": { - "name": "Does the UserInfo Response's JWS contain the aud parameter in the payload", - "description": "The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. If it contains the 'aud' parameter in the payload, then it is compliant with the specification", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "UserInfo response", - "decode operations": [ - { - "jwe decrypt": "X_key_jwe", - "from": "body", - "type": "jwt", - "decode param": "[^\\n\\r]*", - "decode operations": [ - { - "from": "jwt payload", - "decode param": "[^\\n\\r]*", - "force regex": true, - "type": "jwt", - "checks": [ - { - "in": "payload", - "check regex": "aud" - } - ] - } - ] - } - ] - } - ], - "result": "assert_only" - } - } - ] -} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/testplan.csv b/testplans/spid-cie-oidc/testplan.csv index 05a0532..f43054a 100644 --- a/testplans/spid-cie-oidc/testplan.csv +++ b/testplans/spid-cie-oidc/testplan.csv 
@@ -6,9 +6,9 @@ x,RP-Authentication request-code_challenge_method,Authentication Request's reque x,RP-Authentication request-JWT-acr_values,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the acr_values parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'acr_values' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | acr_values,"The JWT payload of the request parameter in the Authentication Request must contain the 'acr_values' parameter and It MUST be a string with the requested 'acr' values, each of them separated by a single space, appearing in order of preference. The supported values 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, o,RP-Authentication request-JWT-acr_values-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the acr_values parameter is present, it is a string with the requested 'acr' values separated by a single space and the values are among 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. 
Not compliant otherwise",JWT list values,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications",RP,,"Authentication request | url | request | payload | acr_values | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3""]","The JWT payload of the request parameter in the Authentication Request must contain the 'acr_values' parameter and It MUST be a string with the requested 'acr' values, each of them separated by a single space, appearing in order of preference. 
The supported values 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,RP-Authentication request-JWT-aud,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the aud parameter is present, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'aud' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | aud,The JWT content of the request parameter in the Authentication Request must contain the 'aud' parameter and it must be the OP identifier,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-client_id-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT in the request parameter contains the 'client_id' parameter identifying the RP, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP,"In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP",RP,Entity 
Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,Authentication request | url | request | payload | client_id | client_id,The JWT content of the request parameter in the Authentication Request must contain the 'client_id' parameter. It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-header-client_id-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT in the request parameter contains the 'client_id' parameter identifying the RP, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP,"In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,Authentication request | url | request | payload | client_id | client_id,The JWT content of the request parameter in the Authentication Request must contain the 'client_id' parameter. 
It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,RP-Authentication request-JWT-exp,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if present and before the current time, not compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'exp' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | exp,The JWT content of the request parameter in the Authentication Request must contain the 'exp' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-header-alg,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT Header of the request parameter contains the alg parameter and its value does not corresponds to one among ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT parameter not in value,Correct Input,Authentication request,Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request,"In this test the Authentication Request is taken and the alg parameter in the JWT Header is 
checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.",RP,,"Authentication request | url | request | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]","The JWT Header of the request parameter in the Authentication Request must contain the 'alg' parameter, it must be set to one of the supported values for the OP metadata and must not be 'none' or a symmetric algorithm (MAC).",SPID_CIE_OIDC; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,"If it is not an alg supported by the OP, than it cannot verify the signature and there are 3 cases: 1. It is a algorithm not supported and the OP even trying to use the correct RP's public key cannot decrypt it, or
+x,RP-Authentication request-JWT-header-alg-not_in_value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT Header of the request parameter contains the alg parameter and its value does not corresponds to one among ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT parameter not in value,Correct Input,Authentication request,Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request,"In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. 
If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.",RP,,"Authentication request | url | request | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]","The JWT Header of the request parameter in the Authentication Request must contain the 'alg' parameter, it must be set to one of the supported values for the OP metadata and must not be 'none' or a symmetric algorithm (MAC).",SPID_CIE_OIDC; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,"If it is not an alg supported by the OP, than it cannot verify the signature and there are 3 cases: 1. It is a algorithm not supported and the OP even trying to use the correct RP's public key cannot decrypt it, or
 2. It is a symmetric algorithm and the public key of the RP won't decrypt the signature 3. It is a symmetric algorithm and the public key of the RP is the correct key used to encrypt it In the first 2 cases the parameter is meaningless because the OP won't be able to decrypt the signature, in the latter we cannot rely on the secrecy of the process. The only interesting case is the third one",FALSE,x,,no,"[""s1""]",E,,P,P,passed,
From d2cafe1f170a7c06f63a9234256dcb9f96f41480 Mon Sep 17 00:00:00 2001 
From: marche271 Date: Tue, 9 Apr 2024 14:01:15 +0200 Subject: [PATCH 3/5] Handled [key,url]_ALL and new UIDs --- ...on response AA-metadata-op_policy_uri.json | 39 - ...etadata-authorization_endpoint-value.json} | 0 ...tion response-metadata-logo_uri-type.json} | 0 ...response-metadata-op_policy_uri-type.json} | 0 ...ation response-metadata-op_policy_uri.json | 8 +- ...tion response-metadata-resource-type.json} | 0 ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 0 .../input/mig-t/tests/single/AA/All_AA.json | 566 +- .../mig-t/tests/single/AA/All_AA_Passive.json | 566 +- .../mig-t/tests/single/ALL_Session1.json | 19738 ++++++++-------- .../input/mig-t/tests/single/OP/All_OP.json | 9052 +++---- .../mig-t/tests/single/OP/All_OP_Passive.json | 2246 +- ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 0 .../input/mig-t/tests/single/PASSIVE.json | 11960 +++++----- .../input/mig-t/tests/single/RP/All_RP.json | 2642 +-- .../mig-t/tests/single/RP/All_RP_Passive.json | 2282 +- ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 0 .../input/mig-t/tests/single/SA/All_SA.json | 2242 +- .../mig-t/tests/single/SA/All_SA_Passive.json | 2242 +- ...tion response-metadata-logo_uri-type.json} | 0 ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 0 ...ty Statement response OP-constraints.json} | 0 ...ntity Statement response OP-exp-type.json} | 0 ... SA-Entity Statement response OP-exp.json} | 0 ...ntity Statement response OP-iat-type.json} | 0 ... SA-Entity Statement response OP-iat.json} | 0 ...tity Statement response OP-iss-value.json} | 0 ... SA-Entity Statement response OP-iss.json} | 0 ...SA-Entity Statement response OP-jwks.json} | 0 ...tatement response OP-metadata_policy.json} | 0 ...Entity Statement response OP-release.json} | 0 ...tity Statement response OP-signature.json} | 0 ... 
SA-Entity Statement response OP-sub.json} | 0 ...t response OP-trust_mark-claims-type.json} | 0 ...tement response OP-trust_mark-claims.json} | 0 ...nt response OP-trust_mark-email-type.json} | 0 ...atement response OP-trust_mark-email.json} | 0 ...ment response OP-trust_mark-exp-type.json} | 0 ...Statement response OP-trust_mark-exp.json} | 0 ...ust_mark-fiscal_number-or-vat_number.json} | 0 ...ment response OP-trust_mark-iat-type.json} | 0 ...Statement response OP-trust_mark-iat.json} | 0 ... Statement response OP-trust_mark-id.json} | 0 ... response OP-trust_mark-id_code-type.json} | 0 ...ement response OP-trust_mark-id_code.json} | 0 ...response OP-trust_mark-ipa_code-type.json} | 0 ...ment response OP-trust_mark-ipa_code.json} | 0 ...ment response OP-trust_mark-iss-type.json} | 0 ...Statement response OP-trust_mark-iss.json} | 0 ...response OP-trust_mark-logo_uri-type.json} | 0 ...ment response OP-trust_mark-logo_uri.json} | 0 ...OP-trust_mark-organization_name-type.json} | 0 ...onse OP-trust_mark-organization_name.json} | 0 ...P-trust_mark-organization_type-value.json} | 0 ...onse OP-trust_mark-organization_type.json} | 0 ...sponse OP-trust_mark-policy_uri-type.json} | 0 ...nt response OP-trust_mark-policy_uri.json} | 0 ...ment response OP-trust_mark-ref-type.json} | 0 ...Statement response OP-trust_mark-ref.json} | 0 ...ponse OP-trust_mark-sa_profile-value.json} | 0 ...nt response OP-trust_mark-sa_profile.json} | 0 ...rust_mark-service_documentation-type.json} | 0 ... OP-trust_mark-service_documentation.json} | 0 ...ent response OP-trust_mark-signature.json} | 0 ...ment response OP-trust_mark-sub-type.json} | 0 ...Statement response OP-trust_mark-sub.json} | 0 ... response OP-trust_mark-tos_uri-type.json} | 0 ...ement response OP-trust_mark-tos_uri.json} | 0 ...ty Statement response OP-trust_marks.json} | 0 ...ty Statement response RP-constraints.json} | 0 ...ntity Statement response RP-exp-type.json} | 0 ... 
SA-Entity Statement response RP-exp.json} | 0 ...ntity Statement response RP-iat-type.json} | 0 ... SA-Entity Statement response RP-iat.json} | 0 ...tity Statement response RP-iss-value.json} | 0 ... SA-Entity Statement response RP-iss.json} | 0 ...SA-Entity Statement response RP-jwks.json} | 0 ...ent response RP-metadata_policy-jwks.json} | 0 ...tatement response RP-metadata_policy.json} | 0 ...Entity Statement response RP-release.json} | 0 ...tity Statement response RP-signature.json} | 0 ... SA-Entity Statement response RP-sub.json} | 0 ...t response RP-trust_mark-claims-type.json} | 0 ...tement response RP-trust_mark-claims.json} | 0 ...nt response RP-trust_mark-email-type.json} | 0 ...atement response RP-trust_mark-email.json} | 0 ...ment response RP-trust_mark-exp-type.json} | 0 ...Statement response RP-trust_mark-exp.json} | 0 ...ust_mark-fiscal_number-or-vat_number.json} | 0 ...Statement response RP-trust_mark-iat.json} | 0 ... Statement response RP-trust_mark-id.json} | 0 ... response RP-trust_mark-id_code-type.json} | 0 ...ement response RP-trust_mark-id_code.json} | 0 ...response RP-trust_mark-ipa_code-type.json} | 0 ...ment response RP-trust_mark-ipa_code.json} | 0 ...ment response RP-trust_mark-iss-type.json} | 0 ...Statement response RP-trust_mark-iss.json} | 0 ...response RP-trust_mark-logo_uri-type.json} | 0 ...ment response RP-trust_mark-logo_uri.json} | 0 ...RP-trust_mark-organization_name-type.json} | 0 ...onse RP-trust_mark-organization_name.json} | 0 ...P-trust_mark-organization_type-value.json} | 0 ...onse RP-trust_mark-organization_type.json} | 0 ...sponse RP-trust_mark-policy_uri-type.json} | 0 ...nt response RP-trust_mark-policy_uri.json} | 0 ...ment response RP-trust_mark-ref-type.json} | 0 ...Statement response RP-trust_mark-ref.json} | 0 ...ponse RP-trust_mark-sa_profile-value.json} | 0 ...nt response RP-trust_mark-sa_profile.json} | 0 ...rust_mark-service_documentation-type.json} | 0 ... 
RP-trust_mark-service_documentation.json} | 0 ...ent response RP-trust_mark-signature.json} | 0 ...ment response RP-trust_mark-sub-type.json} | 0 ...Statement response RP-trust_mark-sub.json} | 0 ... response RP-trust_mark-tos_uri-type.json} | 0 ...ement response RP-trust_mark-tos_uri.json} | 0 ...ty Statement response RP-trust_marks.json} | 0 ...Entity Statement response RP-exposed.json} | 0 .../input/mig-t/tests/single/TA/All_TA.json | 3064 +-- .../mig-t/tests/single/TA/All_TA_Passive.json | 3024 +-- ...figuration response-constraints-type.json} | 0 ...iguration response-constraints-value.json} | 0 ...y Configuration response-constraints.json} | 0 ...A-Entity Configuration response-jwks.json} | 0 ...iguration response-metadata-contacts.json} | 0 ...e-metadata-federation_fetch_endpoint.json} | 0 ...se-metadata-federation_list_endpoint.json} | 0 ...metadata-federation_resolve_endpoint.json} | 0 ...ederation_trust_mark_status_endpoint.json} | 0 ...ation response-metadata-homepage_uri.json} | 0 ...tion response-metadata-logo_uri-type.json} | 0 ...iguration response-metadata-logo_uri.json} | 0 ... response-metadata-organization_name.json} | 0 ...uration response-metadata-policy_uri.json} | 0 ...onfiguration response-metadata-value.json} | 0 ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 0 ...ion response-trust_mark_issuers-type.json} | 0 ...uration response-trust_marks_issuers.json} | 0 ...ty Statement response OP-constraints.json} | 0 ... TA-Entity Statement response OP-exp.json} | 0 ... TA-Entity Statement response OP-iat.json} | 0 ... Statement response OP-id_code-value.json} | 0 ... 
TA-Entity Statement response OP-iss.json} | 0 ...TA-Entity Statement response OP-jwks.json} | 0 ...data_policy-acr_values_supported-key.json} | 0 ...ta_policy-acr_values_supported-value.json} | 0 ...response_iss_parameter_supported-key.json} | 0 ...sponse_iss_parameter_supported-value.json} | 0 ...ion_response_iss_parameter_supported.json} | 0 ...olicy-claims_parameter_supported-key.json} | 0 ...icy-claims_parameter_supported-value.json} | 0 ...ta_policy-claims_parameter_supported.json} | 0 ...ent_registration_types_supported-key.json} | 0 ...t_registration_types_supported-value.json} | 0 ...-client_registration_types_supported.json} | 0 ...code_challenge_methods_supported-key.json} | 0 ...de_challenge_methods_supported-value.json} | 0 ...ata_policy-grant_types_supported-key.json} | 0 ...a_policy-grant_types_supported-value.json} | 0 ..._encryption_alg_values_supported-key.json} | 0 ..._encryption_enc_values_supported-key.json} | 0 ...ncryption_enc_values_supported-value.json} | 0 ...ken_signing_alg_values_supported-key.json} | 0 ...n_signing_alg_values_supported-value.json} | 0 ...ncryption_alg_values_supported-value.json} | 0 ...n_signing_alg_values_supported-value.json} | 0 ...n_signing_alg_values_supported-value.json} | 0 ...ncryption_alg_values_supported-value.json} | 0 ...o_signing_alg_values_supported-value.json} | 0 ...ent response OP-metadata_policy-jwks.json} | 0 ...authentication_methods_supported-key.json} | 0 ...thentication_methods_supported-value.json} | 0 ...est_authentication_methods_supported.json} | 0 ...ion_signing_alg_values_supported-key.json} | 0 ...n_signing_alg_values_supported-value.json} | 0 ...ect_signing_alg_values_supported-key.json} | 0 ...t_signing_alg_values_supported-value.json} | 0 ...licy-request_parameter_supported-key.json} | 0 ...cy-request_parameter_supported-value.json} | 0 ...a_policy-request_parameter_supported.json} | 0 ..._policy-response_modes_supported-key.json} | 0 ...olicy-response_modes_supported-value.json} | 0 
..._policy-response_types_supported-key.json} | 0 ...olicy-response_types_supported-value.json} | 0 ..._endpoint_auth_methods_supported-key.json} | 0 ...ndpoint_auth_methods_supported-value.json} | 0 ...metadata_policy-scopes_supported-key.json} | 0 ...tadata_policy-scopes_supported-value.json} | 0 ...a_policy-subject_types_supported-key.json} | 0 ...policy-subject_types_supported-value.json} | 0 ..._endpoint_auth_methods_supported-key.json} | 0 ...ndpoint_auth_methods_supported-value.json} | 0 ...uth_signing_alg_values_supported-key.json} | 0 ...values_supported-not-supported-value.json} | 0 ...h_signing_alg_values_supported-value.json} | 0 ..._encryption_alg_values_supported-key.json} | 0 ...ncryption_alg_values_supported-value.json} | 0 ..._encryption_enc_values_supported-key.json} | 0 ...ncryption_enc_values_supported-value.json} | 0 ...nfo_signing_alg_values_supported-key.json} | 0 ...o_signing_alg_values_supported-value.json} | 0 ...tatement response OP-metadata_policy.json} | 0 ...Entity Statement response OP-release.json} | 0 ...tity Statement response OP-signature.json} | 0 ... TA-Entity Statement response OP-sub.json} | 0 ...t response OP-trust_mark-claims-type.json} | 0 ...tement response OP-trust_mark-claims.json} | 0 ...nt response OP-trust_mark-email-type.json} | 0 ...atement response OP-trust_mark-email.json} | 0 ...ment response OP-trust_mark-exp-type.json} | 0 ...Statement response OP-trust_mark-exp.json} | 0 ...ust_mark-fiscal_number-or-vat_number.json} | 0 ...ment response OP-trust_mark-iat-type.json} | 0 ...Statement response OP-trust_mark-iat.json} | 0 ... 
Statement response OP-trust_mark-id.json} | 0 ...ement response OP-trust_mark-id_code.json} | 0 ...response OP-trust_mark-ipa_code-type.json} | 0 ...esponse OP-trust_mark-ipa_code-value.json} | 0 ...ment response OP-trust_mark-ipa_code.json} | 0 ...ent response OP-trust_mark-iss-value.json} | 0 ...Statement response OP-trust_mark-iss.json} | 0 ...esponse OP-trust_mark-logo_uri-value.json} | 0 ...ment response OP-trust_mark-logo_uri.json} | 0 ...OP-trust_mark-organization_name-type.json} | 0 ...onse OP-trust_mark-organization_name.json} | 0 ...P-trust_mark-organization_type-value.json} | 0 ...onse OP-trust_mark-organization_type.json} | 0 ...sponse OP-trust_mark-policy_uri-type.json} | 0 ...nt response OP-trust_mark-policy_uri.json} | 0 ...ment response OP-trust_mark-ref-type.json} | 0 ...Statement response OP-trust_mark-ref.json} | 0 ...ponse OP-trust_mark-sa_profile-value.json} | 0 ...rust_mark-service_documentation-type.json} | 0 ... OP-trust_mark-service_documentation.json} | 0 ...ent response OP-trust_mark-signature.json} | 0 ...ent response OP-trust_mark-sub-value.json} | 0 ...Statement response OP-trust_mark-sub.json} | 0 ... response OP-trust_mark-tos_uri-type.json} | 0 ...ement response OP-trust_mark-tos_uri.json} | 0 ...ty Statement response OP-trust_marks.json} | 0 ...ty Statement response RP-constraints.json} | 0 ... TA-Entity Statement response RP-exp.json} | 0 ... TA-Entity Statement response RP-iat.json} | 0 ... Statement response RP-id_code-value.json} | 0 ... 
TA-Entity Statement response RP-iss.json} | 0 ...TA-Entity Statement response RP-jwks.json} | 0 ...policy-client_registration_types-key.json} | 0 ...licy-client_registration_types-value.json} | 0 ...e RP-metadata_policy-grant_types-key.json} | 0 ...RP-metadata_policy-grant_types-value.json} | 0 ...-id_token_encrypted_response_alg-key.json} | 0 ...d_token_encrypted_response_alg-value.json} | 0 ...-id_token_encrypted_response_enc-key.json} | 0 ...d_token_encrypted_response_enc-value.json} | 0 ...icy-id_token_signed_response_alg-key.json} | 0 ...y-id_token_signed_response_alg-value.json} | 0 ...d_token_encrypted_response_alg-value.json} | 0 ...t-id_token_signed_response_alg-value.json} | 0 ...serinfo_encrypted_response_alg-value.json} | 0 ...t-userinfo_signed_response_alg-value.json} | 0 ...ent response RP-metadata_policy-jwks.json} | 0 ...P-metadata_policy-response_types-key.json} | 0 ...metadata_policy-response_types-value.json} | 0 ...olicy-token_endpoint_auth_method-key.json} | 0 ...icy-token_endpoint_auth_method-value.json} | 0 ...-userinfo_encrypted_response_alg-key.json} | 0 ...serinfo_encrypted_response_alg-value.json} | 0 ...-userinfo_encrypted_response_enc-key.json} | 0 ...serinfo_encrypted_response_enc-value.json} | 0 ...icy-userinfo_signed_response_alg-key.json} | 0 ...y-userinfo_signed_response_alg-value.json} | 0 ...tatement response RP-metadata_policy.json} | 0 ...Entity Statement response RP-release.json} | 0 ...tity Statement response RP-signature.json} | 0 ... TA-Entity Statement response RP-sub.json} | 0 ...t response RP-trust_mark-claims-type.json} | 0 ...tement response RP-trust_mark-claims.json} | 0 ...nt response RP-trust_mark-email-type.json} | 0 ...atement response RP-trust_mark-email.json} | 0 ...ment response RP-trust_mark-exp-type.json} | 0 ...Statement response RP-trust_mark-exp.json} | 0 ...ust_mark-fiscal_number-or-vat_number.json} | 0 ...ment response RP-trust_mark-iat-type.json} | 0 ...Statement response RP-trust_mark-iat.json} | 0 ... 
Statement response RP-trust_mark-id.json} | 0 ...ement response RP-trust_mark-id_code.json} | 0 ...response RP-trust_mark-ipa_code-type.json} | 0 ...esponse RP-trust_mark-ipa_code-value.json} | 0 ...ment response RP-trust_mark-ipa_code.json} | 0 ...ent response RP-trust_mark-iss-value.json} | 0 ...Statement response RP-trust_mark-iss.json} | 0 ...esponse RP-trust_mark-logo_uri-value.json} | 0 ...ment response RP-trust_mark-logo_uri.json} | 0 ...RP-trust_mark-organization_name-type.json} | 0 ...onse RP-trust_mark-organization_name.json} | 0 ...P-trust_mark-organization_type-value.json} | 0 ...onse RP-trust_mark-organization_type.json} | 0 ...sponse RP-trust_mark-policy_uri-type.json} | 0 ...nt response RP-trust_mark-policy_uri.json} | 0 ...ment response RP-trust_mark-ref-type.json} | 0 ...Statement response RP-trust_mark-ref.json} | 0 ...ponse RP-trust_mark-sa_profile-value.json} | 0 ...rust_mark-service_documentation-type.json} | 0 ... RP-trust_mark-service_documentation.json} | 0 ...ent response RP-trust_mark-signature.json} | 0 ...ent response RP-trust_mark-sub-value.json} | 0 ...Statement response RP-trust_mark-sub.json} | 0 ... 
response RP-trust_mark-tos_uri-type.json} | 0 ...ement response RP-trust_mark-tos_uri.json} | 0 ...ty Statement response RP-trust_marks.json} | 0 ...policy-client_registration_types-key.json} | 0 ...licy-client_registration_types-value.json} | 0 ...e SA-metadata_policy-grant_types-key.json} | 0 ...SA-metadata_policy-grant_types-value.json} | 0 ...-id_token_encrypted_response_alg-key.json} | 0 ...d_token_encrypted_response_alg-value.json} | 0 ...-id_token_encrypted_response_enc-key.json} | 0 ...d_token_encrypted_response_enc-value.json} | 0 ...icy-id_token_signed_response_alg-key.json} | 0 ...y-id_token_signed_response_alg-value.json} | 0 ...d_token_encrypted_response_alg-value.json} | 0 ...t-id_token_signed_response_alg-value.json} | 0 ...serinfo_encrypted_response_alg-value.json} | 0 ...t-userinfo_signed_response_alg-value.json} | 0 ...A-metadata_policy-response_types-key.json} | 0 ...metadata_policy-response_types-value.json} | 0 ...olicy-token_endpoint_auth_method-key.json} | 0 ...icy-token_endpoint_auth_method-value.json} | 0 ...-userinfo_encrypted_response_alg-key.json} | 0 ...serinfo_encrypted_response_alg-value.json} | 0 ...-userinfo_encrypted_response_enc-key.json} | 0 ...serinfo_encrypted_response_enc-value.json} | 0 ...icy-userinfo_signed_response_alg-key.json} | 0 ...y-userinfo_signed_response_alg-value.json} | 0 ...nt response SA-trust_mark-sa_profile.json} | 0 ...Entity Statement response OP-exposed.json} | 0 ...Entity Statement response RP-exposed.json} | 0 testplans/spid-cie-oidc/testplan.csv | 1494 +- tools/testplan-to-mr/testplan-to-mr.py | 4 + 344 files changed, 30567 insertions(+), 30602 deletions(-) delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response AA-metadata-authorization_endpoint-value.json => 
AA-Entity Configuration response-metadata-authorization_endpoint-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response AA-metadata-logo_uri-type.json => AA-Entity Configuration response-metadata-logo_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response AA-metadata-op_policy_uri-type.json => AA-Entity Configuration response-metadata-op_policy_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response AA-metadata-resource-type.json => AA-Entity Configuration response-metadata-resource-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response AA-signature.json => AA-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response AA-sub-value.json => AA-Entity Configuration response-sub-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/{OP-Entity Configuration response OP-signature.json => OP-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/{OP-Entity Configuration response OP-sub-value.json => OP-Entity Configuration response-sub-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/{RP-Entity Configuration response RP-signature.json => RP-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/{RP-Entity Configuration response RP-sub-value.json => RP-Entity 
Configuration response-sub-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Configuration response SA-metadata-logo_uri-type.json => SA-Entity Configuration response-metadata-logo_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Configuration response SA-signature.json => SA-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Configuration response SA-sub-value.json => SA-Entity Configuration response-sub-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-constraints.json => SA-Entity Statement response OP-constraints.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-exp-type.json => SA-Entity Statement response OP-exp-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-exp.json => SA-Entity Statement response OP-exp.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-iat-type.json => SA-Entity Statement response OP-iat-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-iat.json => SA-Entity Statement response OP-iat.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-iss-value.json => SA-Entity Statement response OP-iss-value.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-iss.json => SA-Entity Statement response OP-iss.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-jwks.json => SA-Entity Statement response OP-jwks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-metadata_policy.json => SA-Entity Statement response OP-metadata_policy.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-release.json => SA-Entity Statement response OP-release.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-signature.json => SA-Entity Statement response OP-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-sub.json => SA-Entity Statement response OP-sub.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-claims-type.json => SA-Entity Statement response OP-trust_mark-claims-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-claims.json => SA-Entity Statement response OP-trust_mark-claims.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-email-type.json => SA-Entity Statement response OP-trust_mark-email-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement 
response SA OP-trust_mark-email.json => SA-Entity Statement response OP-trust_mark-email.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-exp-type.json => SA-Entity Statement response OP-trust_mark-exp-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-exp.json => SA-Entity Statement response OP-trust_mark-exp.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-fiscal_number-or-vat_number.json => SA-Entity Statement response OP-trust_mark-fiscal_number-or-vat_number.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-iat-type.json => SA-Entity Statement response OP-trust_mark-iat-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-iat.json => SA-Entity Statement response OP-trust_mark-iat.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-id.json => SA-Entity Statement response OP-trust_mark-id.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-id_code-type.json => SA-Entity Statement response OP-trust_mark-id_code-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-id_code.json => SA-Entity Statement response OP-trust_mark-id_code.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-ipa_code-type.json => SA-Entity Statement response OP-trust_mark-ipa_code-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-ipa_code.json => SA-Entity Statement response OP-trust_mark-ipa_code.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-iss-type.json => SA-Entity Statement response OP-trust_mark-iss-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-iss.json => SA-Entity Statement response OP-trust_mark-iss.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-logo_uri-type.json => SA-Entity Statement response OP-trust_mark-logo_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-logo_uri.json => SA-Entity Statement response OP-trust_mark-logo_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-organization_name-type.json => SA-Entity Statement response OP-trust_mark-organization_name-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-organization_name.json => SA-Entity Statement response OP-trust_mark-organization_name.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA 
OP-trust_mark-organization_type-value.json => SA-Entity Statement response OP-trust_mark-organization_type-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-organization_type.json => SA-Entity Statement response OP-trust_mark-organization_type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-policy_uri-type.json => SA-Entity Statement response OP-trust_mark-policy_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-policy_uri.json => SA-Entity Statement response OP-trust_mark-policy_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-ref-type.json => SA-Entity Statement response OP-trust_mark-ref-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-ref.json => SA-Entity Statement response OP-trust_mark-ref.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-sa_profile-value.json => SA-Entity Statement response OP-trust_mark-sa_profile-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-sa_profile.json => SA-Entity Statement response OP-trust_mark-sa_profile.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-service_documentation-type.json => SA-Entity Statement response 
OP-trust_mark-service_documentation-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-service_documentation.json => SA-Entity Statement response OP-trust_mark-service_documentation.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-signature.json => SA-Entity Statement response OP-trust_mark-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-sub-type.json => SA-Entity Statement response OP-trust_mark-sub-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-sub.json => SA-Entity Statement response OP-trust_mark-sub.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-tos_uri-type.json => SA-Entity Statement response OP-trust_mark-tos_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_mark-tos_uri.json => SA-Entity Statement response OP-trust_mark-tos_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA OP-trust_marks.json => SA-Entity Statement response OP-trust_marks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-constraints.json => SA-Entity Statement response RP-constraints.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-exp-type.json => 
SA-Entity Statement response RP-exp-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-exp.json => SA-Entity Statement response RP-exp.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-iat-type.json => SA-Entity Statement response RP-iat-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-iat.json => SA-Entity Statement response RP-iat.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-iss-value.json => SA-Entity Statement response RP-iss-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-iss.json => SA-Entity Statement response RP-iss.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-jwks.json => SA-Entity Statement response RP-jwks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-metadata_policy-jwks.json => SA-Entity Statement response RP-metadata_policy-jwks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-metadata_policy.json => SA-Entity Statement response RP-metadata_policy.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-release.json => SA-Entity Statement response RP-release.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement 
response SA RP-signature.json => SA-Entity Statement response RP-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-sub.json => SA-Entity Statement response RP-sub.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-claims-type.json => SA-Entity Statement response RP-trust_mark-claims-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-claims.json => SA-Entity Statement response RP-trust_mark-claims.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-email-type.json => SA-Entity Statement response RP-trust_mark-email-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-email.json => SA-Entity Statement response RP-trust_mark-email.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-exp-type.json => SA-Entity Statement response RP-trust_mark-exp-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-exp.json => SA-Entity Statement response RP-trust_mark-exp.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-fiscal_number-or-vat_number.json => SA-Entity Statement response RP-trust_mark-fiscal_number-or-vat_number.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity 
Statement response SA RP-trust_mark-iat.json => SA-Entity Statement response RP-trust_mark-iat.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-id.json => SA-Entity Statement response RP-trust_mark-id.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-id_code-type.json => SA-Entity Statement response RP-trust_mark-id_code-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-id_code.json => SA-Entity Statement response RP-trust_mark-id_code.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-ipa_code-type.json => SA-Entity Statement response RP-trust_mark-ipa_code-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-ipa_code.json => SA-Entity Statement response RP-trust_mark-ipa_code.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-iss-type.json => SA-Entity Statement response RP-trust_mark-iss-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-iss.json => SA-Entity Statement response RP-trust_mark-iss.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-logo_uri-type.json => SA-Entity Statement response RP-trust_mark-logo_uri-type.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-logo_uri.json => SA-Entity Statement response RP-trust_mark-logo_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-organization_name-type.json => SA-Entity Statement response RP-trust_mark-organization_name-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-organization_name.json => SA-Entity Statement response RP-trust_mark-organization_name.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-organization_type-value.json => SA-Entity Statement response RP-trust_mark-organization_type-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-organization_type.json => SA-Entity Statement response RP-trust_mark-organization_type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-policy_uri-type.json => SA-Entity Statement response RP-trust_mark-policy_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-policy_uri.json => SA-Entity Statement response RP-trust_mark-policy_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-ref-type.json => SA-Entity Statement response RP-trust_mark-ref-type.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-ref.json => SA-Entity Statement response RP-trust_mark-ref.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-sa_profile-value.json => SA-Entity Statement response RP-trust_mark-sa_profile-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-sa_profile.json => SA-Entity Statement response RP-trust_mark-sa_profile.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-service_documentation-type.json => SA-Entity Statement response RP-trust_mark-service_documentation-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-service_documentation.json => SA-Entity Statement response RP-trust_mark-service_documentation.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-signature.json => SA-Entity Statement response RP-trust_mark-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-sub-type.json => SA-Entity Statement response RP-trust_mark-sub-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-sub.json => SA-Entity Statement response RP-trust_mark-sub.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA 
RP-trust_mark-tos_uri-type.json => SA-Entity Statement response RP-trust_mark-tos_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_mark-tos_uri.json => SA-Entity Statement response RP-trust_mark-tos_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Statement response SA RP-trust_marks.json => SA-Entity Statement response RP-trust_marks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Fetch Entity Statement response SA RP-exposed.json => SA-Fetch Entity Statement response RP-exposed.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-constraints-type.json => TA-Entity Configuration response-constraints-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-constraints-value.json => TA-Entity Configuration response-constraints-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-constraints.json => TA-Entity Configuration response-constraints.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-jwks.json => TA-Entity Configuration response-jwks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-contacts.json => TA-Entity Configuration response-metadata-contacts.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-federation_fetch_endpoint.json => 
TA-Entity Configuration response-metadata-federation_fetch_endpoint.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-federation_list_endpoint.json => TA-Entity Configuration response-metadata-federation_list_endpoint.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-federation_resolve_endpoint.json => TA-Entity Configuration response-metadata-federation_resolve_endpoint.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-federation_trust_mark_status_endpoint.json => TA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-homepage_uri.json => TA-Entity Configuration response-metadata-homepage_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-logo_uri-type.json => TA-Entity Configuration response-metadata-logo_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-logo_uri.json => TA-Entity Configuration response-metadata-logo_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-organization_name.json => TA-Entity Configuration response-metadata-organization_name.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-policy_uri.json => TA-Entity Configuration 
response-metadata-policy_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-metadata-value.json => TA-Entity Configuration response-metadata-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-signature.json => TA-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-sub-value.json => TA-Entity Configuration response-sub-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-trust_marks_issuers-type.json => TA-Entity Configuration response-trust_mark_issuers-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response TA-trust_marks_issuers.json => TA-Entity Configuration response-trust_marks_issuers.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-constraints.json => TA-Entity Statement response OP-constraints.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-exp.json => TA-Entity Statement response OP-exp.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-iat.json => TA-Entity Statement response OP-iat.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-id_code-value.json => TA-Entity Statement response OP-id_code-value.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-iss.json => TA-Entity Statement response OP-iss.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-jwks.json => TA-Entity Statement response OP-jwks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-key.json => TA-Entity Statement response OP-metadata_policy-acr_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-acr_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-key.json => TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-value.json => TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported.json => TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response 
TA OP-metadata_policy-claims_parameter_supported-key.json => TA-Entity Statement response OP-metadata_policy-claims_parameter_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported-value.json => TA-Entity Statement response OP-metadata_policy-claims_parameter_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported.json => TA-Entity Statement response OP-metadata_policy-claims_parameter_supported.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported-key.json => TA-Entity Statement response OP-metadata_policy-client_registration_types_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported-value.json => TA-Entity Statement response OP-metadata_policy-client_registration_types_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported.json => TA-Entity Statement response OP-metadata_policy-client_registration_types_supported.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-key.json => TA-Entity Statement response OP-metadata_policy-code_challenge_methods_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity 
Statement response TA OP-metadata_policy-code_challenge_methods_supported-value.json => TA-Entity Statement response OP-metadata_policy-code_challenge_methods_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-key.json => TA-Entity Statement response OP-metadata_policy-grant_types_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-value.json => TA-Entity Statement response OP-metadata_policy-grant_types_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_alg_values_supported-key.json => TA-Entity Statement response OP-metadata_policy-id_token_encryption_alg_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-key.json => TA-Entity Statement response OP-metadata_policy-id_token_encryption_enc_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-id_token_encryption_enc_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-key.json => TA-Entity Statement response OP-metadata_policy-id_token_signing_alg_values_supported-key.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-id_token_signing_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-incorrect-userinfo_encryption_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-incorrect-userinfo_encryption_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-incorrect-userinfo_signing_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-incorrect-userinfo_signing_alg_values_supported-value.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-jwks.json => TA-Entity Statement response OP-metadata_policy-jwks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-key.json => TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-value.json => TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported.json => TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-key.json => TA-Entity Statement response OP-metadata_policy-request_authentication_signing_alg_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-request_authentication_signing_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-key.json 
=> TA-Entity Statement response OP-metadata_policy-request_object_signing_alg_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-request_object_signing_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-key.json => TA-Entity Statement response OP-metadata_policy-request_parameter_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-value.json => TA-Entity Statement response OP-metadata_policy-request_parameter_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported.json => TA-Entity Statement response OP-metadata_policy-request_parameter_supported.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-key.json => TA-Entity Statement response OP-metadata_policy-response_modes_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-value.json => TA-Entity Statement response OP-metadata_policy-response_modes_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA 
OP-metadata_policy-response_types_supported-key.json => TA-Entity Statement response OP-metadata_policy-response_types_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-response_types_supported-value.json => TA-Entity Statement response OP-metadata_policy-response_types_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-key.json => TA-Entity Statement response OP-metadata_policy-revocation_endpoint_auth_methods_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-value.json => TA-Entity Statement response OP-metadata_policy-revocation_endpoint_auth_methods_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-scopes_supported-key.json => TA-Entity Statement response OP-metadata_policy-scopes_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-scopes_supported-value.json => TA-Entity Statement response OP-metadata_policy-scopes_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-key.json => TA-Entity Statement response OP-metadata_policy-subject_types_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA 
OP-metadata_policy-subject_types_supported-value.json => TA-Entity Statement response OP-metadata_policy-subject_types_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-key.json => TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_methods_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-value.json => TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_methods_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key.json => TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value.json => TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-key.json => TA-Entity Statement response 
OP-metadata_policy-userinfo_encryption_alg_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-userinfo_encryption_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-key.json => TA-Entity Statement response OP-metadata_policy-userinfo_encryption_enc_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-userinfo_encryption_enc_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-key.json => TA-Entity Statement response OP-metadata_policy-userinfo_signing_alg_values_supported-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-value.json => TA-Entity Statement response OP-metadata_policy-userinfo_signing_alg_values_supported-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-metadata_policy.json => TA-Entity Statement response OP-metadata_policy.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-release.json => TA-Entity Statement 
response OP-release.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-signature.json => TA-Entity Statement response OP-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-sub.json => TA-Entity Statement response OP-sub.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-claims-type.json => TA-Entity Statement response OP-trust_mark-claims-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-claims.json => TA-Entity Statement response OP-trust_mark-claims.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-email-type.json => TA-Entity Statement response OP-trust_mark-email-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-email.json => TA-Entity Statement response OP-trust_mark-email.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-exp-type.json => TA-Entity Statement response OP-trust_mark-exp-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-exp.json => TA-Entity Statement response OP-trust_mark-exp.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-fiscal_number-or-vat_number.json => TA-Entity Statement response 
OP-trust_mark-fiscal_number-or-vat_number.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-iat-type.json => TA-Entity Statement response OP-trust_mark-iat-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-iat.json => TA-Entity Statement response OP-trust_mark-iat.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-id.json => TA-Entity Statement response OP-trust_mark-id.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-id_code.json => TA-Entity Statement response OP-trust_mark-id_code.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-ipa_code-type.json => TA-Entity Statement response OP-trust_mark-ipa_code-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-ipa_code-value.json => TA-Entity Statement response OP-trust_mark-ipa_code-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-ipa_code.json => TA-Entity Statement response OP-trust_mark-ipa_code.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-iss-value.json => TA-Entity Statement response OP-trust_mark-iss-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA 
OP-trust_mark-iss.json => TA-Entity Statement response OP-trust_mark-iss.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-logo_uri-value.json => TA-Entity Statement response OP-trust_mark-logo_uri-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-logo_uri.json => TA-Entity Statement response OP-trust_mark-logo_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-organization_name-type.json => TA-Entity Statement response OP-trust_mark-organization_name-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-organization_name.json => TA-Entity Statement response OP-trust_mark-organization_name.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-organization_type-value.json => TA-Entity Statement response OP-trust_mark-organization_type-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-organization_type.json => TA-Entity Statement response OP-trust_mark-organization_type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-policy_uri-type.json => TA-Entity Statement response OP-trust_mark-policy_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-policy_uri.json => TA-Entity Statement response 
OP-trust_mark-policy_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-ref-type.json => TA-Entity Statement response OP-trust_mark-ref-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-ref.json => TA-Entity Statement response OP-trust_mark-ref.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-sa_profile-value.json => TA-Entity Statement response OP-trust_mark-sa_profile-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-service_documentation-type.json => TA-Entity Statement response OP-trust_mark-service_documentation-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-service_documentation.json => TA-Entity Statement response OP-trust_mark-service_documentation.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-signature.json => TA-Entity Statement response OP-trust_mark-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-sub-value.json => TA-Entity Statement response OP-trust_mark-sub-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-sub.json => TA-Entity Statement response OP-trust_mark-sub.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-tos_uri-type.json => TA-Entity Statement response OP-trust_mark-tos_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_mark-tos_uri.json => TA-Entity Statement response OP-trust_mark-tos_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA OP-trust_marks.json => TA-Entity Statement response OP-trust_marks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-constraints.json => TA-Entity Statement response RP-constraints.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-exp.json => TA-Entity Statement response RP-exp.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-iat.json => TA-Entity Statement response RP-iat.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-id_code-value.json => TA-Entity Statement response RP-id_code-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-iss.json => TA-Entity Statement response RP-iss.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-jwks.json => TA-Entity Statement response RP-jwks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA 
RP-metadata_policy-client_registration_types-key.json => TA-Entity Statement response RP-metadata_policy-client_registration_types-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-client_registration_types-value.json => TA-Entity Statement response RP-metadata_policy-client_registration_types-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-grant_types-key.json => TA-Entity Statement response RP-metadata_policy-grant_types-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-grant_types-value.json => TA-Entity Statement response RP-metadata_policy-grant_types-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-key.json => TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_alg-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-value.json => TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-key.json => TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_enc-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-value.json => 
TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_enc-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-key.json => TA-Entity Statement response RP-metadata_policy-id_token_signed_response_alg-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-value.json => TA-Entity Statement response RP-metadata_policy-id_token_signed_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json => TA-Entity Statement response RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_signed_response_alg-value.json => TA-Entity Statement response RP-metadata_policy-incorrect-id_token_signed_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json => TA-Entity Statement response RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_signed_response_alg-value.json => TA-Entity Statement response RP-metadata_policy-incorrect-userinfo_signed_response_alg-value.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-jwks.json => TA-Entity Statement response RP-metadata_policy-jwks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-response_types-key.json => TA-Entity Statement response RP-metadata_policy-response_types-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-response_types-value.json => TA-Entity Statement response RP-metadata_policy-response_types-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-key.json => TA-Entity Statement response RP-metadata_policy-token_endpoint_auth_method-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-value.json => TA-Entity Statement response RP-metadata_policy-token_endpoint_auth_method-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-key.json => TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_alg-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-value.json => TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement 
response TA RP-metadata_policy-userinfo_encrypted_response_enc-key.json => TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_enc-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-value.json => TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_enc-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-key.json => TA-Entity Statement response RP-metadata_policy-userinfo_signed_response_alg-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-value.json => TA-Entity Statement response RP-metadata_policy-userinfo_signed_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-metadata_policy.json => TA-Entity Statement response RP-metadata_policy.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-release.json => TA-Entity Statement response RP-release.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-signature.json => TA-Entity Statement response RP-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-sub.json => TA-Entity Statement response RP-sub.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA 
RP-trust_mark-claims-type.json => TA-Entity Statement response RP-trust_mark-claims-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-claims.json => TA-Entity Statement response RP-trust_mark-claims.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-email-type.json => TA-Entity Statement response RP-trust_mark-email-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-email.json => TA-Entity Statement response RP-trust_mark-email.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-exp-type.json => TA-Entity Statement response RP-trust_mark-exp-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-exp.json => TA-Entity Statement response RP-trust_mark-exp.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-fiscal_number-or-vat_number.json => TA-Entity Statement response RP-trust_mark-fiscal_number-or-vat_number.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-iat-type.json => TA-Entity Statement response RP-trust_mark-iat-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-iat.json => TA-Entity Statement response RP-trust_mark-iat.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-id.json => TA-Entity Statement response RP-trust_mark-id.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-id_code.json => TA-Entity Statement response RP-trust_mark-id_code.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-ipa_code-type.json => TA-Entity Statement response RP-trust_mark-ipa_code-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-ipa_code-value.json => TA-Entity Statement response RP-trust_mark-ipa_code-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-ipa_code.json => TA-Entity Statement response RP-trust_mark-ipa_code.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-iss-value.json => TA-Entity Statement response RP-trust_mark-iss-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-iss.json => TA-Entity Statement response RP-trust_mark-iss.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-logo_uri-value.json => TA-Entity Statement response RP-trust_mark-logo_uri-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-logo_uri.json => TA-Entity Statement response 
RP-trust_mark-logo_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-organization_name-type.json => TA-Entity Statement response RP-trust_mark-organization_name-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-organization_name.json => TA-Entity Statement response RP-trust_mark-organization_name.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-organization_type-value.json => TA-Entity Statement response RP-trust_mark-organization_type-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-organization_type.json => TA-Entity Statement response RP-trust_mark-organization_type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-policy_uri-type.json => TA-Entity Statement response RP-trust_mark-policy_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-policy_uri.json => TA-Entity Statement response RP-trust_mark-policy_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-ref-type.json => TA-Entity Statement response RP-trust_mark-ref-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-ref.json => TA-Entity Statement response RP-trust_mark-ref.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-sa_profile-value.json => TA-Entity Statement response RP-trust_mark-sa_profile-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-service_documentation-type.json => TA-Entity Statement response RP-trust_mark-service_documentation-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-service_documentation.json => TA-Entity Statement response RP-trust_mark-service_documentation.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-signature.json => TA-Entity Statement response RP-trust_mark-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-sub-value.json => TA-Entity Statement response RP-trust_mark-sub-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-sub.json => TA-Entity Statement response RP-trust_mark-sub.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-tos_uri-type.json => TA-Entity Statement response RP-trust_mark-tos_uri-type.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA RP-trust_mark-tos_uri.json => TA-Entity Statement response RP-trust_mark-tos_uri.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA 
RP-trust_marks.json => TA-Entity Statement response RP-trust_marks.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-client_registration_types-key.json => TA-Entity Statement response SA-metadata_policy-client_registration_types-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-client_registration_types-value.json => TA-Entity Statement response SA-metadata_policy-client_registration_types-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-grant_types-key.json => TA-Entity Statement response SA-metadata_policy-grant_types-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-grant_types-value.json => TA-Entity Statement response SA-metadata_policy-grant_types-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_alg-key.json => TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_alg-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_alg-value.json => TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_enc-key.json => TA-Entity Statement response 
SA-metadata_policy-id_token_encrypted_response_enc-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_enc-value.json => TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_enc-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-id_token_signed_response_alg-key.json => TA-Entity Statement response SA-metadata_policy-id_token_signed_response_alg-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-id_token_signed_response_alg-value.json => TA-Entity Statement response SA-metadata_policy-id_token_signed_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json => TA-Entity Statement response SA-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-incorrect-id_token_signed_response_alg-value.json => TA-Entity Statement response SA-metadata_policy-incorrect-id_token_signed_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json => TA-Entity Statement response SA-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA 
SA-metadata_policy-incorrect-userinfo_signed_response_alg-value.json => TA-Entity Statement response SA-metadata_policy-incorrect-userinfo_signed_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-response_types-key.json => TA-Entity Statement response SA-metadata_policy-response_types-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-response_types-value.json => TA-Entity Statement response SA-metadata_policy-response_types-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-token_endpoint_auth_method-key.json => TA-Entity Statement response SA-metadata_policy-token_endpoint_auth_method-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-token_endpoint_auth_method-value.json => TA-Entity Statement response SA-metadata_policy-token_endpoint_auth_method-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_alg-key.json => TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_alg-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_alg-value.json => TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA 
SA-metadata_policy-userinfo_encrypted_response_enc-key.json => TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_enc-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_enc-value.json => TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_enc-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-key.json => TA-Entity Statement response SA-metadata_policy-userinfo_signed_response_alg-key.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-value.json => TA-Entity Statement response SA-metadata_policy-userinfo_signed_response_alg-value.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Statement response TA SA-trust_mark-sa_profile.json => TA-Entity Statement response SA-trust_mark-sa_profile.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Fetch Entity Statement response TA OP-exposed.json => TA-Fetch Entity Statement response OP-exposed.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Fetch Entity Statement response TA RP-exposed.json => TA-Fetch Entity Statement response RP-exposed.json} (100%) 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri.json
deleted file mode 100644
index d275c12..0000000
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "test suite": {
- "name": "Single test",
- "description": "One test only",
- "filter messages": true
- },
- "tests": [
- {
- "test": {
- "name": "Does the AA metadata contain op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response AA",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\n\\r]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$..metadata.openid_provider.op_policy_uri",
- "is present": "true"
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-authorization_endpoint-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-authorization_endpoint-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-authorization_endpoint-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-authorization_endpoint-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-logo_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-logo_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-logo_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-op_policy_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-op_policy_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-op_policy_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-op_policy_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-op_policy_uri.json
index f707d73..d275c12 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-op_policy_uri.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-op_policy_uri.json
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the AA metadata contain the op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -19,12 +19,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_policy_uri",
+ "check": "$..metadata.openid_provider.op_policy_uri",
 "is present": "true"
 }
 ]
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-resource-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-resource-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-metadata-resource-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-resource-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-signature.json
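Review bot: The new decode step is keyed `"decode param": "[^\\n\\r]*"`, while every AA test rewritten in All_AA.json by this same patch uses `"decode regex": "[^\\r\\n]*"` for the identical body extraction; if mig-t recognises only one of the two spellings, this file never decodes the JWT and its presence check silently never runs, so the key should be aligned with the aggregate file. The JSONPath was also widened from the absolute `$.metadata.oauth_authorization_server.op_policy_uri` to `$..metadata.openid_provider.op_policy_uri`: the recursive descent `$..` accepts a `metadata` object at any depth, so the check can be satisfied by a nested object rather than the entity's own top-level metadata, and the `openid_provider` entity type disagrees with the All_AA.json counterpart in this patch, which checks `$.metadata.oauth_authorization_server.op_policy_uri` and describes it as such. Unless the single-file test is deliberately meant to cover both entity types, restore the absolute path and pick one entity type for both the description in the previous hunk and the check here.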
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-sub-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response AA-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-sub-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
index 5f61c7f..ca939e7 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
@@ -16,23 +16,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -42,8 +30,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -51,23 +39,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
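Review bot: The test "Does the Entity expose the /.well-known/openid-federation endpoint" in hunk `@@ -51,23 +39,11 @@` carries exactly the same single check as the "correct HTTP code" test in hunk `@@ -16,23 +16,11 @@` — `"in": "head"`, `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`, `"is present": "true"` — so the two tests are duplicates, and neither verifies what the second description promises, that the entity configuration is returned. A 200 carrying an HTML error page or an empty body satisfies both. Either drop one of them, or give the endpoint test a body-level check (for example a decode operation with `"type": "jwt"` and a payload presence check, as the other tests in this file do), so that a passing result actually means an entity configuration was served.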
@@ -77,8 +53,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct type of issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL",
+ "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -89,13 +65,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -107,8 +86,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -119,13 +98,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
@@ -137,8 +118,8 @@
 },
 {
 "test": {
- "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
+ "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
@@ -149,13 +130,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -167,8 +151,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
@@ -176,18 +160,12 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
@@ -197,8 +175,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the AA metadata contain the authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
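Review bot: The Content-Type check in hunk `@@ -176,18 +160,12 @@` uses an exact `"is": "application/entity-statement+jwt"`; if mig-t's `is` is a whole-value comparison (the hunk does not show its semantics), a response that carries the same media type with a parameter, e.g. `application/entity-statement+jwt; charset=utf-8`, fails the test although it is a valid entity configuration response. If that strictness is intended, say so in the description; otherwise a `check regex` on the header value, as the neighbouring head checks already use, would accept parameters while still pinning the media type. Separately, `"url decode": false` is a JSON boolean while `"is present": "true"` throughout the same file is a string, so the two boolean styles now sit side by side in the checks objects; one convention for the whole test plan would make the files easier to validate.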
@@ -209,13 +187,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.oauth_authorization_server.authorization_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -227,8 +205,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the AA metadata contain the contacts claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -239,13 +217,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
@@ -257,8 +235,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -269,13 +247,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -287,8 +265,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -299,13 +277,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -317,8 +295,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
+ "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -329,13 +307,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -347,8 +325,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type authorization_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
+ "name": "Does the AA metadata contain the grant_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -359,13 +337,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
+ "check": "$.metadata.oauth_authorization_server.grant_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -377,8 +355,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
+ "name": "Does the AA metadata contain the homepage_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -389,13 +367,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -407,8 +385,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the authorization_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -424,7 +402,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.authorization_endpoint",
+ "check": "$.metadata.oauth_authorization_server.issuer",
 "is present": "true"
 }
 ]
@@ -437,8 +415,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the contacts claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain the jwks claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -454,7 +432,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
+ "check": "$.metadata.oauth_authorization_server.jwks",
 "is present": "true"
 }
 ]
@@ -467,8 +445,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -484,7 +462,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -497,8 +475,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain the op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -514,7 +492,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "check": "$.metadata.oauth_authorization_server.op_policy_uri",
 "is present": "true"
 }
 ]
@@ -527,8 +505,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain the op_tos_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -544,7 +522,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "check": "$.metadata.oauth_authorization_server.op_tos_uri",
 "is present": "true"
 }
 ]
@@ -557,8 +535,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the grant_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the organization_name claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -574,7 +552,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.grant_types_supported",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -587,8 +565,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the homepage_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain the policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -604,7 +582,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -617,8 +595,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -634,7 +612,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.issuer",
+ "check": "$.metadata.oauth_resource.resource",
 "is present": "true"
 }
 ]
@@ -647,8 +625,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the jwks claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the response_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -664,7 +642,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.jwks",
+ "check": "$.metadata.oauth_authorization_server.response_types_supported",
 "is present": "true"
 }
 ]
@@ -677,8 +655,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain the scopes_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -694,7 +672,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.metadata.oauth_authorization_server.scopes_supported",
 "is present": "true"
 }
 ]
@@ -707,8 +685,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the token_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -724,7 +702,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_policy_uri",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint",
 "is present": "true"
 }
 ]
@@ -737,8 +715,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the op_tos_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -754,7 +732,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_tos_uri",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
 "is present": "true"
 }
 ]
@@ -767,8 +745,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the organization_name claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -784,7 +762,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -797,8 +775,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -806,18 +784,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
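Review bot: The JOSE-format check in the -806 hunk uses `[\\w=]+` for the header and payload segments, and `\w` does not include `-`, which base64url uses, so any entity configuration whose header or payload contains a `-` fails this test even though it is well-formed. Replace the pattern with `"check regex": "([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)"` so all three segments accept the base64url alphabet. The description also names the Content-Type `application/entity-statement+jwt`, but this regex looks only at the body, so the header is not verified here; if no other test on the new side covers it, a second check on `head` is needed.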
@@ -827,27 +798,20 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_resource.resource",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
@@ -857,8 +821,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the response_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
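Review bot: The leading `[` in the resolve-endpoint regex in the -827 hunk is not escaped, so it opens a character class (`[\s*"[^"]`) and the pattern no longer matches a JSON array of strings as the rest of the expression suggests it should. Escape it as `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Whether a bare JSON array is the right expectation should also be confirmed: the description says the response carries the resolved metadata, and if the implementation returns that as a signed JWT the corrected pattern would still never match.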
@@ -869,13 +833,18 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.response_types_supported",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -887,8 +856,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the scopes_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -899,13 +868,18 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.scopes_supported",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
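Review bot: The deny-list checks in the -869 and -899 hunks read `...dpop_signing_alg_values_supported.one_of` and `...token_endpoint_auth_signing_alg_values_supported.one_of`, but in an entity's own configuration these metadata values are plain arrays and `one_of` is a metadata_policy operator, so the path presumably selects nothing. Depending on how `not contains` treats a missing node, the test that is meant to reject `none` and the HS* algorithms may then pass vacuously. Confirm against a fixture that advertises HS256 that the test actually fails; if it does not, the path should be `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported"` (and likewise for the token endpoint list).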
@@ -917,8 +891,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain correct type authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
 "type": "passive",
 "sessions": [
 "s1"
@@ -929,13 +903,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
 }
 ]
 }
@@ -947,8 +921,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
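Review bot: The authorization_endpoint schema in the -929 hunk pins `\"const\": \"private\"`, which no real authorization endpoint value will satisfy, and it is applied to `$.metadata.federation_entity` although every other authorization-server claim in this file is read from `$.metadata.oauth_authorization_server`. If a type check is intended, as the test name says, use the same shape as the issuer test on this page: `"check": "$.metadata.oauth_authorization_server"` with the property schema `{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"}`. The description in the -917 hunk should then say the value is an HTTPS URL rather than \"private\".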
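Review bot: The description in the -947 hunk reads `the SA metadata in the TA Entity Configuration`, which matches neither the test name nor the check in the following hunk, both of which concern the AA entity configuration. It should read `In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an HTTPS URL of an .svg file`.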
@@ -959,13 +933,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
@@ -977,8 +951,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain correct type op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
 "type": "passive",
 "sessions": [
 "s1"
@@ -989,13 +963,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
 }
 ]
 }
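Review bot: The op_policy_uri schema in the -989 hunk relies on `\"format\": \"uri\"` alone, and JSON Schema validators treat `format` as an annotation unless format assertion is switched on, so this check accepts any string; the sibling schemas on this page add `\"pattern\": \"^https://\"` and this one should too. The description for the same test in the -977 hunk says the value `is \"private\"`, which contradicts the URI check; it should say the value is an HTTPS URL. The path `$.metadata.openid_provider` for an AA entity configuration is also worth confirming against the expected entity type, since the other AA claims here are read from `oauth_authorization_server`.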
@@ -1007,8 +981,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration AA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the AA metadata contain correct type resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1019,13 +993,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_key_AA"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
 }
 ]
 }
@@ -1037,8 +1011,8 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the AA metadata contain a correct type of issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
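Review bot: The resource type check in the -1019 hunk reads `$.metadata.federation_entity`, while the presence test for the same claim earlier in this file (the -634 hunk) uses `$.metadata.oauth_resource.resource`; the two cannot both be right, and the description in the -1007 hunk names `federation_entity` as well. If the presence test is the correct one, change this check to `"check": "$.metadata.oauth_resource"` and the description to say 'oauth_resource'; otherwise the presence test needs the same correction.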
@@ -1046,11 +1020,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})"
+ }
+ ]
 }
 ]
 }
@@ -1060,8 +1041,8 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the AA metadata contain a correct logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1069,11 +1050,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
+ }
+ ]
 }
 ]
 }
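Review bot: Both schema strings in the -1046 and -1069 hunks end in `]})`, a stray `)` after the closing brace, so the embedded schema is not valid JSON and the `json schema compliant` check can only error or fail regardless of what the metadata contains. Drop the parenthesis so the strings end `,\"required\":[\"issuer\"]}` and `,\"required\":[\"logo_uri\"]}` respectively. The same malformed strings are removed from All_AA_Passive.json later in this diff, so the fix only needs to land here.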
@@ -1083,8 +1071,8 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1092,11 +1080,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ }
+ ]
 }
 ]
 }
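Review bot: The metadata schema in the -1092 hunk lists all six metadata types under `required`, so it fails for any entity that publishes fewer than six, which is every real entity; the description only asks that each key be one of the allowed types, and `\"additionalProperties\": false` already enforces that. Drop the `required` array, or reduce it to the types an AA must actually publish. A JSON parser also merges duplicate keys before the schema runs, so the 'only once' part of the description cannot be verified by this check and the description should not claim it.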
@@ -1106,20 +1101,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ }
+ ]
 }
 ]
 }
@@ -1129,8 +1131,8 @@
 },
 {
 "test": {
- "name": "Does the AA's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
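Review bot: The trust_marks schema in the -1106 hunk declares `\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}`, while the description for the same test says the parameter must be an array, and in OpenID Federation `trust_marks` is an array of objects, so a conforming entity configuration fails this test. Use `{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"trust_marks\"]}` instead.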
@@ -1146,8 +1148,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1159,8 +1161,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1176,8 +1178,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1189,8 +1191,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
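Review bot: The exp and iat checks in the -1146 and -1176 hunks now validate a non-negative integer, but the descriptions kept from the presence tests (the -1129 hunk above and the -1159 hunk here) still say only that `the presence of the exp parameter is checked`; they should say the value must be a non-negative integer timestamp. A static schema with `\"minimum\": 0` cannot distinguish an already-expired configuration from a valid one, so if 'correct' is meant to include freshness that needs a separate check rather than this schema.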
@@ -1206,8 +1208,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1219,8 +1221,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does entity configuration AA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1236,8 +1238,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_key_AA"
 }
 ]
 }
@@ -1249,8 +1251,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the AA metadata contain op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1261,12 +1263,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$..metadata.openid_provider.op_policy_uri",
 "is present": "true"
 }
 ]
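Review bot: The op_policy_uri presence check in the -1261 hunk uses recursive descent, `$..metadata.openid_provider.op_policy_uri`, so it is satisfied by a matching key nested anywhere in the payload, while every other path in this file is rooted at `$.metadata`. Use `"check": "$.metadata.openid_provider.op_policy_uri"` for the same precision as the sibling tests. The `[^\\n\\r]*` decode parameter in the same hunk is equivalent to the `[^\\r\\n]*` used elsewhere; settling on one spelling would avoid churn like this in future diffs.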
@@ -1279,8 +1281,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the AA's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1296,7 +1298,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -1309,8 +1311,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1326,7 +1328,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -1339,8 +1341,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1351,12 +1353,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$..metadata.openid_provider.op_policy_uri",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -1369,8 +1371,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1383,7 +1385,13 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_AA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1393,8 +1401,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1405,16 +1413,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -1426,8 +1431,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1438,15 +1443,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of",
- "is in": [
- "private_key_jwt"
- ]
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -1458,8 +1461,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1470,16 +1473,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -1491,8 +1491,8 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1500,12 +1500,12 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "jwt check sig": "X_key_AA"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json
index 5f61c7f..ca939e7
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
@@ -16,23 +16,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -42,8 +30,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -51,23 +39,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -77,8 +53,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -89,13 +65,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -107,8 +86,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -119,13 +98,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } @@ -137,8 +118,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" 
@@ -149,13 +130,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -167,8 +151,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -176,18 +160,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
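Review bot: `"is": "application/entity-statement+jwt"` on the Content-Type check in the @@ -176 hunk reads as an exact comparison, so a response carrying `application/entity-statement+jwt; charset=utf-8` would fail the test although the media type is correct; if `is` is exact, a regex on the media type alone (or the tool's containment check, if it has one) is safer — confirm against the tool. Separately, the checks removed from this file by the hunks at @@ -149 (trust_marks shape), @@ -176 (exp), @@ -209 (iat), @@ -239 and @@ -269 (metadata object and allowed entity types) and @@ -1019 (sub bound to the entity identifier) do not reappear in the visible hunks of All_AA_Passive.json; if they were not moved to another plan, the passive AA plan loses its freshness and subject-binding checks on the Entity Configuration, which are the ones that matter for trust-chain validation.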
@@ -197,8 +175,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -209,13 +187,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "is present": "true" } ] } @@ -227,8 +205,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the contacts claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -239,13 +217,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } @@ -257,8 +235,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -269,13 +247,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "is present": "true" } ] } @@ -287,8 +265,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the AA metadata contain the federation_resolve_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -299,13 +277,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } @@ -317,8 +295,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", + "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -329,13 +307,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } 
@@ -347,8 +325,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", + "name": "Does the AA metadata contain the grant_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -359,13 +337,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "is present": "true" } ] } @@ -377,8 +355,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", + "name": "Does the AA metadata contain the homepage_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -389,13 +367,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } @@ -407,8 +385,8 @@ }, { "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -424,7 +402,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "check": "$.metadata.oauth_authorization_server.issuer", "is present": "true" } ] @@ -437,8 +415,8 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the jwks claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -454,7 +432,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.oauth_authorization_server.jwks", "is present": "true" } ] @@ -467,8 +445,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -484,7 +462,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] @@ -497,8 +475,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -514,7 +492,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.oauth_authorization_server.op_policy_uri", "is present": "true" } ] 
@@ -527,8 +505,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the op_tos_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -544,7 +522,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "check": "$.metadata.oauth_authorization_server.op_tos_uri", "is present": "true" } ] @@ -557,8 +535,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the organization_name claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -574,7 +552,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -587,8 +565,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -604,7 +582,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] @@ -617,8 +595,8 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -634,7 +612,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", + "check": "$.metadata.oauth_resource.resource", "is present": "true" } ] 
@@ -647,8 +625,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the response_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -664,7 +642,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", + "check": "$.metadata.oauth_authorization_server.response_types_supported", "is present": "true" } ] @@ -677,8 +655,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the scopes_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -694,7 +672,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.oauth_authorization_server.scopes_supported", "is present": "true" } ] 
@@ -707,8 +685,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -724,7 +702,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "check": "$.metadata.oauth_authorization_server.token_endpoint", "is present": "true" } ] @@ -737,8 +715,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -754,7 +732,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", "is present": "true" } ] 
@@ -767,8 +745,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -784,7 +762,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] @@ -797,8 +775,8 @@ }, { "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" 
@@ -806,18 +784,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -827,27 +798,20 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_resource.resource",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
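Review bot: The JOSE-format regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` in the @@ -806 hunk is unanchored and its last group may be empty, so any body containing a dotted token such as a hostname (`www.example.org`) or a version string satisfies it — an HTML error page would pass this test. Once anchored, the alphabet also matters: JWS compact serialization uses base64url (`A-Z a-z 0-9 - _`, no `=` padding), and `\\w` excludes `-`, so a header or payload segment containing `-` would not match. Anchor it to the whole body and require a non-empty signature segment, e.g. `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`.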
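Review bot: The resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` in the @@ -827 hunk starts with an unescaped `[`, so the opening bracket opens a character class instead of matching a literal `[` and the pattern no longer describes a JSON array of strings; the check then passes or fails for reasons unrelated to the resolve response. The intended form is presumably `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also promises an HTTP 200 OK, but the operation carries only this body regex; adding the status check used at @@ -16 and a sentence in the description stating whether the implementation's resolve response is a signed JWT (in which case a JSON-array regex on the body can never match) or plain JSON would make the test self-explanatory.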
@@ -857,8 +821,8 @@ }, { "test": { - "name": "Does the AA metadata contain the response_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -869,13 +833,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -887,8 +856,8 @@ }, { "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
@@ -899,13 +868,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -917,8 +891,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -929,13 +903,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } 
@@ -947,8 +921,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" @@ -959,13 +933,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -977,8 +951,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" 
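Review bot: The description in the @@ -947 hunk says `In this test the SA metadata in the TA Entity Configuration are taken`, but the test name and the JSONPath `$.metadata.federation_entity` target the AA's own metadata, so the SA/TA wording looks copied from another plan. Suggest `In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file`.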
@@ -989,13 +963,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } @@ -1007,8 +981,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -1019,13 +993,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" } ] } 
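Review bot: The op_policy_uri schema relies solely on `"format": "uri"`, which is an annotation in most JSON Schema validators unless format assertion is switched on, so a plain `http://` link or an arbitrary string could pass while the sibling `resource` check on the same line enforces `"pattern": "^https://"`. Align it: `{"type": "object","properties": {"op_policy_uri": {"type": "string","format": "uri","pattern": "^https://"}},"required": ["op_policy_uri"]}`. Note also that `op_policy_uri` is looked up under `openid_provider` although the test is labelled as an AA metadata check; if the AA publishes it under `oauth_authorization_server`, this path never matches.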
@@ -1037,8 +1011,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -1046,11 +1020,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + } + ] } ] } @@ -1060,8 +1041,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
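Review bot: The embedded schema in the issuer check ends with `]})` — the stray `)` after the closing brace makes the `json schema compliant` string invalid JSON, so the validator will either reject the schema or the test will error out rather than evaluate the issuer claim. Change the tail to `\"required\":[\"issuer\"]}"`. It is worth a quick `jq`/python pass over all embedded schema strings in this suite to catch the same typo elsewhere.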
@@ -1069,11 +1050,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + } + ] } ] } @@ -1083,8 +1071,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
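Review bot: Same defect as the issuer test: the logo_uri schema string ends in `[\"logo_uri\"]})` and the trailing `)` makes it unparsable, so this check cannot run as written; it should end `\"required\":[\"logo_uri\"]}"`. Separately, this test now overlaps the earlier logo_uri check that additionally requires an `.svg` suffix, so once fixed one of the two is redundant unless the looser test is meant as a fallback for non-SVG logos.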
@@ -1092,11 +1080,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } 
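Review bot: The metadata schema lists all six entity types in `required`, so an AA Entity Configuration — which publishes only the types it implements — will always fail this check even though the description only says the keys "must be a value among" the six. Drop the `required` array and keep `"additionalProperties": false`, which already rejects unknown types. Also note that "cannot be repeated" cannot be verified after JSON parsing (duplicate keys are collapsed by the parser), so either remove that sentence from the description or add a raw-body regex test for it.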
@@ -1106,20 +1101,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } @@ -1129,8 +1131,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
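Review bot: The trust_marks schema types the claim as an object whose values are arrays, which contradicts the description ("It must be an array") and, as far as I recall, the OpenID Federation definition of `trust_marks` as an array of objects carrying `id` and `trust_mark`; a conforming AA would fail this test. I would use `{"type": "object", "properties": {"trust_marks": {"type": "array", "items": {"type": "object", "required": ["id", "trust_mark"]}}}, "required": ["trust_marks"]}`, adjusted if the SPID/CIE profile prescribes a different shape.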
@@ -1146,8 +1148,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -1159,8 +1161,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1176,8 +1178,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -1189,8 +1191,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
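Review bot: The descriptions of the exp and iat tests still say only "the presence of the ... parameter is checked", while the new schemas also assert a non-negative integer; the report text should match, e.g. `... and the exp parameter is checked. It must be present and be a non-negative integer timestamp`. A passive check that `exp` is not in the past and is greater than `iat` would be the security-relevant addition here, if mig-t can compare claims; as written a configuration with `exp: 0` passes.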
@@ -1206,8 +1208,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -1219,8 +1221,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does entity configuration AA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -1236,8 +1238,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -1249,8 +1251,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the AA metadata contain op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", "type": "passive", "sessions": [ "s1" @@ -1261,12 +1263,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$..metadata.openid_provider.op_policy_uri", "is present": "true" } ] 
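Review bot: The op_policy_uri presence check uses recursive descent `$..metadata.openid_provider.op_policy_uri`, which also matches the claim wherever a nested `metadata` object appears (for example inside a policy or trust-mark payload), unlike every sibling check that uses the direct `$.metadata.openid_provider...` path; use `$.metadata.openid_provider.op_policy_uri`. The sub test on the same line compares `$.sub` with the fixed string `X_key_AA` even though the description says the value must equal `iss`; if `X_key_AA` is a substituted placeholder that is fine, otherwise save `$.iss` and compare with `"use variable": "true"` as done in the Token request test.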
@@ -1279,8 +1281,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the AA's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1296,7 +1298,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.trust_marks", "is present": "true" } ] @@ -1309,8 +1311,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1326,7 +1328,7 @@ "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.exp", "is present": "true" } ] 
@@ -1339,8 +1341,8 @@ }, { "test": { - "name": "Does the AA metadata contain op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1351,12 +1353,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata.openid_provider.op_policy_uri", + "check": "$.iat", "is present": "true" } ] @@ -1369,8 +1371,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1383,7 +1385,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_AA" + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -1393,8 +1401,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1405,16 +1413,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.jwks", + "is present": "true" } ] } @@ -1426,8 +1431,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" 
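Review bot: The hunk at -1405 drops the allow-list check that `dpop_signing_alg_values_supported.one_of` is restricted to `RS256`/`RS512`, replacing it with a jwks presence test, and nothing visible in this file re-adds a DPoP algorithm constraint. If the check was moved to a dedicated test file this is fine, otherwise the AA suite no longer catches a DPoP configuration advertising `none` or HMAC algorithms; please confirm or restore `{"in": "payload", "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", "is in": ["RS256", "RS512"]}`.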
@@ -1438,15 +1443,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata", + "is present": "true" } ] } @@ -1458,8 +1461,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1470,16 +1473,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.sub", + "is present": "true" } ] } 
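Review bot: Both positive checks removed here — `token_endpoint_auth_methods_supported.one_of` is in `["private_key_jwt"]` and `token_endpoint_auth_signing_alg_values_supported.one_of` is in `["RS256","RS512"]` — are replaced by mere presence tests on `$.metadata` and `$.sub`, and the only algorithm test left in this file is the `not contains` deny-list on the signing algs. A deny-list does not enforce `private_key_jwt` as the sole client-auth method, so an AA advertising `client_secret_basic` would now pass this file. If the allow-lists live on in separate per-claim test files, a comment in the commit message pointing there would help; otherwise keep them here.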
@@ -1491,8 +1491,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -1500,12 +1500,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_AA" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json index 024ba49..23e5760 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json 
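Review bot: The Content-Type test (`application/entity-statement+jwt`) is removed from this file and not visibly replaced, so the suite no longer checks the media type the Entity Configuration response is served with; keep it unless it exists elsewhere, e.g. `{"in": "head", "url decode": false, "is": "application/entity-statement+jwt", "check param": "Content-Type"}`. The signature test that takes its place verifies with the fixed `"jwt check sig": "X_key_AA"`, while its description says the key must come from a superior's Entity Statement; if `X_key_AA` is resolved from the AA's own `jwks`, the check is self-attesting and should be noted as such in the description.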
@@ -7,27 +7,20 @@ "tests": [ { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -37,27 +30,20 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
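Review bot: This test ("Does the Entity expose the /.well-known/openid-federation endpoint") is now byte-identical to the previous one — both only match `HTTP/?\d?\.?\d?\s200` in the head — so it adds no coverage, and its description promises that "its entity configuration is expected as response", which a status line does not show. Make the second test check the body for a compact JWS instead, `{"in": "body", "check regex": "([\\w\\-=]+)\\.([\\w\\-=]+)\\.([\\w\\-\\+\\/=]*)", "is present": "true"}`, which is the check this commit removes from the AA file.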
@@ -67,25 +53,40 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", - "type": "passive", + "name": "Does the JWT payload contain a correct sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ], "checks": [ { + "use variable": "true", "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.sub", + "contains": "saved_iss" } ] } 
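Review bot: The client_assertion check uses `"contains": "saved_iss"` although the description requires `sub` to be the same as `iss`; a substring match accepts a `sub` such as `<iss>/anything` or a longer identifier that merely embeds the issuer. Use an equality comparison with the saved variable, `"is": "saved_iss"` alongside `"use variable": "true"`, as the fixed-value checks in this suite do. The `(?<=client_assertion=)([^&]+)` extraction assumes the form value is not percent-encoded, which holds for base64url JWTs but would break if a client encodes the dots.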
@@ -97,25 +98,27 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } 
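Review bot: This hunk changes `"decode param"` back to `"decode regex"` for the RP metadata tests while the AA file in the same commit migrates every `"decode regex"` to `"decode param"`; if mig-t only honours one of the two key names, the decode operation on one side silently never runs and the checks never fire. Pick one key across the repository. The check also only inspects `client_registration_types[0]`; if the array ever lists another type first the `automatic` requirement is missed, so prefer `"check": "$.metadata.openid_relying_party.client_registration_types"` with `"contains": "automatic"` on the whole array.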
@@ -127,25 +130,28 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
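Review bot: `grant_types[0]` with `"is in": ["authorization_code", "refresh_token"]` passes when the first element is either value, so metadata advertising only `refresh_token`, or `authorization_code` followed by `implicit`, satisfies a test whose description says both must be present. Check the whole array instead, with two `contains` checks on `$.metadata.openid_relying_party.grant_types` (one for `authorization_code`, one for `refresh_token`), and, if the profile forbids other grants, a schema with `"items": {"enum": ["authorization_code", "refresh_token"]}`.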
@@ -157,25 +163,28 @@ }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -187,25 +196,28 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -217,25 +229,28 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -247,25 +262,27 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } 
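Review bot: The description says the value "is 'one_of': 'private_key_jwt'", but the check reads the plain metadata value `$.metadata.openid_relying_party.token_endpoint_auth_method`, not a metadata-policy `one_of` entry; rewrite it as `the value of the 'token_endpoint_auth_method' parameter is 'private_key_jwt'` so the report matches the assertion.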
@@ -277,25 +294,28 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is in": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -307,25 +327,28 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.jwks",
- "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
+ "is in": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
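Review bot: The description in this hunk reads "the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512']", which mixes the wording of the presence tests with what is actually a value check (`"is in"`). Suggest `"description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_enc' parameter is one of ['A128CBC-HS256', 'A256CBC-HS512']"` so the text matches the check, as the sibling alg tests in this file do.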
@@ -337,15 +360,15 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the contacts parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
@@ -354,8 +377,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -367,15 +393,15 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the RP metadata contain in the 'response_types' the value 'code'",
+ "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
@@ -384,8 +410,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.response_types[0]",
+ "is in": [
+ "code"
+ ]
 }
 ]
 }
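Review bot: In the last hunk on this line, `"check": "$.metadata.openid_relying_party.response_types[0]"` with `"is in": ["code"]` inspects only the first element of `response_types`, so an RP that registers `["code", "id_token"]` passes although it advertises a second type, and one that lists `code` in any position but the first fails. The description promises that the array "contains the value 'code'"; if the runner can evaluate a check against the whole array, `"check": "$.metadata.openid_relying_party.response_types"` with a membership check would express that intent. The same `[0]` indexing is used again in the active 'response_type' test later in this file.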
@@ -397,27 +425,21 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Entity Configuration response RP",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
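Review bot: `"url decode": false` is a JSON boolean, while the flags in the neighbouring hunks (`"is present": "true"`, `"use variable": "true"`) are the string `"true"`; if the runner compares one of these forms literally, the other is silently treated as unset, so the file should settle on one representation for boolean options. The `"is": "application/entity-statement+jwt"` comparison is presumably an exact match, which is the right strictness for the Content-Type the federation spec requires; note only that a header carrying a parameter such as `; charset=utf-8` will then be reported as a failure rather than a near miss.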
@@ -427,25 +449,53 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
- "type": "passive",
+ "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP",
+ "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.client_id",
+ "as": "client_id"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.client_id",
+ "contains": "client_id"
 }
 ]
 }
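Review bot: The new 'Entity Configuration response RP' intercept decodes the body with `"decode param": "[^\\r\\n]*"`, whereas every passive hunk in this file renames exactly that key to `"decode regex"` for the same pattern, and `"decode param"` is otherwise used for a named URL parameter (`"decode param": "request"` in this same hunk). The same mix appears in the next five active tests (iss, redirect_uri, response_type, client_assertion iss, aud); if the runner treats the two keys differently, the body is never decoded and the comparison never runs, so each of them should read `"decode regex": "[^\\r\\n]*"`. Separately, `"contains": "client_id"` is presumably a substring match against the saved variable; an exact comparison, if the tool offers one, would also reject a metadata client_id that merely contains the value sent in the request.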
@@ -457,25 +507,53 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
- "type": "passive",
+ "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.client_id",
+ "contains": "iss"
 }
 ]
 }
@@ -487,25 +565,53 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the homepage_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
- "type": "passive",
+ "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.redirect_uri",
+ "as": "redirect_uris"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.redirect_uris",
+ "contains": "redirect_uris"
 }
 ]
 }
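Review bot: The comparison `"check": "$.metadata.openid_relying_party.redirect_uris"` with `"contains": "redirect_uris"` tests whether the serialized `redirect_uris` array contains the request's `redirect_uri` as a substring, if `contains` has its usual meaning. OIDC requires the redirect_uri to exactly match one registered URI, so a request value that is a prefix of a registered one (or a registered value missing a trailing path segment) passes this test while a correct OP would reject it. An element-wise equality check against the array, if the runner provides one, would make the test reflect that rule; naming the saved variable `redirect_uri` rather than `redirect_uris` would also keep it distinct from the metadata claim.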
@@ -517,25 +623,53 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the logo_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
- "type": "passive",
+ "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.response_type",
+ "as": "response_types_supported"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.response_types[0]",
+ "contains": "response_types_supported"
 }
 ]
 }
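Review bot: The description says the request's 'response_type' must equal the 'response_types_supported' parameter of the OP metadata, but the second intercept is 'Entity Configuration response RP' and the check reads `$.metadata.openid_relying_party.response_types[0]`, i.e. the RP's own registered types; the saved variable is nevertheless named `response_types_supported`. Either the description and the variable should follow the check (e.g. `"as": "response_type"`, `"contains": "response_type"`, and "must be one of the 'response_types' in the RP metadata"), or the intercept should target the OP metadata as described. As in the passive 'code' test, `[0]` only examines the first registered type.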
@@ -547,25 +681,53 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the organization_name parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
- "type": "passive",
+ "name": "Does the JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.metadata.openid_relying_party.client_id",
+ "as": "client_id"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$.iss",
+ "contains": "client_id"
 }
 ]
 }
@@ -577,25 +739,53 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the policy_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
- "type": "passive",
+ "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "saved_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$.aud[0]",
+ "contains": "saved_iss"
 }
 ]
 }
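Review bot: `"decode param": "(?<=\"id_token\": \")[^\"]+"` only matches a token response that is pretty-printed with a space after the colon; a compact body `{"id_token":"..."}` is not decoded, and the aud check then never executes. A lookbehind tolerant of the optional space, e.g. `"(?<=\"id_token\": ?\")[^\"]+"`, avoids that if the regex engine accepts bounded-length lookbehind. Also `"check": "$.aud[0]"` assumes `aud` is an array, whereas RFC 7519 also allows a single string, and the description says the value must be the RP's client_id while the saved variable is the Entity Configuration's `$.iss`; the client_assertion test in the previous hunk saves `$.metadata.openid_relying_party.client_id`, which is the more direct source for the same comparison.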
@@ -607,25 +797,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration SA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the RP metadata contain the 'client_id' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_SA"
+ "check": "$.metadata.openid_relying_party.client_id",
+ "is present": "true"
 }
 ]
 }
@@ -637,20 +827,27 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the RP metadata contain the 'client_registration_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.client_registration_types",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -660,20 +857,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the RP metadata contain the contacts claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -683,20 +887,27 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the RP metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -706,20 +917,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the RP metadata contain the grant_types claim",
+ "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.grant_types",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
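Review bot: This test ('Does the RP metadata contain the grant_types claim') and the one in the next hunk ('Does the RP metadata contain the 'grant_types' parameter') are the same check: same message type, same decode operation, same `"check": "$.metadata.openid_relying_party.grant_types"` with `"is present": "true"`. One of the two should be dropped, or its name and description should state what differs, otherwise the suite reports the same finding twice. The same duplication exists for the two "Does the RP metadata contain the 'jwks' parameter" tests further down in this file.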
@@ -729,20 +947,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the RP metadata contain the 'grant_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.grant_types",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -752,20 +977,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the RP metadata contain the homepage_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -775,20 +1007,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -798,20 +1037,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -821,26 +1067,25 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is present": "true"
 }
 ]
 }
@@ -852,26 +1097,25 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -883,53 +1127,55 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
- "type": "active",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "client_assertion",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.jwks",
+ "is present": "true"
 }
 ]
 }
 ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the RP metadata contain the logo_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
 {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.iss",
- "contains": 
"conf_iss"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -941,53 +1187,25 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
- "type": "active",
+ "name": "Does the RP metadata contain the organization_name claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA RP",
- "decode operations": [
- {
- "from": "url",
- "decode param": "client_assertion",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -999,24 +1217,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] @@ -1029,24 +1247,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_relying_party.redirect_uris", "is present": "true" } ] 
@@ -1059,24 +1277,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", "is present": "true" } ] @@ -1089,24 +1307,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", "is present": "true" } ] 
@@ -1119,24 +1337,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", "is present": "true" } ] @@ -1149,24 +1367,24 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", "is present": "true" } ] 
@@ -1179,24 +1397,24 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain the trust marks", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is present": "true" } ] 
@@ -1209,24 +1427,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata.openid_relying_party.response_types", "is present": "true" } ] 
@@ -1239,27 +1457,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
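Review bot: The body regex in the new "JOSE format" check is unanchored and lets the third group be empty (`*`), so any body containing two dots — a plain-text error page mentioning a hostname, for instance — satisfies it, and an unsigned `alg=none` compact serialization passes as well. The first two groups admit `=` but not `-`, which is the reverse of the base64url alphabet a compact JWS actually uses. Anchor it and require three non-empty segments: `"check regex": "^([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]+)$"`. The description also promises `Content-Type: application/entity-statement+jwt`, yet nothing in the operation inspects the head; adding a second check `{"in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true"}` would make the test match its own description.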
@@ -1269,27 +1480,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
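Review bot: The `check regex` for the resolve response starts with an unescaped `[`, which opens a character class instead of matching a literal bracket, so the pattern does not test for the JSON string array it appears to intend; it should read `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"` (with the inner quotes escaped for JSON). The description expects an HTTP 200 OK, but no head check is made; a status check such as `{"in": "head", "check regex": "HTTP/1\\.[01] 200", "is present": "true"}` would pin that. Whether the resolve endpoint under test returns a bare JSON array or a signed JWT cannot be told from this hunk; if it is a JWT, the three-segment compact form used by the other checks in this patch is the right pattern instead.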
@@ -1299,27 +1503,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
@@ -1329,27 +1526,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy", - "is present": "true" - } - ] + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } 
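Review bot: The client_assertion pattern in the revocation test does not enforce what the test name claims ("signed JWT structure"): the signature group is `([\\w\\-]*)`, which accepts an empty third segment, so an `alg=none` assertion with a trailing dot passes. The header and payload groups use `[\\w]+`, which excludes `-`, a legal base64url character, so a genuine signed assertion whose header or payload contains `-` may fail to match as a whole; because the regex is unanchored it can still succeed on a substring, which makes the outcome arbitrary. Use `"check regex": "client_assertion=([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]+)(?:&|$)"` so all three segments are required and the full base64url alphabet is covered.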
@@ -1359,27 +1549,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
@@ -1389,27 +1572,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
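Review bot: The token-request client_assertion regex accepts an empty signature segment (`*` on the third group), so an unsigned `alg=none` JWT passes a check whose whole purpose is that the RP authenticates with a signed assertion. The character classes also admit `=`, `+` and `/`, which are standard-base64 characters that never appear in a compact JWS, while the first two groups omit `-`, which does. `"check regex": "client_assertion=([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]+)(?:&|$)"` matches the real alphabet and requires a signature; the same `[\\w=]`/`*` pattern is reused by the introspection and revocation token checks in this patch and deserves the same fix wherever the token is known to be a JWT.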
@@ -1419,27 +1595,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "head", + "check regex": "POST", + "is present": "true" } ] } 
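Review bot: `"check regex": "POST"` against the whole head matches the substring anywhere — in the path, the query string or a header value such as `Referer` — so a GET token request whose URL happens to contain "POST" passes. Assuming the request line is the first line of the head, anchoring it as `"check regex": "^POST\\s"` restricts the match to the method. The description should also state that only the method is verified here, not the body encoding.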
@@ -1449,27 +1618,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "head", + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
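Review bot: `Authorization:\\s?Bearer\\s?` makes both separators optional, so `Authorization:Bearerxxx.yyy.zzz` passes even though the scheme is not separated from the token, and the third group's `*` again accepts an empty signature. Three dot-separated segments are a format check, not the "valid Access Token" the description promises — no signature, expiry or audience is verified here — so the description should say "has the shape of a JWT". `"check regex": "Authorization:\\s*Bearer\\s+([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]+)"` enforces the separator and non-empty segments.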
@@ -1479,15 +1641,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1496,8 +1658,10 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -1509,15 +1673,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1526,8 +1690,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
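Review bot: The description still says only "the presence of the exp parameter is checked", but the new schema also requires it to be a non-negative integer, and the test name now says "correct exp"; update the description to `... and it is checked that exp is present and is a non-negative integer`. Nothing here verifies that exp lies after iat or in the future, which a static schema cannot express; if that is wanted it needs a separate check, and the description should not imply it.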
@@ -1539,15 +1703,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1556,8 +1720,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1569,15 +1733,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1586,8 +1750,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -1599,25 +1763,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } 
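Review bot: The test name says "greater than 32 characters" and the description says "alphanumeric", but the schema pattern `^[\u0020-\u007E]{32,}$` accepts exactly 32 or more of any printable ASCII character, spaces and punctuation included, so one of the two should change. If the intent is at least 32 alphanumerics, `\"pattern\": \"^[A-Za-z0-9]{32,}$\"` does it; otherwise rename to "at least 32 characters" and describe the class as printable ASCII. The nonce test that follows has the same mismatch.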
@@ -1629,25 +1793,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } 
@@ -1659,25 +1823,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -1689,32 +1853,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } 
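Review bot: The grant_types schema uses `\"requirement\":[\"grant_type\"]`, which is not a JSON Schema keyword and names the wrong property, so an RP whose metadata omits `grant_types` entirely passes this check; it should be `\"required\":[\"grant_types\"]`, as the grant_types-value test in the next hunk already writes it. This hunk also flips `"decode regex"` back to `"decode param"` for the body regex, while the earlier hunks of this same patch replace `decode param` with `decode regex`; whichever key mig-t honours for a body regex, the two should agree or one set of tests will not decode the JWT at all.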
@@ -1726,32 +1883,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } 
@@ -1763,32 +1913,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
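Review bot: The logo_uri pattern `^(https?://).*\\.svg$` accepts cleartext `http://`, while the sibling client_id and redirect_uris checks in this patch insist on `https://`; if the profile does not permit an http logo, tighten it to `\"pattern\":\"^https://.*\\\\.svg$\"`. The `.svg$` suffix also rejects an otherwise valid SVG URL carrying a query string, which may or may not be intended — the description only says "an URL" and should state the format restriction it actually enforces.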
@@ -1800,32 +1943,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } 
@@ -1837,32 +1973,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
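Review bot: The metadata-types schema lists all six entity types under `\"required\"`, so an RP Entity Configuration that carries only `openid_relying_party` and `federation_entity` fails, which contradicts the description ("must be a value among the following"). Closed-set membership is already provided by `\"additionalProperties\": false` together with the six `properties`; drop the `required` array, or reduce it to the types the RP under test is expected to publish. "Only once for each" cannot be verified after JSON parsing, since duplicate keys collapse in the parser; if that matters, it needs a raw-body check rather than a schema.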
@@ -1874,32 +2003,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } 
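Review bot: The schema only pins `response_types` to an array, so `[]` or an array of non-strings passes; tighten it to `"response_types": {"type": "array", "items": {"type": "string"}, "minItems": 1}`. The name reads "as a json" — "as a JSON array" says what is actually checked, and the description should end with "is checked to be a JSON array". The test object's `result` field lies outside the hunk.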
@@ -1911,32 +2033,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } 
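Review bot: The `trust_marks` schema constrains only the container type, so an array of numbers or empty objects satisfies a test named "correct trust_marks parameter". The tests this hunk replaces read `$.trust_marks[0].trust_mark`, so at minimum each item should be an object that carries `trust_mark` (and, presumably, `id` — confirm against the profile): `"trust_marks": {"type": "array", "items": {"type": "object", "required": ["id", "trust_mark"]}}`. The test object's `result` field lies outside the hunk.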
@@ -1948,32 +2063,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } 
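Review bot: The `aud` schema applies `format: uri-reference` to an array, where JSON Schema ignores `format` (it only applies to strings), so the URL check the description promises is never performed; and since RFC 7519 allows `aud` to be a single string, a valid assertion with a string `aud` fails the `type: array` constraint. Use `"aud": {"oneOf": [{"type": "string", "format": "uri"}, {"type": "array", "minItems": 1, "items": {"type": "string", "format": "uri"}}]}`, and remember `format` is assertive only if the validator enables it — a `"pattern": "^https://"` is the robust way to require an HTTPS URL, which is what the profile expects if the audience must be the token endpoint. The test object's `result` field lies outside the hunk.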
@@ -1985,32 +2093,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
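Review bot: `"minimum": 0` only rejects negative values, so an `exp` of 0 or any past timestamp satisfies this check while the assertion is already expired; as a passive type check that is acceptable, but the description should say "must be a non-negative integer timestamp (type only)" rather than imply the value is validated, and "timestap" should read "timestamp". If the harness can compare claims, a companion check that `exp` is greater than `iat` would make this test meaningful. The test object's `result` field lies outside the hunk.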
@@ -2022,32 +2123,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
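Review bot: The `iat` schema accepts any non-negative integer, including one far in the future, so the description's claim that the value "must be a timestap" is really only a type assertion; reword it to "must be a non-negative integer (type check only)" and fix the spelling to "timestamp". The test object's `result` field lies outside the hunk.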
@@ -2059,32 +2153,71 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the Revocation Request contain correct client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "https://example.com", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" + } + ] + } + ], + "result": "assert_only" + } + }, + { + "test": { + "name": "Does entity configuration RP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_url_RP" } ] } @@ -2096,32 +2229,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" } ] } 
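Review bot: The revocation-tamper test accepts only a 401 (`HTTP/?\d?\.?\d?\s401`), but RFC 6749 §5.2, which RFC 7009 reuses for revocation errors, prescribes 400 for `invalid_client` unless the client authenticated via the `Authorization` header, so an OP that correctly answers `400 invalid_client` to this body-authenticated request fails the test; loosen the head check to `"check regex": "HTTP/?\\d?\\.?\\d?\\s40[01]"` and keep the `invalid_client` body check. The injected value `https://example.com` is written raw into a form-encoded body where `:` and `/` should be percent-encoded (`https%3A%2F%2Fexample.com`); most servers tolerate it, but the encoded form avoids depending on that. The test name says the request "contain[s] correct client_id", yet the test tampers with it and asserts the OP's rejection — rename it to "Does the OP reject a Revocation Request whose client_id does not match the authenticated RP". The `sub` test in the same hunk compares `$.sub` with `X_url_RP` although its description says it must equal `iss`; either check `$.iss` the same way or reword the description, and note its `result` field lies outside the hunk.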
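Review bot: The `client_id` check compares against `x_https_RP`, while every other placeholder in this range is capitalised (`X_url_RP`, `X_key_SA`); if the harness substitutes variables by exact name this one is never resolved and the check compares the metadata value with the literal string `x_https_RP`, failing every run. Change it to `"is": "X_url_RP"` so the `client_id` is checked against the same RP identifier the `sub` test uses, unless a distinct `X_https_RP` variable is defined elsewhere. The test object's `result` field lies outside the hunk.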
@@ -2133,33 +2259,22 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] 
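Review bot: The description says the `grant_type` parameter is read from the URL of the token request, but the check runs `in: body`, which is where a token request carries its form parameters; reword to "The grant_type parameter in the body of the token request sent by the RP must be set to authorization_code or refresh_token". The lookbehind `(?<=grant_type=)` is not anchored to a parameter boundary, so a parameter whose name merely ends in `grant_type` would also satisfy it; if the regex engine supports it, `(?<=(?:^|&)grant_type=)([^&]+)` removes that ambiguity. The test object's `result` field lies outside the hunk.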
@@ -2170,32 +2285,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -2207,32 +2315,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -2244,32 +2345,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -2281,32 +2375,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
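Review bot: The check asserts only that `$.jwks` exists; an Entity Configuration with `"jwks": {}` or `"jwks": {"keys": []}` passes even though it carries no key with which its own signature could ever be verified. Replace the presence check with a `json schema compliant` check on `$.jwks` that requires a `keys` array with `"minItems": 1`, mirroring how the metadata tests in this file validate structure. The test object's `result` field lies outside the hunk.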
@@ -2318,32 +2405,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "is present": "true" } ] } 
@@ -2355,32 +2435,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -2392,32 +2465,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.acr_values", + "is present": "true" } ] } 
@@ -2429,32 +2495,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.aud", + "is present": "true" } ] } 
@@ -2466,32 +2525,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -2503,32 +2555,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.client_id", + "is present": "true" } ] } 
@@ -2540,32 +2585,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -2577,32 +2615,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -2614,32 +2645,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -2651,32 +2675,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.nonce", + "is present": "true" } ] } 
@@ -2688,32 +2705,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.prompt", + "is present": "true" } ] } 
@@ -2725,32 +2735,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.redirect_uri", + "is present": "true" } ] } 
@@ -2762,32 +2765,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.response_type", + "is present": "true" } ] } 
@@ -2799,32 +2795,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.scope", + "is present": "true" } ] } 
@@ -2836,32 +2825,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.state", + "is present": "true" } ] } 
@@ -2873,21 +2855,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.ui_locales", + "is present": "true" + } + ] } ] } 
@@ -2897,21 +2885,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the RP's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
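Review bot: The new `$.trust_marks` check only tests that the key exists, so an Entity Configuration carrying `"trust_marks": []` or a non-array value passes. The tests this hunk replaces used `"json schema compliant"` for exactly this kind of shape constraint; a follow-up check with a minimal schema requiring a non-empty array of objects would make the test match its name. The description also says the payload is decoded with "Base64 encoding" while the sibling tests correctly say base64url; I would align it: `"description": "... the payload is base64url decoded and the presence of the trust_marks parameter is checked."`.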
@@ -2921,21 +2915,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the signed JWT assertion contain the aud claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.aud",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
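Review bot: The `$.aud` check, and the `exp`, `iat`, `iss`, `jti` and `sub` checks in the following hunks, only assert that the claim is present in the `client_assertion` JWT; an assertion whose `aud` is not the OP's token endpoint, whose `exp` is already in the past, or whose `sub` does not match the `client_id` passes all six tests. Presence is a reasonable first step for a passive test, but the test names ("Does the signed JWT assertion contain ...") should not be read as validating the claim values, so I would add one sentence to each description, e.g. `"... checking if the aud claim is present. Its value is not compared with the token endpoint in this test."`. If the runner supports a value comparison in decode-operation checks (this file uses `"is"` and `"is in"` in other checks), a separate value test per claim would close the gap.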
@@ -2945,105 +2945,87 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct value for organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
+ "name": "Does the signed JWT assertion contain the exp claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct value for organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
+ "name": "Does the signed JWT assertion contain the iat claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the JWT payload contain 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Token request",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
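Review bot: The third test in this hunk is named `"Does the JWT payload contain 'iss' claim"` while its five siblings are named `"Does the signed JWT assertion contain the <claim> claim"`; since the tests are identical apart from the claim, the name should follow the same pattern, `"name": "Does the signed JWT assertion contain the iss claim"`. The two `"result"` values in this hunk change from the array `["s1"]` to the string `"correct flow s1"`, which changes the type of that key; the other tests' `result` values fall outside the hunks, so I cannot tell from here whether the string form is the one the runner expects, but it is worth a check that every test in the file now uses the same form. Minor: the `exp` description is the only one of the set without a trailing period.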
@@ -3053,32 +3035,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the signed JWT assertion contain the jti claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jti",
+ "is present": "true"
 }
 ]
 }
@@ -3090,32 +3065,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the signed JWT assertion contain the sub claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -3127,34 +3095,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
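Review bot: The description says that the presence of `code_challenge` means the request "is using PKCE and is compliant", but the check only looks for the parameter name in the URL; a `code_challenge` with an empty or too-short value, or one sent with `code_challenge_method=plain`, passes this test. I would keep the description to what the check proves, e.g. `"description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. Its value and the challenge method are verified by separate tests."`, and fix the typo `than` → `then`. Note also that the earlier JWT-based tests in this file inspect the signed `request` object while this one inspects the bare query string; if the RP puts `code_challenge` only inside the request JWT, this check may not see it.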
@@ -3164,34 +3118,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
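Review bot: Presence of `code_challenge_method` is checked but its value is not, so an RP sending `code_challenge_method=plain` passes even though the plain method gives none of the protection PKCE is meant to provide. This file already uses the `"is"` key for value comparison in other checks (the removed Content-Type check in an earlier hunk used `"is": "application/entity-statement+jwt"` together with `"check param"`); a second check `"check": "code_challenge_method"` with `"is": "S256"` in the same `checks` array, if the runner accepts `"is"` for URL parameters, would pin the method. The description should then say what is verified: presence here, value in the companion check.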
@@ -3201,34 +3141,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the RP insert the client ID in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "client_id"
 }
 ]
 }
@@ -3238,34 +3164,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the RP insert the response type in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "response_type"
 }
 ]
 }
@@ -3275,34 +3187,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the Introspection Request contain the client_assertion",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
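Review bot: `"check regex": "client_assertion"` is an unanchored substring match, so a body that contains only `client_assertion_type=...` and no `client_assertion` at all satisfies it; the same pattern is reused for the introspection, revocation and token request hunks that follow, and the `code` regex in the token-request hunk is satisfied by `code_verifier=`, while the `token` regex can be satisfied by `token_type_hint=` if the RP sends it. Anchoring the pattern to a form parameter boundary, e.g. `"check regex": "(^|&)client_assertion="`, `"(^|&)code="`, `"(^|&)token="`, makes each test check the parameter it is named after. This applies to every `check regex` added in this series of hunks, not only this one.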
@@ -3312,34 +3210,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the Introspection Request contain the client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -3349,34 +3233,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
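Review bot: The test is named "contain the client_assertion as a valid JWT" and its description promises that the value "is a signed JWT structure", but the check is byte-for-byte the same presence regex as the previous test, so nothing about the JWT structure is verified and the two tests cannot fail independently. The token-request hunks in this same file show the shape that would do what the name says: a `decode operations` entry with `"from": "body"`, `"decode param": "(?<=client_assertion=)([^&]+)"` and `"type": "jwt"`, which fails when the extracted value is not a decodable JWT, optionally followed by a `checks` entry on the payload. Until that is in place, the name and description should be reduced to what is actually checked, or the duplicate removed.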
@@ -3386,34 +3256,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does the Introspection Request contain the client id of the RP making the request",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -3423,34 +3279,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the Introspection Request use HTTP POST",
+ "description": "The Introspection request made by the RP use HTTP POST",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
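Review bot: `"in": "url"` with `"check": "POST"` tests whether the string `POST` occurs in the request URL, which is not where the HTTP method lives; a GET to an introspection URL that happens not to contain `POST` fails and a GET to one that does would pass, so the test does not decide what its name says. If the runner exposes the request line or headers (this file's removed Content-Type test used `"in": "head"` with `"check param"`), the method should be checked there; if the runner has no way to inspect the method, the test should be dropped rather than left as a false positive source. The description `"The Introspection request made by the RP use HTTP POST"` should also read `uses`.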
@@ -3460,34 +3302,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
+ "name": "Does the Introspection Request contain the token",
+ "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -3497,34 +3325,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the Revocation Request contain the client assertion",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
@@ -3534,34 +3348,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does the Revocation Request contain the client_assertion_type",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -3571,34 +3371,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does the Revocation Request contain the client_id of the RP making the request",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -3608,34 +3394,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the Revocation Request contain the token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -3645,34 +3417,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the token request contain the client_assertion",
+ "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
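Review bot: The description says the token request "must contain client_assertion parameter in the URL", but the check is `"in": "body"`, and the token request is a POST whose parameters travel in the form body, so the description contradicts both the check and the message being tested. The same wording is repeated in the five token-request hunks that follow (`client_assertion_type`, `client_id`, `code`, `code_verifier`, `grant_type`); I would change each to match the check, e.g. `"description": "The token request sent by the RP is taken and the presence of the client_assertion parameter in the request body is checked."`. Leaving "in the URL" invites someone to later flip `"in"` to `"url"` to match the text, which would make all six tests fail on a correct RP.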
@@ -3682,34 +3440,20 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the token request contain the client_assertion_type",
+ "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -3719,34 +3463,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the token request contain the client_id",
+ "description": "The token request sent by the RP must contain client_id parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -3756,34 +3486,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the token request contain the code parameter",
+ "description": "The token request sent by the RP must contain code parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code"
 }
 ]
 }
@@ -3793,34 +3509,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the token request contain the code_verifier parameter",
+ "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code_verifier"
 }
 ]
 }
@@ -3830,34 +3532,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } 
@@ -3867,34 +3555,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
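Review bot: `"check regex": "token"` on the revocation request body is satisfied by a `token_type_hint=...` parameter alone, so a revocation request that lacks the `token` parameter still passes this test; `"check regex": "(^|&)token="` targets the parameter itself. The description also promises that the request revokes "only the access token", but nothing in the check compares the revoked value with the token issued earlier in the session or inspects `token_type_hint`, so the description claims more than the test establishes. Trimming it to "there has to be a request to the OP's revocation endpoint carrying the token parameter" keeps it accurate unless a further check is added.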
@@ -3904,34 +3578,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] - } - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } 
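Review bot: `"check param": "Authorization"` only establishes that some Authorization header is present in the UserInfo request, while the description requires an Access Token there; an `Authorization: Basic ...` or empty header would satisfy it. Since the file already applies `"check regex"` to `"in": "head"` elsewhere in this diff, `"check regex": "Authorization:\\s*Bearer\\s+\\S+"` would tie the check to a bearer token. Whether `check param` on `head` matches header names case-insensitively is not visible here and is worth confirming.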
@@ -3941,34 +3601,21 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] - } - ] + "jwt check sig": "X_key_RP" } ] } 
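Review bot: The body JWT is extracted with `"decode param": "[^\\r\\n]*"`, whereas the same extraction in the RP-metadata hunks @@ -4237 and @@ -4274 uses `"decode regex": "[^\\r\\n]*"`, and `"decode param"` is otherwise given a parameter name (`"decode param": "request"` on the url); if `decode param` is resolved as a name, the pattern never matches and the signature check runs on nothing. Hunk @@ -3978 uses the same key with `(?<=client_assertion=)([^&]+)`, presumably also meant as `"decode regex"`; verify against the decoder before merging. Separately, the description says the verification key must come from a superior's Entity Statement, yet the check references `X_key_RP`; if that placeholder is filled from the RP's own Entity Configuration jwks, the test only shows the statement is self-consistent, not that it chains to a superior.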
@@ -3978,34 +3625,21 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "jwt check sig": "X_key_core_RP" } ] } 
@@ -4015,34 +3649,20 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" - } - ] - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
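Review bot: The client_id check applies `"json schema compliant"` with `"check": "$"` to `"in": "body"` of the introspection request, but that body is form-encoded rather than a JSON document, and the neighbouring hunk @@ -4126 checks the same request with `"check": "client_id", "is": ...` on the body; unless the tool parses form bodies into JSON before evaluating JSONPath, this schema can never be evaluated. The same pattern is used in the revocation and token request hunks @@ -4052 and @@ -4089. Also, the test runs in session `s_CIE_introsp` but its result is `"correct flow s1"`; if the result string names the session whose flow must succeed, it should presumably reference the introspection session.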
@@ -4052,34 +3672,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -4089,34 +3695,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
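Review bot: The embedded schema string ends with `\"required\":[\"client_id\"]})` — the `)` after the closing brace makes the schema unparseable, so this check errors or fails regardless of the client_id value. Drop the stray character: `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"`. The description again says the parameter is in the URL while the check reads `"in": "body"`.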
@@ -4126,34 +3718,66 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check": "client_id", + "is": "X_url_RP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": 
"payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } @@ -4163,34 +3787,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
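Review bot: The descriptions of the new introspection and revocation client_assertion_type tests spell the URN `urn:ietf:params:oauth:clientassertion-type:jwt-bearer`, while the checks assert the correct `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the description should match the asserted value. The introspection client_id test compares against `X_url_RP`, whereas the token request test in hunk @@ -4200 compares the same RP identifier against `X_https_RP`; if both placeholders resolve to the RP entity identifier, using one name would avoid drift. The two introspection tests run in session `s_CIE_introsp` but report `"result": "correct flow s1"`.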
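Review bot: The description's expected value `urn:ietf:params:oauth:client-assertion-type:jwtbearer` lacks the hyphen in `jwt-bearer` that the check below it uses; `"description": "The client_assertion_type parameter in the body of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer"` aligns the two and also fixes "in the URL", which disagrees with `"in": "body"`.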
@@ -4200,34 +3810,20 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } 
@@ -4237,31 +3833,29 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
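Review bot: The `"is not in"` deny list for `id_token_signed_response_alg` passes any value outside the four listed, so an RP advertising an unregistered or otherwise unsupported algorithm is reported as correct; if the profile enumerates the permitted signing algorithms, an `"is in"` allow-list is the tighter check, and the same applies to the `userinfo_*_response_alg` hunks @@ -4274 and @@ -4311. The behaviour when the parameter is absent from the metadata is not visible here — whether `is not in` on a missing JSONPath passes or fails decides whether an RP that omits the parameter is flagged, and is worth confirming. The test name asks whether the metadata contains an incorrect value while a pass means it does not; `"name": "Does the RP metadata avoid insecure 'id_token_signed_response_alg' values"` reads as the positive question the result reports.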
@@ -4274,31 +3868,26 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" ] } ] 
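Review bot: The deny-listed value is written `RSA_1_5`, but the JWA registered name (RFC 7518) for that key-management algorithm is `RSA1_5`, which is what an RP would publish in `userinfo_encrypted_response_alg`; as written the check never matches the value it is meant to reject, and the description repeats the misspelling. Change the list entry to `"RSA1_5"` and the description text to match. Whether the comparison is case-sensitive is not visible here, but no case variant of `RSA_1_5` equals the registered name.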
@@ -4311,1464 +3900,1039 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the client_id parameter", - "description": "The 
'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + 
"result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", - "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the nonce parameter", - "description": "If the nonce in the request is missing, than 
a control about the freshness of the request/response is missing. In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Entity Configuration response OP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter", - "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Entity Configuration response OP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": 
"Does the OP refuse Authentication Requests without the state parameter", - "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", - "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", - "type": "active", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an 
Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "example" - }, - { - "jwt sign": "X_key_RP" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", - "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, 
https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported[0]", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", - "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", - "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 
'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", - "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message 
type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "19az" 
- }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", - "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error 
response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", - "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", - "type": "active", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "unsupported_response_type" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not 
present in its metadata", - "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", - "type": "active", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_scope" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization 
request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the acr_values parameter", - "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' 
parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the aud parameter", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present and must be set to 'code'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the claims parameter", - "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": 
"[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the exp parameter", - "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - 
"in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iat parameter", - "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iss parameter", - "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain the correct value of 
token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the prompt parameter", - "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": 
"intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", - "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": 
"$.redirect_uri", - "value": "" - }, + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } 
+ }, + { + "test": { + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode regex": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
- },
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
+ "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "UserInfo response",
+ "checks": [
 {
 "in": "head",
- "check": "invalid_request"
+ "url decode": false,
+ "is": "application/jwt",
+ "check param": "Content-Type"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Requests without the response_type parameter",
- "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed",
+ "name": "Does the OP refuse wrongly signed Authentication Requests",
+ "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",
 "type": "active",
 "sessions": [
 "s1"
@@ -5790,12 +4954,7 @@
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.response_type",
- "value": ""
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
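Review bot: Re-signing the request object with `X_wrong_key` only exercises signature verification if that key has the same type and `alg` as the header the RP originally produced; if it is a different key family the OP may reject on algorithm mismatch before ever checking the signature, and the test would pass without proving what its name claims. Since the payload edits were dropped and the only edit left is `"jwt sign": "X_wrong_key"`, the placeholder's constraints are now the whole test, so a sentence in the description such as `X_wrong_key must be a key of the same type and alg as X_key_RP, differing only in key material` would pin that down. The enclosing intercept operation and the test object start outside this hunk.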
@@ -5813,21 +4972,21 @@
 },
 {
 "in": "head",
- "check": "invalid_request"
+ "check": "unauthorized_client"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse an RP without trusted Trust Marks",
- "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed",
+ "name": "Does the OP verify the signature of the client assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
@@ -5838,20 +4997,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.trust_marks",
- "value": ""
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
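Review bot: The `"sessions"` list of the new Introspection test is changed to `"s_CIE_introsp"`, but every operation in the following hunk intercepts with `"from session": "s1"` and the test's `"result"` is `"correct flow s1"`, so the test declares one session and drives another. The Revocation and Token variants of the same test (`@@ -5894`, `@@ -5950`, `@@ -6006`) keep `"s1"` throughout; unless mig-t resolves undeclared session names implicitly, either the declaration should read `"s1"` or the operations and result should reference `s_CIE_introsp`. The introspection tests removed further down in this diff carried the same mismatch, so it may be inherited rather than introduced here. The test object continues past the end of this hunk.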
@@ -5861,26 +5015,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication response",
+ "message type": "Introspection response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Requests with a wrong iss parameter",
- "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed",
+ "name": "Does the OP verify the signature of the client assertion in the Revocation request",
+ "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
 "s1"
@@ -5894,20 +5048,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Revocation request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.iss",
- "value": "https://www.example.com/"
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
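Review bot: The Introspection response checks expect HTTP 400 with `invalid_request` in the body for a client_assertion whose signature does not verify, but a failed client authentication is conventionally reported as `invalid_client` (RFC 6749 §5.2, which also permits a 401), and RFC 7662 answers an unauthenticated caller with 401. As written, an OP that returns 401/`invalid_client` fails this test, while a body match on the generic `invalid_request` can be satisfied by an unrelated parsing error. Suggest confirming the error code the SPID/CIE profile mandates for a bad assertion and, if it is `invalid_client`, changing the two checks to `"check regex": "HTTP/?\\d?\\.?\\d?\\s40[01]"` and `"check": "invalid_client"`. The same expectation appears in the Revocation and both Token response hunks (`@@ -5917`, `@@ -5973`, `@@ -6029`). The operation list this hunk edits starts before the hunk.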
@@ -5917,26 +5066,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP correctly validate the trust chain of an RP authentication request",
- "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification",
+ "name": "Does the token response to a token request made with a wrong signature return a Token Error response",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -5950,20 +5099,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.authority_hints",
- "value": "https://www.wrongsite.com/"
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
@@ -5973,26 +5117,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
- "check": "invalid_client"
+ "in": "body",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request",
- "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.",
+ "name": "Does the OP's token endpoint refuse assertions signed with a wrong key",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -6006,20 +5150,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Token request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.client_id",
- "value": "https://www.example.com/"
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
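Review bot: This Token request hunk is the same operation as the one at `@@ -5950` (intercept the Token request, decode `client_assertion`, `"jwt sign": "X_wrong_key"`), and the two tests' Token response checks are identical as well, so "made with a wrong signature" and "signed with a wrong key" exercise exactly one OP behaviour and will always pass or fail together. If both are meant to stay, the descriptions should say what distinguishes them and the first should break something different (for example keep the legitimate signing key and alter only the signature segment, if the tool supports that edit); otherwise one of the two tests should be dropped. Both test objects start before their hunks and end after them.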
@@ -6029,26 +5168,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Request with a wrong redirect URI",
- "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP",
 "type": "active",
 "sessions": [
 "s1"
@@ -6062,20 +5201,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "edits": [
 {
 "jwt from": "payload",
- "jwt edit": "$.redirect_uri",
- "value": "https://www.example.com/"
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt save": "$.iss",
+ "as": "saved_iss"
 }
 ]
 }
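Review bot: The `iss` value captured here with `"jwt save": "$.iss"` / `"as": "saved_iss"` is consumed in the next hunk through `"contains": "saved_iss"` rather than an equality check, so an ID Token whose `iss` merely embeds the OP's entity identifier (a longer URL with an extra path segment, for instance) also satisfies the test, although OIDC requires the `iss` claim to match the issuer identifier exactly. If mig-t allows an exact comparison against a saved variable (the `"is"` operator is used elsewhere in this diff for literal values), that would make the check meaningful. Separately, this operation decodes the Entity Configuration with `"decode param": "[^\\r\\n]*"` while the passive EC tests in the next hunk use `"decode regex": "[^\\r\\n]*"` for the same body; if the tool treats the two keys differently, this one should be aligned. The test object and its second operation lie outside this hunk.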
@@ -6085,1538 +5221,841 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "saved_iss" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", - "type": "active", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.jwks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - 
"checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", - "type": "active", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud[0]", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", - "description": "Since the 
OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", - "type": "active", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", - "type": "active", + "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", + "description": "In this test the OP 
metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", - "type": "active", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - 
"from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.claims_parameter_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", - "type": "active", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": 
[ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.claims_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", - "type": "active", + "name": "Does the OP metadata contain the client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - 
"check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", - "type": "active", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", - 
"description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", - "type": "active", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.introspection_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the organization_name claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the policy_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is missing", - "type": "active", + "name": "Does the OP metadata contain the request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint", - "type": "active", + "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong", - "type": "active", + "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the iat claim is wrong", - "type": "active", + "name": "Does the OP metadata contain the request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_parameter_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", - "type": "active", + "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", - "type": "active", + "name": "Does the OP metadata contain the response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is not set to the RP's client ID", - "type": "active", + "name": "Does the OP metadata contain the revocation_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" 
@@ -7627,15 +6066,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -7647,8 +6084,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7659,18 +6096,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.scopes_supported",
+ "is present": "true"
 }
 ]
 }
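Review bot: The new check `"is present": "true"` on revocation_endpoint_auth_methods_supported only asserts that the claim exists, and the negative assertions that the advertised algorithm lists must not include values such as `none`, the HS* family or `RSA_1_5` no longer appear anywhere in this file; the same replacement of `not contains` / `is in` value checks by presence checks happens in the hunks at `@@ -7659`, `@@ -7694`, `@@ -7729`, `@@ -7764`, `@@ -7799`, `@@ -7831` and `@@ -7854`. Unless those value checks now live in dedicated test files, this suite stops failing when an OP advertises a forbidden signing or encryption algorithm, which is the property these tests existed to catch. Consider keeping a `not contains` check next to each presence check, or stating in each new description where the value check moved so the coverage gap is explicit. Separately, `"is present": "true"` carries a boolean as a string; if the test DSL accepts a JSON boolean, `"is present": true` would be the clearer form.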
@@ -7682,8 +6114,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7694,18 +6126,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.subject_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -7717,8 +6144,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7729,18 +6156,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -7752,8 +6174,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7764,18 +6186,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -7787,8 +6204,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7799,15 +6216,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -7819,8 +6234,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
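Review bot: The new description in the hunk at `@@ -7787,8 +6204,8 @@` says the token_endpoint_auth_signing_alg_values_supported claim is looked up in the 'op' entity type, but the matching check in the following hunk reads `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, and every sibling test in this file names the 'openid_provider' subclaim. A reader comparing descriptions against JSONPaths will take 'op' for a different metadata type. Suggest `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked."` so the wording matches the path actually checked.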
@@ -7831,18 +6246,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -7854,32 +6264,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqff
QyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", + "is present": "true" } ] } 
@@ -7891,29 +6294,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the userinfo_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\
nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_endpoint", + "is present": "true" } ] } 
@@ -7925,28 +6324,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" - ] + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "is present": "true" } ] } @@ -7958,8 +6354,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", "type": "passive", "sessions": [ "s1" 
@@ -7970,13 +6366,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_provider.signed_jwks_uri", + "is present": "true" } ] } @@ -7988,8 +6384,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -7997,18 +6393,11 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
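Review bot: The test named in the previous hunk (L5939) promises "jwks or signed_jwks_uri ... at least one of the two", but the only check here is `"check": "$.metadata.openid_provider.signed_jwks_uri"` with `"is present": "true"`, so an OP that publishes `jwks` inline and no `signed_jwks_uri` is reported as non-compliant. Either add a second check on `$.metadata.openid_provider.jwks` combined with whatever disjunction the check DSL supports, or narrow the name and description to `signed_jwks_uri` only. The enclosing test object starts in the hunk at L5939.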
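Review bot: In the `@@ -7997` hunk the body regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` excludes `-` from the header and payload segments, yet `-` is part of the base64url alphabet a compact JWS is written in, so a valid entity statement whose header or payload happens to contain `-` fails the check; `"check regex": "^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]*$"` matches the three base64url segments the description asks for. The description also requires `Content-Type: application/entity-statement+jwt`, but nothing in the new checks reads the headers; a second entry `{ "in": "head", "check regex": "application/entity-statement\\+jwt", "is present": "true" }` would cover that sentence. The enclosing test object starts in the preceding `@@ -7988` hunk.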
@@ -8018,27 +6407,20 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
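Review bot: The new `"check regex"` starts with an unescaped `[`, which opens a character class that is never closed (the later `\\]` is an escaped literal inside that class), so the pattern does not compile and the test cannot pass. The first character was presumably meant to be a literal bracket: `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Even corrected, the pattern only recognises a JSON array of strings at the end of the body, which is weaker than the "resolved metadata for the entity" the description claims to verify; consider decoding the response as a JWT and checking `$.metadata` instead, as the other entity-statement tests in this file do.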
@@ -8048,27 +6430,20 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" - } - ] + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is 
present": "true" } ] } @@ -8078,27 +6453,20 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" - } - ] + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
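Review bot: The description of the test in the `@@ -8048` hunk says the `code` query parameter "must be a UUID", but `(?<=code=)[a-zA-Z0-9]+(?=&)` accepts any alphanumeric run and requires a trailing `&`, so a hyphenated UUID is not matched as a whole and a `code` that is the last parameter of the Location value is never matched. A pattern that states the documented contract is `"check regex": "(?<=code=)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=&|\\s|$)"`. If arbitrary opaque codes are in fact acceptable, the name and description should say "non-empty code" rather than UUID.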
@@ -8108,27 +6476,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" - } - ] + "in": "body", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
@@ -8138,27 +6499,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" - } - ] + "in": "body", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } 
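Review bot: The new UserInfo body regex requires five non-empty base64url segments, but when the JWE `alg` is `ECDH-ES` (one of the values the next test at L5946 explicitly allows) the JWE Encrypted Key is the empty octet sequence, so the compact form is `header..iv.ciphertext.tag` and this check reports a compliant response as missing. Allowing an empty second segment keeps the test aligned with the alg list: `"check regex": "[\\w\\-]+\\.[\\w\\-]*\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$"`. The description could also state that only the compact JWE shape is verified here, not its decryptability, which the following tests cover.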
@@ -8168,25 +6522,32 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyT
gVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] } ] } 
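Review bot: The same PEM-encoded RSA private key is inlined verbatim under `"jwe decrypt"` in this hunk and in the hunks ending at L5949, L5951, L5953, L5955 and L5957, so rotating the test key means editing six multi-kilobyte string literals that must stay byte-identical, and a private key now lives in the committed test definitions. If the runner can load the key from a path or a named entry, replace each copy with a single reference (for example `"jwe decrypt": "<TEST_KEY_REF>"`, placeholder constructed here) and keep the key material out of the JSON. At minimum, a note in the test-format documentation should state that this key is a throwaway test key and where its public half is registered.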
@@ -8198,25 +6559,29 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8B
CoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -8228,25 +6593,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4C
Pb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } 
@@ -8258,25 +6624,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/
Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + "in": "header", + "check": "$.cty", + "is present": "true" } ] } 
@@ -8288,25 +6655,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9
E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "in": "header", + "check": "$.enc", + "is present": "true" } ] } 
@@ -8318,25 +6686,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev
7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -8348,25 +6717,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] } ] } 
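Review bot: The forbidden value in the new `"not contains"` list is spelled `RSA_1_5`, but the JWA identifier an OP would actually advertise in `id_token_encryption_alg_values_supported` is `RSA1_5` (RFC 7518), so the test never detects the algorithm it is meant to reject and passes vacuously. Change the entry to `"RSA1_5"`; the description's `['RSA_1_5']` should be corrected to match.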
@@ -8378,25 +6749,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
+ "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
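Review bot: A `not contains` check on `$.metadata.openid_provider.id_token_signing_alg_values_supported` presumably succeeds when the claim is missing altogether, since there is nothing to match, and this commit drops the separate presence tests for these algorithm lists from this file. Unless those presence checks now live in the per-test files added by the same patch, an OP that omits the claim entirely is no longer flagged here. If the tool accepts several checks per decode operation, keeping `{"in": "payload", "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", "is present": "true"}` next to the `not contains` check closes the gap; the same applies to the other `not contains` tests in this file.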
@@ -8408,25 +6784,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
+ "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
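Review bot: The JSONPath on the new `check` line ends in `[0]`, so only the first entry of request_authentication_signing_alg_values_supported is compared against the forbidden list; `none` or an HS* algorithm anywhere after index 0 goes unnoticed. The sibling tests for id_token_signing_alg_values_supported and request_object_signing_alg_values_supported check the whole array. Drop the index: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",`. If the index was written because this claim is nested per authentication method rather than being a flat array, the path should name that structure explicitly instead of picking the first element.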
@@ -8438,25 +6819,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
+ "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -8468,25 +6854,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -8498,25 +6889,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -8528,8 +6921,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8540,13 +6933,18 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is present": "true"
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -8558,38 +6956,61 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method",
+ "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.jwks",
- "is present": "true"
+ "jwt from": "header",
+ "jwt edit": "alg",
+ "value": "none"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
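Review bot: The new `description` string is broken across two physical lines after "send an Authentication Request." — the hunk's 61 new-side lines only add up if that break is in the file — and a raw newline inside a JSON string is a control character that every RFC 8259 parser rejects, so the whole test file would fail to load. Join the two lines, or write `\n` inside the string if the break is wanted in the rendered description. Separately, the test name promises rejection of any non-asymmetric method, but the only edit performed is `"jwt edit": "alg", "value": "none"`; the symmetric branch the description spends most of its words on (an HS* `alg`) is never exercised and would need a second operation or test. The enclosing test of the second hunk continues past this hunk.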
@@ -8600,13 +7021,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.signed_jwks_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -8618,8 +7039,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8630,13 +7051,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -8648,8 +7069,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8660,13 +7081,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_endpoint",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -8678,8 +7099,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8690,13 +7111,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
 }
 ]
 }
@@ -8708,8 +7129,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the contacts claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain correct type issuer parameter",
+ "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8720,13 +7141,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
 }
 ]
 }
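Review bot: The authority_hints schema in the first hunk asserts only `"type": "array"`, so an empty list or a list of non-string items satisfies a test whose name says the parameter is checked to be correct. The claim is a list of Entity Identifiers, which the schema can say: `\"authority_hints\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"format\": \"uri\"}}`. Whether an empty array should be tolerated depends on whether the entity under test can be a trust anchor, which the file does not say.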
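Review bot: The description of the issuer test in the last hunk says the value must be a URL with no query or fragment component, but the schema on the new `json schema compliant` line only applies `"format": "uri"`, which accepts `https://op.example/?x=1#y` and which many JSON Schema validators treat as an annotation rather than an assertion unless format checking is switched on. A pattern does the work regardless of validator settings and matches the `^https://` rule the other URL checks in this commit use: `\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://[^?#]+$\"}`. The decode regex on this hunk is `[^\\n\\r]*` while the rest of the file uses `[^\\r\\n]*`; equivalent, but worth aligning.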
@@ -8738,8 +7159,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain correct type logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -8750,13 +7171,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
@@ -8768,8 +7189,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
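Review bot: The logo_uri pattern `^(https?://).*\\.svg$` in the second hunk accepts plain `http://`, while every other URL check this commit adds (client_id and iss in the access token) insists on `^https://`; a logo that an RP fetches over cleartext can be replaced in transit, so the weaker scheme looks unintended. Also, `.*` in front of `\.svg` lets the suffix be satisfied by a query string such as `?f=.svg` rather than the path. `\"pattern\": \"^https://[^?#]*\\\\.svg$\"` addresses both. The description still says only that the value "is an URL" and should mention the SVG requirement the pattern enforces.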
@@ -8780,13 +7201,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
 }
 ]
 }
@@ -8798,8 +7219,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the homepage_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
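Review bot: The schema on the new `json schema compliant` line in the first hunk accepts `{}` and empty arrays, because `additionalProperties` only constrains values that are present; an OP advertising an empty request_authentication_methods_supported passes a test whose name says it checks the correct value. Adding `\"minProperties\": 1` at the top level and `\"minItems\": 1` on the array schema makes the check bite. The description of the previous test, which this hunk's check belongs to, still says only presence is checked and should describe the value check instead.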
@@ -8810,13 +7231,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -8828,8 +7249,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
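Review bot: The `required` list on the new metadata-types schema in the first hunk names all six metadata types, so an entity configuration carrying only `openid_provider` and `federation_entity` (an ordinary OP) fails this test; the description says each key must be one of these types, not that all of them must appear. Remove the `required` array and keep `\"additionalProperties\": false`, which already enforces the allowed set. The "only once" half of the test name is not verifiable with a schema, since duplicate keys are collapsed by the JSON parser before the check sees the object (presumably; it depends on the tool's parser), so either the name should drop it or a separate raw-text check is needed.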
@@ -8840,13 +7261,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
@@ -8858,25 +7279,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
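Review bot: The trust_marks schema in the first hunk requires `"type": "object"` with array-valued members, but the test description added in the preceding hunk says the parameter must be a JSON array, and in OpenID Federation trust_marks is an array of objects each carrying `id` and `trust_mark`; a conforming OP fails this test as written. Replace the property schema with `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}`. In the second hunk the `aud` check admits only an array, whereas RFC 7519 also allows a single string audience; confirm the profile under test mandates the array form, otherwise accept both with `\"oneOf\"` or `\"type\": [\"string\", \"array\"]`.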
@@ -8888,25 +7309,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
@@ -8918,25 +7339,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the introspection_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.introspection_endpoint",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -8948,25 +7369,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -8978,25 +7399,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the organization_name claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
+ "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -9008,25 +7429,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the policy_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
 }
 ]
 }
@@ -9038,25 +7459,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
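Review bot: The lookbehind `(?<=id_token: \")` on the new `decode param` line expects the literal text `id_token: "`, but a Token Response body is JSON, where the key is quoted as `"id_token": "…"`; the `"` between `id_token` and `:` defeats the match, so the ID Token is never extracted and the exp check cannot run. The iat test in the next hunk carries the same regex, while the other ID Token tests in this commit use `(?<=\"id_token\": \")[^\"]+`. Align both hunks on `"decode param": "(?<=\"id_token\": \")[^\"]+",`. If the tool normalises the body to unquoted keys before matching, the current form would work, but nothing in the file indicates that.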
@@ -9068,25 +7489,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -9098,25 +7519,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
 }
 ]
 }
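Review bot: The embedded schema on the new `json schema compliant` line ends in `]})` — the `)` after the closing brace makes the inner document invalid JSON, so the validator will either raise or the check will never pass, and the test silently stops guarding the ID Token issuer. Remove it: `..., \"required\":[\"iss\"]}"`. The `\"const\": \"X_https_OP\"` value looks like a placeholder the tool substitutes with the OP's entity id; if no such substitution exists, the check compares iss against that literal string and should use `\"pattern\": \"^https://\"` like the access-token iss test in this commit.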
@@ -9128,25 +7549,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
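Review bot: The description says `sub` is checked to be a string, but the pattern `^[0-9a-f]{64}$` on the new `json schema compliant` line additionally requires exactly 64 lowercase hex characters, which OpenID Connect Core does not mandate (it only requires an opaque string of at most 255 ASCII characters). If the profile under test fixes the subject format, the description should say so; otherwise relax the schema to `\"sub\": {\"type\": \"string\", \"minLength\": 1, \"maxLength\": 255}` so a conforming OP with a different pairwise-identifier scheme does not fail.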
@@ -9158,25 +7579,46 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ + { + "from": "url", + "save": "client_id", + "as": "auth_client_id" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_supported", - "is present": "true" + "check": "client_id", + "is": "auth_client_id", + "use variable": "true" } ] } 
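Review bot: The new payload check uses `"check": "client_id"` whereas every other `"in": "payload"` check in this file is a JSONPath expression (`$.…`, or `$` as in the two preceding hunks); unless the tool treats a bare key as a root member, this check may never match and a correct OP would be reported as failing. For consistency use `"check": "$.client_id"`; the `scope` check in hunk 9188 has the same form. The saved `auth_client_id` is taken from the Authentication request URL, and in federation profiles the client_id is itself a URL, so if the tool does not percent-decode saved URL parameters the value would contain `%3A%2F%2F` and never equal the decoded string in the JWT — worth confirming against the tool before relying on this test.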
@@ -9188,25 +7630,46 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ + { + "from": "url", + "save": "scope", + "as": "auth_scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported", - "is present": "true" + "check": "scope", + "is": "auth_scope", + "use variable": "true" } ] } 
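Review bot: The `scope` value saved from the Authentication request URL is form-encoded (`openid+profile` or `openid%20profile`), while the `scope` claim in the Access Token payload is the space-separated string, so the `is` / `use variable` equality would fail for any request with more than one scope unless the tool URL-decodes saved values — presumably it does not, given that `save` reads from `url` directly. Either add a decode step, restrict the comparison to the single-scope case, or say in the description that an exact string comparison is performed. As in hunk 9158, `"check": "scope"` lacks the `$.` JSONPath prefix used by the other payload checks.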
@@ -9218,624 +7681,836 @@ }, { "test": { - "name": "Does the OP metadata contain the request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", + "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported", - "is present": "true" - } - ] + "from": "url", + "value": "openid", + "edit": "scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": 
"Does the OP refuse Authentication Requests without the request parameter", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" - } - ] + "from": "url", + "value": "", + "edit": "request" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", + "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity 
Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported", - "is present": "true" - } - ] + "from": "url", + "value": "", + "edit": "scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "is present": "true" - } - ] + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ + { + "from": "url", + "value": "example", + "edit": "request" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests without the client assertion", + "description": "A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests without the client assertion type", + "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is 
present": "true" - } - ] + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", - "type": "passive", + "name": "Does the OP accept introspection requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the 
revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "How does the OP behave when receiving an introspection request without the token", + "description": "An introspection request without a token is sent and the introspection response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=token=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests with a wrong client assertion type", + "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", + "type": "active", "sessions": [ - "s1" + 
"s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" - } - ] + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" - } - ] + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", - "type": "passive", + "name": "Does the OP verify the client id of the Introspection Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" - } - ] + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP verify the parameters of the client assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make 
it correct. If the OP accepts the request anyway, then it does not verify the JWT.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" - } - ] + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "How does the OP behave when receiving an introspection request with a wrong token", + "description": "An introspection request with a token not valid is sent and the introspection response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": 
"[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" - } - ] + "value": "X_not_valid_tkn", + "edit regex": "(?<=token=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", - "type": "passive", + "name": "Does the OP verify the presence of token in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=token=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + 
"result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP accept revocation request without the client assertion", + "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { - "from": "body", - 
"decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported.value", - "is": "true" - } - ] + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP accept Revocation Requests without the client assertion type", + "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported.value", - "is": "true" - } - ] + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in 
the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP accept Revocation Requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", - "is": "true" - } - ] + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", - "type": "passive", + "name": "Does the OP verify the client assertion type of the Revocation Request", + "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is": "X_url_OP" - } - ] + "value": "urn-ietf", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "check": "Content-Type", - "is": "application/json" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", - "type": "passive", + "name": "Does the OP verify the client id of the Revocation Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a 
request with a wrong client id (not present in the federation) is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "check": "token_type", - "is": "Bearer" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the request parameter", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", + "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -9849,12 +8524,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "edit operations": [ { - "from": "url", + "from": "body", "value": "", - "edit": "request" + "edit regex": "(?<=client_assertion=)([^&]+)" } ] }, 
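Review bot: The seven introspection tests (from `Does the OP accept introspection requests without the client assertion` through `How does the OP behave when receiving an introspection request with a wrong token`) declare `"sessions": ["s_CIE_introsp"]` but every operation in them still uses `"session": "s1"` and `"from session": "s1"`, a session the test no longer declares; presumably the runner either errors or intercepts nothing, in which case an `assert_only` test with no executed checks could read as passed. Use one name consistently, e.g. `"session": "s_CIE_introsp"` and `"from session": "s_CIE_introsp"`. Several descriptions also no longer match their operations: the scope-mismatch test says the `iss` parameter in the URL is modified while the edit targets `scope`; the "presence of token in the Revocation request" test says it verifies the client assertion; and "Does the OP verify the parameters of the client assertion in the Introspection request" describes altering one claim of the JWT and adapting the signature, whereas the edit replaces the whole assertion with `X_wrong_value`, which does not exercise signature verification at all. Either implement the described tampering or reword the descriptions to what is actually sent.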
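Review bot: `"value": ""` applied to `(?<=client_assertion=)([^&]+)` blanks the parameter rather than removing it, so the Token request still carries `client_assertion=` while the test name says "without the client_assertion parameter"; an OP may legitimately treat an empty value differently from an absent one (e.g. `invalid_request` rather than `invalid_client`), which makes the 401 / `invalid_client` expectation in the following hunk brittle. If the tool cannot delete a body parameter, widen the regex to consume the key as well, e.g. `"edit regex": "client_assertion=[^&]*&?"`, or state in the description that the value is emptied, not removed. The same pattern is used in hunks 9895 and 9941 and in the introspection and revocation tests of the preceding hunk.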
@@ -9862,15 +8537,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } @@ -9880,8 +8555,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", - "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", + "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -9895,12 +8570,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "edit operations": [ { - "from": "url", + "from": "body", "value": "", - "edit": "scope" + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -9908,14 +8583,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
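Review bot: The head check `"check regex": "HTTP/?\\d?\\.?\\d?\\s401"` in the `@@ -9862` hunk pins a 401 for the `invalid_client` case, but RFC 6749 §5.2 only says the server MAY use 401 for `invalid_client` when the client did not authenticate via the Authorization header, which is the case for a body-carried client assertion. A conforming OP that answers 400 with `invalid_client` therefore fails this test for a status code the specification does not require. Consider `"check regex": "HTTP/?\\d?\\.?\\d?\\s40[01]"` here, or state in the description that the profile under test mandates 401; the missing-client_id hunk on the next line carries the same expectation.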
@@ -9926,8 +8601,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", + "name": "Does the OP require the client_id in the token request", + "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -9941,12 +8616,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "edit operations": [ { - "from": "url", - "value": "example", - "edit": "request" + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -9954,15 +8629,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, - { - "in": "head", - "check": "invalid_request" + { + "in": "body", + "check": "invalid_client" } ] } 
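Review bot: The expectation of `401` with `invalid_client` in the `@@ -9954` hunk holds only under a profile that makes client_id mandatory in the token request; RFC 7523 §2.2 makes `client_id` OPTIONAL when the client_assertion itself identifies the client, so a plain RFC-conforming OP could legitimately issue a token here. The description in the `@@ -9926` hunk should name the requirement being tested, e.g. `The response must be a Token Error response, because the federation profile requires client_id in the token request.`, so a failure is read as a profile deviation rather than an RFC one. As noted on the earlier hunks, the edit leaves `client_id=` present with an empty value rather than removing it.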
@@ -9972,8 +8647,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", - "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged", + "name": "Does the token response to a token request made without the code parameter return a Token Error response", + "description": "This test consists in sending a token request without the code parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -9987,12 +8662,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "edit operations": [ { - "from": "url", - "value": "openid", - "edit": "scope" + "from": "body", + "value": "", + "edit regex": "(?<=code=)([^&]+)" } ] }, @@ -10000,15 +8675,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_grant" } ] } 
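Review bot: The body check `"check": "invalid_grant"` in the `@@ -10000` hunk does not match RFC 6749 §5.2 for a request with the `code` parameter missing: a missing required parameter is the `invalid_request` case, while `invalid_grant` covers a grant that is present but invalid, expired, revoked or mismatched. As written, an OP that follows the RFC wording fails this test. If the OPs targeted are known to answer `invalid_grant`, the description should say so; otherwise consider `"check regex": "invalid_(request|grant)"` if the tool supports a regex body check. The missing-code_verifier hunk on the next line raises the same question.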
@@ -10018,11 +8693,11 @@ }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion", - "description": "A request to the introspection endpoint is made without the client assertion in it. The OP's response is analyzed", + "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -10033,12 +8708,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" + "edit regex": "(?<=code_verifier=)([^&]+)" } ] }, @@ -10046,15 +8721,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "body", - "check": "invalid_client" + "check": "invalid_grant" } ] } @@ -10064,11 +8739,11 @@ }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion type", - "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", + "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { 
@@ -10079,12 +8754,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "edit regex": "(?<=grant_type=)([^&]+)" } ] }, @@ -10092,7 +8767,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", @@ -10110,11 +8785,11 @@ }, { "test": { - "name": "Does the OP accept introspection requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", + "name": "Does the OP check the client_id in the request", + "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -10125,7 +8800,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", @@ -10138,15 +8813,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "body", - "check": "invalid_client" + "check": "invalid_request" } ] } 
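Review bot: The test renamed in the `@@ -10110` hunk ("Does the OP check the client_id in the request") appears to repeat the earlier "Does the OP require the client_id in the token request" case, yet its `@@ -10138` hunk expects `400` with `invalid_request` while the earlier one expects `401` with `invalid_client`, so one of the two fails on every OP. Its description also says the parameter is removed from the URL of the token request, while the edit operation in the `@@ -10125` hunk reads `"from": "body"` (the edit regex itself is outside the visible hunk). Either drop the duplicate or make the two expectations agree, and change the description to `In this test the client_id parameter in the body of the token request is removed and the response analyzed`.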
@@ -10156,11 +8831,11 @@ }, { "test": { - "name": "How does the OP behave when receiving an introspection request without the token", - "description": "An introspection request without a token is sent and the introspection response analyzed", + "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -10171,12 +8846,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" + "value": "urn-aert", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -10184,7 +8859,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", @@ -10202,11 +8877,11 @@ }, { "test": { - "name": "Does the OP accept introspection requests with a wrong client assertion type", - "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", + "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", + "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { 
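Review bot: The replacement value `"urn-aert"` for client_assertion_type in the `@@ -10171` hunk looks like an accidental string, and a reader cannot tell it apart from a real but unknown URN. The other mutated values on this page use an `X_` prefix (`X_wrong_code`, `X_not_valid_tkn`), so `"value": "X_wrong_assertion_type"` would read as intentional; the revocation variant earlier on this page uses `"urn-ietf"` and has the same problem. The expected error body for this test is in the `@@ -10184` hunk, which is cut off after the head check.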
@@ -10217,12 +8892,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "value": "X_wrong_code", + "edit regex": "(?<=code=)([^&]+)" } ] }, @@ -10230,7 +8905,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", @@ -10238,7 +8913,7 @@ }, { "in": "body", - "check": "invalid_request" + "check": "invalid_grant" } ] } @@ -10248,11 +8923,11 @@ }, { "test": { - "name": "Does the OP verify the client id of the Introspection Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", + "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -10263,12 +8938,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "https://www.example.com/", - "edit regex": "(?<=client_id=)([^&]+)" + "value": "X_wrong_code", + "edit regex": "(?<=code_verifier=)([^&]+)" } ] }, 
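Review bot: The `@@ -10263` hunk replaces code_verifier with `"X_wrong_code"`, a 12-character value, but RFC 7636 §4.1 requires a verifier of 43 to 128 unreserved characters, so a conforming OP may reject it as syntactically invalid before it ever compares it with the stored code_challenge, and the test would then not show whether PKCE verification is performed at all. A syntactically valid but wrong verifier, i.e. 43 or more characters from the unreserved set, isolates the check under test. The value is also reused verbatim from the wrong-code test in the `@@ -10217` hunk; `X_wrong_code_verifier` would tell the two mutations apart in logs.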
@@ -10276,15 +8951,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "body", - "check": "invalid_client" + "check": "invalid_request" } ] } @@ -10294,11 +8969,11 @@ }, { "test": { - "name": "Does the OP verify the parameters of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.", + "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", + "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -10309,12 +8984,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion=)([^&]+)" + "value": "example", + "edit regex": "(?<=grant_type=)([^&]+)" } ] }, @@ -10322,7 +8997,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", @@ -10330,7 +9005,7 @@ }, { "in": "body", - "check": "invalid_request" + "check": "unsupported_grant_type" } ] } 
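Review bot: The body check `"check": "invalid_request"` in the `@@ -10276` hunk contradicts RFC 7636 §4.6, which says a code_verifier that does not match the stored challenge MUST produce `invalid_grant`; the wrong-code hunk on the previous line already expects `invalid_grant` for the analogous case. A conforming OP fails this test as written. `"check": "invalid_grant"` matches the specification and keeps the two tests consistent.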
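Review bot: The name and description added in the `@@ -10294` hunk read `Does the OP checks that the token request contains ...` and `set to and invalid value, just like 'example'`; `Does the OP check that ...` and `set to an invalid value, such as 'example',` read correctly. The description would also be clearer if it stated the expected outcome the way the neighbouring tests do, e.g. `The response must be a Token Error response with error unsupported_grant_type.`, which is what the `@@ -10330` hunk asserts.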
@@ -10340,11 +9015,11 @@ }, { "test": { - "name": "How does the OP behave when receiving an introspection request with a wrong token", - "description": "An introspection request with a token not valid is sent and the introspection response analyzed", + "name": "How does the OP behave when the token in the userinfo request is missing", + "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -10355,12 +9030,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "UserInfo request", "edit operations": [ { - "from": "body", - "value": "X_not_valid_tkn", - "edit regex": "(?<=token=)([^&]+)" + "from": "head", + "value": "", + "edit": "Authorization" } ] }, @@ -10368,7 +9043,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "UserInfo response", "checks": [ { "in": "head", 
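Review bot: The `@@ -10355` hunk sets the Authorization header to `""` via `"edit": "Authorization"`, while the description says the userinfo request is made without the field; if the tool keeps an empty `Authorization:` header rather than dropping it, the OP sees a malformed credential instead of a missing one and may answer differently (the expected status in the `@@ -10368` hunk is cut off here). If the edit operation supports removing a header, that would match the description; otherwise the description should say the header value is emptied. The same empty-value pattern is used for the token request body edits earlier on this page.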
@@ -10381,853 +9056,747 @@ ] } ], - "result": "assert_only" + "result": "assert_only" + } + }, + { + "test": { + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_OP" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + 
"decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of token in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", - "type": "active", + "name": "Does the OP issue refresh tokens even when it is not supposed to", + "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. 
Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check": "refresh_token", + "is present": false } ] } ], - "result": "assert_only" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the OP accept revocation request without the client assertion", - "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", - "type": "active", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", 
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept Revocation Requests without the client assertion type", - "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", - "type": "active", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept Revocation Requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the 
response is analyzed.", - "type": "active", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client assertion type of the Revocation Request", - "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", - "type": "active", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": 
"Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "urn-ietf", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client id of the Revocation Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", - "type": "active", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - 
"then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "https://www.example.com/", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.authority_hints", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP require the client_id in the token request", - "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_client" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code parameter return a Token Error response", - "description": "This test consists in sending a token request without the code parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. 
If it is not present, than the Access Token is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_grant" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_grant" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.typ", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=grant_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "urn-aert", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", - "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_grant" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", - "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message 
type": "Token response", + "decode operations": [ { "from": "body", - "value": "example", - "edit regex": "(?<=grant_type=)([^&]+)" + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check": "unsupported_grant_type" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP check the client_id in the request", - "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - 
}, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when the token in the userinfo request is missing", - "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo request", - "edit operations": [ - { - "from": "head", - "value": "", - "edit": "Authorization" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the 
entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } @@ -11237,20 +9806,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
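Review bot: The `decode param` regex in the ID Token 'kid' test at `@@ -11237`, `(?<=\"id_token\": \")[^\"]+`, matches only a body serialized with exactly one space after the colon; a compact `"id_token":"…"` body produces no match, the JWT is never decoded, and the outcome then depends on how mig-t treats an empty decode (presumably not as a failure, which would make the test pass vacuously). The `access_token` regex this commit removes lower in the file tolerated that with `\\s?`, and the same tolerance belongs here and in every Token-response decode this commit adds: `"decode param": "(?<=\"id_token\":\\s?\")[^\"]+"`. Separately, `"is present": "true"` is a string here while the removed refresh_token check used the boolean `false`; the file should settle on one type for that field.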
@@ -11260,20 +9836,27 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr", + "is present": "true" + } + ] } ] } @@ -11283,8 +9866,8 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -11292,11 +9875,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.at_hash", + "is present": "true" + } + ] } ] } 
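Review bot: The `at_hash` check in the hunk at `@@ -11292` only asserts that the claim is present, but `at_hash` exists to bind the ID Token to the `access_token` returned in the same response; a value that is not the base64url left half of the SHA-256 (for RS256) of that access token passes unnoticed, so the test gives no binding assurance. If mig-t's check grammar cannot compute the hash, the description should state that only presence is verified so the test is not read as a binding check. Note also that OIDC Core 3.1.3.6 makes `at_hash` OPTIONAL in an ID Token issued from the token endpoint; the profile this suite targets presumably mandates it, and the description should cite that requirement.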
@@ -11306,8 +9896,8 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -11315,11 +9905,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
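Review bot: The `aud` test in the hunk at `@@ -11315` verifies only that the claim exists, so an ID Token whose `aud` names a different client — the token-substitution case the audience check is meant to stop (OIDC Core 3.1.3.7, step 3) — passes. The suite has a saved-variable mechanism (`"use variable": "true"` with `"contains"`, visible in lines this commit removes at `@@ -11674`), so the value could be compared with the `client_id` captured from the authentication request instead of being asserted present. If that capture is not possible in a passive test, the name should say 'contain' rather than imply correctness and an active variant should carry the value check.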
@@ -11329,20 +9926,27 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -11352,20 +9956,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -11374,21 +9985,28 @@ } }, { - "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "test": { + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -11398,8 +10016,8 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" 
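Review bot: The `iss` test in the hunk at `@@ -11374` checks presence only, and this commit at the same time drops the active test that compared the ID Token `iss` with the `iss` saved from the OP's Entity Configuration (removed at `@@ -11674`), so no test visible in this file rejects an ID Token issued by a different entity. Presence of `iss` is trivially true for any JWT produced by a conforming library; the security value is in the equality check. Either keep the comparison as a passive check, `{ "use variable": "true", "in": "payload", "check": "$.iss", "contains": "saved_iss" }`, if the tool can save from the earlier Entity Configuration message in the same session, or restore the active test.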
@@ -11407,11 +10025,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } @@ -11421,8 +10046,8 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -11430,11 +10055,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } 
@@ -11444,20 +10076,27 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -11674,55 +10313,21 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", - "type": "active", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "saved_iss" - } - ] + "jwt check sig": "X_key_OP" } ] } 
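Review bot: The Entity Configuration signature test at `@@ -11674` verifies with a statically configured key, `"jwt check sig": "X_key_OP"`, while its description says the public key "must be taken from the Entity Statement of a superior". An Entity Configuration is self-signed with a key from its own `jwks`, so if `X_key_OP` is that key the test proves only self-consistency and the trust-chain step the description promises (the superior vouching for that key) is not performed; if `X_key_OP` is something else, the description should say what. The description should be aligned with the check actually run, and the superior's Subordinate Statement check, if wanted, should be its own test. How `X_key_OP` is resolved is not visible here; presumably from mig-t configuration.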
@@ -11732,8 +10337,8 @@ }, { "test": { - "name": "Does the OP issue refresh tokens even when it is not supposed to", - "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", + "name": "Does the OP correctly sign the Access Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" @@ -11741,43 +10346,12 @@ "operations": [ { "message type": "Token response", - "checks": [ - { - "in": "body", - "check": "refresh_token", - "is present": false - } - ] - } - ], - "result": [ - "s1" - ] - } - }, - { - "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_OP" } ] } 
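Review bot: The description of "Does the OP correctly sign the Access Token" at `@@ -11732` says the signature is made "in such a way to be decrypted using its public key"; a JWS signature is verified, not decrypted, and describing it as decryption teaches the wrong model (RSA-PSS and ECDSA signing are not "encryption with the private key"). Suggested wording: `The signature is produced with the OP's private key and verified with the corresponding public key published in the OP's jwks.` The same sentence recurs in the ID Token signing test at `@@ -11787`.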
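Review bot: The Access Token signature check at `@@ -11741` (`"jwt check sig": "X_key_core_OP"`) does not pin the header `alg` first, so whether an `alg: none` or HMAC-signed token is rejected depends entirely on how mig-t's verifier handles the algorithm named by the token under test (algorithm-confusion class), which is not visible here. Adding an explicit header check next to the signature check, `{ "in": "header", "check": "$.alg", "is not in": ["none", "HS256", "HS384", "HS512"] }`, as the UserInfo JWE test in this commit already does, would make the expectation independent of verifier behaviour. The refresh_token-must-be-absent check removed in this hunk has no replacement visible in this file; if that coverage moved elsewhere, fine, otherwise it is lost.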
@@ -11787,27 +10361,21 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP correctly sign the ID Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_OP" } ] } 
@@ -11817,25 +10385,31 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyT
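Review bot: The `jwe decrypt` value in the hunk at `@@ -11817` embeds a complete PKCS#8 RSA private key (`-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKk…`) in a committed test file, and the same blob is pasted again in the `cty` test that follows; anyone with repository access can decrypt every UserInfo response encrypted to this key, so it must be treated as a throwaway key and rotated if it was ever used outside test runs. The suite already references keys symbolically (`"jwt check sig": "X_key_OP"`), so the same indirection belongs here, e.g. `"jwe decrypt": "X_key_RP_enc"`, with the PEM loaded from configuration kept out of version control. Separately, the `alg` check lists JWS algorithms (`HS256`, `HS384`, `HS512`), whereas a JWE `alg` is a key-management algorithm: the values to reject are `dir` and the symmetric wrappers the description mentions (`A128KW`, `A256KW`, `PBES2-*`, …) plus `RSA1_5`, which is deprecated for padding-oracle reasons. Finally, `is not in` does not fail on an absent `alg`, so a second check `{ "in": "header", "check": "$.alg", "is present": "true" }` is needed to honour the description's "is absent" clause.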
gVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -11847,27 +10421,20 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] } 
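Review bot: The Content-Type check at `@@ -11847` uses `"is": "application/json"`; if `is` is an exact comparison (the grammar also offers `check regex`, used on `head` in lines removed earlier in this file), a conformant `Content-Type: application/json; charset=utf-8` header fails the test, a false negative that catches nothing. A pattern such as `"check regex": "(?i)Content-Type:\\s*application/json(\\s*;.*)?"` would accept the parameterised form and also tolerate header-name case, which HTTP leaves insensitive. RFC 8259 §11 defines no charset parameter for application/json, but servers send it routinely.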
@@ -11877,27 +10444,20 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "is present": "true" - } - ] + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
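Review bot: `"is": "Bearer"` on `token_type` is stricter than the spec: RFC 6749 §5.1 states the `token_type` value is case-insensitive, so an OP answering `bearer` is compliant yet this passive test would report it. If the framework's `is` comparison is case-sensitive, a `check regex` such as `(?i)\"token_type\"\\s*:\\s*\"bearer\"` against the body is more accurate; otherwise the description should say the test deliberately enforces the canonical spelling. It is also unclear whether `"check": "token_type"` with `"in": "body"` matches a JSON key or a substring of the raw body, which decides whether a body like `"token_type":"mac"` with the word Bearer elsewhere would pass — worth a sentence in the description.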
@@ -11907,25 +10467,26 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYa
MW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } @@ -11937,27 +10498,20 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ + { + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.authority_hints", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "code" } ] } 
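Review bot: The `cty` test asserts `"is": "JWT"` unconditionally, but per RFC 7519 §5.2 `cty` is required only when the JWE carries a nested signed JWT (OIDC Core §5.3.2: signed-then-encrypted UserInfo); an OP that only encrypts the UserInfo response, as configured by `userinfo_encrypted_response_alg` without `userinfo_signed_response_alg`, legitimately omits `cty`, so the test would report a deployment choice as a violation. The description should state that it assumes a signed+encrypted UserInfo response, e.g. "This test applies only when the RP registered both userinfo_signed_response_alg and userinfo_encrypted_response_alg; a plain JWE without cty is compliant". RFC 7519 also notes the value is case-insensitive though `JWT` is RECOMMENDED, so a strict `is` comparison may want that caveat too.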
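Review bot: `"contains": "code"` on the `Location` header is a substring test, so a redirect carrying `error=invalid_request&error_description=...code...`, or a `redirect_uri` whose path contains the word "code", passes without any authorization code being present, and an empty `code=` passes as well. Anchoring on the query-parameter name and a non-empty value, e.g. `"check regex": "[?&#]code=[^&]+"`, makes the check fail for an error response and for an empty value. The same substring pattern is used for `iss` and `state` in the next hunks and has the same weakness there.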
@@ -11967,27 +10521,20 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "iss" } ] } 
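Review bot: `"contains": "iss"` is particularly weak as a substring test: it matches "missing" or "permission" inside an `error_description`, and it matches the issuer's own host name if the `redirect_uri` or any other parameter contains "iss", so the test can pass on an error redirect with no `iss` parameter at all. RFC 9207 §2 additionally requires `iss` to equal the OP's issuer identifier, which is the mix-up countermeasure this test is meant to cover; at minimum use `"check regex": "[?&]iss=[^&]+"`, and if the framework can reference the `issuer` seen in the OP's configuration response, compare the decoded value against it. Presence alone should be described as such in the name and description rather than as the OP "correctly" providing `iss`.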
@@ -11997,27 +10544,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "state" } ] } @@ -12027,8 +10567,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "name": "Does the token response have Cache-Control set to 'no-store'", + "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", "type": "passive", "sessions": [ "s1" 
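Review bot: The test is named "correct state parameter" but `"contains": "state"` only checks that the substring occurs somewhere in `Location`; the CSRF binding that `state` provides (RFC 6749 §10.12) is that the returned value equals the one sent in the Authentication request, and nothing here compares the two. At minimum replace it with `"check regex": "[?&]state=[^&]+"` so an empty or absent `state` fails; if the framework can carry a value across messages, compare it with the `state` from the intercepted Authentication request, otherwise rename the test to "Does the OP return a state parameter on redirect". The following 8-line hunk only renames the Cache-Control test and needs no change.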
@@ -12036,18 +10576,11 @@ "operations": [ { "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] + "in": "head", + "check param": "Cache-Control", + "contains": "no-store" } ] } @@ -12057,27 +10590,40 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", - "type": "passive", + "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", + "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "message operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.typ", - "is present": "true" - } - ] + "edit": "(?<=token=)([^&]+)", + "in": "123.123.123" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
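Review bot: The Cache-Control test checks only `no-store`, but RFC 6749 §5.1 requires the token response to carry both `Cache-Control: no-store` and `Pragma: no-cache`, so a second check is needed if the target profile follows RFC 6749 rather than the OAuth 2.1 draft that dropped Pragma. I would add `{ "in": "head", "check param": "Pragma", "contains": "no-cache" }` next to the existing check, or state in the description that Pragma is intentionally out of scope. Note that `contains` on the header value would also accept `no-store` appearing inside a longer directive list, which is fine here since the directive is what matters.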
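Review bot: The revocation test asserts only the `200` status for the fabricated token `123.123.123`, which is the behaviour RFC 7009 §2.2 mandates, but the same section states that invalid tokens must not cause an error response, so the test should also fail if the body carries `error`; if the framework supports it, add `{ "in": "body", "check": "error", "is present": "false" }` — if it does not, the description should say the body is not inspected. Because the `message operations` edit replaces the token before `forward`, the real token is never revoked in session s1; a sentence in the description noting that the session's token remains valid after this step would save the next maintainer from debugging that. The `(?<=token=)([^&]+)` edit also assumes `token` is form-encoded in the body and not the last parameter with a trailing CRLF, which `[^&]+` would swallow; `[^&\\r\\n]+` is safer.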
@@ -12087,8 +10633,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -12103,9 +10649,14 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -12117,8 +10668,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" 
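Review bot: In the Access Token `alg` test, the new description says the token is non-compliant when `alg` "is absent", but the only check is `"is not in": [...]`, which presumably passes when `$.alg` is missing since nothing is compared; the old `"is present": "true"` check that this hunk removes was the one covering that case. Keep both: `{ "in": "header", "check": "$.alg", "is present": "true" }` followed by the `is not in` list. If the framework's string comparison is case-sensitive, the blocklist also lets `None`/`NONE` through; a positive list of the algorithms the profile allows would be the more robust form, if such an operator exists in mig-t.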
@@ -12129,13 +10680,18 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.client_id", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
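Review bot: The new `"decode param": "(?<=\"id_token\": \")[^\"]+"` requires exactly one space after the colon, so a compactly serialised token response (`"id_token":"eyJ..."`) yields no match and the `alg` check on the ID Token is silently never evaluated rather than failing. Make the whitespace optional: `"decode param": "(?<=\"id_token\":\\s*\")[^\"]+"`. The context lines show the same rigid pattern for `access_token`; it predates this patch but deserves the same fix so both token checks behave the same across serialisers. As in the Access Token test, `$.alg` absent is described as non-compliant yet not asserted, so an `"is present": "true"` check belongs here too.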
@@ -12147,610 +10703,1072 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": 
"Does the OP refuse Authentication Requests without the client_id parameter", + "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", + "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jti", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the nonce parameter", + "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.scope", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter", + "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - 
"check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the state parameter", + "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. 
In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. 
If it is not present, than the ID Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", + "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "example" + }, { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", + "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": 
"start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.acr", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", + "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.at_hash", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", + "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + 
"decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", + "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" 
+ } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", + 
"description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jti", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", + "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. 
If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.nonce", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unsupported_response_type" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", + "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. 
So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Authentication response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "code" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_scope" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "state" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.state", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Authentication response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "iss" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token response have Cache-Control set to 'no-store'", - "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the acr_values parameter", + "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check param": "Cache-Control", - "contains": "no-store" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the 
Payload and identify the client",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request",
+ "name": "Does the OP refuse Authentication Requests without the aud parameter",
+ "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed",
  "type": "active",
  "sessions": [
  "s1"
@@ -12765,11 +11783,21 @@
  "from session": "s1",
  "then": "forward",
  "message type": "Authentication request",
- "message operations": [
+ "decode operations": [
  {
  "from": "url",
- "save": "client_id",
- "as": "auth_client_id"
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.aud",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_RP"
+ }
+ ]
  }
  ]
  },
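Review bot: The `"jwt edit": "$.aud"` edit in this hunk sets the claim to the empty string `""`, which neither removes `aud` (what the test name "without the aud parameter" says) nor supplies an audience that excludes the OP (what the description says), so a pass only proves the OP rejects an empty-string `aud`, and a rejection for a malformed value is indistinguishable from real audience checking. Pick one case and make name, description and edit agree: for the description's case use a concrete foreign identifier such as `"value": "https://www.example.com/"`, for the name's case drop the claim instead of blanking it, if mig-t offers a removal edit. Because the following `"jwt sign": "X_key_RP"` re-signs the request object, the signature still verifies and the rejection can only be attributed to the claim value, which is why the value chosen matters. The enclosing test object begins in the previous hunk.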
@@ -12777,31 +11805,26 @@
  "action": "intercept",
  "from session": "s1",
  "then": "forward",
- "message type": "Token response",
- "decode operations": [
+ "message type": "Authentication error response",
+ "checks": [
  {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "client_id",
- "is": "auth_client_id",
- "use variable": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
  }
  ]
  }
  ],
- "result": "correct flow s1"
+ "result": "assert_only"
  }
  },
  {
  "test": {
- "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.",
+ "name": "Does the OP refuse Authentication Requests without the claims parameter",
+ "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed",
  "type": "active",
  "sessions": [
  "s1"
@@ -12816,11 +11839,21 @@
  "from session": "s1",
  "then": "forward",
  "message type": "Authentication request",
- "message operations": [
+ "decode operations": [
  {
  "from": "url",
- "save": "scope",
- "as": "auth_scope"
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.claims",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_RP"
+ }
+ ]
  }
  ]
  },
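Review bot: In the second hunk on this line the `"jwt edit": "$.claims"` edit replaces the `claims` object with the string `""` rather than omitting it, so the request the OP sees is "claims of the wrong type", not "no claims" as the test name and description state; an OP that rejects only because the value is not a JSON object passes, while an OP that tolerates an absent `claims` but type-checks a present one is never exercised for the missing case. Either remove the claim from the payload, if the tool supports a removal edit, or rename the test to say what is sent, e.g. `"description": "An Authentication Request is sent with the claims parameter in the JWT replaced by an empty string and the response is analyzed"`. The enclosing test object begins in the previous hunk.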
@@ -12828,103 +11861,138 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "scope", - "is": "auth_scope", - "use variable": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the exp parameter", + "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_OP" + "edits": [ + { + "jwt from": "payload", + "jwt edit": 
"$.exp", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "jwt check sig": "X_key_core_OP" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. 
In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iat parameter", + "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", - "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", + "name": "Does the OP refuse Authentication Requests without the iss parameter", + "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", "type": "active", "sessions": [ "s1" 
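Review bot: The new "without the exp parameter" and "without the iat parameter" tests in this hunk set `$.exp` and `$.iat` to `""` instead of deleting them, so the OP receives a string where a NumericDate is expected; a rejection here can come from type validation rather than from a missing-claim check, and an OP that skips absent timestamps entirely would still pass the test. If mig-t can delete a claim, use that for these two tests; otherwise rename them to "with an empty exp/iat parameter" so the result is not over-read. The three passive signature tests this hunk drops (Entity Configuration, Access Token and ID Token `jwt check sig`) are presumably moved to another suite in this commit, but if they are not, this file loses all signature-verification coverage for the OP and that should be confirmed before merging.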
@@ -12938,12 +12006,22 @@
  "action": "intercept",
  "from session": "s1",
  "then": "forward",
- "message type": "Revocation request",
- "message operations": [
+ "message type": "Authentication request",
+ "decode operations": [
  {
- "from": "body",
- "edit": "(?<=token=)([^&]+)",
- "in": "123.123.123"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_RP"
+ }
+ ]
  }
  ]
  },
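Review bot: The `"jwt edit": "$.iss"` edit sets the issuer to `""` rather than removing it, so what is exercised is an empty-string `iss`, not the absent claim named by the test, and an OP may reject the request object simply because it cannot map an empty issuer to any registered client before any missing-claim logic runs. That makes the expected `invalid_request` in the following hunk a guess about which validation fires first; the later "wrong iss parameter" test in this same file already covers the non-matching-issuer case, so this one should either genuinely omit the claim (if the tool supports a removal edit) or be renamed to "with an empty iss parameter". The enclosing test object and its expected-response check lie outside this hunk.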
@@ -12951,828 +12029,1202 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the prompt parameter", + "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the 
openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", + "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": 
"$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the response_type parameter", + "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", + "type": 
"active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' 
parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", - "type": "passive", + "name": "Does the OP refuse an RP without trusted Trust Marks", + "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] + "jwt from": "payload", + "jwt edit": "$.trust_marks", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", - "type": "passive", + "name": "Does the OP correctly validate the trust chain of an RP authentication request", + "description": "When an 
OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.authority_hints", + "value": "https://www.wrongsite.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_client" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP correctly reject an invalid client_id parameter 
in an intercepted Authentication Request", + "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", - "is in": [ - "private_key_jwt" - ] + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", - "type": "passive", + "name": "Does the OP refuse 
Authentication Requests with a wrong iss parameter", + "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", - "type": "passive", + "name": "Does the OP refuse Authentication Request with a wrong redirect URI", + "description": "Once received an Authentication Request, an OP must 
check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", + "type": "active", "sessions": [ - "s1" + 
"s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported[0]", - "is in": [ - "automatic" - ] + "jwt from": "payload", + "jwt edit": "$.aud[0]", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", - "type": "passive", + "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": 
"body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", - "type": "passive", + "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] + "jwt from": "payload", + "jwt edit": "$.iat", + 
"value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", - "type": "passive", + "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + 
}, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", - "type": "passive", + "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" - ] + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and 
the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", - "type": "passive", + "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to 
verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", - "type": "passive", + "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", + 
"type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", - "type": "passive", + "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from 
session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", - "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong aud parameter in the 
client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "url decode": false, - "is": "application/jwt", - "check param": "Content-Type" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9a
pQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9a
pQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.cty", - "is": "JWT" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.",
+ "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
 "s1"
@@ -13786,17 +13238,20 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Revocation request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "header",
- "jwt edit": "alg",
- "value": "none"
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
@@ -13806,14 +13261,14 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
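Review bot: The edit `"jwt edit": "$.iat"` with `"value": ""` in `@@ -13786,17 +13238,20 @@` replaces the claim with an empty string rather than removing it, so a test named "without the iat parameter" actually sends a present-but-empty iat, and an OP that merely rejects a non-numeric value passes without ever checking claim presence. If the tool has an operation that deletes a claim it should be used here; otherwise the name and description should say "with an empty iat parameter" so the result is not over-read. The same pattern appears in `@@ -13898,7 +13358,12 @@` for iss and in the introspection and revocation "without" variants earlier in this file. The enclosing test object starts and ends outside the hunk.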
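Review bot: The response check in `@@ -13806,14 +13261,14 @@` pins `"check": "invalid_request"` together with a 400 status, but a client_assertion that fails validation is a client-authentication failure, for which RFC 6749 section 5.2 (reused by the RFC 7009 revocation endpoint) designates `invalid_client`, optionally with 401; a conformant OP could therefore fail this test for the wrong reason. Either accept both codes or confirm that the profile this suite targets mandates `invalid_request` for a malformed assertion, and record that in the description. Note also that the introspection tests earlier in this file look for the error code with `"in": "head"` while this hunk switches to `"in": "body"`; if the OP returns the code in a JSON body in both cases, the introspection checks are probably looking in the wrong place.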
@@ -13824,8 +13279,8 @@
 },
 {
 "test": {
- "name": "Does the OP refuse wrongly signed Authentication Requests",
- "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",
+ "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
 "s1"
@@ -13839,15 +13294,20 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Revocation request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt sign": "X_wrong_key"
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
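Review bot: Setting `"value": "abc"` for `$.iat` in `@@ -13839,15 +13294,20 @@` only shows that a non-numeric iat is rejected, which is a parse or type failure, not that the OP validates the issue time as the name "wrong iat parameter" implies. A NumericDate well outside the acceptable window (far in the past, or in the future) would exercise the temporal check; if the tool's `"value"` field accepts only strings, that limitation is worth noting in the description so the result is not over-read. The same observation applies to the exp variant earlier in this file. The enclosing test object continues past the end of the hunk.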
@@ -13857,29 +13317,29 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "unauthorized_client" + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -13890,7 +13350,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Revocation request", "decode operations": [ { "from": "body", @@ -13898,7 +13358,12 @@ "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } @@ -13908,7 +13373,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Revocation response", "checks": [ { "in": "head", 
@@ -13921,13 +13386,13 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP verify the signature of the client assertion in the Revocation request",
- "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
+ "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
 "s1"
@@ -13949,7 +13414,12 @@
 "type": "jwt",
 "edits": [
 {
- "jwt sign": "X_wrong_key"
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
@@ -13972,13 +13442,13 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the token response to a token request made with a wrong signature return a Token Error response",
- "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed",
+ "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
 "s1"
@@ -13992,7 +13462,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
@@ -14000,7 +13470,12 @@
 "type": "jwt",
 "edits": [
 {
- "jwt sign": "X_wrong_key"
+ "jwt from": "payload",
+ "jwt edit": "$.jti",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
@@ -14010,7 +13485,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
@@ -14023,13 +13498,13 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP's token endpoint refuse assertions signed with a wrong key",
- "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed",
+ "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. The response is analyzed; the OP should refuse it",
 "type": "active",
 "sessions": [
 "s1"
@@ -14043,7 +13518,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
@@ -14051,7 +13526,12 @@
 "type": "jwt",
 "edits": [
 {
- "jwt sign": "X_wrong_key"
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
@@ -14061,7 +13541,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
@@ -14074,493 +13554,481 @@ ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ - { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR4
0CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "UserInfo response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.cty", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - 
"test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "UserInfo response", - "decode operations": [ - { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpS
N\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "abc" + }, { - "in": "header", - "check": "$.enc", - "is present": "true" + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "UserInfo response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued JWT Access Token contain a 
wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "decode operations": [ + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Entity Configuration response RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ + }, { - "message type": "Introspection request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "checks": [ + { + "in": "head", + "check regex": 
"HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token 
request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. 
If it contains other values or it is missing, than the RP is not compliant with the specifications", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the exp claim is wrong", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", + "description": "In this test the 
Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the iat claim is wrong", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "in": "header", + "check": "$.alg", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -14572,27 +14040,20 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
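Review bot: The new `$.exp` and `$.iat` edits in the token-request tests of this hunk pass the timestamp as the string `"1681716340"`; whether mig-t writes that into the payload as a JSON string or as a number is not visible here, and if it stays a string, an OP that merely rejects a non-numeric claim passes both tests without its expiry or freshness check ever being exercised — worth confirming against the tool and, if needed, giving the edit a numeric form. On a smaller point, the "wrong iss" test uses `https://www.example.com/` while the sub and aud tests use `https://www.example.com`; one shared value keeps the family comparable. The enclosing test array starts and ends outside this hunk.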
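Review bot: This test and the next one ("Does the Entity expose the /.well-known/openid-federation endpoint") now have identical operations — a single `HTTP/?\\d?\\.?\\d?\\s200` check on `Entity Configuration response TA` — so the second adds no coverage, and its description promises that "its entity configuration is expected as response" while nothing inspects the body. Suggest keeping this one as the status-code test and giving the next one a decode operation on the body (`"decode param": "[^\\r\\n]*", "type": "jwt"`, the pattern this file already uses for entity configurations) with a payload check such as `"check": "$.iss", "is present": "true"`. Separately, `"is present": "true"` is paired here with `"check regex"`, whereas elsewhere in the file it accompanies `"check"`; if the DSL ignores it in this combination it is merely misleading, and if it rejects it the check never runs.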
@@ -14602,27 +14063,20 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
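Review bot: The only check is the `HTTP/?\d?\.?\d?\s200` status-line regex, so this test is indistinguishable from the one in the preceding hunk (@@ -14572) even though its description says the entity configuration is expected as the response. Add a check that the body really is an entity statement, for example a second `head` entry `{ "in": "head", "check regex": "(?i)content-type:\\s*application/entity-statement\\+jwt" }`, or a `decode operations` entry with `"from": "body"` and `"type": "jwt"` like the RP tests this hunk removes. As written, a 200 carrying an HTML error page would pass.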
@@ -14632,25 +14086,29 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
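Review bot: `$.metadata_policy.intermediary.acr_values_supported.subset_of` looks the policy up under an `intermediary` key, while the description above says the parameter is checked inside the `openid_provider` type, which is also how the hunk at @@ -14962 (token_endpoint_auth_methods_supported) addresses it with `$.metadata_policy.openid_provider...`; unless the harness rewrites the fetched statement under that key, the path selects nothing and the check can only fail. The same `intermediary` segment is used in every TA-OP policy hunk from @@ -14662 through @@ -15082 except @@ -14962, so the fix belongs in all of them, e.g. here `"check": "$.metadata_policy.openid_provider.acr_values_supported.subset_of"`. The description string also appears to break across two physical lines ("... is checked. " / "It must contain ..."); if that newline is really in the file rather than a rendering artifact, strict JSON parsers reject an unescaped control character inside a string and it should be `\n` or joined onto one line.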
@@ -14662,25 +14120,27 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" + ] } ] } 
@@ -14692,25 +14152,28 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" + ] } ] } 
@@ -14722,15 +14185,15 @@ }, { "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -14739,8 +14202,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
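Review bot: The check in the second hunk (@@ -14739) reads `id_token_encryption_enc_values_supported.one_of`, but the description in the first hunk says the policy must carry the key `subset_of`; one of the two is wrong, and a TA policy that uses the operator the description names would fail this test for the wrong reason. The same description/path disagreement, in one direction or the other, is in the hunks at @@ -14752/-14769, @@ -14841/-14859, @@ -14872, @@ -14932, @@ -14962, @@ -14992, @@ -15022, @@ -15052, @@ -15082, @@ -15112, @@ -15172, @@ -15202, @@ -15232 and @@ -15322. Settle each against the operator the TA profile is expected to publish and make the description and the last segment of the `check` path name the same one.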
@@ -14752,15 +14218,15 @@ }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -14769,8 +14235,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
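Review bot: `$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` (hunk @@ -14769) uses the recursive-descent `$..`, which matches a `metadata_policy` key at any depth of the payload rather than only the top-level one, while every sibling test uses `$.metadata_policy`; depending on the JSONPath implementation it may also return a list of matches instead of a single value, which `is subset of` is unlikely to handle. Change the prefix to `$.metadata_policy` so the check addresses the same object as the other policy tests.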
@@ -14782,25 +14251,28 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -14812,25 +14284,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } 
@@ -14841,16 +14316,16 @@ } }, { - "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "test": { + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -14859,8 +14334,10 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } 
@@ -14872,25 +14349,27 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -14902,25 +14381,30 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -14932,25 +14416,27 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } 
@@ -14962,25 +14448,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is present": "true" + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -14992,25 +14480,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -15022,25 +14513,28 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -15052,25 +14546,28 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -15082,25 +14579,28 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -15112,25 +14612,27 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
@@ -15142,25 +14644,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } 
@@ -15172,25 +14677,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -15202,25 +14710,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } 
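Review bot: The `is subset of` list holds a single string, `A128CBC-HS256\" , \"A256CBC-HS512`, because the two values were collapsed into one literal with escaped quotes; no policy value will ever equal that string, so the check cannot succeed. It should be two elements, `"is subset of": ["A128CBC-HS256", "A256CBC-HS512"]`, as in the OP-side hunk at @@ -15052. The same collapse is in the id_token_signed_response_alg hunk at @@ -15232, where `RS256\" , \"RS512` should be `["RS256", "RS512"]`.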
@@ -15232,25 +14742,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'grant_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256\" , \"RS512" + ] } ] } 
@@ -15262,25 +14774,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } 
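Review bot: The description stops at "It must contain the key 'value'" and never states what the check enforces, namely that `response_types.value` is a subset of `['code']`; the sibling tests spell the expected list out, so this one should end with `valued with ['code']`. Note also that `value` is an assignment operator in a metadata policy rather than a set operator like `subset_of`, so the check relies on the harness treating the assigned array element-wise — worth confirming, though the path is otherwise consistent with the other RP-side hunks.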
@@ -15292,25 +14806,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.signed_jwks_uri", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] } ] } 
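Review bot: `private_key` is not a registered `token_endpoint_auth_method` value; the OpenID Connect client-authentication method based on a signed JWT is `private_key_jwt`, so a policy that uses the standard value would presumably fail this check while a policy copied from the test would carry a non-standard value. The expected set should read `"is subset of": ["private_key_jwt"]`, with the description updated to match. The same value is used in the SA test in the hunk at -15592. The test object continues past the end of the hunk.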
@@ -15322,25 +14838,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -15352,25 +14871,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } 
@@ -15382,25 +14903,28 @@ }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -15412,25 +14936,27 @@ }, { "test": { - "name": "Does the RP metadata contain the organization_name claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
@@ -15442,25 +14968,28 @@ }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata_policy.intermediary.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_toke" + ] } ] } 
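Review bot: `"refresh_toke"` in the `is subset of` array is a typo for `"refresh_token"`; as written, a policy that correctly lists `refresh_token` fails the subset comparison, turning a compliant TA policy into a reported failure. The description also reads `values with`, which should be `valued with`. The test object continues past the end of the hunk.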
@@ -15472,25 +15001,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -15502,25 +15034,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -15532,25 +15067,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -15562,25 +15100,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } 
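Review bot: The name and description say this test inspects the SA policy (`intermediary` type), but the JSONPath is `$.metadata_policy.openid_relying_party.response_types.value`; every other SA test in this section uses `$.metadata_policy.intermediary.…`, so either the path or the wording is wrong. If the SA policy is intended, the path should be `$.metadata_policy.intermediary.response_types.value`. The test object continues past the end of the hunk.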
@@ -15592,25 +15132,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] } ] } 
@@ -15622,25 +15164,28 @@ }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -15652,15 +15197,15 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -15669,8 +15214,11 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -15682,20 +15230,30 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] + } + ] } ] } 
@@ -15705,20 +15263,21 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Entity Configuration response TA", "checks": [ { - "in": "body", - "check": "client_id", - "is": "X_url_RP" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
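Review bot: The `Content-Type` check is an exact `is` comparison against `application/entity-statement+jwt`, which would reject an otherwise conformant response that carries a media-type parameter such as a charset, unless the tool's `check param` already strips parameters. A tolerant alternative already used elsewhere in this file is a header regex, e.g. `"in": "head", "check regex": "Content-Type:\\s?application/entity-statement\\+jwt"`, which matches the media type regardless of trailing parameters. Header names are case-insensitive in HTTP, so if the tool's lookup is case-sensitive the exact spelling `Content-Type` is a further fragility worth confirming. The test object continues past the end of the hunk.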
@@ -15728,66 +15287,118 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] + } + ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": 
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] + } + ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] } ] } 
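Review bot: The first two new tests share the same name and description ("Does the issued intermediary Trust Mark contain a correct sa_profile claim", "issued for an SA") but one inspects `Entity Statement response TA OP` and the other `Entity Statement response TA RP`; neither is the SA statement the description refers to, and duplicate names make failures hard to attribute, so either the message types should point at the TA's statement for the SA or the names should say which entity is inspected. Both tests also change `result` to the array `["s1"]` while every other test in these hunks keeps the string `"correct flow s1"`; a field whose type varies between records is fragile for the consumer and looks unintended. The third test's description says the Trust Mark is "issued for an TA" while its name says `oauth_resource` and its message type is the OP statement, so one of the three needs correcting. Trust Marks are signed JWTs, so "decrypted" in these descriptions should read "decoded". The test object continues past the end of the hunk.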
@@ -15797,66 +15408,71 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "active", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { "from": "body", - "value": "https://example.com", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must be an HTTP 200 OK response", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } @@ -15866,20 +15482,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
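Review bot: Every Trust Mark test in this and the following hunks (through -16050) decodes only `$.trust_marks[0].trust_mark`, so an entity statement carrying several Trust Marks is checked on the first one only and a non-compliant mark in any other position goes unreported; if the tool supports it, iterate over `$.trust_marks[*].trust_mark`, otherwise state the first-only limitation in the descriptions. The `exp` and `iat` tests assert presence only, which does not detect an already-expired or future-dated mark; a comparison against the current time would be a meaningful addition if the check vocabulary allows it. The replaced active test that altered `client_id` on the Revocation request and expected `401` with `invalid_client` has no passive equivalent in this section, so that negative-path coverage is lost here unless it was moved elsewhere in the commit. The test objects continue past the ends of both hunks.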
@@ -15889,20 +15519,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -15912,20 +15556,34 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
@@ -15935,20 +15593,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } + ] + } + ] } ] } 
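Review bot: The check `$.id_code.ipa_code` assumes the first Trust Mark in the OP statement was issued to a public organization; the description says the test targets a mark "issued for a public entity", but nothing selects such a mark, so for a private-sector OP the test fails by construction. Either condition the test on the `organization_type` claim (checked in the hunk at -16027) or state in the description that it applies only to public-administration OPs. This check also uses JSONPath (`$.`) while the sibling checks use bare claim names such as `iss` and `id`; if the tool treats both forms alike this is only a style inconsistency, otherwise one form is wrong. The test object continues past the end of the hunk.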
@@ -15958,20 +15630,34 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] } ] } 
@@ -15981,20 +15667,34 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -16004,20 +15704,34 @@
  },
  {
  "test": {
- "name": "Does the client_assertion in the token request contain a JWT",
- "description": "The client_assertion parameter in the token request sent by the RP must be a JWT",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "body",
- "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16027,20 +15741,34 @@
  },
  {
  "test": {
- "name": "Does the token request use HTTP POST",
- "description": "The token request sent by the RP must be sent in HTTP POST",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "head",
- "check regex": "POST",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16050,20 +15778,34 @@
  },
  {
  "test": {
- "name": "Does the RP contain a valid Access Token in the UserInfo request",
- "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "UserInfo request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "head",
- "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
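Review bot: The name and description say the Trust Mark was issued for an AA with the oauth_resource profile, but `"message type": "Entity Statement response TA OP"` takes the statement issued to the OP, so the `policy_uri` check runs against the OP's trust mark; the same mismatch is in the `service_documentation`, `tos_uri` and `claims` hunks, for both the TA OP and the TA RP message types. Either point `message type` at the entity statement the TA issues for the AA, or rename the test to say whose trust mark is inspected, e.g. `"name": "Does the Trust Mark issued to the OP contain the policy_uri claim"`. If the OP's trust mark does not carry these claims, the test as written reports a failure that is not the AA's.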
@@ -16073,20 +15815,34 @@
  },
  {
  "test": {
- "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
- "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "url",
- "is present": true,
- "check": "code_challenge"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16096,20 +15852,34 @@
  },
  {
  "test": {
- "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
- "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "url",
- "is present": true,
- "check": "code_challenge_method"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16119,20 +15889,34 @@
  },
  {
  "test": {
- "name": "Does the RP insert the client ID in the url of the request",
- "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "url",
- "is present": true,
- "check": "client_id"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
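Review bot: `"check": "sub"` with `"is present": "true"` only establishes that a `sub` claim exists; it does not establish that the trust mark is bound to the entity whose statement carries it, which is what the claim identifies in a federation trust mark. The removed active tests on this page show the format already supports saving a value with `jwt save`/`as` and comparing it with `use variable`/`contains`, so a follow-up could compare the trust mark's `sub` with the enclosing Entity Statement's `sub`, and likewise its `iss` with the TA's identifier in the `iss` hunks. If that comparison is deliberately out of scope for the passive suite, the description should say that presence alone is checked.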
@@ -16142,20 +15926,34 @@
  },
  {
  "test": {
- "name": "Does the RP insert the response type in the url of the request",
- "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "url",
- "is present": true,
- "check": "response_type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16165,20 +15963,34 @@
  },
  {
  "test": {
- "name": "Does the Introspection Request contain the client_assertion",
- "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
  "type": "passive",
  "sessions": [
- "s_CIE_introsp"
+ "s1"
  ],
  "operations": [
  {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16188,20 +16000,34 @@
  },
  {
  "test": {
- "name": "Does the Introspection Request contain the client_assertion_type",
- "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
  "type": "passive",
  "sessions": [
- "s_CIE_introsp"
+ "s1"
  ],
  "operations": [
  {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16211,20 +16037,34 @@
  },
  {
  "test": {
- "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
- "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
  "type": "passive",
  "sessions": [
- "s_CIE_introsp"
+ "s1"
  ],
  "operations": [
  {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16234,20 +16074,34 @@
  },
  {
  "test": {
- "name": "Does the Introspection Request contain the client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
  "type": "passive",
  "sessions": [
- "s_CIE_introsp"
+ "s1"
  ],
  "operations": [
  {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16257,20 +16111,34 @@
  },
  {
  "test": {
- "name": "Does the Introspection Request contain the token",
- "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
  "type": "passive",
  "sessions": [
- "s_CIE_introsp"
+ "s1"
  ],
  "operations": [
  {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16280,20 +16148,34 @@
  },
  {
  "test": {
- "name": "Does the Introspection Request use HTTP POST",
- "description": "The Introspection request made by the RP use HTTP POST",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
  "type": "passive",
  "sessions": [
- "s_CIE_introsp"
+ "s1"
  ],
  "operations": [
  {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16303,20 +16185,34 @@
  },
  {
  "test": {
- "name": "Does the Revocation Request contain the client assertion",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
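Review bot: `"check": "$.id_code.ipa_code"` is applied unconditionally to the first trust mark in every `Entity Statement response TA RP`, while the name and description restrict the test to a public organization; nothing in the test selects public entities, so for a privately held RP the check presumably fails rather than being skipped. Either have the description state the precondition, e.g. `"description": "In this test, a Trust Mark issued for a public entity must be taken, decoded and the presence of 'ipa_code' in its id_code claim is checked; the test is expected to fail for non-public entities."`, or keep this test out of the generic passive set.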
@@ -16326,20 +16222,34 @@
  },
  {
  "test": {
- "name": "Does the Revocation Request contain the client_assertion_type",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
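Review bot: `"name": "Does the Trust Mark contain the iss claim"` is the same name used for the TA OP variant earlier in this file, and the `logo_uri`, `organization_name`, `organization_type`, `policy_uri`, `ref`, `service_documentation`, `sub` and `tos_uri` hunks that follow repeat their TA OP counterparts' names as well. Only the `message type` differs, so a result reported by name cannot be traced to the entity it concerns. Put the entity in the name, e.g. `"name": "Does the Trust Mark issued to the RP contain the iss claim"`, and do the same for the OP series.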
@@ -16349,20 +16259,34 @@
  },
  {
  "test": {
- "name": "Does the Revocation Request contain the client_id of the RP making the request",
- "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16372,20 +16296,34 @@
  },
  {
  "test": {
- "name": "Does the Revocation Request contain the token for which the request is made",
- "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16395,20 +16333,34 @@
  },
  {
  "test": {
- "name": "Does the token request contain the client_assertion",
- "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16418,20 +16370,34 @@
  },
  {
  "test": {
- "name": "Does the token request contain the client_assertion_type",
- "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16441,20 +16407,34 @@
  },
  {
  "test": {
- "name": "Does the token request contain the client_id",
- "description": "The token request sent by the RP must contain client_id parameter in the URL",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16464,20 +16444,34 @@
  },
  {
  "test": {
- "name": "Does the token request contain the code parameter",
- "description": "The token request sent by the RP must contain code parameter in the URL",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "code"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16487,20 +16481,34 @@
  },
  {
  "test": {
- "name": "Does the token request contain the code_verifier parameter",
- "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "code_verifier"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16510,20 +16518,34 @@
  },
  {
  "test": {
- "name": "Does the token request contain the grant_type parameter",
- "description": "The token request sent by the RP must contain grant_type parameter in the URL",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "grant_type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16533,20 +16555,34 @@
  },
  {
  "test": {
- "name": "Does the RP revoke the Token when the User logs out",
- "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
  {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
  }
  ]
  }
@@ -16556,20 +16592,27 @@
  },
  {
  "test": {
- "name": "Does the RP contain the Access Token in the UserInfo request",
- "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "UserInfo request",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
  {
- "in": "head",
- "is present": true,
- "check param": "Authorization"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
+ }
+ ]
  }
  ]
  }
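Review bot: The decode operation here is written as `"from"`, `"decode regex"`, `"type"`, while the Trust Mark hunks above write `"from"`, `"type"`, `"decode regex"` for the same object; key order carries no meaning in JSON, but one order across the file makes these near-identical test objects easier to diff and review. The Entity Configuration hunks that follow use this hunk's order, so the Trust Mark series is the odd one out and is the one to align.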
@@ -16579,53 +16622,25 @@
  },
  {
  "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP",
- "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP",
- "type": "active",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
- {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
- "decode operations": [
- {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.client_id",
- "as": "client_id"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
+ {
+ "message type": "Entity Configuration response TA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
- "use variable": "true",
  "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "contains": "client_id"
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
  }
  ]
  }
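Review bot: The name `"Does the Entity's metadata contain the contacts parameter"` does not say which entity, while `"message type": "Entity Configuration response TA"` checks only the Trust Anchor's entity configuration; the `federation_fetch_endpoint`, `federation_list_endpoint`, `federation_resolve_endpoint`, `federation_trust_mark_status_endpoint`, `homepage_uri` and `logo_uri` hunks that follow carry the same generic name. If OP and RP entity configurations also carry `federation_entity` metadata, a reader cannot tell from the name whether those are covered elsewhere. Name the entity, e.g. `"name": "Does the Trust Anchor's Entity Configuration metadata contain the contacts parameter"`, matching the wording of the `max_path_length` test just above.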
@@ -16637,53 +16652,55 @@
  },
  {
  "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.",
- "type": "active",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
+ "message type": "Entity Configuration response TA",
  "decode operations": [
  {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "edits": [
+ "checks": [
  {
- "jwt from": "payload",
- "jwt save": "$.redirect_uri",
- "as": "redirect_uris"
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
  }
  ]
  }
  ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
  {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
- "use 
variable": "true",
  "in": "payload",
- "check": "$.metadata.openid_relying_party.redirect_uris",
- "contains": "redirect_uris"
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
  }
  ]
  }
@@ -16695,53 +16712,55 @@
  },
  {
  "test": {
- "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata",
- "type": "active",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
+ "message type": "Entity Configuration response TA",
  "decode operations": [
  {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "edits": [
+ "checks": [
  {
- "jwt from": "payload",
- "jwt save": "$.response_type",
- "as": "response_types_supported"
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
  }
  ]
  }
  ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
  {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
  "decode operations": 
[
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
  "type": "jwt",
  "checks": [
  {
- "use variable": "true",
  "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types[0]",
- "contains": "response_types_supported"
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
  }
  ]
  }
@@ -16753,53 +16772,55 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications",
- "type": "active",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "iss"
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
 ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
 {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "contains": "iss"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -16811,53 +16832,55 @@
 },
 {
 "test": {
- "name": "Does the JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP",
- "type": "active",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt from": "payload",
- "jwt save": "$.metadata.openid_relying_party.client_id",
- "as": "client_id"
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
 ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity's metadata contain the policy_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
 {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token request",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.iss",
- "contains": "client_id"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -16869,53 +16892,55 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'",
- "type": "active",
+ "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "saved_iss"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
 }
 ]
 }
 ]
- },
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
 {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token response",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "$.aud[0]",
- "contains": "saved_iss"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
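Review bot: The second test's description says the `authorization_response_iss_parameter_supported` policy entry must contain the key 'one_of', but its check path ends in `.value`, so the test and its own documentation disagree about which policy operator is required. The same mismatch recurs in the later key tests: claims_parameter_supported and request_parameter_supported ('one_of' in the text, `.value` in the path), response_types_supported, revocation_endpoint_auth_methods_supported, subject_types_supported and the RP's client_registration_types ('one_of' vs `.subset_of`), and the RP's id_token_encrypted_response_alg, id_token_encrypted_response_enc, id_token_signed_response_alg, userinfo_encrypted_response_alg and userinfo_encrypted_response_enc ('subset_of' vs `.one_of`). In the OpenID Federation policy language `value` and `one_of` constrain single-valued parameters while `subset_of` constrains array-valued ones, so for the boolean and single-string parameters the paths look right and the descriptions are what needs correcting, e.g. here `"... is checked. It must contain the key 'value'"`; for the array-valued ones the intended operator should be decided per parameter and text and path aligned. As written, a reader cannot tell whether a failure means a non-compliant policy or a wrong test.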
@@ -16927,24 +16952,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr_values",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
 "is present": "true"
 }
 ]
@@ -16957,24 +16982,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
 "is present": "true"
 }
 ]
@@ -16987,24 +17012,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
 "is present": "true"
 }
 ]
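Review bot: This presence test for `client_registration_types_supported` checks `$.metadata_policy.openid_provider.client_registration_types_supported.subset_of`, which is exactly the path the following "correct ... parameter key" test checks, so the two tests are duplicates, and a policy that expresses this parameter with a different operator fails the presence test as well. The name and description promise a presence check of the parameter itself, which the sibling presence tests in this file do with a path that stops at the parameter; the line should read `"check": "$.metadata_policy.openid_provider.client_registration_types_supported"`.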
@@ -17017,24 +17042,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter",
- "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.client_id",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -17047,24 +17072,24 @@
 },
 {
 "test": {
- "name": "Does the JWT header of the Authentication Request contain the kid parameter",
- "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
 "is present": "true"
 }
 ]
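Review bot: The check path is `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`, while the name and description say the parameter is looked up inside the `openid_provider` type of the TA's policy and every neighbouring OP test uses `openid_provider`; unless a metadata type literally named `intermediary` is intended, this test can never find the key and will always report the policy as non-compliant. The same `intermediary` segment appears in the response_types_supported, revocation_endpoint_auth_methods_supported and subject_types_supported key tests further down in this file. Suggested line: `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of"`.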
@@ -17077,24 +17102,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
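Review bot: The check `$.jwks` looks at the top level of the Entity Statement payload, i.e. the subject's federation signing keys, not at anything inside `metadata_policy.openid_provider` as the name and description state; the description then refers to "the RP JWKS" in a test that is about an OP. It is not clear from the hunk which of the two is meant: if the policy entry is the target, the path should descend into it, `"check": "$.metadata_policy.openid_provider.jwks"`; if the federation keys are, the name and description should say "entity statement" rather than "metadata policy" and drop the RP wording. Either way the test as written passes for a policy that says nothing about jwks at all.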
@@ -17107,24 +17132,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.nonce",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
 "is present": "true"
 }
 ]
@@ -17137,24 +17162,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.prompt",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
 "is present": "true"
 }
 ]
@@ -17167,24 +17192,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",
+ "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.redirect_uri",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
 "is present": "true"
 }
 ]
@@ -17197,24 +17222,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.response_type",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
 "is present": "true"
 }
 ]
@@ -17227,24 +17252,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain the 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -17257,24 +17282,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.state",
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -17287,24 +17312,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.ui_locales",
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -17317,24 +17342,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
 "is present": "true"
 }
 ]
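Review bot: The path `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of` starts with a double dot; in JSONPath `..` is recursive descent, which no other check in this file uses, so this one would match the key at any depth of the statement (or fail to evaluate if the tool's JSONPath support does not implement `..`). It reads like a typo for `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of"`. The description also stops short of naming the key that the name says is being checked; ending it with `It must contain the key 'subset_of'` would match the sibling key tests.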
@@ -17347,24 +17372,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
 "is present": "true"
 }
 ]
@@ -17377,24 +17402,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -17407,24 +17432,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
@@ -17437,24 +17462,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -17467,24 +17492,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is present": "true"
 }
 ]
@@ -17497,24 +17522,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
 "is present": "true"
 }
 ]
@@ -17527,24 +17552,24 @@
     },
     {
       "test": {
-        "name": "Does the RP's entity configuration contain the trust_marks parameter",
-        "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+        "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
+            "message type": "Entity Statement response TA RP",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "[^\\r\\n]*",
+                "decode regex": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.trust_marks",
+                    "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
                     "is present": "true"
                   }
                 ]
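Review bot: The check path `$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of` contradicts this test's own description, which says the parameter must contain the key 'subset_of'; a presence check on the wrong policy operator passes a policy the description would reject. The same description-versus-path mismatch recurs in the next hunks for userinfo_encrypted_response_enc and userinfo_signed_response_alg, in the SA client_registration_types test (description 'one_of', path `.subset_of`), in the SA id_token_* and userinfo_* tests up to the hunk at -17865, and in the OP tests from -18142 onward where 'subset_of' is described but `.one_of` is addressed. In OpenID Federation metadata policies the list-valued algorithm parameters are normally constrained with subset_of and single-valued ones with one_of, so the descriptions look right and the line here should read `"check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.subset_of"`; please confirm against the policy the TA actually publishes before changing the others the same way.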
@@ -17557,24 +17582,24 @@
     },
     {
       "test": {
-        "name": "Does the signed JWT assertion contain the aud claim",
-        "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
+        "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Token request",
+            "message type": "Entity Statement response TA RP",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "(?<=client_assertion=)([^&]+)",
+                "decode regex": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.aud",
+                    "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
                     "is present": "true"
                   }
                 ]
@@ -17587,24 +17612,24 @@
     },
     {
       "test": {
-        "name": "Does the signed JWT assertion contain the exp claim",
-        "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
+        "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Token request",
+            "message type": "Entity Statement response TA RP",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "(?<=client_assertion=)([^&]+)",
+                "decode regex": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.exp",
+                    "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
                     "is present": "true"
                   }
                 ]
@@ -17617,24 +17642,24 @@
     },
     {
       "test": {
-        "name": "Does the signed JWT assertion contain the iat claim",
-        "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
+        "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Token request",
+            "message type": "Entity Statement response TA SA",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "(?<=client_assertion=)([^&]+)",
+                "decode regex": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.iat",
+                    "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
                     "is present": "true"
                   }
                 ]
@@ -17647,24 +17672,24 @@
     },
     {
       "test": {
-        "name": "Does the signed JWT assertion contain the jti claim",
-        "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
+        "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Token request",
+            "message type": "Entity Statement response TA SA",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "(?<=client_assertion=)([^&]+)",
+                "decode regex": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.jti",
+                    "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
                     "is present": "true"
                   }
                 ]
@@ -17677,24 +17702,24 @@
     },
     {
       "test": {
-        "name": "Does the signed JWT assertion contain the sub claim",
-        "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
+        "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Token request",
+            "message type": "Entity Statement response TA SA",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "(?<=client_assertion=)([^&]+)",
+                "decode regex": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.sub",
+                    "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
                     "is present": "true"
                   }
                 ]
@@ -17707,24 +17732,24 @@
     },
     {
       "test": {
-        "name": "Does the JWT payload contain 'iss' claim",
-        "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
+        "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Token request",
+            "message type": "Entity Statement response TA SA",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "(?<=client_assertion=)([^&]+)",
+                "decode regex": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.iss",
+                    "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
                     "is present": "true"
                   }
                 ]
@@ -17737,22 +17762,26 @@
     },
     {
       "test": {
-        "name": "Does the token request contain a correct grant_type parameter",
-        "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked",
+        "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Token request",
-            "checks": [
+            "message type": "Entity Statement response TA SA",
+            "decode operations": [
               {
-                "in": "body",
-                "check regex": "(?<=grant_type=)([^&]+)",
-                "is in": [
-                  "authorization_code",
-                  "refresh_token"
+                "from": "body",
+                "decode regex": "[^\\r\\n]*",
+                "type": "jwt",
+                "checks": [
+                  {
+                    "in": "payload",
+                    "check": "$.metadata_policy.openid_relying_party.response_types.value",
+                    "is present": "true"
+                  }
                 ]
               }
             ]
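Review bot: The SA response_types test checks `$.metadata_policy.openid_relying_party.response_types.value` while its name, its description and every neighbouring SA test address the `intermediary` policy type, so it validates the RP policy a second time and leaves the SA policy unchecked. This looks copied from the RP test at -17467. The check line should read `"check": "$.metadata_policy.intermediary.response_types.value"`.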
@@ -17763,15 +17792,15 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+        "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
+            "message type": "Entity Statement response TA SA",
             "decode operations": [
               {
                 "from": "body",
@@ -17780,13 +17809,8 @@
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
-                    "is not in": [
-                      "none",
-                      "HS256",
-                      "HS384",
-                      "HS512"
-                    ]
+                    "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+                    "is present": "true"
                   }
                 ]
               }
@@ -17798,15 +17822,15 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
+        "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
+            "message type": "Entity Statement response TA SA",
             "decode operations": [
               {
                 "from": "body",
@@ -17815,10 +17839,8 @@
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
-                    "is not in": [
-                      "RSA_1_5"
-                    ]
+                    "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+                    "is present": "true"
                   }
                 ]
               }
@@ -17830,15 +17852,15 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+        "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
+            "message type": "Entity Statement response TA SA",
             "decode operations": [
               {
                 "from": "body",
@@ -17847,13 +17869,8 @@
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
-                    "is not in": [
-                      "none",
-                      "HS256",
-                      "HS384",
-                      "HS512"
-                    ]
+                    "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+                    "is present": "true"
                   }
                 ]
               }
@@ -17865,21 +17882,27 @@
     },
     {
       "test": {
-        "name": "Does the entity correctly sign the Entity Configuration",
-        "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+        "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
+            "message type": "Entity Statement response TA SA",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "[^\\r\\n]*",
+                "decode regex": "[^\\r\\n]*",
                 "type": "jwt",
-                "jwt check sig": "X_key_RP"
+                "checks": [
+                  {
+                    "in": "payload",
+                    "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+                    "is present": "true"
+                  }
+                ]
               }
             ]
           }
@@ -17889,21 +17912,20 @@
     },
     {
       "test": {
-        "name": "Does the client_assertion in the token request have a correct signature",
-        "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature",
+        "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+        "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Token request",
-            "decode operations": [
+            "message type": "Entity Configuration response TA",
+            "checks": [
               {
-                "from": "body",
-                "decode param": "(?<=client_assertion=)([^&]+)",
-                "type": "jwt",
-                "jwt check sig": "X_key_core_RP"
+                "in": "body",
+                "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+                "is present": "true"
               }
             ]
           }
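Review bot: The description promises a Content-Type of application/entity-statement+jwt, but the only check is an unanchored body regex for a three-part JWS, so an entity configuration served with any other media type passes. The Content-Type test removed at -18240 already expressed the header check in this file's syntax; adding it as a second element of `"checks"` keeps the test aligned with its description: `{ "in": "head", "url decode": false, "is": "application/entity-statement+jwt", "check param": "Content-Type" }`. Note also that `[\\w=]+` for the header and payload groups does not admit `-`, which is legal in base64url, so the pattern matches a substring of the token rather than the whole token; `[\\w\\-=]+` would be the faithful alphabet if the intent is to recognise a full JWS.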
@@ -17913,29 +17935,20 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain correct 'client_registration_types' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'",
+        "name": "Does the Entity expose the resolve entity statement endpoint",
+        "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
-            "decode operations": [
+            "message type": "Resolve Entity Statement response",
+            "checks": [
               {
-                "from": "body",
-                "decode regex": "[^\\r\\n]*",
-                "type": "jwt",
-                "checks": [
-                  {
-                    "in": "payload",
-                    "check": "$.metadata.openid_relying_party.client_registration_types[0]",
-                    "is in": [
-                      "automatic"
-                    ]
-                  }
-                ]
+                "in": "body",
+                "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+                "is present": "true"
               }
             ]
           }
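Review bot: The regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens with an unescaped `[`, so the regex engine reads a character class instead of a literal opening bracket; the sibling entity-listing test in the next hunk escapes it as `\\[\\s*...`, which is evidently what was meant. If the resolve endpoint is expected to return a bare JSON array, the line should be `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`; if, as the other entity-statement tests in this file assume, the resolve response is itself a signed entity statement, the JWS pattern used in those tests is the right check here and the list pattern is a copy-paste remnant. Either way the current pattern does not express the check the description announces.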
@@ -17945,30 +17958,20 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain correct grant_types claim",
-        "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'",
+        "name": "Does the Entity expose the entity listing endpoint",
+        "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
-            "decode operations": [
+            "message type": "Entity Listing response",
+            "checks": [
               {
-                "from": "body",
-                "decode regex": "[^\\r\\n]*",
-                "type": "jwt",
-                "checks": [
-                  {
-                    "in": "payload",
-                    "check": "$.metadata.openid_relying_party.grant_types[0]",
-                    "is in": [
-                      "authorization_code",
-                      "refresh_token"
-                    ]
-                  }
-                ]
+                "in": "body",
+                "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+                "is present": "true"
               }
             ]
           }
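Review bot: The description still talks about the resolve entity statement endpoint although the test targets the entity listing endpoint, so the text was carried over from the previous test; it should open with `"description": "In order to check the presence and correctness of the entity listing endpoint, ..."`. The list regex is anchored only at the end with `$`; if the body is expected to be exactly a JSON array of entity identifiers, anchoring the start as well (`^\\s*\\[`) prevents an array embedded in an HTML error page from satisfying the check.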
@@ -17978,30 +17981,20 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
+        "name": "Does the TA correctly release the Entity statements",
+        "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
-            "decode operations": [
+            "message type": "Entity Statement response TA OP",
+            "checks": [
               {
-                "from": "body",
-                "decode regex": "[^\\r\\n]*",
-                "type": "jwt",
-                "checks": [
-                  {
-                    "in": "payload",
-                    "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
-                    "is in": [
-                      "RSA-OAEP",
-                      "RSA-OAEP-256"
-                    ]
-                  }
-                ]
+                "in": "body",
+                "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+                "is present": "true"
               }
             ]
           }
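Review bot: This test and the one in the next hunk (-18011) carry the identical name "Does the TA correctly release the Entity statements" while checking different message types (TA OP versus TA RP), and the two fetch-endpoint tests at -18043 and -18077 repeat the same pattern; if the name is what the report or any lookup keys on, the OP and RP results become indistinguishable. Suffixing the entity keeps them apart, e.g. `"name": "Does the TA correctly release the Entity statements (OP)"`. Hedged: whether names must be unique depends on how mig-t consumes them, which is not visible here.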
@@ -18011,30 +18004,20 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
+        "name": "Does the TA correctly release the Entity statements",
+        "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
-            "decode operations": [
+            "message type": "Entity Statement response TA RP",
+            "checks": [
               {
-                "from": "body",
-                "decode regex": "[^\\r\\n]*",
-                "type": "jwt",
-                "checks": [
-                  {
-                    "in": "payload",
-                    "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
-                    "is in": [
-                      "A128CBC-HS256",
-                      "A256CBC-HS512"
-                    ]
-                  }
-                ]
+                "in": "body",
+                "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+                "is present": "true"
               }
             ]
           }
@@ -18043,31 +18026,21 @@
       }
     },
     {
-      "test": {
-        "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']",
+      "test": {
+        "name": "Does the Entity expose the fetch entity statement endpoint",
+        "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
-            "decode operations": [
+            "message type": "Fetch Entity Statement response TA OP",
+            "checks": [
               {
-                "from": "body",
-                "decode regex": "[^\\r\\n]*",
-                "type": "jwt",
-                "checks": [
-                  {
-                    "in": "payload",
-                    "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
-                    "is in": [
-                      "RS256",
-                      "RS512"
-                    ]
-                  }
-                ]
+                "in": "body",
+                "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+                "is present": "true"
               }
             ]
           }
@@ -18077,29 +18050,20 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'",
+        "name": "Does the Entity expose the fetch entity statement endpoint",
+        "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
-            "decode operations": [
+            "message type": "Fetch Entity Statement response TA RP",
+            "checks": [
               {
-                "from": "body",
-                "decode regex": "[^\\r\\n]*",
-                "type": "jwt",
-                "checks": [
-                  {
-                    "in": "payload",
-                    "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
-                    "is in": [
-                      "private_key_jwt"
-                    ]
-                  }
-                ]
+                "in": "body",
+                "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+                "is present": "true"
               }
             ]
           }
@@ -18109,30 +18073,20 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
+        "name": "Does the TA publish the federation public key history",
+        "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
-            "decode operations": [
+            "message type": "Public Keys History response",
+            "checks": [
               {
-                "from": "body",
-                "decode regex": "[^\\r\\n]*",
-                "type": "jwt",
-                "checks": [
-                  {
-                    "in": "payload",
-                    "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
-                    "is in": [
-                      "RSA-OAEP",
-                      "RSA-OAEP-256"
-                    ]
-                  }
-                ]
+                "in": "body",
+                "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+                "is present": "true"
               }
             ]
           }
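Review bot: The check for the Public Keys History response expects the body to end with a bare JSON array of strings, the same pattern as the entity-listing test, yet the description points at the TA's /.well-known/openid-federation-jwks endpoint, which presumably serves a JWK Set object (`{"keys": [...]}`) rather than a list of identifiers; if so the regex never matches and a compliant TA fails this test. Please confirm the expected body shape and, if it is a JWK Set, check for its keys member instead, e.g. `"check regex": "\"keys\"\\s*:\\s*\\["`. The description would also benefit from saying what "analyzed" means, i.e. what the response must contain, so the check can be read against it.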
@@ -18142,27 +18096,26 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter",
-        "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
+        "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
+            "message type": "Entity Statement response TA OP",
             "decode operations": [
               {
                 "from": "body",
-                "decode regex": "[^\\r\\n]*",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
-                    "is in": [
-                      "A128CBC-HS256",
-                      "A256CBC-HS512"
+                    "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
+                    "not contains": [
+                      "RSA_1_5"
                     ]
                   }
                 ]
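Review bot: Every OP policy test from this hunk through -18361 describes its check as being inside the openid_provider type, yet the JSONPath addresses `$.metadata_policy.intermediary...`, so these tests read the intermediary (SA) policy and never look at the OP policy at all; the check line here should be `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"` and the following hunks need the same two corrections (type, and 'subset_of' as their descriptions state rather than `.one_of`). These hunks also flip `decode regex` back to `decode param`, the opposite of what the RP and SA hunks earlier in this commit do; only one of those keys can be the one the decoder honours, so please settle on one across the file. A further consistency point: the forbidden-value checks here use `"not contains"` while the old code used `"is not in"` for the same intent; if both operators exist they may differ in list-versus-scalar semantics, so it is worth confirming `"not contains"` is evaluated against every element of the policy array.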
@@ -18175,27 +18128,29 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter",
-        "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",
+        "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
+            "message type": "Entity Statement response TA OP",
             "decode operations": [
               {
                 "from": "body",
-                "decode regex": "[^\\r\\n]*",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
-                    "is in": [
-                      "RS256",
-                      "RS512"
+                    "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+                    "not contains": [
+                      "none",
+                      "HS256",
+                      "HS384",
+                      "HS512"
                     ]
                   }
                 ]
@@ -18208,26 +18163,29 @@
     },
     {
       "test": {
-        "name": "Does the RP metadata contain in the 'response_types' the value 'code'",
-        "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'",
+        "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+        "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response RP",
+            "message type": "Entity Statement response TA OP",
             "decode operations": [
               {
                 "from": "body",
-                "decode regex": "[^\\r\\n]*",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
                 "checks": [
                   {
                     "in": "payload",
-                    "check": "$.metadata.openid_relying_party.response_types[0]",
-                    "is in": [
-                      "code"
+                    "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+                    "not contains": [
+                      "none",
+                      "HS256",
+                      "HS384",
+                      "HS512"
                     ]
                   }
                 ]
@@ -18240,64 +18198,27 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the JWT payload contain a correct sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. 
Its value must be the same of the iss value", - "type": "active", - "sessions": [ - "s1" - ], - "operations": [ - { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ], "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.sub", - "contains": "saved_iss" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -18309,25 +18230,25 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "not contains": [ "none", "HS256", "HS384", 
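Review bot: The check path reads `$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of`, but the description says the parameter is inspected inside the `openid_provider` type under the `subset_of` operator, and the neighbouring OP checks (authorization_response_iss_parameter_supported, claims_parameter_supported, client_registration_types_supported) already use `$.metadata_policy.openid_provider`. Because `*_values_supported` parameters are arrays, a policy that admits `none` or an HS* algorithm through `subset_of` is not examined here; the userinfo_encryption_alg_values_supported check above and the token_endpoint_auth_signing_alg_values_supported check below have the same gap. Unless `intermediary` is a deliberate profile-specific type, the line should be `"check": "$.metadata_policy.openid_provider.userinfo_signing_alg_values_supported.subset_of"`.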
@@ -18344,8 +18265,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -18361,11 +18282,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -18378,15 +18300,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -18395,9 +18317,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
@@ -18410,15 +18332,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -18427,10 +18349,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -18443,15 +18367,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -18460,10 +18384,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
@@ -18476,15 +18399,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -18492,11 +18415,13 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -18509,15 +18434,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -18526,10 +18451,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "is subset of": [ - "RS256", - "RS512" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
@@ -18542,15 +18466,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -18559,10 +18483,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", - "is subset of": [ - "form_post", - "query" + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -18575,15 +18501,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -18592,9 +18518,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is subset of": [ - "code" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
@@ -18607,15 +18533,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -18624,9 +18550,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -18639,15 +18568,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -18656,13 +18585,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", - "is subset of": [ - "openid", - "offline_access", - "profile", - "email" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -18674,15 +18598,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -18691,10 +18615,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is subset of": [ - "pairwise" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -18706,15 +18628,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -18723,10 +18645,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -18738,15 +18658,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -18755,11 +18675,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" } ] } 
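Review bot: In the `json schema compliant` string the `"required": ["constraints"]` entry sits inside `properties` as a sibling of the `constraints` property instead of at the top level, so an Entity Configuration with no `constraints` claim still satisfies the schema; the exp, iat and metadata checks above place `required` correctly. `max_path_length` is also left as `{}`, which accepts any type although the claim is a non-negative integer. Suggested schema (escaped as the file does): `{"type": "object", "properties": {"constraints": {"type": "object", "properties": {"max_path_length": {"type": "integer", "minimum": 0}}, "required": ["max_path_length"]}}, "required": ["constraints"]}`.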
@@ -18771,28 +18688,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
@@ -18804,28 +18718,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, 
\"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } @@ -18837,15 +18748,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -18854,11 +18765,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" } ] } 
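Review bot: The metadata-types schema lists all six entity types under `required`, so an Entity Configuration that carries only `federation_entity` (the usual case for a TA) fails this check, while the description only asks that each key be one of the allowed types and not be repeated. `additionalProperties: false` already enforces the allowed set, and keys cannot repeat in a parsed JSON object, so the `required` array should be dropped and the six `properties` entries kept.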
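Review bot: The test name and description say `trust_mark_issuers` must be a JSON Array, but the schema requires an object whose values are arrays; in OpenID Federation the claim is an object keyed by trust mark identifier with an array of issuer entity identifiers per key, so the schema is right and the wording should be aligned, e.g. `"description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Object whose values are JSON Arrays."`. The array items are unconstrained; `{"type": "array", "items": {"type": "string", "format": "uri"}}` would also reject non-string entries, bearing in mind that `format` is only enforced when the validator opts in.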
@@ -18870,15 +18778,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -18887,10 +18795,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is subset of": [ - "automatic" - ] + "check": "$.metadata_policy.intermediary.acr_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" } ] } 
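Review bot: The schema requires both `subset_of` and `superset_of`, while the name and description only say the `subset_of` key must be present; one of the two should be corrected, and the `{}` given for each operator accepts any type where `{"type": "array"}` would reject a policy that sets the operator to a scalar. The check path also targets `intermediary` although the description names the `openid_provider` type used by the neighbouring OP checks. The grant_types_supported check below has the same two issues.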
@@ -18902,15 +18808,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -18919,11 +18825,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_token" - ] + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
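Review bot: The description says the parameter must contain the key `'one_of'` valued as `['true']`, but the schema checks the `value` operator with `const: true`; since authorization_response_iss_parameter_supported is a boolean, `value` is the right operator and the description should read `It must contain the key 'value' and it must be valued as true`. The claims_parameter_supported check below has the same wording mismatch.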
@@ -18935,15 +18838,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -18952,10 +18855,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" - ] + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -18967,15 +18868,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -18984,11 +18885,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.openid_provider.client_registration_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" } ] } 
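Review bot: The schema `{"subset_of": {"const": "automatic"}}` matches only the bare string `"automatic"`, but `subset_of` is a list-valued policy operator, so a conformant policy `"subset_of": ["automatic"]` fails this check. Change the constraint to an array schema, e.g. `"properties": {"subset_of": {"type": "array", "minItems": 1, "items": {"const": "automatic"}}}`, or `{"const": ["automatic"]}` if exactly that list is required. The description in the first hunk also says `one_of`, so it should be updated to name `subset_of` as well.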
@@ -19000,15 +18898,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19017,10 +18915,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" - ] + "check": "$.metadata_policy.intermediary.grant_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
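Review bot: The JSONPath `$.metadata_policy.intermediary.grant_types_supported` looks at the SA (`intermediary`) policy while this test consumes the OP entity statement and the description says `openid_provider`; on an OP statement the path will not resolve and the test cannot assert anything about the OP policy. Change it to `"check": "$.metadata_policy.openid_provider.grant_types_supported"`. The schema also requires both `subset_of` and `superset_of` whereas the description only mentions `subset_of`; make the `required` list and the text agree, and consider constraining the allowed values (the old test pinned `[authorization_code, refresh_token]`) since key presence alone does not catch a TA that permits `implicit`.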
@@ -19032,15 +18928,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19049,10 +18945,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256\" , \"RS512" - ] + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
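Review bot: The check path uses `intermediary` again although the message is the OP statement and the description says `openid_provider`; use `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported"`. With this commit the aggregate no longer asserts that `RSA1_5` is excluded (the old "must not contain RSA_1_5" test is removed further down), so a TA whose policy admits PKCS#1 v1.5 key wrapping would pass here; if that constraint has moved to a separate test file it is worth saying so in the description, otherwise add e.g. `"subset_of": {"type": "array", "not": {"contains": {"const": "RSA1_5"}}}` to this schema.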
@@ -19064,15 +18958,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19081,10 +18975,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" - ] + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
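Review bot: The check path `$.metadata_policy.intermediary.id_token_encryption_enc_values_supported` targets the SA policy type while the message type and the description both refer to the OP; the path should be `"check": "$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported"`. The description also states only `subset_of` is required while the schema's `required` lists `subset_of` and `superset_of`; pick one and make both say it.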
@@ -19096,15 +18988,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19113,11 +19005,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
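Review bot: Same wrong entity type in the JSONPath: `intermediary.id_token_signing_alg_values_supported` is evaluated against an OP entity statement. Use `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported"`. Since the removed tests below dropped the "must not contain none/HS256/HS384/HS512" assertion for this parameter, consider adding a value constraint here (e.g. `"subset_of": {"type": "array", "items": {"enum": ["RS256", "RS512"]}}`) so a policy allowing `none` or symmetric HMAC algorithms for ID Token signatures is still flagged.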
@@ -19129,15 +19018,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19146,10 +19035,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" - ] + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
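Review bot: The schema `{"value": {"const": "request_object"}}` can only match a bare string, but in OpenID Federation `request_authentication_methods_supported` is an object keyed by endpoint (e.g. `{"authorization_endpoint": ["request_object"]}` or, in the Italian profile, `{"ar": ["request_object"]}`), so a conformant policy would fail this check; please confirm the shape this deployment uses and constrain accordingly, e.g. `"value": {"type": "object", "additionalProperties": {"type": "array", "items": {"const": "request_object"}}}`. The description in the first hunk still says `one_of` while the schema checks `value`, so the text should be corrected too.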
@@ -19161,15 +19048,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19178,11 +19065,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
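Review bot: The JSONPath again uses `intermediary` for an OP parameter; change it to `"check": "$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported"`. The old assertion that this list must not contain `none`, `HS256`, `HS384` or `HS512` is removed in this same file (see the removed hunk further down), so key presence alone now accepts a policy that lets request objects be "signed" with `none`; either restore that constraint here or note in the description where it now lives.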
@@ -19194,15 +19078,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19211,10 +19095,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
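Review bot: The test's name and description are about `request_object_signing_alg_values_supported`, but the check path is `$.metadata_policy.openid_provider.request_parameter_supported`, a boolean parameter for which a `subset_of`/`superset_of` schema makes no sense; the test therefore never looks at the parameter it claims to verify. Fix the path to `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`. Note the description also says the key must contain `subset_of` and `superset_of` while this and the neighbouring tests' descriptions are inconsistent about whether `superset_of` is required.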
@@ -19226,15 +19108,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19243,10 +19125,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
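Review bot: The `json schema compliant` string `{"type": "object", ...} ["RS256", "RS512"]` is two JSON values concatenated, not one schema, so it will fail to parse (or be silently truncated, depending on the tool) and the test cannot enforce the `['RS256', 'RS512']` constraint its description promises; the path is also `request_parameter_supported` instead of `request_object_signing_alg_values_supported`. Replace it with `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}}, \"required\": [\"subset_of\"]}"`.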
@@ -19258,15 +19138,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19275,11 +19155,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
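Review bot: This is now the third consecutive test whose check path is `$.metadata_policy.openid_provider.request_parameter_supported`, and the only one whose name matches that path; the description still says `one_of` valued `['true']` while the schema requires `"value": true`. Update the description to `It must contain the key 'value' set to true` (or change the schema to the `one_of` form) so the failure message points at the right operator.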
@@ -19291,15 +19168,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19308,11 +19185,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
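Review bot: The check path `$.metadata_policy.intermediary.response_modes_supported` looks in the SA policy while the message type is the OP statement and the description says `openid_provider`; use `"check": "$.metadata_policy.openid_provider.response_modes_supported"`. The description says only `subset_of` must be present while the schema requires `superset_of` too; align the two.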
@@ -19324,15 +19198,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19341,11 +19215,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
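Review bot: Wrong entity type in the JSONPath once more: `intermediary.scopes_supported` on an OP entity statement. Change it to `"check": "$.metadata_policy.openid_provider.scopes_supported"`. As with the other `*_supported` tests, the schema's `required` includes `superset_of` while the description mentions only `subset_of`; make them consistent.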
@@ -19357,15 +19228,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19374,11 +19245,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
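Review bot: The check path uses `intermediary` for `token_endpoint_auth_signing_alg_values_supported` although the test reads the OP statement and the description says `openid_provider`; it should be `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported"`. Because only key presence is asserted, a policy that allows `none` or HS* for client authentication (private_key_jwt assertions) is not caught; if value constraints are enforced in a separate file, say so in the description, otherwise add an `items`/`enum` constraint on `subset_of`.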
@@ -19390,15 +19258,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19407,10 +19275,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" - ] + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
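Review bot: The JSONPath `$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported` targets the SA policy type on an OP statement; use `"check": "$.metadata_policy.openid_provider.userinfo_encryption_alg_values_supported"`. The old "must not contain RSA_1_5" assertion for this parameter is removed at the end of this diff, so the aggregate now accepts a policy permitting PKCS#1 v1.5 key wrapping for UserInfo; restore that constraint here unless it is covered elsewhere.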
@@ -19422,15 +19288,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19439,11 +19305,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
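Review bot: Same wrong entity type in the check path (`intermediary.userinfo_encryption_enc_values_supported`) for an OP test; change it to `"check": "$.metadata_policy.openid_provider.userinfo_encryption_enc_values_supported"`. The description says only `subset_of` is required but the schema also requires `superset_of`.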
@@ -19455,15 +19318,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19472,11 +19335,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
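Review bot: The check path `$.metadata_policy.intermediary.userinfo_signing_alg_values_supported` does not match the OP message type or the `openid_provider` wording of the description; use `"check": "$.metadata_policy.openid_provider.userinfo_signing_alg_values_supported"`. With only key presence asserted, a policy admitting `none` for UserInfo signatures is not flagged; consider an `enum` on `subset_of` items as the removed tests used to do.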
@@ -19488,15 +19348,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -19505,11 +19365,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata_policy.openid_relying_party.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
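Review bot: This RP `grant_types` test now only asserts that `subset_of` and `superset_of` exist, whereas the test it supersedes pinned `subset_of` to `[authorization_code, refresh_token]`; a TA policy that lets RPs register `implicit` or `password` would now pass. If the value check is not re-added in another file, constrain the items here, e.g. `"subset_of": {"type": "array", "items": {"enum": ["authorization_code", "refresh_token"]}}`. Requiring `superset_of` is stricter than the other entity types' descriptions suggest; confirm it is actually mandated for RPs before making it `required`.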
@@ -19521,15 +19378,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -19538,10 +19395,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" } ] } 
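Review bot: The schema string ends with `"required": ["subset_of"], ["superset_of"]}`, which is not valid JSON (a bare array as an object member), so this test will error out or be skipped instead of checking the SA `grant_types` policy. Change it to `"required": ["subset_of", "superset_of"]` to match the neighbouring tests and the description. As with the RP variant, key presence alone no longer rejects a policy allowing `implicit`; consider an `enum` on `subset_of` items.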
@@ -19553,8 +19408,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -19567,16 +19422,12 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
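Review bot: The signature check only verifies `$.trust_marks[0].trust_mark` with a fixed `X_key_TA`, so any second or later trust mark in the statement is never verified, and a trust mark whose `iss` is a delegated trust mark issuer rather than the TA will be reported as a bad signature instead of being verified with the right key; if the tool supports it, iterate over `$.trust_marks[*].trust_mark` and assert the trust mark's `iss` (and the header `kid`) corresponds to the key used. The description should also state that the header `alg` must be an asymmetric algorithm (not `none`/HS*), otherwise "signature verifies" says little. The enclosing test's `message type` line is outside this hunk, and the test name is identical to the next one; add the entity type to the name so failures are distinguishable.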
@@ -19588,30 +19439,26 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -19623,15 +19470,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does entity configuration TA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -19640,10 +19487,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.sub",
+ "is": "X_url_TA"
 }
 ]
 }
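Review bot: The description says the `sub` value must equal the `iss` parameter, but the check in the second hunk (`@@ -19640`) compares `$.sub` with the fixed placeholder `X_url_TA`, so the stated relation between the two claims is never exercised. Either the description should say the value must be the TA's configured entity identifier, or the test should follow the pattern of the `@@ -19655` hunk and capture `iss` first with `"jwt save": "iss", "as": "valid_iss"` before comparing `$.sub` against the saved variable. A static comparison is still a useful check; the point is that the text and the check should agree.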
@@ -19655,29 +19500,59 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
- "type": "passive",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "jwt from": "payload",
+ "jwt save": "iss",
+ "as": "valid_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "use variable": "true",
+ "in": "payload",
+ "check": "iss",
+ "contains": "valid_iss"
+ }
 ]
 }
 ]
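Review bot: The final check compares the trust mark's `iss` with `"contains": "valid_iss"`; if `contains` is a substring match, as its name suggests, a trust mark whose `iss` merely embeds the TA's identifier (extra host labels or path components) would still pass. The DSL already has an exact-match operator (`"is"`, used in the `@@ -19640` hunk), so `"is": "valid_iss"` is the safer form, provided `"use variable"` applies to it. Two smaller points: `"check": "iss"` lacks the `$.` JSONPath prefix every other check in these hunks uses, and the description says the trust mark is `decrypted` and that `iss` `has to be an URL`, whereas the check actually compares it with the `iss` of the TA's Entity Configuration. The RP variant in the next hunk (`@@ -19690`) has the same issues.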
@@ -19690,61 +19565,59 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
- "type": "passive",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "jwt from": "payload",
+ "jwt save": "iss",
+ "as": "valid_iss"
 }
 ]
 }
 ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint.
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
+ },
 {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
 "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "use variable": "true",
+ "in": "payload",
+ "check": "iss",
+ "contains": "valid_iss"
+ }
 ]
 }
 ]
@@ -19757,15 +19630,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
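Review bot: The new `exp` test introduced in the `@@ -19757` hunk (its check is in the following `@@ -19774` hunk) only asserts `"is present": "true"`, so an Entity Configuration carrying `"exp": "never"` or a negative number still passes; the `iat` test that follows (`@@ -19792`) has the same gap. The `json schema compliant` operator accepts a sub-path (see the `@@ -19538` hunk), so `"check": "$.exp"` paired with `"json schema compliant": "{\"type\": \"integer\", \"minimum\": 0}"` would keep the type constraint this file previously enforced for these claims. If presence-only was intentional, the description should say so.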
@@ -19774,13 +19647,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -19792,15 +19660,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -19809,10 +19677,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -19824,15 +19690,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -19841,13 +19707,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -19859,15 +19720,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -19876,10 +19737,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -19891,15 +19750,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -19908,13 +19767,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -19926,15 +19780,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -19943,10 +19797,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -19958,15 +19810,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -19975,13 +19827,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -19993,15 +19840,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the Federation Configuration contain the TA public keys",
+ "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -20010,11 +19857,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -20026,15 +19870,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
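Review bot: The name and description in the `@@ -20026` hunk call the claim `trust_marks_issuers`, while the check in the following hunk (`@@ -20043`) reads `$.trust_mark_issuers`, which is also the spelling in the schema this file previously carried for that claim; the test text should be corrected to `trust_mark_issuers` so a reader does not conclude the check targets the wrong claim. Separately, the first hunk here (`@@ -19993`) asserts only that `$.jwks` is present in the TA Entity Configuration, which is exactly what the `@@ -19859` hunk already checks under a different name. One of the two could be dropped, or this one made stricter, e.g. `"check": "$.jwks", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}"`, so that the test actually establishes that public keys are present.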
@@ -20043,11 +19887,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$.trust_mark_issuers",
+ "is present": "true"
 }
 ]
 }
@@ -20059,15 +19900,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20076,8 +19917,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
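Review bot: The names and descriptions introduced from the `@@ -20059` hunk onward read `Does Entity Statements issued by the TA contain ...`, `the presence if the ... parameter is checked` and `the decrypted Payload`; base64url decoding is not decryption, and the other two are grammatical slips repeated in every hunk through `@@ -20389`. Suggested wording: `Does the Entity Statement issued by the TA contain the <claim> parameter` and `once the payload has been decoded, the presence of the <claim> parameter is checked`. The same names are then reused verbatim for the RP variants starting at `@@ -20299`, which differ only in `message type`; if the tool reports results by name, an `(OP)`/`(RP)` suffix would keep them distinguishable.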
@@ -20089,15 +19930,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20106,8 +19947,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -20119,15 +19960,15 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20136,8 +19977,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -20149,25 +19990,25 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -20179,25 +20020,25 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.jwks",
+ "is present":
"true"
 }
 ]
 }
@@ -20209,15 +20050,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20226,8 +20067,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
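Review bot: The description of the `metadata_policy` test in the `@@ -20209` hunk ends with `It must be a JSON Object`, but the check in the `@@ -20226` hunk is only `"is present": "true"`, which would very likely also accept a string, an array or (depending on how the tool treats it) a `null`. Since `json schema compliant` works on a sub-path (see the `@@ -19538` hunk), the check could be `"check": "$.metadata_policy", "json schema compliant": "{\"type\": \"object\"}"`; otherwise drop the last sentence of the description so the text matches what is verified.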
@@ -20239,15 +20080,15 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20256,8 +20097,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -20269,8 +20110,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20286,8 +20127,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -20299,15 +20140,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20316,8 +20157,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -20329,15 +20170,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20346,8 +20187,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -20359,15 +20200,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20376,8 +20217,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -20389,15 +20230,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20406,8 +20247,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -20419,15 +20260,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20436,8 +20277,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -20449,15 +20290,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20466,8 +20307,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
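Review bot: The description ends "It must be a JSON Object", but the check added on the `"is present": "true"` line only tests that metadata_policy exists, so a metadata_policy that is a string or an array still passes. Replace the presence check with a schema check, `"json schema compliant": "{\"type\": \"object\"}"`, keeping `"check": "$.metadata_policy"`; the neighbouring Trust Mark hunks already use that key, so the runner supports it.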
@@ -20479,15 +20320,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20496,8 +20337,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
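Review bot: The check on the `"check": "$.jwks"` line does not implement the description: the name and description say the jwks inside the openid_relying_party type of the TA's metadata_policy is inspected, but the JSONPath reads the top-level jwks of the Entity Statement payload, which an earlier hunk in this series (the "jwks parameter" test) already covers. If the description is right, the path should be `"check": "$.metadata_policy.openid_relying_party.jwks"`; if the check is right, the name and description should be corrected. As written the test duplicates another one and gives a false impression that the RP policy's jwks is covered.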
@@ -20509,15 +20350,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20526,8 +20367,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -20539,15 +20380,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -20556,8 +20397,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -20569,27 +20410,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
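Review bot: The description says the public key "must be taken from the Entity Statement of a superior", but the operation targets `"message type": "Entity Configuration response TA"` and the TA is the trust anchor, so it has no superior; the key actually used is the configured `X_key_TA`. The description should state that X_key_TA is the TA key provisioned out of band, since verifying a TA's self-signed Entity Configuration against a key read from that same configuration would prove nothing about its authenticity. The "n, e" wording also presumes an RSA key; if the TA may sign with an EC key the text should not name RSA parameters.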
@@ -20599,8 +20434,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20613,13 +20448,7 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
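Review bot: The test name `"Does the TA correctly sign the Entity statements"` is introduced verbatim in this hunk and again in the next one (-20629), with identical descriptions, so the two results cannot be told apart in a report. This test's message type lies between the two hunks and is not visible here, while the next hunk targets `Entity Statement response TA RP`; suggest naming each by its subject, e.g. `"name": "Does the TA correctly sign the Entity Statement issued for the RP"`. The description's "n, e of jwks parameter of the entity configuration" also presumes an RSA key; if the TA may use EC keys, say "public key from the jwks parameter" instead.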
@@ -20629,27 +20458,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -20659,8 +20482,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20671,13 +20494,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
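Review bot: The schema on the `"json schema compliant"` line, `\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, requires every member of id_code to itself be an object, which contradicts the later hunk that requires `id_code.ipa_code` to be a string, so a valid public-organization Trust Mark fails this test. Since the description only asks that id_code be a JSON object, use `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"`. Separately, every Trust Mark test in this series decodes only `$.trust_marks[0].trust_mark`, so an entity carrying several trust marks has just its first one inspected, and these checks read the inner JWT's payload without a signature check — presumably the trust mark signature is verified by a separate test.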
@@ -20689,8 +20519,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20701,13 +20531,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
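Review bot: The description says the claims claim "has to be a list of JSON Objects", but the schema on the `"json schema compliant"` line declares `\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, i.e. an object whose values are objects, so a list fails the test. One of the two is wrong: if the description is right, use `\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`; otherwise correct the description. Which shape the oauth_resource profile mandates cannot be confirmed from this diff.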
@@ -20719,8 +20556,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20731,13 +20568,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ }
+ ]
 }
 ]
 }
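Review bot: The schema on the `"json schema compliant"` line spells the keyword as `\"required \"` (trailing space), so a JSON Schema validator ignores it as an unknown keyword and a Trust Mark with no email claim passes the test. Fix it to `\"required\":[\"email\"]`. Note also that `\"format\":\"email\"` is an annotation by default in JSON Schema; unless the validator behind the runner enables format assertion, this check only verifies that email is a string.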
@@ -20749,8 +20593,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20761,13 +20605,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
@@ -20779,8 +20630,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20791,13 +20642,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -20809,8 +20667,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20821,13 +20679,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -20839,25 +20704,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
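Review bot: The schema on the `"json schema compliant"` line makes `ipa_code` required on every Trust Mark taken from `"message type": "Entity Statement response TA OP"`, which only holds if the OP under test is a public organization as the name assumes; for a private OP the test fails for a reason unrelated to the ipa_code type. Consider stating that assumption in the description, or gating the check on the Trust Mark's organization-type claim if the runner allows it. The presence-only check in the next hunk (-20869) is subsumed by this one, so a failure there will always be reported twice.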
@@ -20869,25 +20741,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -20899,25 +20778,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the contacts parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
 }
 ]
 }
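Review bot: The description says logo_uri "has to be an URL", but `\"format\": \"uri-reference\"` on the `"json schema compliant"` line also accepts relative references such as a bare path, so a logo_uri that is not a URL passes. If an absolute URL is intended, use `\"format\": \"uri\"` as the ref hunk further down already does; the same applies to the policy_uri and service_documentation hunks, which use uri-reference while their descriptions also demand a URL. As with the other format checks in this series, format is annotation-only unless the validator is configured to assert it, so the string type may be all that is actually enforced.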
@@ -20929,25 +20815,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
 }
 ]
 }
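Review bot: The schema string on the `"json schema compliant"` line is broken: the keywords carry trailing spaces (`\"type \"`, `\"properties \"`, `\"required \"`), so do the values (`\"object \"`, `\"string \"`, `\"private \"`), and a literal `\u00a0` (non-breaking space) sits outside the quotes before `\"object \"` and `\"public \"`, which is not JSON whitespace — the schema will either fail to parse or, if it parses, enforce nothing because none of the keywords match. Rewrite it as `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\", \"enum\": [\"private\", \"public\"]}}, \"required\": [\"organization_name\"]}"`. Separately, the enum restricting organization_name to private/public goes beyond the "type of the organization_name claim" check the name and description describe and reads like an organization-type value rather than a name; confirm against the profile before keeping it.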
@@ -20959,25 +20852,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -20989,25 +20889,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
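Review bot: `\"decode param\": \"$.trust_marks[0].trust_mark\"` pins every Trust Mark check to the first element of `trust_marks`, so an entity that carries several marks is only tested on whichever one happens to come first, and the mark a test names (e.g. the oauth_resource one) may never be inspected; this applies to every hunk on this page that uses the nested `jwt` decode, from `@@ -20929` onward. If mig-t supports a wildcard or a filter in `decode param`, selecting the mark by its `id` would be more robust; otherwise the assumption deserves a sentence in each description. The descriptions also say the Trust Mark is 'decrypted', but the operation is a `jwt` decode of a signed token, so 'decoded' would be accurate, e.g. `\"description\": \"In this test, an issued Trust Mark must be taken, decoded and the type of the ref claim in it is checked.\"`.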
@@ -21019,25 +20926,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
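Review bot: The name and description say this checks a Trust Mark issued for an AA (oauth_resource profile), but `\"message type\": \"Entity Statement response TA OP\"` selects the OP's Entity Statement, so the mark under test is the OP's, not the AA's. The same mismatch is in `@@ -20959` and `@@ -21079` (TA OP) and in `@@ -21409`, `@@ -21469` and `@@ -21529` (TA RP). If these are intentionally generic claim-type checks applied to every profile, drop the 'oauth_resource'/'AA' wording from name and description; if an AA-specific message type exists in mig-t, it should be used here instead.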
@@ -21049,25 +20963,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the homepage_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -21079,25 +21000,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the logo_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -21109,25 +21037,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the organization_name parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] } ] } 
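Review bot: `\"additionalProperties\": {\"type\": \"object\"}` requires every value inside `id_code` to itself be an object, but the checks added at `@@ -21229` and `@@ -21289` expect `id_code.fiscal_number`/`vat_number` and `id_code.ipa_code` as scalars (`\"type\": \"string\"` for ipa_code); a Trust Mark that satisfies those fails this schema, and vice versa. The description only asks that id_code be a JSON object, so `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}` is what this test should assert.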
@@ -21138,26 +21073,33 @@ } }, { - "test": { - "name": "Does the Entity's metadata contain the policy_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "test": { + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } + ] } ] } 
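Review bot: The description says the `claims` value has to be a list of JSON Objects, but the schema asserts `\"type\": \"object\"` with object-typed `additionalProperties`, which rejects any array. If the description is right the property schema should be `{\"type\": \"array\", \"items\": {\"type\": \"object\"}}`; if the claim is really a map, the description should say so. Either way the two currently contradict each other, so one of them has to change before this test can pass on a conforming mark.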
@@ -21169,25 +21111,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.constraints.max_path_length", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } + ] } ] } 
@@ -21199,25 +21148,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] } ] } 
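Review bot: The check only asserts that `exp` is a non-negative integer; nothing verifies that the Trust Mark is unexpired or that `exp` is later than `iat`, so an expired mark passes every Trust Mark test on this page (the `iat` check at `@@ -21259` has the same limitation). If mig-t offers a time comparison on a decoded payload, an expiry check is the one a federation participant actually relies on; if not, the description should not overstate the coverage, e.g. `\"description\": \"In this test, an issued Trust Mark must be taken, decoded and the exp claim is checked to be a non-negative integer; expiry itself is not evaluated.\"`.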
@@ -21229,25 +21185,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
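Review bot: `\"fiscal_number\": {}` and `\"vat_number\": {}` place no constraint on the values, so `\"fiscal_number\": null` or an empty string satisfies the `anyOf`; the public-organisation counterpart at `@@ -21289` at least pins `ipa_code` to a string, and `{\"type\": \"string\", \"minLength\": 1}` would do the same here. The test is also applied to `trust_marks[0]` unconditionally, with no precondition on `organization_type` being `private`, so it fails on a public entity's mark, just as the public checks at `@@ -21289` and `@@ -21319` fail on a private one; if mig-t cannot express such a precondition, the descriptions should state that the test is only meaningful for the named organisation type.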
@@ -21259,25 +21222,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -21289,25 +21259,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
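Review bot: This schema already lists `ipa_code` in `required`, so the presence-only test added in the next hunk (`@@ -21319`) is subsumed by it and can never fail independently; either drop that presence test or drop `\"required\": [\"ipa_code\"]` here, so that a missing claim is reported once by the presence test and a wrong type once by this one. As written, a Trust Mark without `ipa_code` fails both tests for the same cause.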
@@ -21319,25 +21296,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } + ] } ] } 
@@ -21349,25 +21333,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } 
@@ -21379,25 +21370,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } 
@@ -21409,25 +21407,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
@@ -21439,25 +21444,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
@@ -21469,25 +21481,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
@@ -21499,25 +21518,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
@@ -21529,25 +21555,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
@@ -21559,8 +21592,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" @@ -21571,13 +21604,16 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is present": "true" + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" + ] } ] } 
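Review bot: In the second hunk on this line, `"decode param": "[^\\r\\n]*"` replaces the `"decode regex"` key that every other body decode on this page keeps, yet its value is still a regex while `decode param` elsewhere holds a JSONPath; the same rename is made at `@@ -21589`, and unless mig-t treats the two keys as aliases the body is never extracted. The check then reads `$.trust_marks[0].trust_mark.organization_type` in the Entity Statement payload, but `trust_mark` is a compact JWT string there (every other hunk decodes it with a nested `jwt` operation), so the path cannot resolve and needs the nested structure used at `@@ -20929`. The `message type` of this test lies outside the hunk.
```json
"decode operations": [
  {
    "from": "body",
    "decode regex": "[^\\r\\n]*",
    "type": "jwt",
    "decode operations": [
      {
        "from": "jwt payload",
        "type": "jwt",
        "decode param": "$.trust_marks[0].trust_mark",
        "checks": [
          {
            "in": "payload",
            "check": "$.organization_type",
            "is in": ["public", "private"]
          }
        ]
      }
    ]
  }
]
```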
@@ -21589,25 +21625,28 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is present": "true" + "check": "$.organization_type", + "is in": [ + "public", + "private" + ] } ] } 
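Review bot: `\"check\": \"$.organization_type\"` is evaluated against the outer Entity Statement payload, where no other test on this page expects an organization_type claim; every sibling reads it from the decoded Trust Mark (`$.trust_marks[0].trust_mark`), as this description itself says. Unless the TA also mirrors the claim at top level, this check fails on a conforming statement and should use the nested decode pattern of `@@ -20929` with `\"check\": \"$.organization_type\"` inside the inner `checks`. The name and description are also identical to the previous test (`@@ -21559`), so at least one of the two should say which message it targets.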
@@ -21619,27 +21658,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -21649,27 +21681,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
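Review bot: The added check is byte-identical to the one in the previous hunk (`@@ -21619`): both match `HTTP/?\\d?\\.?\\d?\\s200` in the head of `Entity Configuration response SA`, so this test cannot fail independently, and the description's promise that 'its entity configuration is expected as response' is not verified. To make it distinct, assert something about the body, e.g. a `decode operations` entry with `\"from\": \"body\"`, `\"type\": \"jwt\"` and an `\"is present\": \"true\"` check on `$.sub` in the payload, which is what exposing the endpoint actually means for a federation entity.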
@@ -21679,27 +21704,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
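Review bot: `"is": "application/entity-statement+jwt"` reads as an exact comparison of the whole `Content-Type` value; if the runner compares literally, a response that appends a parameter such as `; charset=utf-8` fails although the media type is correct, so a `check regex` anchored on the media type would be more robust — worth confirming how `is` is evaluated before changing it. Within this one check `"url decode": false` is a JSON boolean while the neighbouring checks spell `"is present": "true"` as a string; if the runner accepts both, settling on one form across the file avoids a future check silently reading as the wrong type. The test's `result` line is outside the hunk.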
@@ -21709,85 +21728,116 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
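Review bot: Every Trust Mark check in this hunk and in all the following ones decodes `$.trust_marks[0].trust_mark`, i.e. only the first entry of the array, so an entity carrying several trust marks is judged on whichever is listed first, which need not be the mark of the profile the test names. The third test here ('issued oauth_resource Trust Mark', described as 'issued for an AA') runs on `Entity Statement response SA OP`, an OP's statement rather than an AA's; the same name/message-type mismatch recurs in the later policy_uri, sa_profile, service_documentation and tos_uri tests and in the oauth_resource claims test run on the SA RP statement. The first two tests share the identical name 'Does the Trust Mark contain correct value for organization_type claim' for the OP and RP variants, as do the later email/exp/iat/id/id_code/iss pairs, so a report cannot tell them apart; carrying the entity type in the name, e.g. `"name": "Does the OP Trust Mark contain correct value for organization_type claim"`, would fix that. The descriptions say the Trust Mark is 'decrypted', but the operation is a JWT decode of a signed token, so 'decoded' is the accurate word. `"result": ["s1"]` replaces `"correct flow s1"` in the first two tests only; if the runner expects a single form, the other passive tests (whose result lines fall outside these hunks) should be brought in line.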
@@ -21799,25 +21849,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -21829,25 +21886,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -21859,25 +21923,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -21889,25 +21960,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -21919,25 +21997,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -21949,25 +22034,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -21979,25 +22071,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22009,25 +22108,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22039,25 +22145,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22069,25 +22182,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22099,25 +22219,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22129,25 +22256,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22159,25 +22293,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22189,25 +22330,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22219,25 +22367,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration TA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_TA"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -22249,20 +22404,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -22272,20 +22441,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -22295,20 +22478,34 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -22318,20 +22515,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -22341,20 +22552,34 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -22364,20 +22589,34 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
@@ -22387,20 +22626,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] } ] } 
@@ -22410,20 +22663,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -22433,20 +22700,34 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] + } + ] } ] } 
@@ -22456,20 +22737,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] + } + ] } ] } 
@@ -22479,26 +22774,32 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
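Review bot: The test is named and described as checking `policy_uri` in a Trust Mark issued for an AA (`oauth_resource` profile), yet its only operation intercepts `"message type": "Entity Statement response SA RP"` and reads `$.trust_marks[0].trust_mark`, i.e. the first Trust Mark of the RP's subordinate statement. The suite itself treats `policy_uri` as oauth_resource-specific, so against a conformant RP this would fail while never exercising the AA it describes. The message type should presumably be the AA's statement/configuration response, whatever that message type is named in this suite; the same mismatch is present in the `service_documentation` and `tos_uri` tests further down.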
@@ -22510,26 +22811,32 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -22541,25 +22848,32 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
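Review bot: The description says the Trust Mark under test is the one a TA issues to an SA, but the operation intercepts `"message type": "Entity Statement response SA RP"` and decodes `$.trust_marks[0].trust_mark`, which is a Trust Mark held by the RP, not by the SA. The SA's own Trust Marks would be found in the SA's Entity Configuration (or the TA's statement about the SA), so this checks `sa_profile` on the wrong token and would fail for any conformant RP. I would switch to `"message type": "Entity Configuration response SA"`, which the metadata tests below already use, and keep the rest of the decode chain.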
@@ -22571,25 +22885,32 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -22601,25 +22922,32 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -22631,25 +22959,32 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.jwks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -22661,15 +22996,42 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -22677,9 +23039,10 @@ "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } 
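Review bot: The first intercept decodes `"from": "url", "decode param": "client_assertion"` on an `Entity Statement response SA OP`, but a response has no URL query parameters and an Entity Statement carries its JWT in the body — every other hunk here decodes it with `"from": "body", "decode regex": "[^\\r\\n]*"`. As written `conf_iss` will presumably never be populated, and the comparison in the following Entity Configuration intercept degrades to checking `$.iss` against an unset variable, which either always passes or always fails depending on the engine. The decode step should be `"from": "body", "type": "jwt", "decode regex": "[^\\r\\n]*"` with the `jwt save` edit applied to its payload.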
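Review bot: `"check": "$.iss", "contains": "conf_iss"` is a substring test, so an Entity Configuration whose issuer merely embeds the saved identifier (for example `https://sa.example.org` inside `https://sa.example.org.attacker.test`) would satisfy it. Issuer identity has to match exactly; if the engine offers an equality operator use it here, otherwise anchor the comparison rather than rely on `contains`. This hunk is the tail of a test object that starts in the preceding hunk.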
@@ -22691,45 +23054,42 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "client_assertion", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response TA", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", 
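Review bot: Same copy-paste problem as the OP variant: the `Entity Statement response SA RP` intercept tries to read the JWT via `"from": "url", "decode param": "client_assertion"`, a request-side token-endpoint parameter, so the Entity Statement body is never decoded and `conf_iss` stays unset. It should be decoded from the body like the passive tests do, `"from": "body", "type": "jwt", "decode regex": "[^\\r\\n]*"`. The test also reuses the exact `name` of the previous one, "Does the Entity Statement's JWT payload contain a correct 'iss' claim"; if the runner keys results by name the two collide, so add the entity (RP) to the name. The check that consumes `conf_iss` is in the next hunk.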
@@ -22737,9 +23097,10 @@ "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } @@ -22751,24 +23112,24 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] 
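Review bot: `"contains": "conf_iss"` on `$.iss` is a substring comparison, so an Entity Configuration `iss` that merely has the saved Entity Statement issuer as a prefix would pass. The issuer must match exactly; prefer an equality operator if the engine provides one, or at minimum anchor the saved value. This hunk is the tail of a test whose start is in the previous hunk.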
@@ -22781,24 +23142,24 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", "is present": "true" } ] 
@@ -22811,24 +23172,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata.federation_entity.federation_list_endpoint", "is present": "true" } ] 
@@ -22841,24 +23202,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -22871,24 +23232,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", "is present": "true" } ] 
@@ -22901,24 +23262,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] 
@@ -22931,24 +23292,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -22961,24 +23322,24 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -22991,24 +23352,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -23021,27 +23382,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
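Review bot: The description promises a Federation Metadata in JOSE format with `Content-Type: application/entity-statement+jwt`, but the only check is the unanchored `check regex` `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` on the body, which is satisfied by any text containing two dots (`a.b` matches) and never looks at the header. `\\w` also omits the `-` of the base64url alphabet while admitting `=` padding that compact JWS never contains. A tighter body pattern is `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"`, and if the engine supports a header check it should assert the content type the description names.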
@@ -23051,27 +23405,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
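Review bot: The new `check regex` `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens with an unescaped `[`, so the engine reads `[\\s*\"[^\"]` as a character class rather than a literal bracket — compare the escaped `\\[\\s*` in the removed listing test above. More fundamentally, a Resolve response in OpenID Federation 1.0 is a signed JWT (`application/resolve-response+jwt`), not a JSON array of strings, so even corrected this pattern would fail on a conformant resolver. The JWT shape used for the Entity Configuration test is what belongs here, e.g. `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"`.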
@@ -23081,27 +23428,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", + "is present": "true" } ] } 
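Review bot: The description (and the listing endpoint in OpenID Federation) expects a JSON array of Entity Identifiers, but the new `check regex` is a JSON-object pattern (`^\\{ ... \\}$`), so a correct `["https://rp.example", ...]` body would fail this test. The `[^\\r\\n]*.^` prefix additionally demands a start-of-line anchor after consumed characters, which only matches under MULTILINE/DOTALL semantics; the escaped array pattern from the removed version is what is wanted, allowing an empty list too: `"check regex": "^\\[\\s*(?:\"[^\"]*\"(?:\\s*,\\s*\"[^\"]*\")*)?\\s*\\]$"`. The description also still says "resolve entity statement endpoint" and drops its verb ("an HTTP GET request entity's endpoint"); it should read "an HTTP GET request is made to the entity's listing endpoint".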
@@ -23111,27 +23451,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Statement response SA OP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
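Review bot: The `check regex` is prefixed with `[^\\r\\n]*.^`, which consumes the line and then requires a start-of-line anchor after at least one more character — that only matches with MULTILINE and DOTALL semantics, and on a single-line JWT body it never matches, so this test would fail against a correct SA fetch response. The Entity Configuration test earlier in this change uses the bare `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` pattern; use the same here, ideally anchored as `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"`. The same prefix appears in the two following SA RP and Fetch Entity Statement tests. If the engine does run these regexes over the full raw response with those flags, the divergence between the two forms in one commit still deserves a comment, since one of them is wrong.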
@@ -23141,27 +23474,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -23171,27 +23497,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
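Review bot: The new description says a response "containing the resolved metadata" is expected, but the message type is `Fetch Entity Statement response SA RP` and the check only looks for a compact JWS; the fetch endpoint returns a subordinate Entity Statement, resolved metadata comes from the resolve endpoint, so the description does not match the name or the check. Suggest `"description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request with the 'sub' parameter is made to the SA's fetch endpoint and a response containing a signed Entity Statement for that subordinate is expected."`. Whether 'iss' is also a required request parameter in the profile this suite targets is not visible here; keep it in the description only if the request actually sends it.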
@@ -23201,15 +23520,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -23218,8 +23537,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
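Review bot: The name says "correct exp parameter" but the schema applied to `$` in the second hunk only establishes that `exp` is a non-negative integer; an already-expired entity configuration passes, and the same holds for `iat` at the next hunk and for the SA entity-statement variants later in this file (new-side hunks 23700 to 23790). If the checker offers a numeric comparison against the current time, adding it here would make "correct" true; if it does not, the description should say the check is type-only, e.g. `... the exp parameter is checked: it must be a non-negative integer (expiry against the current time is not validated here)`. The description also still says only the "presence" of the parameter is checked, which understates what the schema now enforces.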
@@ -23231,15 +23550,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -23248,8 +23567,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -23261,15 +23580,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -23278,8 +23597,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -23291,25 +23610,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
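Review bot: The name says "TA metadata" and the description "SA metadata in the TA Entity Configuration", but the message type is `Entity Configuration response SA` and the check reads `$.metadata.federation_entity` of that document, so what is verified is the SA's own federation_entity metadata in the SA's entity configuration; suggest `"name": "Does the SA entity configuration contain a correct type logo_uri claim"` and the matching wording in the description. Note that `"format": "uri"` is an annotation by default in JSON Schema and is only enforced when the validator opts in, so the `pattern` is doing the real work here. `^https://.*\.svg$` also rejects an `.svg` URL that carries a query string; if that is intended, the description should say the URL must end in `.svg`.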
@@ -23321,32 +23640,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -23358,32 +23670,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
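Review bot: The schema applied to `$.metadata` lists all six entity types under `required`, so an entity configuration that carries only the types it actually implements fails the test, although the description itself says each key must be "a value among" the allowed set, not that all of them must be present. Dropping the `required` array and keeping `"additionalProperties": false` expresses "only allowed types" as the name states. The "only once for each" part cannot be checked by a JSON Schema on the decoded payload, because a parser has already collapsed any duplicate member by then; if duplicate keys are a concern, that needs a check on the raw decoded text, and otherwise the description should not claim it is verified here.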
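Review bot: The schema for `trust_marks` declares `"type": "object"` with array-valued members, but the description says the parameter "must be a JSON array containing the Trust Marks", and the signature tests later in this file read `$.trust_marks[0].trust_mark`, i.e. an array of objects; as written the check fails a conforming entity configuration and passes a non-conforming one. Suggest `{"type": "object", "properties": {"trust_marks": {"type": "array", "items": {"type": "object", "required": ["id", "trust_mark"]}}}, "required": ["trust_marks"]}` (JSON-escaped in the file). The presence-only test for `$.trust_marks` at new-side hunk 24122 is then subsumed by this one.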
@@ -23395,32 +23700,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
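Review bot: The description of this SA test still says the request is made "in the TA's fetch endpoint", a leftover from the TA tests this hunk replaces, while the name and the message type `Entity Statement response SA OP` concern the SA; the same sentence appears at the next three hunks and in the SA presence tests at new-side hunks 24182 to 24242, whereas the `constraints` test at 24152 already says "SA's fetch endpoint". It also reads "the the exp parameter". Suggest `... (HTTP GET request in the SA's fetch endpoint) ... once obtained the decrypted Payload, the exp parameter is checked. It must be a timestamp` and the matching wording for iat. This hunk and the SA RP variant at 23760 also carry the identical name "Does Entity Statements issued by the SA contain a correct exp parameter"; naming the subordinate type keeps results distinguishable.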
@@ -23432,32 +23730,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -23469,32 +23760,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -23506,32 +23790,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -23543,32 +23820,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
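Review bot: The schema on `$.metadata_policy.openid_relying_party.jwks` only requires a `value` operator to exist and accepts anything as its operand (`"value": {}`), while the description says it "must contain the RP JWKS"; a string, a number or an empty object under `value` all pass. Constraining the operand to a JWK Set shape pins the intent: `{"type":"object","properties":{"value":{"type":"object","properties":{"keys":{"type":"array","minItems":1}},"required":["keys"]}},"required":["value"]}` (JSON-escaped in the file). The description should also state that the `value` policy operator is the one expected, since that is what the check asserts.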
@@ -23580,32 +23850,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
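Review bot: `jwt check sig` verifies `$.trust_marks[0].trust_mark` only, so the test says "the Trust marks" but checks a single one, and the description's "public key (n, e of jwks parameter)" is not what happens: the key is the fixed configuration value `X_key_SA`, not the `jwks` carried in the statement. Whether the checker can iterate an array in `decode param` is not visible here; if it cannot, the name and description should say "the first trust mark". A trust mark is signed by its issuer, which in this federation may or may not be the SA, so fixing the key to `X_key_SA` silently assumes the SA issues every trust mark it publishes; that assumption is worth stating in the description. The SA RP variant at the next hunk has the same shape and additionally carries the identical name.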
@@ -23617,32 +23881,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -23654,32 +23912,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does entity configuration SA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_SA"
 }
 ]
 }
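Review bot: The description says `sub` "must be equal to the one in the iss parameter", but the check compares `$.sub` against the fixed value `X_url_SA` with `is`, so the test passes whenever `sub` matches the configured SA URL regardless of what `iss` contains. If the checker supports comparing two claims, that would implement the description directly; otherwise add a sibling check `"check": "$.iss", "is": "X_url_SA"` so both claims are pinned to the same value, or reword the description to say the value is compared with the configured SA entity identifier.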
@@ -23691,32 +23942,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -23728,32 +23972,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -23765,32 +24002,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -23802,32 +24032,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -23839,32 +24062,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -23876,32 +24092,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -23913,32 +24122,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -23950,32 +24152,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
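Review bot: The check requires `$.constraints` to be present in every entity statement the SA issues for an OP, but `constraints` is an optional claim in OpenID Federation, so unless the profile this suite targets mandates it a conforming SA fails this passive test. If it is a profile requirement, the description should say so, e.g. `... the presence of the constraints parameter, which this profile makes mandatory, is checked`; otherwise the check should be dropped or replaced by a type check that only applies when the claim is present. The description also keeps the wording "the presence if the" from the old TA tests, which should read "the presence of the".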
@@ -23987,32 +24182,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -24024,32 +24212,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -24061,32 +24242,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -24098,32 +24272,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -24135,32 +24302,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
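Review bot: The description ends with "It must be a JSON Object", but the check only asserts `"is present": "true"`, so a metadata_policy of any type passes; the SA RP twin of this test has the same gap. If the type is part of the requirement, use the schema form already used elsewhere in this file, e.g. `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`; otherwise drop that sentence so the description matches what is verified.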
@@ -24172,32 +24332,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -24209,32 +24362,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -24246,32 +24392,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -24283,32 +24422,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -24320,32 +24452,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -24357,32 +24482,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -24394,32 +24512,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -24431,32 +24542,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -24468,32 +24572,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -24505,32 +24602,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -24550,13 +24640,13 @@
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -24566,21 +24656,21 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the SA correctly signs the Entity Statement",
+ "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
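Review bot: `"jwt check sig": "X_key_SA"` verifies the statement against a pre-configured key, whereas the new description says the key is "n, e of jwks parameter of the Entity Statement of the SA issued from the TA"; the two only coincide if `X_key_SA` is kept equal to the jwks the TA publishes for the SA, which the description should say explicitly so a stale key is not mistaken for a trust-chain check (same wording in the SA RP twin that follows and the Entity Configuration hunk just above). The new name "Does the SA correctly signs the Entity Statement" should read "sign", and the OP and RP variants again carry one identical name.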
@@ -24590,21 +24680,21 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the SA correctly signs the Entity Statement",
+ "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -24614,15 +24704,15 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -24636,11 +24726,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "sa_profile",
- "is in": [
- "light",
- "full"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
 }
 ]
 }
@@ -24649,22 +24736,20 @@
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the Trust Mark contain the correct type of email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
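Review bot: The new description says the claims claim "is checked to be a list", but the schema added in the second hunk, `\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, requires an object whose members are objects, so a list would fail this test; one of the two is wrong and the description should state the shape the schema actually enforces. The test is also titled as an oauth_resource (AA) Trust Mark check but now reads `Entity Statement response SA OP`; whether the OP's subordinate statement carries a mark of that profile is not visible here and is worth confirming, since the decode steps between the two hunks lie outside them. The `"result"` change to `"correct flow s1"` in the third hunk brings this test in line with the rest of the file.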
@@ -24674,15 +24759,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
- "check": "sa_profile",
- "is in": [
- "light",
- "full"
- ]
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
 }
 ]
 }
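Review bot: The email schema added here cannot fail: every keyword and property name carries a trailing space (`\"type \"`, `\"properties \"`, `\"email \"`, `\"required \"`), and a JSON Schema validator ignores unknown keywords, so the check accepts any payload, including one with no email claim at all. It should be `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`, keeping in mind that `format` is only enforced when the validator has format assertion enabled. The new `"decode param": "$.trust_marks.trust_mark"` also looks wrong: trust_marks is array-valued in an Entity Statement, so the index the old `$.trust_marks[0].trust_mark` path had is needed for the path to resolve; the same unindexed path is introduced in the exp-type and iat-type tests below, while the fiscal_number test keeps the indexed form. The enclosing test starts before this hunk.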
@@ -24691,89 +24773,35 @@
 ]
 }
 ],
- "result": [
- "s1"
- ]
- }
- },
- {
- "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response TA",
- "checks": [
- {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
- }
- ]
- }
- ],
 "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
- "type": "active",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response TA",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "iss",
- "as": "valid_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "iss",
- "contains": "valid_iss"
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -24787,47 +24815,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
- "type": "active",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response TA",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "iss",
- "as": "valid_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
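Review bot: Two checks disappear from this section with no passive counterpart on the new side: the Content-Type test for the TA Entity Configuration response (`"is": "application/entity-statement+jwt"`) and the active test that saved the Entity Configuration `iss` as `valid_iss` and required the Trust Mark `iss` to contain it. The iss schema test added further down only validates the string's shape, so the binding between the Trust Mark issuer and the federation entity that published the Entity Configuration is no longer asserted anywhere visible here; if both checks moved to another test file, a line in the commit message saying so would save the next reader the search. The new exp-type test also uses the unindexed `$.trust_marks.trust_mark` path discussed at the email test. This hunk begins at the end of the preceding test.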
@@ -24835,10 +24836,9 @@
 "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
- "use variable": "true",
 "in": "payload",
- "check": "iss",
- "contains": "valid_iss"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -24852,15 +24852,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -24870,12 +24870,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
 }
 ]
 }
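Review bot: In the first hunk the id_code schema leaves `\"fiscal_number\": {}` and `\"vat_number\":{}` as empty subschemas, so a null, number or nested object in either field satisfies the check as long as the key exists; `{\"type\": \"string\"}` for both would pin the expected form, in line with the ipa_code string test later in the file. The third hunk switches the iat-type test to `$.trust_marks.trust_mark` while this fiscal_number test keeps `$.trust_marks[0].trust_mark`; only one of the two forms can resolve against an array-valued trust_marks, and the file should settle on it. The first hunk's enclosing test starts before it.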
@@ -24889,15 +24889,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -24912,7 +24912,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
 }
 ]
 }
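Review bot: The new id_code schema in the second hunk, `\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, requires every member of id_code to be an object, but the two tests that follow require `ipa_code` to be a string and the fiscal_number/vat_number test accepts scalars, so a Trust Mark that satisfies those tests necessarily fails this one. The description only asks for "a JSON Object", which `\"id_code\": {\"type\": \"object\"}` expresses on its own; drop the `additionalProperties` clause. The new name also misspells "correcty".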
@@ -24926,15 +24926,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -24949,7 +24949,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
 }
 ]
 }
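Review bot: The new description "the presence of the id_code claim contains at least the value 'ipa_code'" is garbled; suggested wording: `"description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the id_code claim is checked to contain at least the ipa_code member"`. The schema in the second hunk is the one the removed ipa_code presence test used, so the change is effectively a reorder of the two ipa_code tests plus the TA-to-SA message-type switch; that is fine, but the names of this test and the next one should make the presence/type split explicit, which they now do.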
@@ -24963,15 +24963,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -24986,7 +24986,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -25000,15 +25000,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -25023,7 +25023,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -25037,15 +25037,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -25060,7 +25060,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
 }
 ]
 }
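Review bot: In the new `iss` schema, `"format": "uri-reference"` is an annotation that JSON Schema validators do not assert unless format checking is switched on, so the `"pattern": "^https://"` is the only effective constraint; that makes this a shape check, not an authorization check — a syntactically fine `iss` that is not a trust-mark issuer authorized by the Trust Anchor still passes. If the harness can compare against an expected value, a direct equality check on `$.iss` (the SA entity id, or membership in the TA's trust-mark-issuer list) would be the security-relevant test; otherwise say in the description that only the URL shape is verified. The same applies to the `logo_uri` schema in the last hunk of this line.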
@@ -25074,15 +25074,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -25092,12 +25092,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
 }
 ]
 }
@@ -25111,15 +25111,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
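Review bot: The `organization_name` schema added in the middle hunk is vacuous: its keywords carry trailing spaces and U+00A0 characters (`"type "`, `"properties "`, `"enum "`, `"required "`), which a JSON Schema validator treats as unknown keywords and ignores, so every payload passes and this check can never fail. It should read `{"type": "object", "properties": {"organization_name": {"type": "string", "enum": ["private", "public"]}}, "required": ["organization_name"]}`; and if `organization_name` is the free-text name while a separate `organization_type` claim carries public/private, the enum is on the wrong claim — worth confirming against the profile. Separately, `$.trust_marks.trust_mark` replaces `$.trust_marks[0].trust_mark`: `trust_marks` is an array of `{id, trust_mark}` objects in OpenID Federation, so unless this JSONPath engine auto-flattens arrays the new path selects nothing and the decode step silently has no JWT to check; `$.trust_marks[*].trust_mark` would check every mark.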
@@ -25134,7 +25134,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
 }
 ]
 }
@@ -25148,15 +25148,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -25166,12 +25166,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
 }
 ]
 }
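Review bot: The `ref` schema in the last hunk is the only URL check in this patch without `"pattern": "^https://"`, and `"format": "uri"` by itself is an annotation most validators do not enforce, so any string satisfies it. For consistency with the `iss`/`sub`/`logo_uri`/`policy_uri` checks use `{ "type": "object", "properties": { "ref": { "type": "string", "format": "uri", "pattern": "^https://" } }, "required": ["ref"] }`. The `decode param` change to `$.trust_marks.trust_mark` in the same hunk has the array-versus-object problem: `trust_marks` is normally an array, so `$.trust_marks[*].trust_mark` (or the previous `[0]`) is the path that actually yields a JWT.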
@@ -25185,15 +25185,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -25208,7 +25208,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
 }
 ]
 }
@@ -25222,15 +25222,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
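Review bot: The `sa_profile` schema in the middle hunk uses keywords with trailing spaces and U+00A0 (`"type "`, `"enum "`, `"required "`), so the validator ignores them and the check accepts any payload — including one with no `sa_profile` at all, and one whose enum values (`"full "`, `"light "`) would never match a real value anyway. It should be `{"type": "object", "properties": {"sa_profile": {"type": "string", "enum": ["full", "light"]}}, "required": ["sa_profile"]}`. The description also says the mark under test is one issued to the SA, but the operation reads the SA's Entity Statement about the OP; a mark issued to the SA would presumably live in the SA's own Entity Configuration or the TA's statement about the SA, so the `message type` looks worth confirming.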
@@ -25245,7 +25245,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
 }
 ]
 }
@@ -25259,15 +25259,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -25282,7 +25282,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
@@ -25296,15 +25296,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -25319,7 +25319,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
 }
 ]
 }
@@ -25333,15 +25333,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25356,7 +25356,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
 }
 ]
 }
@@ -25370,15 +25370,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25388,12 +25388,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
 }
 ]
 }
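Review bot: The first hunk's description says the `claims` value is checked to be a list, but the schema requires a JSON object whose values are objects (`"type": "object", "additionalProperties": {"type": "object"}`), so an array fails and an object-of-objects passes; align the two with whatever the profile mandates, e.g. `{"type": "object", "properties": {"claims": {"type": "array"}}, "required": ["claims"]}` for a list. That test is also now read from `Entity Statement response SA RP` while its name targets an AA (oauth_resource) Trust Mark, which an RP's statement would not normally carry. The last hunk's `email` schema has the same non-keyword keys as the `organization_name` one (`"type "`, `"format "`, `"required "` with trailing spaces), so it validates nothing — the well-formed `{"type":"object","properties":{"email":{"type":"string","format":"email"}},"required":["email"]}` that this patch removes elsewhere is the form to keep — and its `$.trust_marks.trust_mark` path likely selects nothing if `trust_marks` is an array.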
@@ -25407,15 +25407,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25425,12 +25425,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -25445,14 +25445,14 @@
 {
 "test": {
 "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25481,15 +25481,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25499,12 +25499,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -25518,15 +25518,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25541,7 +25541,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
 }
 ]
 }
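Review bot: The `id_code` schema in the last hunk repeats the OP-group contradiction: `"additionalProperties": {"type": "object"}` requires each value inside `id_code` to be an object, while the `ipa_code` test that follows in the RP group requires `id_code.ipa_code` to be a string, so a spec-valid mark fails one of the two. If the intent is only that `id_code` is an object, use `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`. The `correcty` typo is copied into this test name too, and the first hunk's `$.trust_marks.trust_mark` path selects nothing if `trust_marks` is an array, as it is in OpenID Federation.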
@@ -25555,15 +25555,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25578,7 +25578,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
 }
 ]
 }
@@ -25592,15 +25592,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25615,7 +25615,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -25629,15 +25629,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25652,7 +25652,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -25666,15 +25666,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25689,7 +25689,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
 }
 ]
 }
@@ -25711,7 +25711,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25721,7 +25721,7 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
@@ -25741,14 +25741,14 @@
 {
 "test": {
 "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25763,7 +25763,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
 }
 ]
 }
@@ -25785,7 +25785,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25795,7 +25795,7 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
@@ -25814,15 +25814,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25837,7 +25837,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
 }
 ]
 }
@@ -25851,15 +25851,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
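Review bot: The RP-group `sa_profile` schema in the middle hunk has the same non-keyword keys as the OP one (`"type "`, `"enum "`, `"required "` with trailing spaces and U+00A0), so it passes every payload and the test cannot fail; the fixed form is `{"type": "object", "properties": {"sa_profile": {"type": "string", "enum": ["full", "light"]}}, "required": ["sa_profile"]}`. As with the OP variant, the operation reads the SA's statement about the RP rather than a statement about the SA, which is where a mark issued to the SA would be expected — confirm the `message type`.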
@@ -25874,7 +25874,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
 }
 ]
 }
@@ -25888,15 +25888,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25911,7 +25911,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
@@ -25925,15 +25925,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -25948,7 +25948,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
 }
 ]
 }
@@ -25962,8 +25962,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
@@ -25971,23 +25971,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -25997,8 +25985,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26006,23 +25994,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
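Review bot: The two rewritten tests on this line end up with byte-identical operations (a `HTTP/?\d?\.?\d?\s200` regex on the response head), so the second one, whose description promises that "its entity configuration is expected as response", only re-checks the status code and says nothing about the body. To make it do what it claims, give it a body-level check — a `decode operations` entry with `"from": "body"`, `"decode regex": "[^\\r\\n]*"`, `"type": "jwt"` and a payload check that `$.iss` and `$.sub` are present and equal — or at minimum a head regex for `Content-Type: application/entity-statement+jwt`. Note also that the deleted `not contains` checks were the only explicit rejection of `none`/`HS256`/`HS384`/`HS512`; the allow-list checks added in the following hunks only replace them if the harness's `is in` requires every element of the metadata list to be in the allowed set, which is worth confirming.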
@@ -26032,8 +26008,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -26044,13 +26020,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -26062,8 +26041,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" 
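Review bot: The second hunk here renames `"decode param"` to `"decode regex"` on the new side, as do the decode hunks on the following lines up to the homepage_uri test, but the tests moved in by the later hunks of this diff (the `not contains` and `json schema compliant` ones) are re-added with `"decode param"`, so after the commit the file carries both spellings for the same field. If the tool recognises only one of the two keys, the decode step of the other group is skipped and its payload checks never run, which would look like a pass rather than a failure; the tool's handling of unknown keys is not visible here, so this is inferred. Use one spelling for every `decode operations` entry in the file; the `[^\\n\\r]*` versus `[^\\r\\n]*` variation is cosmetic but worth normalising in the same pass. The enclosing test objects extend beyond each hunk.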
@@ -26074,13 +26053,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } @@ -26092,8 +26073,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -26104,13 +26085,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -26122,8 +26106,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -26131,18 +26115,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } @@ -26152,8 +26130,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
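Review bot: The Content-Type check added in the second hunk mixes value types: `"url decode": false` is a JSON boolean while the neighbouring `"is present": "true"` is a string. Unless the tool's parser requires the string form for `is present`, the checks should use one representation; this is presumably the tool's DSL convention, so it is a style point rather than a defect. Note also that if `"is"` compares the whole header value, a `Content-Type` that carries a `charset` parameter would fail this test, which is acceptable only if the profile requires the bare media type. The test object continues outside the hunk.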
@@ -26164,13 +26142,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "is present": "true" } ] } @@ -26182,8 +26160,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the contacts claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26194,13 +26172,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -26212,8 +26190,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26224,13 +26202,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "is present": "true" } ] } 
@@ -26242,8 +26220,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the AA metadata contain the federation_resolve_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26254,13 +26232,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } @@ -26272,8 +26250,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", + "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -26284,13 +26262,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } @@ -26302,8 +26280,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", + "name": "Does the AA metadata contain the grant_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26314,13 +26292,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "is present": "true" } ] } 
@@ -26332,8 +26310,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", + "name": "Does the AA metadata contain the homepage_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26344,13 +26322,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } @@ -26362,8 +26340,8 @@ }, { "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26379,7 +26357,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "check": "$.metadata.oauth_authorization_server.issuer", "is present": "true" } ] 
@@ -26392,8 +26370,8 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the jwks claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26409,7 +26387,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.oauth_authorization_server.jwks", "is present": "true" } ] @@ -26422,8 +26400,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26439,7 +26417,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -26452,8 +26430,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26469,7 +26447,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.oauth_authorization_server.op_policy_uri", "is present": "true" } ] @@ -26482,8 +26460,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the op_tos_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26499,7 +26477,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "check": "$.metadata.oauth_authorization_server.op_tos_uri", "is present": "true" } ] 
@@ -26512,8 +26490,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the organization_name claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26529,7 +26507,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] @@ -26542,8 +26520,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26559,7 +26537,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -26572,8 +26550,8 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26589,7 +26567,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", + "check": "$.metadata.oauth_resource.resource", "is present": "true" } ] @@ -26602,8 +26580,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the response_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26619,7 +26597,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", + "check": "$.metadata.oauth_authorization_server.response_types_supported", "is present": "true" } ] 
@@ -26632,8 +26610,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the scopes_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26649,7 +26627,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.oauth_authorization_server.scopes_supported", "is present": "true" } ] @@ -26662,8 +26640,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26679,7 +26657,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "check": "$.metadata.oauth_authorization_server.token_endpoint", "is present": "true" } ] 
@@ -26692,8 +26670,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26709,7 +26687,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", "is present": "true" } ] @@ -26722,8 +26700,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -26739,7 +26717,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] 
@@ -26752,8 +26730,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26761,18 +26739,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
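Review bot: The JOSE-format regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` in the second hunk accepts an empty third segment, so an unsecured JWS with no signature satisfies this "is a JOSE Federation Metadata" check, and it admits `=`, `+` and `/`, which are not in the base64url alphabet that JWS compact serialization uses. If the intent is "the body is a signed Entity Configuration", require a non-empty signature and the base64url charset: `"check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]+$"`, assuming the tool matches the body as a whole; drop the anchors if it matches line by line. The description also promises a `Content-Type: application/entity-statement+jwt`, but this hunk only inspects the body; that header is covered by the separate Content-Type test earlier in the diff, so the description could say so. The test object continues outside the hunk.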
@@ -26782,27 +26753,20 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response AA",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.oauth_resource.resource",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
@@ -26812,8 +26776,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the response_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
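Review bot: The new `check regex` in the first hunk opens with an unescaped `[`, so the regex engine reads `[\s*"[^"]` as a character class rather than a literal opening bracket; the pattern still compiles but no longer requires the `[` of the array it appears meant to match. Presumably the intent is a JSON array of strings, which needs `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also says an HTTP 200 OK response is expected, but the hunk only inspects the body and has no status check like the one used for the Entity Configuration tests, so the 200 is assumed rather than verified. The test object closes after the hunk.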
@@ -26824,13 +26788,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -26841,9 +26810,9 @@ } }, { - "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "test": { + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -26854,13 +26823,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -26872,8 +26846,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -26884,13 +26858,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } @@ -26902,8 +26876,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
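Review bot: The description re-added by the third hunk on this line reads `the SA metadata in the TA Entity Configuration`, but the test name and the `Entity Configuration response AA` message it inspects are about the AA, so it should read `the AA metadata in the AA Entity Configuration`. Separately, the first two hunks check `authorization_endpoint` under `$.metadata.federation_entity` with `const: private`, whereas every other `authorization_endpoint` check in this diff looks under `oauth_authorization_server`; this is moved rather than new text, so I only ask that the entity type be confirmed. Both test objects extend beyond their hunks.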
@@ -26914,13 +26888,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -26932,8 +26906,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -26944,13 +26918,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } 
@@ -26962,8 +26936,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -26974,13 +26948,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" } ] } @@ -26992,8 +26966,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" 
@@ -27001,11 +26975,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + } + ] } ] } @@ -27015,8 +26996,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -27024,11 +27005,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + } + ] } ] } 
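Review bot: The schema string added in the `@@ -27001` hunk ends with `\"required\":[\"issuer\"]})` — the trailing `)` after the closing brace makes the embedded JSON Schema unparseable, so this check will error out or be skipped instead of validating `issuer`. Drop the parenthesis so the value ends `...\"required\":[\"issuer\"]}"`. The same stray `)` appears in the logo_uri schema of the `@@ -27024` hunk (`\"required\":[\"logo_uri\"]})`) and needs the same fix.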
@@ -27038,8 +27026,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
@@ -27047,11 +27035,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } 
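Review bot: The schema added in the `@@ -27047` hunk lists all six metadata types in `required`, so an entity that publishes only the types every other AA test here reads (`federation_entity`, `oauth_authorization_server`, `openid_provider`) fails this test, contradicting its own description ("must be a value among the following"). Drop the `required` array and keep `\"additionalProperties\": false`, which is what actually enforces the closed set: `..., \"trust_mark_issuer\": { \"type\": \"object\" } }, \"additionalProperties\": false}`. Note also that the "cannot be repeated" part of the description is not checked by this schema: once the JWT payload has been parsed into an object, duplicate keys have already collapsed (most parsers keep the last value), so repeated metadata types could only be detected on the raw decoded text, if at all.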
@@ -27061,20 +27056,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } @@ -27084,8 +27086,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
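Review bot: The schema added in the `@@ -27061` hunk types `trust_marks` as an object whose values are arrays (`\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}`), while the new description says "It must be an array"; one of the two is wrong. If the description reflects the expected format, the schema should be `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`; otherwise the description should describe the object-of-arrays shape it checks. Either way the check accepts an empty collection — add `\"minItems\": 1` if at least one trust mark is expected for the AA.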
@@ -27101,8 +27103,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -27114,8 +27116,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -27131,8 +27133,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -27144,8 +27146,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
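Review bot: The check in the `@@ -27101` hunk now validates type and range (`{\"type\": \"integer\", \"minimum\": 0}`) but the description kept for the test still says only "the presence of the exp parameter is checked"; the same applies to iat in the `@@ -27131` hunk. Suggested wording: `"description": "... and the exp parameter is checked. It must be a non-negative integer (NumericDate)"`. Be aware that a JSON Schema check cannot relate `exp` to the current time or to `iat`, so an Entity Configuration that is already expired, or has exp earlier than iat, passes both tests; if freshness matters to this suite it needs a separate check.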
@@ -27161,8 +27163,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -27174,8 +27176,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does entity configuration AA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -27191,8 +27193,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -27204,8 +27206,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the AA metadata contain op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", "type": "passive", "sessions": [ "s1" @@ -27216,12 +27218,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$..metadata.openid_provider.op_policy_uri", "is present": "true" } ] 
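Review bot: The relocated sub test in the `@@ -27191` hunk compares `$.sub` with the fixed value `X_key_AA` (`\"is\": \"X_key_AA\"`), while its description says the value "must be equal to the one in the iss parameter"; as written it only passes if `X_key_AA` resolves to the AA's entity identifier, which the description does not say. If that is how the placeholder is substituted, state it in the description (`"... Its value must be the AA entity identifier (X_key_AA), i.e. equal to iss"`) so the trust assumption is explicit rather than implied by a key name.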
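Review bot: The new check `\"check\": \"$..metadata.openid_provider.op_policy_uri\"` in the `@@ -27216` hunk uses recursive descent (`$..`) while every other check in this file uses an absolute `$.` path; `$..` matches an `op_policy_uri` under any nested object that happens to contain a `metadata` key at any depth, so a claim in the wrong place can satisfy the "is present" check. Use the absolute path: `\"check\": \"$.metadata.openid_provider.op_policy_uri\"`.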
@@ -27234,8 +27236,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the AA's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -27251,7 +27253,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.trust_marks", "is present": "true" } ] @@ -27264,8 +27266,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -27281,7 +27283,7 @@ "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.exp", "is present": "true" } ] 
@@ -27294,8 +27296,8 @@ }, { "test": { - "name": "Does the AA metadata contain op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -27306,12 +27308,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata.openid_provider.op_policy_uri", + "check": "$.iat", "is present": "true" } ] @@ -27324,8 +27326,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" 
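Review bot: The `@@ -27306` hunk changes the decode regex from `[^\\n\\r]*` to `[^\\r\\n]*`, while the `@@ -27216` hunk above changes another test in the opposite direction; the two character classes are equivalent, so these edits are pure churn that makes the diff harder to review. Pick one spelling (`\"decode param\": \"[^\\r\\n]*\"` is the form most tests in this file already use) and apply it consistently rather than flipping tests back and forth.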
@@ -27338,7 +27340,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_AA" + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -27348,8 +27356,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -27360,16 +27368,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.jwks", + "is present": "true" } ] } @@ -27381,8 +27386,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" 
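Review bot: The `@@ -27360` hunk replaces the only check of `dpop_signing_alg_values_supported` in the AA's `oauth_authorization_server` metadata with a bare `$.jwks` presence check, and no hunk in this file re-adds it. The removed check looked at a `.one_of` sub-key, which would only exist in a metadata policy rather than in plain metadata, so restoring it verbatim is not the answer; but if the DPoP algorithm constraint is meant to stay in the passive suite it should come back as a schema check in the style of the other new tests, e.g. `\"dpop_signing_alg_values_supported\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}, \"minItems\": 1}`. If it has been moved to another test plan, ignore this.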
@@ -27393,15 +27398,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata", + "is present": "true" } ] } @@ -27413,8 +27416,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -27425,16 +27428,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.sub", + "is present": "true" } ] } 
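Review bot: With the `@@ -27393` hunk the AA passive suite no longer asserts that `token_endpoint_auth_methods_supported` contains `private_key_jwt`, and the `@@ -27425` hunk likewise drops the `token_endpoint_auth_signing_alg_values_supported` check; both are replaced by presence checks (`$.metadata`, `$.sub`) that the `@@ -27161` and `@@ -27191` hunks above already perform, so the net effect is lost coverage of the client-authentication constraints, which are the security-relevant part of the AA metadata. Unless these are re-added elsewhere, restore them as schema checks consistent with the new style, e.g. `\"token_endpoint_auth_methods_supported\": {\"type\": \"array\", \"contains\": {\"const\": \"private_key_jwt\"}}` and `\"token_endpoint_auth_signing_alg_values_supported\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}, \"minItems\": 1}`.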
@@ -27446,8 +27446,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -27455,12 +27455,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_AA" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json index a7900ac..f86062c 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json 
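Review bot: The `@@ -27455` hunk drops the check that the Entity Configuration response carries `Content-Type: application/entity-statement+jwt` and replaces it with the relocated signature test; the JOSE-format body check was removed in the `@@ -27047` hunk as well, and no visible hunk re-adds either, so the AA passive suite now decodes the body as a JWT without ever asserting what the endpoint declares it serves. If those checks were not moved to another test plan, keep a head check such as `{\"in\": \"head\", \"check param\": \"Content-Type\", \"is\": \"application/entity-statement+jwt\", \"url decode\": false}` alongside the signature test. Separately, the relocated signature test verifies with the configured `X_key_AA` while its description says the public key "must be taken from the Entity Statement of a superior"; if `X_key_AA` is a pre-provisioned copy of that key, say so in the description so the trust assumption is explicit.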
@@ -7,1296 +7,861 @@ "tests": [ { "test": { - "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Entity Configuration response OP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the client_id parameter", - "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Entity Configuration response OP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", - "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", - "type": "active", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the nonce parameter", - "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "" - }, - { - "jwt sign": "X_key_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter", - "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication 
request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "" - }, - { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported[0]", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the state parameter", - "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. 
In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", - "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 
'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", - "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity 
Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", - "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "example" - }, - { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", - "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test 
the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", - "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity 
Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": 
"$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", - "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": 
"HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", - "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", - "type": "active", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "example" - }, - { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "unsupported_response_type" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the 
scope parameter wrong or not present in its metadata", - "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", - "type": "active", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_scope" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a state parameter in the JWT of a 
length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the acr_values parameter", - "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "type": 
"passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the aud parameter", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. 
In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the claims parameter", - "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' 
subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the exp parameter", - "description": "An Authentication Request is sent 
without the exp parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + 
"type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iat parameter", - "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. 
It must be equal or superior to the acr send from the RP in the Authentication Request.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode regex": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", + "message type": "Entity Configuration response OP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "UserInfo response", + "checks": [ { "in": "head", - "check": "invalid_request" + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iss parameter", - "description": 
"An Authentication Request is sent without the iss parameter in JWT and the response is analyzed",
+ "name": "Does the OP refuse wrongly signed Authentication Requests",
+ "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",
 "type": "active",
 "sessions": [
 "s1"
@@ -1318,12 +883,7 @@
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.iss",
- "value": ""
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
@@ -1341,21 +901,21 @@
 },
 {
 "in": "head",
- "check": "invalid_request"
+ "check": "unauthorized_client"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Requests without the prompt parameter",
- "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed",
+ "name": "Does the OP verify the signature of the client assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
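Review bot: The new `"s_CIE_introsp"` entry in `sessions` does not match the intercept operations of this Introspection test, which in the following hunk (@@ -1366 and @@ -1389) still carry the unchanged `"from session": "s1"`, and the new result line also stays `"result": "correct flow s1"`. Unless mig-t aliases session names, the intercepts would bind to a session this test never declares, the client assertion is never tampered with, and the test cannot detect an OP that skips signature verification. Either keep `"s1"` here or change both `"from session"` lines and the result to `s_CIE_introsp`. The test's operations continue outside this hunk.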
@@ -1366,20 +926,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Introspection request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.prompt",
- "value": ""
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
@@ -1389,26 +944,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Introspection response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter",
- "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed",
+ "name": "Does the OP verify the signature of the client assertion in the Revocation request",
+ "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
 "s1"
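Review bot: The new `"decode param": "(?<=client_assertion=)([^&]+)"` line puts a regex under a key that, elsewhere in this patch, is paired with a plain parameter name (`"decode param": "request"`), while the passive tests added here use `"decode regex"` for body extraction (`"decode regex": "[^\\r\\n]*"`, the id_token lookbehind). If mig-t reads `decode param` as a literal name, the pattern never matches, the assertion is forwarded with its original signature, and the test can report a correct flow against an OP that does not verify signatures at all. The same construct appears in @@ -1422, @@ -1478, @@ -1534 and @@ -1590; confirm against the decoder, or switch these lines to `"decode regex": "(?<=client_assertion=)([^&]+)"`.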
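Review bot: The new response checks `"check regex": "HTTP/?\\d?\\.?\\d?\\s400"` and `"check": "invalid_request"` pin an error a conformant OP may not send: RFC 6749 §5.2, which RFC 7662 and RFC 7009 reuse, reports a failed client assertion as `invalid_client`, optionally with status 401. An OP that rejects the bad signature that way fails this test for the wrong reason, which hides the fact that it did verify the signature. Unless the SPID/CIE profile mandates `invalid_request` here, consider `"check regex": "invalid_(client|request)"` in the body and `"check regex": "HTTP/?\\d?\\.?\\d?\\s40[01]"` for the status line. The same pair of checks appears in @@ -1445, @@ -1501 and @@ -1557.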
@@ -1422,20 +977,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Revocation request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.redirect_uri",
- "value": ""
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
@@ -1445,26 +995,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Requests without the response_type parameter",
- "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed",
+ "name": "Does the token response to a token request made with a wrong signature return a Token Error response",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -1478,20 +1028,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Token request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.response_type",
- "value": ""
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
@@ -1501,26 +1046,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication error response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse an RP without trusted Trust Marks",
- "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed",
+ "name": "Does the OP's token endpoint refuse assertions signed with a wrong key",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -1534,20 +1079,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Entity Configuration response RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.trust_marks",
- "value": ""
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
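Review bot: The Token request operation in the `@@ -1534` hunk is identical to the one in `@@ -1478` (same `decode param`, same `"jwt sign": "X_wrong_key"`), and both tests then expect the same 400 plus `invalid_request`, so the two tests are duplicates even though their names describe different cases — a corrupted signature versus a well-formed signature produced with an untrusted key. Those exercise different defenses: an OP that only checks that the signature verifies against some key, without binding the key to the client's registered JWKS, rejects the first but accepts the second. The "wrong signature" test should tamper the signature segment itself rather than re-sign, if the tool offers an edit for that; otherwise one of the two tests should be dropped. Both enclosing test objects start and end outside these hunks.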
@@ -1557,26 +1097,26 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
- "in": "head",
+ "in": "body",
 "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP refuse Authentication Requests with a wrong iss parameter",
- "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP",
 "type": "active",
 "sessions": [
 "s1"
@@ -1590,20 +1130,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "edits": [
 {
 "jwt from": "payload",
- "jwt edit": "$.iss",
- "value": "https://www.example.com/"
- },
- {
- "jwt sign": "X_key_RP"
+ "jwt save": "$.iss",
+ "as": "saved_iss"
 }
 ]
 }
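Review bot: The reference value saved as `saved_iss` in the `@@ -1590` hunk is the `$.iss` of the OP's own Entity Configuration, not a configured OP URL, so the test asserts consistency between two OP-issued documents rather than the equality with the expected issuer that the test name promises; the follow-up comparison in the next hunk also uses `contains`, which accepts an ID Token `iss` that merely embeds the saved value. Use an exact-match comparison there if the tool provides one, or reword the description to say the ID Token `iss` is compared with the Entity Configuration `iss`. `jwt save` is placed inside an `edits` array on a response that is then forwarded; confirm that the tool treats it as a read-only operation and forwards the Entity Configuration JWT byte-identical, since a re-encoded JWT without re-signing would break the very flow the test relies on.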
@@ -1613,1706 +1150,931 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "saved_iss" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly validate the trust chain of an RP authentication request", - "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. 
If the OP validates the request anyway, it is not compliant with the specification", - "type": "active", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.authority_hints", - "value": "https://www.wrongsite.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.jwks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_client" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", - "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. 
The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", - "type": "active", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Request with a wrong redirect URI", - "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. 
To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", - "type": "active", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "https://www.example.com/" - }, - { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", - "type": "active", + "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken 
and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", - "type": "active", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - 
"message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud[0]", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.claims_parameter_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", - "type": "active", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": 
"payload", + "check": "$.metadata.openid_provider.claims_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", - "type": "active", + "name": "Does the OP metadata contain the client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - 
"check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", - "type": "active", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, 
this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", - "type": "active", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", - "type": "active", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 
'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", - "type": "active", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity 
Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", - "type": "active", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": 
"$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + 
"result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.introspection_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.issuer", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the organization_name claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the policy_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is missing", - "type": "active", + "name": "Does the OP metadata contain the request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_parameter_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint", - "type": "active", + "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong", - "type": "active", + "name": "Does the OP metadata contain the response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the iat claim is wrong", - "type": "active", + "name": "Does the OP metadata contain the revocation_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681716340" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", - "type": "active", + "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "https://www.example.com" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", - "type": "active", + "name": "Does the OP metadata contain the scopes_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", - "type": "active", + "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the token_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", "type": "passive", "sessions": [ "s1" @@ -3323,15 +2085,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.token_endpoint", + "is present": "true" } ] } @@ -3343,8 +2103,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3355,18 +2115,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", + "is present": "true" } ] } 
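Review bot: None of the new `"is present": "true"` checks in the hunks at -3323, -3355, -3390, -3425, -3460, -3495 and -3527 keeps the `not contains` guard against weak algorithm identifiers (`none`, `HS256`, `HS384`, `HS512`, `RSA_1_5`) that the old side of each hunk carried, so within this file an Entity Configuration whose `*_alg_values_supported` lists advertise `none` or an HMAC alg now passes. The diffstat's new `...signing_alg_values_supported-not_supported.json` files suggest those negative checks were moved into per-test files; that should be confirmed before merging, since a presence-only test gives no signal on the misconfiguration the old one caught. If they were not moved, the `checks` array already accepts several entries, so the presence check can stay and the blocklist check be added beside it, e.g. at -3527: `{ "in": "payload", "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", "not contains": ["none", "HS256", "HS384", "HS512"] }`.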
@@ -3378,8 +2133,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3390,18 +2145,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "is present": "true" } ] } 
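Review bot: The new description in the hunk at -3378 says the claim is checked "in the 'op' entity type", but the check added in the following hunk at -3390 reads `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, and the sibling tests in this file call that the 'openid_provider' entity type; the wording should match the path, e.g. `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked."`.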
@@ -3413,8 +2163,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3425,18 +2175,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "is present": "true" } ] } 
@@ -3448,8 +2193,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3460,18 +2205,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", + "is present": "true" } ] } @@ -3483,8 +2223,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the OP metadata contain the userinfo_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" 
@@ -3495,15 +2235,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.userinfo_endpoint", + "is present": "true" } ] } @@ -3515,8 +2253,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3527,18 +2265,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "is present": "true" } ] } 
@@ -3550,32 +2283,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCc
xiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": "$.metadata.openid_provider.signed_jwks_uri", + "is present": "true" } ] } 
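Review bot: The test rebuilt in the hunk at -3550 asserts only that `$.metadata.openid_provider.signed_jwks_uri` is present, while its new name and description require "the 'jwks' or the 'signed_jwks_uri' parameter ... There must be at least one of the two", so an OP that publishes `jwks` inline and no `signed_jwks_uri` fails a test whose description says it should pass. Either narrow the name and description to `signed_jwks_uri`, or add the alternative as a second test for `$.metadata.openid_provider.jwks`; I cannot tell from this file whether the `checks` DSL can express an OR between two entries, so a single combined check should only be used if the engine supports it.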
@@ -3587,31 +2313,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": 
"true" } ] } @@ -3621,30 +2336,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
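Review bot: The body regex `"([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)"` both rejects valid entity configurations and accepts invalid bodies: base64url segments use `A-Za-z0-9-_`, and `\w` covers `_` but not `-`, so a header or payload containing `-` does not fit the first two groups, while the unanchored pattern still matches any `a.b.c`-shaped fragment inside an HTML or JSON error page. A pattern that states the intent is `"^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]*$"` (compact serialization is unpadded, and `+`/`/` are not base64url characters). The description also requires `Content-Type: application/entity-statement+jwt`, but nothing in the hunk inspects the response headers; if the `"in": "head"` selector used later in this file covers response headers, a second check on that header would close the gap.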
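Review bot: The first `[` in `"check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"` is not escaped, so the engine reads `[\s*"[^"]` as a character class (closed by the `]` of `[^"]`) and the remainder no longer describes a JSON array of strings; it should start with `\\[`. Even repaired, the pattern only asserts that the body ends in something array-like, whereas the description promises an HTTP 200 carrying the resolved metadata for `sub`: neither the status code nor a `metadata` member is asserted, so a 200 with an error list would pass. If the tool can decode this response as a JWT the way the entity-configuration tests do, a `"decode operations"` block with `"is present": "true"` on `$.metadata` would test what the description claims.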
@@ -3654,27 +2359,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "head",
+ "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)",
+ "is present": "true"
 }
 ]
 }
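Review bot: `"check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)"` contradicts the description in the same hunk: a UUID contains hyphens, so `[a-zA-Z0-9]+` stops at the first `-` and the `(?=&)` lookahead then fails, and a `code` that is the last query parameter (no trailing `&`) never matches either. A pattern that encodes the stated requirement is `"(?<=code=)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=&|$)"`. `"in": "head"` appears here for the first time in the file; presumably it selects the response headers (the redirect `Location`), which is worth confirming against the tool since the other checks use `body`, `header` and `payload`.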
@@ -3684,27 +2382,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the successful token response contain a valid access token",
+ "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "body",
+ "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
+ "is present": "true"
 }
 ]
 }
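Review bot: The lookbehind in `"check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\""` tolerates at most one whitespace character between the colon and the value, so a pretty-printed or line-wrapped token response fails on formatting rather than on content; `\\s*` is the intended quantifier (some engines reject variable-width lookbehind, in which case drop the lookbehind and match `\"access_token\":\\s*\"...\"` directly). The same construction is used for `id_token` in the next hunk. Note the check only establishes that the value has three base64url segments; it says nothing about the signature or claims, which is fine for a presence test as long as the name does not promise more than "is a JWT".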
@@ -3714,27 +2405,20 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the successful token response contain a valid ID token",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
- }
- ]
+ "in": "body",
+ "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
+ "is present": "true"
 }
 ]
 }
@@ -3744,27 +2428,20 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
+ "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "UserInfo response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\n\\r]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
- }
- ]
+ "in": "body",
+ "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
+ "is present": "true"
 }
 ]
 }
@@ -3774,25 +2451,32 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy
9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] } ] } 
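Review bot: The `"jwe decrypt"` value added on the new side embeds a complete PEM-encoded RSA private key inline in the test definition, and the identical blob is repeated verbatim in the five UserInfo-response hunks that follow (the `enc` list check and the `alg`, `cty`, `enc` and `kid` presence checks), plus whatever copies the sibling test files in this commit carry. Even if this is a throwaway key for the test RP, keeping it inside JSON fixtures means every rotation has to be done in each copy, the copies will drift (the `decode param` in two of these hunks already differed from the others before this commit normalised it), and a real RP key pasted here later would be one `git log` away from anyone with repository access. If the tool's DSL can take a file path or a named reference, something like `"jwe decrypt": "<path-to-test-rp-private-key.pem>"` (placeholder) in one place is preferable; if it cannot, the key should at least be generated per test run or documented as test-only at the top of the file.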
@@ -3804,25 +2488,29 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\
nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -3834,25 +2522,26 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOc
NNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } 
@@ -3864,25 +2553,26 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CW
hxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + "in": "header", + "check": "$.cty", + "is present": "true" } ] } 
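Review bot: `"check": "$.cty"` with `"is present": "true"` only establishes that the JWE header carries a `cty` member; the property the surrounding UserInfo tests are named for (a signed JWT nested inside the JWE) is signalled by the value `JWT` (RFC 7519 section 5.2, which also notes media types are case-insensitive but recommends the uppercase spelling). Using the list form already used by the `alg` test, `"is in": ["JWT", "jwt"]`, would check the content type rather than just its presence. The test object is closed outside the hunk.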
@@ -3894,25 +2584,26 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1h
tiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "in": "header", + "check": "$.enc", + "is present": "true" } ] } 
@@ -3924,25 +2615,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4C
Pb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -3954,25 +2646,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
+ "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
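Review bot: The deny-list value `"RSA_1_5"` in the new `"not contains"` block is not the registered JWA identifier: RFC 7518 section 4.1 names the algorithm `RSA1_5` (no underscore between RSA and 1), so an OP that actually advertises the PKCS#1 v1.5 key-wrap never matches and the test passes vacuously; the same spelling is used in the `userinfo_encryption_alg_values_supported` hunk at the end of this file. Both should read `"RSA1_5"`. Separately, if the tool treats an unresolved JSONPath as an empty set, `not contains` also passes when the claim is absent altogether, which is worth confirming; if so, pairing the path with an `"is present": "true"` check keeps the test meaningful.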
@@ -3984,25 +2678,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
+ "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -4014,25 +2713,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
+ "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
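Review bot: The JSONPath `"$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]"` inspects only the first element of the array, so a weak algorithm (`none`, `HS256`, `HS384`, `HS512`) listed in any later position passes this test, while the three sibling checks in the neighbouring hunks (`id_token_signing_alg_values_supported`, `request_object_signing_alg_values_supported`, `token_endpoint_auth_signing_alg_values_supported`) run `not contains` over the whole array. Unless the OP profile defines this claim as a single-element list, drop the index: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`. If the claim is in fact an object keyed by endpoint (as a different test in this file's old side seems to have assumed), `[0]` would not resolve at all and the note above about absent paths applies.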
@@ -4044,25 +2748,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
- "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
+ "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -4074,25 +2783,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
+ "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -4104,25 +2818,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
+ "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -4134,25 +2850,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
+ "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -4164,55 +2885,78 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method",
+ "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "jwt from": "header",
+ "jwt edit": "alg",
+ "value": "none"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. 
In particular, its value must be a timestamp",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -4224,8 +2968,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4236,13 +2980,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
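Review bot: The second check on the Authentication error response, `"check": "invalid_request"`, would mark as failing an OP that rejects the tampered request object with `invalid_request_object`, the error code OpenID Connect Core defines for a Request Object that cannot be validated, so a compliant OP may be reported as non-compliant by the `alg: none` test. Unless the target profile mandates `invalid_request` here, accept both, e.g. `"check regex": "invalid_request(_object)?"`. The description also speaks of the OP being able to "decrypt the signature"; a signature is verified, not decrypted, so `If the OP is not able to verify the signature, ...` would state the intended check accurately. The rest of the description is an accurate rationale for why symmetric algorithms and `none` must be refused on signed request objects.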
@@ -4254,8 +2998,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4266,13 +3010,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.jwks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -4284,8 +3028,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
+ "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4296,13 +3040,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.signed_jwks_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
 }
 ]
 }
@@ -4314,8 +3058,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
+ "name": "Does the OP metadata contain correct type issuer parameter",
+ "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4326,13 +3070,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
 }
 ]
 }
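Review bot: The issuer schema in the `@@ -4326` hunk, `\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}`, does not enforce what the new description promises: `format` is an annotation that many JSON Schema validators ignore unless format assertion is switched on, and even when enforced it accepts query and fragment components and non-HTTPS schemes. Adding an explicit pattern, e.g. `\"pattern\": \"^https://[^?#]*$\"`, makes the check match its description regardless of validator configuration. The `decode param` value `[^\\n\\r]*` introduced here and in the `@@ -4356` and `@@ -4416` hunks is equivalent to the `[^\\r\\n]*` used everywhere else in this file; one spelling would make future greps and edits easier.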
@@ -4344,8 +3088,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain correct type logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4356,13 +3100,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_endpoint",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
@@ -4374,8 +3118,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
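Review bot: The logo_uri pattern `^(https?://).*\\\\.svg$` in the `@@ -4356` hunk accepts plain `http://` URLs, whereas the other URL checks in this file (client_id, iss) require `^https://`; if the profile requires HTTPS for logo_uri as well, tighten it to `\"pattern\": \"^https://.*\\\\.svg$\"`. As with the issuer check, `format: uri` is only an annotation unless the validator enforces formats, so the pattern is what actually constrains the value. Separately, the `@@ -4374` hunk's name says the *value* of request_authentication_methods_supported is checked while its description still says only *presence* is checked; the description should mention that each entry must be `request_object`, which is what the schema in the following hunk enforces.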
@@ -4386,13 +3130,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
 }
 ]
 }
@@ -4404,8 +3148,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the contacts claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4416,13 +3160,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -4434,8 +3178,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4446,13 +3190,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
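Review bot: The schema in the `@@ -4416` hunk lists all six metadata types under `required`, so an OP Entity Configuration that carries only `openid_provider` and `federation_entity`, which is the common case, fails this test, while the description only says each key must be one of the allowed types and not repeated. Remove the `\"required\": [...]` array and keep `\"additionalProperties\": false`, which already rejects unknown types; note that a duplicate key cannot be observed after parsing, so the "only once" part of the description is not something this schema can check.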
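Review bot: The trust_marks schema `{\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}` in the `@@ -4446` hunk requires an object, but the description in the preceding hunk says the parameter must be a JSON array, and OpenID Federation defines trust_marks as an array of objects each carrying `id` and `trust_mark`. One of the two is wrong; if the array form is intended, use `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}`, otherwise correct the description.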
@@ -4464,25 +3208,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
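Review bot: `\"aud\":{\"type\":\"array\"}` rejects the single-string form of `aud` that RFC 7519 and RFC 9068 allow, and it checks neither that the items are strings nor that any of them is the resource server identifier the description promises; if the profile does not mandate the array form, `{\"type\": [\"string\", \"array\"], \"items\": {\"type\": \"string\"}}` is the accurate constraint. The `decode param` regex `(?<=\"access_token\": \")[^\"]+` here and in the other Token response hunks (`@@ -4494` through `@@ -4614`, `@@ -4764`, `@@ -4794`) only matches a body with a space after the colon, so a compactly serialised Token response is never decoded and the check is skipped silently; making the space optional, e.g. `(?<=\"access_token\":\\s?\")[^\"]+`, avoids that, provided the regex engine supports bounded-length lookbehind.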
@@ -4494,25 +3238,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the homepage_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
@@ -4524,25 +3268,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -4554,25 +3298,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -4584,25 +3328,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
+ "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -4614,25 +3358,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the introspection_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.introspection_endpoint",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
 }
 ]
 }
@@ -4644,25 +3388,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
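Review bot: The `decode param` value `(?<=id_token: \")([^\"]+)` here and in the `@@ -4674` hunk cannot match a JSON Token response body, where the key is quoted as `\"id_token\": \"`; the lookbehind demands `id_token: \"` with no quote before the colon, so the ID Token is never extracted and the `exp`/`iat` checks run on nothing, unless the body is rendered differently for these two tests. The two following ID Token tests (`@@ -4704`, `@@ -4734`) use `(?<=\"id_token\": \")[^\"]+`; the same value belongs here. The regex predates this commit, but the tests are being moved anyway, so it is a cheap fix to fold in.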
@@ -4674,25 +3418,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the organization_name claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -4704,25 +3448,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the policy_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
 }
 ]
 }
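Review bot: The schema string ends with `\"required\":[\"iss\"]})`; the trailing `)` after the closing brace makes the embedded schema invalid JSON, so this check will fail to parse rather than validate `iss`. Remove the parenthesis so the string ends with `\"required\":[\"iss\"]}`. The `\"const\": \"X_https_OP\"` value looks like a placeholder the tool substitutes with the OP's issuer; if it is not substituted before the schema is evaluated, the check always fails, so this is worth confirming at the same time.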
@@ -4734,25 +3478,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
@@ -4764,25 +3508,46 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
- "type": "passive",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "message operations": [
+ {
+ "from": "url",
+ "save": "client_id",
+ "as": "auth_client_id"
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
- "is present": "true"
+ "check": "client_id",
+ "is": "auth_client_id",
+ "use variable": "true"
 }
 ]
 }
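Review bot: `\"check\": \"client_id\"` addresses the payload without the `$.` JSONPath prefix that every other payload check in this file uses (`$`, `$.metadata...`); unless the tool also accepts bare key names, the path will not resolve and the comparison against `auth_client_id` never runs, and the same applies to `\"check\": \"scope\"` in the `@@ -4794` hunk. If JSONPath is required, use `\"check\": \"$.client_id\"` and `\"check\": \"$.scope\"`. The scope comparison in that hunk is also an exact string match, so an OP that legitimately returns the granted scopes in a different order or as a subset of the requested ones is reported as failing; the description should say so, or the check should be relaxed if the profile permits it.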
@@ -4794,55 +3559,46 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", - "type": "passive", + "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" - } - ] + "from": "url", + "save": "scope", + "as": "auth_scope" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode 
param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", - "is present": "true" + "check": "scope", + "is": "auth_scope", + "use variable": "true" } ] } 
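Review bot: `"save": "scope"` taken `"from": "url"` captures the query-string form of the value, so a multi-valued scope such as `openid profile` is saved as `openid+profile` or `openid%20profile` unless the tool URL-decodes on save, while the `scope` claim in the access token payload is expected to be space-separated; the exact `"is": "auth_scope"` comparison would then fail against a correct OP. Either confirm that the save step decodes the parameter, or compare against the `scope` claim of the decoded request JWT rather than the raw URL parameter. The test object starts at the top of this hunk and its `result` and closing braces are outside it.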
@@ -4854,684 +3610,698 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", + "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.claims_supported", - "is present": "true" - } - ] + "from": "url", + "value": "openid", + "edit": "scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the request 
parameter", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported", - "is present": "true" - } - ] + "from": "url", + "value": "", + "edit": "request" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", + "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + 
"action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported", - "is present": "true" - } - ] + "from": "url", + "value": "", + "edit": "scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" - } - ] + "from": "url", + "value": "example", + "edit": "request" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests without the client assertion", + "description": "A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration 
response OP", - "decode operations": [ + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" - } - ] + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests without the client assertion type", + "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ + "in": "head", + "check 
regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" - } - ] + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is 
checked.", - "type": "passive", + "name": "How does the OP behave when receiving an introspection request without the token", + "description": "An introspection request without a token is sent and the introspection response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" - } - ] + "value": "", + "edit regex": "(?<=token=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP accept introspection requests with a wrong client assertion type", + "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" - } - ] + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message 
type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the client id of the Introspection Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported.value", - "is": "true" - } - ] + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration 
are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the parameters of the client assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported.value", - "is": "true" - } - ] + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "How does the OP behave when receiving an introspection request with a wrong 
token", + "description": "An introspection request with a token not valid is sent and the introspection response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", - "is": "true" - } - ] + "value": "X_not_valid_tkn", + "edit regex": "(?<=token=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", - "type": "passive", + "name": "Does the OP verify the presence of token in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is": "X_url_OP" - } - ] + "value": "", + "edit regex": "(?<=token=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", - "type": "passive", + "name": "Does the OP accept revocation request without the client assertion", + "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "", 
+ "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "check": "Content-Type", - "is": "application/json" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", - "type": "passive", + "name": "Does the OP accept Revocation Requests without the client assertion type", + "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "check": "token_type", - "is": "Bearer" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the request parameter", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", + "name": "Does the OP accept Revocation Requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", "type": "active", "sessions": [ "s1" @@ -5545,12 +4315,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "edit operations": [ { - "from": "url", + "from": "body", "value": "", - "edit": "request" + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -5558,15 +4328,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } @@ -5576,8 +4346,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", - "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", + "name": "Does the OP verify the client assertion type of the Revocation Request", + "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", "type": "active", "sessions": [ "s1" 
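Review bot: The introspection tests beginning at "Does the OP accept introspection requests without the client assertion" declare `"sessions": ["s_CIE_introsp"]` but every operation in them starts and intercepts `"session": "s1"` / `"from session": "s1"`, so unless the runner tolerates an undeclared session name these tests either fail to start or run against the wrong flow; either keep `"s1"` in the session list or point the operations at `"s_CIE_introsp"`. Several descriptions in this hunk also contradict the operations they document: the scope-mismatch test says the `iss` parameter is modified while the edit targets `scope`, the revocation "presence of token" test says the client assertion is verified while it removes `token`, and the "parameters of the client assertion" introspection test describes editing a JWT claim and re-signing while it replaces the whole assertion with `X_wrong_value`. Note too that `"value": ""` with `"edit regex": "(?<=client_assertion=)([^&]+)"` leaves `client_assertion=` in the body with an empty value rather than removing the parameter, so an OP that answers an empty value with `400 invalid_request` would be reported as failing a test whose name says "without the client assertion"; the same pattern recurs in the later hunks at -5545, -5591, -5637 and -5683. The last test object of this hunk continues into the following hunks.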
@@ -5591,12 +4361,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "edit operations": [ { - "from": "url", - "value": "", - "edit": "scope" + "from": "body", + "value": "urn-ietf", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -5604,14 +4374,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] @@ -5622,8 +4392,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", + "name": "Does the OP verify the client id of the Revocation Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", "type": "active", "sessions": [ "s1" @@ -5637,12 +4407,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "edit operations": [ { - "from": "url", - "value": "example", - "edit": "request" + "from": "body", + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" } ] }, 
@@ -5650,15 +4420,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } @@ -5668,8 +4438,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", - "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged", + "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -5683,12 +4453,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "edit operations": [ { - "from": "url", - "value": "openid", - "edit": "scope" + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" } ] }, @@ -5696,15 +4466,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { - "in": "head", - "check": "invalid_request" + "in": "body", + "check": "invalid_client" } ] } 
@@ -5714,11 +4484,11 @@ }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion", - "description": "A request to the introspection endpoint is made without the client assertion in it. The OP's response is analyzed", + "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -5729,12 +4499,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, @@ -5742,15 +4512,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "body", - "check": "invalid_client" + "check": "invalid_request" } ] } @@ -5760,11 +4530,11 @@ }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion type", - "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", + "name": "Does the OP require the client_id in the token request", + "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { 
@@ -5775,12 +4545,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "edit regex": "(?<=client_id=)([^&]+)" } ] }, @@ -5788,15 +4558,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" }, { "in": "body", - "check": "invalid_request" + "check": "invalid_client" } ] } @@ -5806,11 +4576,11 @@ }, { "test": { - "name": "Does the OP accept introspection requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", + "name": "Does the token response to a token request made without the code parameter return a Token Error response", + "description": "This test consists in sending a token request without the code parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -5821,12 +4591,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", "value": "", - "edit regex": "(?<=client_id=)([^&]+)" + "edit regex": "(?<=code=)([^&]+)" } ] }, 
@@ -5834,15 +4604,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "body", - "check": "invalid_client" + "check": "invalid_grant" } ] } @@ -5852,11 +4622,11 @@ }, { "test": { - "name": "How does the OP behave when receiving an introspection request without the token", - "description": "An introspection request without a token is sent and the introspection response analyzed", + "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -5867,12 +4637,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", "value": "", - "edit regex": "(?<=token=)([^&]+)" + "edit regex": "(?<=code_verifier=)([^&]+)" } ] }, @@ -5880,7 +4650,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", @@ -5888,7 +4658,7 @@ }, { "in": "body", - "check": "invalid_request" + "check": "invalid_grant" } ] } 
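Review bot: The expected error in `@@ -5834` for a token request whose `code` was emptied is `invalid_grant`, but RFC 6749 §5.2 reserves `invalid_grant` for a code that is invalid, expired or revoked and classifies a missing required parameter as `invalid_request`. If the federation profile under test mandates `invalid_grant` for this case, the description should say so; otherwise `"check": "invalid_request"` is the more defensible expectation, and the same question applies to the emptied `code_verifier` check in `@@ -5888`. Note also that `@@ -5880` and `@@ -5888` are split around the status-line check, so the expected HTTP status for that test is not visible here.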
@@ -5898,11 +4668,11 @@ }, { "test": { - "name": "Does the OP accept introspection requests with a wrong client assertion type", - "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", + "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -5913,12 +4683,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "value": "", + "edit regex": "(?<=grant_type=)([^&]+)" } ] }, @@ -5926,7 +4696,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", @@ -5944,11 +4714,11 @@ }, { "test": { - "name": "Does the OP verify the client id of the Introspection Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", + "name": "Does the OP check the client_id in the request", + "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { 
@@ -5959,11 +4729,11 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "https://www.example.com/", + "value": "", "edit regex": "(?<=client_id=)([^&]+)" } ] @@ -5972,15 +4742,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "body", - "check": "invalid_client" + "check": "invalid_request" } ] } @@ -5990,11 +4760,11 @@ }, { "test": { - "name": "Does the OP verify the parameters of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.", + "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -6005,12 +4775,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion=)([^&]+)" + "value": "urn-aert", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] }, 
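Review bot: The test spanning `@@ -5944`, `@@ -5959` and `@@ -5972` repeats the mutation of `@@ -5775` (client_id in the Token request body emptied) but expects a 400 with `invalid_request`, whereas `@@ -5788` expects a 401 with `invalid_client` for the identical request; against any given OP at most one of the two can pass, so one should be dropped or they should target different parameters. The description added in `@@ -5944` also says the client_id is removed from the URL while the edit operation uses `"from": "body"`; suggest `"description": "In this test the client_id parameter in the body of the token request is removed and the response is analyzed"`.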
@@ -6018,7 +4788,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", @@ -6036,11 +4806,11 @@ }, { "test": { - "name": "How does the OP behave when receiving an introspection request with a wrong token", - "description": "An introspection request with a token not valid is sent and the introspection response analyzed", + "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", + "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -6051,12 +4821,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "X_not_valid_tkn", - "edit regex": "(?<=token=)([^&]+)" + "value": "X_wrong_code", + "edit regex": "(?<=code=)([^&]+)" } ] }, @@ -6064,7 +4834,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", @@ -6072,7 +4842,7 @@ }, { "in": "body", - "check": "invalid_request" + "check": "invalid_grant" } ] } 
@@ -6082,8 +4852,8 @@ }, { "test": { - "name": "Does the OP verify the presence of token in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", + "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. The response must be a Token Error response.", "type": "active", "sessions": [ "s1" @@ -6097,12 +4867,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" + "value": "X_wrong_code", + "edit regex": "(?<=code_verifier=)([^&]+)" } ] }, @@ -6110,7 +4880,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ { "in": "head", @@ -6128,8 +4898,8 @@ }, { "test": { - "name": "Does the OP accept revocation request without the client assertion", - "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", + "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", + "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", "type": "active", "sessions": [ "s1" 
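Review bot: The wrong `code_verifier` injected in `@@ -6097` is the 12-character value `X_wrong_code`, but RFC 7636 §4.1 requires a code_verifier of 43–128 unreserved characters, so an OP may reject it as malformed (`invalid_request`) before it ever compares it against the stored `code_challenge`; the test then measures input validation rather than PKCE verification. A constructed well-formed but wrong value (for example 43 lowercase letters) would isolate the mismatch case, and reusing the label `X_wrong_code` for a verifier is easy to confuse with the `code` test in `@@ -6051`. The expected status in `@@ -6110` is cut off after `"in": "head",` so it cannot be checked here.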
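Review bot: The test name added in `@@ -6128` reads `Does the OP checks that ...` and its description says `set to and invalid value, just like 'example'`; suggest `"name": "Does the OP check that the token request contains the grant_type parameter set correctly"` and `"description": "In order to validate whether the OP checks the token request sent by the RP, this test sets the grant_type parameter to an invalid value such as 'example' and analyzes the response"`. The corresponding expectation of a 400 with `unsupported_grant_type` in `@@ -6156` matches RFC 6749 §5.2.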
@@ -6143,12 +4913,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", + "message type": "Token request", "edit operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" + "value": "example", + "edit regex": "(?<=grant_type=)([^&]+)" } ] }, @@ -6156,15 +4926,15 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { "in": "body", - "check": "invalid_client" + "check": "unsupported_grant_type" } ] } @@ -6174,8 +4944,8 @@ }, { "test": { - "name": "Does the OP accept Revocation Requests without the client assertion type", - "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", + "name": "How does the OP behave when the token in the userinfo request is missing", + "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", "type": "active", "sessions": [ "s1" @@ -6189,12 +4959,12 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", + "message type": "UserInfo request", "edit operations": [ { - "from": "body", + "from": "head", "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "edit": "Authorization" } ] }, @@ -6202,7 +4972,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "UserInfo response", "checks": [ { "in": "head", 
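Review bot: The UserInfo test in `@@ -6189` removes the bearer token by editing the `Authorization` header to `""`; if the tool's head `edit` writes an empty header rather than dropping it, the request still carries `Authorization:` and exercises a different code path than the "missing" case the name describes, so the edit semantics are worth confirming. For a request without credentials RFC 6750 §3.1 expects a 401 carrying `WWW-Authenticate: Bearer` and no `error` code, so the response checks in `@@ -6202` (the check list continues outside the hunk) should assert that header rather than an error body, e.g. `{ "in": "head", "check regex": "WWW-Authenticate:\\s*Bearer" }`.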
@@ -6220,710 +4990,742 @@ }, { "test": { - "name": "Does the OP accept Revocation Requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", - "type": "active", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_OP" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": 
{ + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP issue refresh tokens even when it is not supposed to", + "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. 
Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "checks": [ { "in": "body", - "check": "invalid_client" + "check": "refresh_token", + "is present": false + } + ] + } + ], + "result": [ + "s1" + ] + } + }, + { + "test": { + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client assertion type of the Revocation Request", - "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", - "type": "active", 
+ "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "urn-ietf", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client id of the Revocation Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", - "type": "active", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity 
Configuration response OP", + "decode operations": [ { "from": "body", - "value": "https://www.example.com/", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + 
"is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP require the client_id in the token request", - "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.authority_hints", + "is present": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "invalid_client" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code parameter return a Token Error response", - "description": "This 
test consists in sending a token request without the code parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_grant" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. 
If it is not present, than the Access Token is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_grant" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=grant_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.typ", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", - "value": "urn-aert", - "edit regex": "(?<=client_assertion_type=)([^&]+)" + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", - "description": "This test consists in sending a 
token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code=)([^&]+)" + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_grant" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", - 
"description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", - "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - 
"action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "example", - "edit regex": "(?<=grant_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "unsupported_grant_type" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP check the client_id in the request", - "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is present": "true" + } + ] } ] } ], - "result": 
"assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when the token in the userinfo request is missing", - "description": "A userinfo request without the 'Authorization: Bearer ...' field is made and the response analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo request", - "edit operations": [ - { - "from": "head", - "value": "", - "edit": "Authorization" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must be an HTTP 200 OK response", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } @@ -6933,20 +5735,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
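Review bot: The new `decode param` regex `(?<=\"id_token\": \")[^\"]+` only matches when the token response body has exactly one space after the colon; the regex it replaces, `(?<=\"id_token\":\\s?)...`, tolerated a compact `\"id_token\":\"...\"` body, so a minified response would now yield nothing to decode and the header/payload checks would never run. Keeping the optional whitespace, `"decode param": "(?<=\"id_token\":\\s?\")[^\"]+"`, restores that tolerance; the same regex recurs in every ID Token hunk through the `'sub'` hunk (lines 6649–6655) and in the access_token tests whose hunk starts above this view. Separately, `"is present": "true"` is a string while the removed `refresh_token` check further down used the boolean `false`; settling on one type for this key keeps the test schema consistent for whatever parses it. These tests also assert presence only, whereas `aud`, `iss`, `exp` and `nonce` carry values the RP must validate, and the value check of `iss` against the OP's URL is removed later in this diff with no replacement visible here, so the suite appears weaker on that point.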
@@ -6956,20 +5765,27 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ - { - "message type": "Revocation response", - "checks": [ + { + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr", + "is present": "true" + } + ] } ] } @@ -6979,8 +5795,8 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -6988,11 +5804,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.at_hash", + "is present": "true" + } + ] } ] } 
@@ -7002,8 +5825,8 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -7011,11 +5834,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -7025,20 +5855,27 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -7048,20 +5885,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -7071,20 +5915,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -7094,8 +5945,8 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" 
@@ -7103,11 +5954,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } @@ -7117,8 +5975,8 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -7126,11 +5984,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } 
@@ -7140,20 +6005,27 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -7370,53 +6242,103 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", - "type": "active", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ] + "jwt check sig": "X_key_OP" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP correctly sign the Access Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. 
In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "jwt check sig": "X_key_core_OP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP correctly sign the ID Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "jwt check sig": "X_key_core_OP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVob
osAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "saved_iss" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -7428,8 +6350,8 @@ }, { "test": { - "name": "Does the OP issue refresh tokens even when it is not supposed to", - "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" 
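Review bot: The `jwe decrypt` value is a complete RSA private key pasted inline as a PEM string; even for a test identity, a private key in a committed JSON suite is a credential in version control, and what appears to be the same key is pasted again in the `cty` test beginning at line 6661, so rotating it or switching test RP means editing every copy. The same hunk already uses indirection for verification keys, `"jwt check sig": "X_key_core_OP"`, so the decryption key could be referenced the same way, e.g. `"jwe decrypt": "X_jwe_key_RP"` (placeholder name constructed here), with the PEM loaded from a file kept out of the repository. The `alg` check on the decrypted UserInfo token is a denylist, `"is not in": ["none", "HS256", "HS384", "HS512"]`, which passes any unlisted value including typos or algorithms the OP never advertised; if the tool offers an inclusion operator, an allowlist of the algorithms the profile accepts would be the tighter assertion, and the description should state whether `$.alg` is read from the JWE key-management header or the inner JWS header, since the listed values only occur in the latter. In the two token-signature descriptions, "decrypted using its public key" would be more accurate as "verified using its public key", since a signature is verified rather than decrypted.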
@@ -7439,41 +6361,32 @@ "message type": "Token response", "checks": [ { - "in": "body", - "check": "refresh_token", - "is present": false + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
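Review bot: The Content-Type assertion `"is": "application/json"` requires an exact header value, so a token response carrying `application/json; charset=utf-8`, which many OPs emit and which is compliant, would fail this test. A substring match on the header line, e.g. `"check regex": "Content-Type:\\s*application/json"` using the `check regex` form already present in this file, would test the media type without pinning its parameters (how `is` and `check regex` compare header values is not visible here, so confirm against the tool). Likewise `"is": "Bearer"` for `token_type` is an exact match, while RFC 6749 §5.1 defines that value as case-insensitive, so a case-insensitive comparison would be the better fit if the tool provides one. Both test names read "Does the ... set correctly?"; "Is the ... set correctly?" is the grammatical form.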
@@ -7483,25 +6396,26 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW
7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } @@ -7513,27 +6427,20 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "code" } ] } 
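Review bot: The added `jwe decrypt` value embeds a complete RSA private key (PEM) in the test definition, so anyone with read access to this repository holds the key that decrypts the RP's UserInfo responses, and the same key is pasted into other tests in this file (the tail of an identical PEM is visible at the top of the partially shown hunk before the Content-Type test), which turns a key rotation into an edit of every copy. If this is a disposable test-only key, say so in `description`; otherwise it should not be in the committed file. The later hunks already reference signing material by alias (`"jwt sign": "X_key_RP"`); if `jwe decrypt` accepts the same kind of alias, `"jwe decrypt": "X_key_RP"` (or a dedicated decryption-key alias) would remove the inline key without changing the check.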
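Review bot: The redirect check in this hunk, `"check param": "Location", "contains": "code"`, is a plain substring test, so a Location URL containing `code_challenge`, an `error_description` mentioning "code", or a path segment with that word satisfies it even when no authorization code was issued; the next two hunks have the same weakness with `"contains": "iss"` (matched by `issuer` or any host name containing it) and `"contains": "state"`. Anchoring the check to a query parameter with a non-empty value is stricter, using the `check regex` form the revocation hunk already applies to `head`: `"in": "head", "check regex": "Location:[^\\r\\n]*[?&]code=[^&\\s]+", "is present": "true"` (and `iss=` / `state=` respectively). This assumes `check regex` on `head` sees the full header block as it does for the status line in the revocation test; please confirm against the tool.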
@@ -7543,27 +6450,20 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "iss" } ] } 
@@ -7573,27 +6473,20 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "state" } ] } 
@@ -7603,27 +6496,20 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the token response have Cache-Control set to 'no-store'", + "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "head", + "check param": "Cache-Control", + "contains": "no-store" } ] } 
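Review bot: The token-response caching check in this hunk stops at `Cache-Control: no-store`, but RFC 6749 §5.1 also requires `Pragma: no-cache` on any response carrying tokens, so an OP that omits the second header passes this test unnoticed. Add a sibling check object after the existing one: `{ "in": "head", "check param": "Pragma", "contains": "no-cache" }`. Keeping `contains` rather than an exact match is right here, since Cache-Control may legitimately carry further directives.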
@@ -7633,27 +6519,40 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", - "type": "passive", + "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", + "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "message operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.authority_hints", - "is present": "true" - } - ] + "edit": "(?<=token=)([^&]+)", + "in": "123.123.123" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
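Review bot: The description of this active test ends at "the response analyzed" without saying what a correct answer is, while the check at the end of the hunk requires an HTTP 200 status. That expectation follows RFC 7009 §2.2, which has the revocation endpoint answer 200 for an invalid or unknown token precisely so that the response does not reveal whether a token is valid; the description should say so, since a reader may otherwise expect an error status. Proposed: `"description": "A revocation request carrying a non-existing token is sent; per RFC 7009 §2.2 the endpoint must still answer HTTP 200, so that its response does not reveal whether a token is valid."`.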
@@ -7663,25 +6562,30 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
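Review bot: The new `decode param` regex in this hunk, `(?<=\"access_token\": \")[^\"]+`, requires exactly one space after the colon, so a token response serialized compactly (`"access_token":"…"`) yields nothing to decode and the `alg` check never runs; the `id_token` regex added in the second hunk on the next line has the same dependency. A bounded lookbehind with optional whitespace covers both forms: `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"` (and the `id_token` counterpart). The description also says an absent `alg` makes the token non-compliant, but `"is not in"` on its own is unlikely to fail for a missing header parameter, so keep a second check `{ "in": "header", "check": "$.alg", "is present": "true" }` beside it, and fix "than" to "then" in both descriptions.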
@@ -7693,8 +6597,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -7705,13 +6609,18 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "header", "check": "$.alg", - "is present": "true" + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -7723,730 +6632,1296 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header 
is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the client_id parameter", + "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.typ", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", + "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.client_id", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the nonce parameter", + "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter", + "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - 
"check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the state parameter", + "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": 
"correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", + "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jti", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", + "description": "In this test an authorization request is sent with a claims 
parameter in the JWT which contains not supported values and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.scope", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", + "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. 
If it is not present, than the ID Token is not compliant.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", + "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", + "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": 
"forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.acr", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.at_hash", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": 
"s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", + "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.aud", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url 
decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", + "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unsupported_response_type" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", + "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the 
Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_scope" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": 
"forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the acr_values parameter", + "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.jti", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", 
+ "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the aud parameter", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.nonce", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in 
the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the claims parameter", + "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Authentication response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "code" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the exp parameter", + "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "state" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": 
"head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iat parameter", + "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "iss" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the token response have Cache-Control set to 'no-store'", - "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check param": "Cache-Control", - "contains": "no-store" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + 
"result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", + "name": "Does the OP refuse Authentication Requests without the iss parameter", + "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", "type": "active", "sessions": [ "s1" @@ -8461,11 +7936,21 @@ "from session": "s1", "then": "forward", "message type": "Authentication request", - "message operations": [ + "decode operations": [ { "from": "url", - "save": "client_id", - "as": "auth_client_id" + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] }, 
@@ -8473,31 +7958,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "client_id", - "is": "auth_client_id", - "use variable": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.", + "name": "Does the OP refuse Authentication Requests without the prompt parameter", + "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", "type": "active", "sessions": [ "s1" @@ -8512,11 +7992,21 @@ "from session": "s1", "then": "forward", "message type": "Authentication request", - "message operations": [ + "decode operations": [ { "from": "url", - "save": "scope", - "as": "auth_scope" + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] }, 
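Review bot: The new `"in": "head", "check": "invalid_request"` check is a substring match over the response head, so it also matches the distinct OIDC error codes `invalid_request_object` and `invalid_request_uri`, and any `error_description` text containing the phrase; since these tests tamper with the request object, an OP answering `invalid_request_object` would pass a check meant for `invalid_request`. An anchored regex on the Location query is stricter, e.g. `"check regex": "[?&]error=invalid_request(&|\\s)"`. The same check is copied into every `Authentication error response` intercept in this diff. This hunk's test object starts in the previous hunk.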
@@ -8524,103 +8014,138 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "scope", - "is": "auth_scope", - "use variable": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", + "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_OP" + "edits": [ + { + "jwt from": "payload", 
+ "jwt edit": "$.redirect_uri", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the response_type parameter", + "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP correctly sign the ID Token", - 
"description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "jwt check sig": "X_key_core_OP" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", - "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", + "name": "Does the OP refuse an RP without trusted Trust Marks", + "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", "type": "active", "sessions": [ "s1" 
@@ -8634,12 +8159,22 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", - "message operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "edit": "(?<=token=)([^&]+)", - "in": "123.123.123" + "decode param": "[^\\r\\n]*", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.trust_marks", + "value": "" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] }, 
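Review bot: `"jwt edit": "$.trust_marks", "value": ""` replaces an array-valued claim with an empty string, so a rejection here may come from type or schema validation of the Entity Configuration rather than from trust-mark verification, and the test cannot tell the two apart. Setting the claim to an empty array, or deleting it if the edit syntax allows that, keeps the configuration well-formed and exercises the "no Trust Marks" case the description names; the other case it names (marks issued by an entity not in the federation configuration) is not exercised at all. The expected response in the following hunk is intercepted as `Authentication response`, while every other negative test in this diff uses `Authentication error response`, which looks like an inconsistency worth checking. The test object starts in the previous hunk and its checks continue in the next one.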
@@ -8647,828 +8182,1314 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "Authentication response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", - "type": "passive", + "name": "Does the OP correctly validate the trust chain of an RP authentication request", + "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. 
If the OP validates the request anyway, it is not compliant with the specification", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "jwt from": "payload", + "jwt edit": "$.authority_hints", + "value": "https://www.wrongsite.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct 
grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", - "type": "passive", + "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", + "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the 
OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", + "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", 
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", - "type": "passive", + "name": "Does the OP refuse Authentication Request with a wrong redirect URI", + "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' 
subclaim (metadata type) is checked to be ['RS256', 'RS512']",
- "type": "passive",
+ "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.aud[0]",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain a correct issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP",
- "type": "passive",
+ "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, 
take the JWT of the client assertion and remove the exp parameter",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is in": [
- "X_url_OP"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.exp",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
- "type": "passive",
+ "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from 
session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
- "type": "passive",
+ "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": 
"payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
- "is in": [
- "private_key_jwt"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",
- "type": "passive",
+ "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.jti",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ 
{
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",
- "type": "passive",
+ "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": 
"invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
- "type": "passive",
+ "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported[0]",
- "is in": [
- "automatic"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.exp",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken 
and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]",
- "type": "passive",
+ "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_modes_supported[0]",
- "is in": [
- "form_post",
- "query"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct response_types_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present and must be set to 'code'",
- "type": "passive",
+ "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter",
+ "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_types_supported[0]",
- "is in": [
- "code"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.sub",
+ "value": "example"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Introspection response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter 
(JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
- "is in": [
- "private_key_jwt"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.aud",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct scopes_supported claim",
- "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.scopes_supported[0]",
- "is in": [
- "openid",
- "offline_access",
- "profile",
- "email"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.aud",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.subject_types_supported[0]",
- "is in": [
- "pairwise"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.exp",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.exp",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.iat",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.acr",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
+ },
 {
- "message type": "Entity Configuration response OP",
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
- "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": "abc"
+ },
+ {
+ "jwt sign": "X_key_core_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
- "url decode": false,
- "is": "application/jwt",
- "check param": "Content-Type"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header",
- "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation request",
 "decode operations": [
 {
- "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9a
pQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "header",
- "check": "$.alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "jwt from": "payload",
+ "jwt edit": "$.jti",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_core_RP"
 }
 ]
 }
 ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Revocation response",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ },
+ {
+ "in": "body",
+ "check": "invalid_request"
+ }
+ ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header",
- "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification",
- "type": "passive",
+ "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion",
+ "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9a
pQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.cty", - "is": "JWT" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", + "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. The response is analyzed; the OP should refuse it", "type": "active", "sessions": [ "s1" @@ -9482,17 +9503,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { - "jwt from": "header", - "jwt edit": "alg", - "value": "none" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } @@ -9502,14 +9526,14 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", + "in": "body", "check": "invalid_request" } ] 
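Review bot: The new Revocation response check in this hunk asserts a 400 with `invalid_request` in the body, but a rejected `client_assertion` is a client-authentication failure, for which RFC 7521 §4.2.1 (used by RFC 7523) and RFC 6749 §5.2 prescribe the `invalid_client` error code, with a 401 also allowed; a conformant OP could therefore fail this test. The same expectation appears in the Token response checks at `@@ -9553,29 +9582,29 @@` and in the two new Token-response check blocks inside `@@ -9770,172 +9819,125 @@`. Unless the SPID/CIE profile's error table mandates `invalid_request` for a bad assertion, I would widen the assertion, e.g. `"check regex": "invalid_request|invalid_client"` on the body if the tool's regex check works there, and accept `\s40[01]` in the head regex. The enclosing test object starts in the previous hunk.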
@@ -9520,8 +9544,8 @@ }, { "test": { - "name": "Does the OP refuse wrongly signed Authentication Requests", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.", + "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is missing.", "type": "active", "sessions": [ "s1" @@ -9535,15 +9559,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } 
@@ -9553,29 +9582,29 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" }, { - "in": "head", - "check": "unauthorized_client" + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -9586,7 +9615,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Token request", "decode operations": [ { "from": "body", @@ -9594,7 +9623,12 @@ "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } @@ -9604,7 +9638,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Token response", "checks": [ { "in": "head", 
@@ -9617,13 +9651,13 @@ ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the aud claim does not contain the OP's Token endpoint", "type": "active", "sessions": [ "s1" @@ -9637,7 +9671,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", + "message type": "Token request", "decode operations": [ { "from": "body", @@ -9645,7 +9679,12 @@ "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" } ] } @@ -9655,7 +9694,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ { "in": "head", 
@@ -9668,13 +9707,13 @@ ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token response to a token request made with a wrong signature return a Token Error response", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the exp claim is wrong", "type": "active", "sessions": [ "s1" @@ -9696,7 +9735,12 @@ "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } @@ -9719,13 +9763,13 @@ ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP's token endpoint refuse assertions signed with a wrong key", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the iat claim is wrong", "type": "active", "sessions": [ "s1" @@ -9747,7 +9791,12 @@ "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } 
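Review bot: The exp edit in this hunk writes `"value": "1681716340"`, a JSON string, whereas `exp` is a NumericDate and must be a number (RFC 7519 §2); if mig-t inserts the value verbatim, the OP may reject the assertion for a malformed claim type rather than for being expired, and the test passes without exercising expiry validation. The same applies to the iat edit at `@@ -9747,7 +9791,12 @@`. For iat in particular, whether a stale-but-well-formed timestamp must be refused depends on the skew window the profile allows, so the description should state which requirement the test pins. If the tool cannot emit a numeric value, a comment in the test description saying that the type mismatch is intentional would at least make the behaviour explicit.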
@@ -9770,172 +9819,125 @@ ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ - { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim
8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "UserInfo response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZ
twFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.cty", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "UserInfo response", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - 
"result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": 
"https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token response", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -9946,17 +9948,15 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "header", "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "is in": [ + "RS256", + "RS512" ] } ] diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json index b007c90..5a6daa4 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json @@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" 
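Review bot: The access-token `alg` allow-list introduced here, `"is in": ["RS256", "RS512"]`, excludes the EC signature algorithms; if the SPID/CIE OIDC profile also permits ES256/ES512, an OP signing with an EC key would fail a check it actually satisfies. Please confirm against the profile's cryptographic-algorithms section and, if so, extend the list to `["RS256", "RS512", "ES256", "ES512"]`. The removed `is not in` form had the opposite weakness (it accepted any unlisted algorithm), so the allow-list is the right direction; only its contents need confirming.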
@@ -16,20 +16,11 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -39,8 +30,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -48,23 +39,11 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
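Review bot: The new check object carries `"is present": "true"` next to `"check regex"`, while the same status assertion elsewhere in this commit (the Token and Revocation response checks in All_OP.json) uses `check regex` alone; unless `is present` is a documented modifier of regex checks in mig-t, it is either dead or silently changes the check's semantics, and the pattern repeats at `@@ -48,23 +39,11 @@`, `@@ -74,32 +53,20 @@`, `@@ -109,32 +76,20 @@` and `@@ -144,32 +99,20 @@`. Separately, this hunk drops the assertion that `id_token_encryption_alg_values_supported` excludes `RSA_1_5`, and the following hunks drop the `none`/HS256/HS384/HS512 exclusions on the signing-algorithm lists; the commit adds single-test files whose names end in `-not_supported.json`, so these presumably moved there, but the aggregate passive plan should still reference them or the weak-algorithm coverage is lost.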
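Review bot: The second test of this file, as rewritten here, asserts exactly what the first test already asserts (message type `Entity Configuration response OP`, head regex for a 200), so one of them is redundant. Its description says the entity configuration "is expected as response", which the status check alone does not establish; a body or `Content-Type` check (OpenID Federation requires `application/entity-statement+jwt` for an Entity Configuration) would make this test distinct and meaningful. If the tool cannot check headers other than the status line, the two tests should at least be merged.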
@@ -74,32 +53,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
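Review bot: The description added here requires an "empty HTTP 200 OK" revocation response, but the only check is the status-line regex, so a 200 with a non-empty body passes. If mig-t supports regex checks on the body, an additional check such as `{ "in": "body", "check regex": "^\\s*$" }` would pin the emptiness requirement; if it does not, the description should be softened to match what is verified.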
@@ -109,32 +76,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -144,32 +99,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -179,8 +122,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", "type": "passive", "sessions": [ "s1" 
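Review bot: This test duplicates the one rewritten at `@@ -109,32 +76,20 @@`: both intercept `Token response` and assert only a 200 status line, so they cannot diverge. Either drop one or give this one a distinct assertion (for example on the presence of `access_token` in the body). The new name is also ungrammatical; `"name": "Is the HTTP status of a token response correct?"` reads correctly.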
@@ -191,14 +134,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" + "check": "$.metadata.openid_provider.acr_values_supported[0]", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] @@ -211,8 +156,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -223,17 +168,14 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" ] } ] 
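Review bot: The `is in` checks introduced here (`acr_values_supported[0]`, `client_registration_types_supported[0]`) inspect only the first element of the advertised list, so a value such as `["automatic", "explicit"]`, or an algorithm list that starts with RS256 and then lists `none` or `HS256`, passes even though the names and descriptions say the whole value is checked. The same `[0]` pattern is used in every hunk from @@ -246,31 +188,26 @@ through @@ -770,25 +745,28 @@, and the `not contains` checks for `none`/HS256/HS384/HS512 that these hunks remove are the only negative coverage visible in this change, so unless they are kept elsewhere in the file the new tests are weaker than the ones they replace. Either add a `"not contains": ["none", "HS256", "HS384", "HS512"]` check next to each `[0]` membership check on the signing-alg claims, or check the whole list rather than its first element. The client_registration_types_supported description also says only "presence" is checked while the check compares a value. The enclosing test object closes outside the hunk.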
@@ -246,31 +188,26 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgV
zl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" + "S256" ] } ] 
@@ -283,28 +220,27 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suum
yktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported[0]", "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "refresh_token", + "authorization_code" ] } ] 
@@ -317,27 +253,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", "is in": [ - "RS256", - "RS512" + "RSA-OAEP", + "RSA-OAEP-256" ] } ] @@ -350,8 +286,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" 
@@ -362,13 +298,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -380,8 +319,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -392,13 +331,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -410,8 +352,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" @@ -422,13 +364,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } @@ -440,8 +384,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" 
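Review bot: The issuer check `"is in": ["X_url_OP"]` in the second hunk compares against a placeholder whose name differs from the `X_https_OP` placeholder used by the removed id_token `iss` schema at @@ -812,13 +790,17 @@; if the harness substitutes placeholders by exact name, `X_url_OP` presumably has to be registered as well or this test fails unconditionally. Worth aligning on one placeholder name, or stating it in the description, e.g. `X_url_OP is replaced by the OP issuer URL at run time`. The description also says the value "is checked to be the URL of the OP" while this is an exact string membership test, so a trailing-slash difference would fail it. The enclosing test object closes outside the hunk.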
@@ -452,13 +396,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -470,8 +417,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" 
@@ -482,13 +429,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -500,8 +450,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" @@ -512,13 +462,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } 
@@ -530,8 +483,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" @@ -542,13 +495,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } @@ -560,8 +515,8 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" 
@@ -572,13 +527,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] } ] } @@ -590,8 +547,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" @@ -602,13 +559,18 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
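Review bot: The `revocation_endpoint_auth_methods_supported` check in the first hunk (@@ -572,13 +527,15 @@) applies `is in` to the whole claim rather than to `[0]` as every sibling test in this change does; if the claim is an array, comparing it against the string list `["private_key_jwt"]` presumably never matches and the test fails on compliant metadata. Suggest `"check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported[0]"` for consistency, unless `is in` is known to handle arrays element-wise. The enclosing test object closes outside the hunk.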
@@ -620,25 +582,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } 
@@ -650,25 +614,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } 
@@ -680,25 +646,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -710,25 +679,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -740,25 +712,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -770,25 +745,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -800,8 +778,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" @@ -812,13 +790,17 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
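Review bot: The new description says the acr "must be equal or superior to the acr send from the RP in the Authentication Request", but the check in the second hunk is only a membership test on `$.acr`, so a downgrade to SpidL1 after the RP requested SpidL2 passes. Either implement the comparison or narrow the description, e.g. `Its value must be one of the three SPID levels; the comparison with the acr requested by the RP is not performed by this test.` ("send" should read "sent", and "correct value of 'acr' parameter valid in the Payload" reads awkwardly). The enclosing test object closes outside the hunk.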
@@ -830,27 +812,21 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
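Review bot: `"is": "application/entity-statement+jwt"` on the Content-Type header will presumably reject a value carrying parameters such as `application/entity-statement+jwt; charset=utf-8`, which is a legal media-type form; if `is` is an exact comparison, a prefix or regex check is safer, and the same applies to the `application/jwt` check in the next hunk (@@ -860,27 +836,21 @@). Also, `"url decode": false` is a JSON boolean while `"is present": "true"` elsewhere in this change (e.g. the jwks check at @@ -890,25 +860,25 @@) is a string; unless the harness accepts both, one convention should be used. The enclosing test object closes outside the hunk.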
@@ -860,27 +836,21 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } 
@@ -890,25 +860,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_provider.jwks", + "is present": "true" } ] } @@ -920,8 +890,8 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -937,7 +907,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", + "check": "$.metadata.openid_provider.acr_values_supported", "is present": "true" } ] 
@@ -950,8 +920,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
+ "name": "Does the OP metadata contain the authorization_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -967,7 +937,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.jwks",
+ "check": "$.metadata.openid_provider.authorization_endpoint",
 "is present": "true"
 }
 ]
@@ -980,8 +950,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -997,7 +967,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.signed_jwks_uri",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
 "is present": "true"
 }
 ]
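Review bot: The `authorization_response_iss_parameter_supported` test in the third hunk only asserts `"is present": "true"`, so an OP that publishes the claim with the value `false` passes, which is the opposite of what the mix-up protection the claim advertises requires; the same presence-only pattern is used for `claims_parameter_supported` and `request_parameter_supported` in later hunks. The patch's file list includes separate `-value.json` tests for these claims, so this is presumably intentional for this file, but if `All_OP.json` is meant to be the self-contained aggregate, a companion check `{"in": "payload", "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is": "true"}` belongs next to the presence one. The enclosing test objects continue outside the hunks.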
@@ -1010,8 +980,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
+ "name": "Does the OP metadata contain the claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1027,7 +997,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported",
+ "check": "$.metadata.openid_provider.claims_parameter_supported",
 "is present": "true"
 }
 ]
@@ -1040,8 +1010,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain the claims_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1057,7 +1027,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_endpoint",
+ "check": "$.metadata.openid_provider.claims_supported",
 "is present": "true"
 }
 ]
@@ -1070,8 +1040,38 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1340,8 +1340,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain the issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1357,7 +1357,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
+ "check": "$.metadata.openid_provider.issuer",
 "is present": "true"
 }
 ]
@@ -1370,8 +1370,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the organization_name claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain the logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1387,7 +1387,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -1400,8 +1400,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the policy_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain the organization_name claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1417,7 +1417,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -1430,8 +1430,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the policy_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1447,7 +1447,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -1460,8 +1460,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1477,7 +1477,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
 "is present": "true"
 }
 ]
@@ -1490,8 +1490,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1507,7 +1507,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -1520,8 +1520,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1537,7 +1537,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -1550,8 +1550,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the claims_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1567,7 +1567,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_supported",
+ "check": "$.metadata.openid_provider.request_parameter_supported",
 "is present": "true"
 }
 ]
@@ -1580,8 +1580,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1597,7 +1597,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported",
+ "check": "$.metadata.openid_provider.response_modes_supported",
 "is present": "true"
 }
 ]
@@ -1610,8 +1610,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1627,7 +1627,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported",
+ "check": "$.metadata.openid_provider.response_types_supported",
 "is present": "true"
 }
 ]
@@ -1640,8 +1640,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the revocation_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1657,7 +1657,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "check": "$.metadata.openid_provider.revocation_endpoint",
 "is present": "true"
 }
 ]
@@ -1670,8 +1670,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1687,7 +1687,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
 "is present": "true"
 }
 ]
@@ -1700,8 +1700,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1717,7 +1717,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "check": "$.metadata.openid_provider.scopes_supported",
 "is present": "true"
 }
 ]
@@ -1730,8 +1730,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1747,7 +1747,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.response_modes_supported",
+ "check": "$.metadata.openid_provider.subject_types_supported",
 "is present": "true"
 }
 ]
@@ -1760,8 +1760,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the response_types_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1777,7 +1777,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.response_types_supported",
+ "check": "$.metadata.openid_provider.token_endpoint",
 "is present": "true"
 }
 ]
@@ -1790,8 +1790,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the revocation_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1807,7 +1807,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
 "is present": "true"
 }
 ]
@@ -1820,8 +1820,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1837,7 +1837,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
 "is present": "true"
 }
 ]
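Review bot: The `token_endpoint_auth_signing_alg_values_supported` description in the third hunk says the claim is checked "in the 'op' entity type", but the check path in the last hunk is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`; there is no `op` entity type in the paths this file uses, so the description should read `"... the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked."` to match every sibling test. The enclosing test objects continue outside the hunks.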
@@ -1850,8 +1850,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the scopes_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1867,7 +1867,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.scopes_supported",
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -1880,8 +1880,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1897,7 +1897,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.subject_types_supported",
+ "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported",
 "is present": "true"
 }
 ]
@@ -1910,8 +1910,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain the userinfo_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1927,7 +1927,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint",
+ "check": "$.metadata.openid_provider.userinfo_endpoint",
 "is present": "true"
 }
 ]
@@ -1940,8 +1940,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1957,7 +1957,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -1970,8 +1970,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1987,7 +1987,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported",
+ "check": "$.metadata.openid_provider.signed_jwks_uri",
 "is present": "true"
 }
 ]
@@ -2000,8 +2000,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the userinfo_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
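Review bot: The "jwks or signed_jwks_uri" test assembled by the first two hunks checks only `"check": "$.metadata.openid_provider.signed_jwks_uri"` with `"is present": "true"`, so an OP that publishes its keys inline in `jwks` and omits `signed_jwks_uri` fails even though the description says "There must be at least one of the two". Unless mig-t can express an alternative inside a single check, either the check should be widened (for example a `check regex` on the decoded payload that matches either key name, if the engine allows it) or the name and description should be narrowed to `signed_jwks_uri`, since the plain `jwks` case already has its own test earlier in this file. The enclosing test objects continue outside the hunks.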
@@ -2009,18 +2009,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response OP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_endpoint",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -2030,27 +2023,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
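Review bot: The body regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` in the first hunk lets the third group be empty, so an Entity Configuration whose signature segment is missing still satisfies the "JOSE format" check; requiring `[\\w\\-]+` for all three segments (and dropping `=`, `+` and `/`, which are not base64url characters) would match what a signed compact JWS actually looks like. The test's description, in the previous hunk, also promises `Content-Type: application/entity-statement+jwt`, but no header check is made; adding a second check `{"in": "head", "url decode": false, "is": "application/entity-statement+jwt", "check param": "Content-Type"}` alongside the body regex would make the test match its description. The enclosing test object starts outside this hunk.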
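Review bot: The resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` in the second hunk opens with an unescaped `[`, so `[\s*"[^"]` is parsed as a character class rather than a literal opening bracket, and the pattern no longer expresses the JSON string array it appears to target; the intended form is presumably `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Even corrected, a trailing string-array match says nothing about whether the resolved metadata for the requested `sub` came back as the description states; if the body is JSON, a check such as `{"in": "body", "check": "metadata", "is present": "true"}` would tie the test to that claim (confirm the response format first). The enclosing test array continues outside the hunk.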
@@ -2060,27 +2046,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported.value",
- "is": "true"
- }
- ]
+ "in": "head",
+ "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)",
+ "is present": "true"
 }
 ]
 }
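Review bot: The new `code` check `(?<=code=)[a-zA-Z0-9]+(?=&)` does not test what the description claims: a UUID contains hyphens, which `[a-zA-Z0-9]+` excludes, and the `(?=&)` lookahead makes the match fail whenever `code` is the last query parameter of the redirect, so a compliant redirect can fail while a non-UUID code passes. If the profile really requires a UUID, `"check regex": "(?<=code=)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=&|$)"` expresses it; otherwise the description should say "an opaque alphanumeric value" and the lookahead should become `(?=&|$)`. The enclosing test array continues outside the hunk.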
@@ -2090,27 +2069,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the successful token response contain a valid access token",
+ "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported.value",
- "is": "true"
- }
- ]
+ "in": "body",
+ "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
+ "is present": "true"
 }
 ]
 }
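Review bot: The access-token regex `(?<=\"access_token\":\\s?)\"(...)\"` tolerates at most one whitespace character after the colon, so a pretty-printed Token response with two spaces or a newline after `"access_token":` fails the test although the token itself is a well-formed JWT; `\\s*` in the lookbehind is the safer quantifier (if the regex engine accepts a variable-length lookbehind, otherwise match `\"access_token\":\\s*` outside the lookbehind). The same `\\s?` appears in the `id_token` regex of the next hunk. The enclosing test array continues outside the hunk.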
@@ -2120,57 +2092,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the successful token response contain a valid ID token",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
- "is": "true"
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does entity configuration OP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response OP",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_OP"
- }
- ]
+ "in": "body",
+ "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
+ "is present": "true"
 }
 ]
 }
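Review bot: The Entity Configuration `sub` test (`"check": "$.sub"`, `"is": "X_url_OP"`) is deleted in this hunk with nothing in the hunk taking its place; it used `"decode param": "[^\\r\\n]*"` where the surviving tests use `"decode regex"`, which looks like the reason it never ran rather than a reason to drop it. An Entity Configuration is a statement an entity issues about itself, so `sub` equal to `iss` is the check that stops one entity's configuration being served under another's identifier; if it has not been relocated to another file in this patch, restoring the test with `"decode regex": "[^\\r\\n]*"` keeps that coverage. The new `id_token` regex also inherits the single-whitespace `\\s?` issue noted on the previous hunk. The enclosing test array continues outside the hunk.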
@@ -2180,20 +2115,20 @@
 },
 {
 "test": {
- "name": "Does the Content-Type in a token response set correctly?",
- "description": "This test verifies the head Content-Type set to application/json in the token response.",
+ "name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
+ "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "UserInfo response",
 "checks": [
 {
- "in": "head",
- "check": "Content-Type",
- "is": "application/json"
+ "in": "body",
+ "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
+ "is present": "true"
 }
 ]
 }
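Review bot: The five-segment regex `[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$` only establishes that the UserInfo body has JWE compact-serialization shape, not that it is "signed and encrypted" as the name and description state; whether the decrypted payload is a nested JWS can only be verified after decryption, which the following test's `jwe decrypt` operation appears to do, so the wording here should be narrowed to `"description": "The UserInfo response is taken and the presence of a JWE in compact serialization in the body of the response is checked."`. The Token response `Content-Type: application/json` check removed here is not re-added within the hunk; if it was not relocated, that header validation is lost. The enclosing test array continues outside the hunk.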
@@ -2203,20 +2138,34 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "check": "token_type", - "is": "Bearer" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR
40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] + } + ] } ] } 
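Review bot: An RSA private key is committed verbatim in the `jwe decrypt` field of this test, and the same PEM is pasted into every other UserInfo test in this hunk series. If this is the key of a real RP registered in the federation, it is now a leaked secret and should be rotated; if it is a throwaway test key, that should be stated in the test description so nobody has to guess. Either way, inlining the PEM in six places makes rotation error-prone; consider having the harness read it from a single referenced file or placeholder (the file already resolves placeholders such as `X_url_OP`), e.g. `"jwe decrypt": "X_rp_private_key"`, if the tool supports that for this field. I cannot tell from the diff whether the key is production or test material, so treat this as a check to perform before merging.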
@@ -2226,20 +2175,31 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4i
MROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -2249,20 +2209,28 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvu
eHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } 
@@ -2272,20 +2240,28 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\n
DSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.cty", + "is present": "true" + } + ] } ] } 
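Review bot: The check only asserts that `cty` is present in the JWE header, while this file elsewhere asserts that the UserInfo response is a signed-and-encrypted (nested) JWT; for a nested JWT RFC 7519 §5.2 requires `cty` to be present and equal to `JWT`. Tightening the check to `"check": "$.cty", "is": "JWT"` makes the test catch a mislabelled content type instead of only a missing parameter. If the harness's `is` comparison is case-sensitive, note that RFC 7519 says the value is case-insensitive, so a regex check may be preferable.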
@@ -2295,20 +2271,28 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgY
A3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.enc", + "is present": "true" + } + ] } ] } 
@@ -2318,20 +2302,28 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m
4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
@@ -2341,20 +2333,29 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } 
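Review bot: The forbidden value is spelled `RSA_1_5`, but the JWA identifier for RSAES-PKCS1-v1_5 is `RSA1_5` (RFC 7518 §4.1, no underscore between RSA and 1), so an OP that advertises the padding-oracle-prone algorithm still passes this test because the string never matches. Change the list to `"not contains": ["RSA1_5"]` and fix the description to match. Whether `not contains` passes vacuously when the claim is absent depends on the tool; if it does, a separate presence test is needed to make this check meaningful.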
@@ -2364,8 +2365,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -2373,11 +2374,23 @@ "operations": [ { "message type": "Entity Configuration response OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -2387,20 +2400,32 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
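Review bot: The JSONPath `$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]` selects only the first element of the array, so `none` or an HS* algorithm in any later position passes the test; every sibling alg test in this series (id_token_signing_alg_values_supported, request_object_signing_alg_values_supported, token_endpoint_auth_signing_alg_values_supported) checks the whole array. Drop the index: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`. If `[0]` was meant to handle a nested-array value, that should be documented in the description, as it is otherwise indistinguishable from a typo.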
@@ -2410,20 +2435,32 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -2433,20 +2470,32 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -2456,20 +2505,29 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } 
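Review bot: Same misspelling as in the id_token encryption test: `RSA_1_5` is not a JWA identifier, the algorithm to reject is `RSA1_5` (RFC 7518 §4.1). With the current string the `not contains` check can never fire, so the test passes against an OP that still offers RSAES-PKCS1-v1_5 for UserInfo encryption. Use `"not contains": ["RSA1_5"]`.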
@@ -2479,20 +2537,32 @@ }, { "test": { - "name": "Does the OP verify the HTTP method of the Revocation request", - "description": "The revocation request must be sent via HTTP POST", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -2502,20 +2572,27 @@ }, { "test": { - "name": "Does the successful token response contain access token", - "description": "The Token response is analyzed and the presence of the access token is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
@@ -2525,20 +2602,27 @@ }, { "test": { - "name": "Does the OP issue the access tokens when requested", - "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -2548,20 +2632,27 @@ }, { "test": { - "name": "Does the OP issue the expires_in in a token response", - "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "expires_in" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] } ] } 
@@ -2571,20 +2662,27 @@ }, { "test": { - "name": "Does the successful token response contain the ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", + "name": "Does the OP's entity configuration contain a correct authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "id_token" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + } + ] } ] } 
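Review bot: The schema `{"type": "array"}` accepts an empty array and arrays of non-string elements, so `"authority_hints": []` or `[1]` is reported as correct. OpenID Federation defines authority_hints as an array of entity identifiers (URLs), and for an OP that is not a Trust Anchor it should name at least one superior, so `{\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"format\": \"uri\"}}` is closer to what the test name implies. `format` is annotation-only in many JSON Schema validators unless format assertion is enabled, so if the harness's validator does not enforce it, a `pattern` such as `^https://` is the portable alternative; I cannot tell from the diff which validator is used.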
@@ -2594,20 +2692,27 @@ }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", + "name": "Does the OP metadata contain correct type issuer parameter", + "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + } + ] } ] } 
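Review bot: The description says the issuer must be a URL with no query or fragment component, but the schema only applies `"format": "uri"`, which does not reject `?` or `#` and is annotation-only in most JSON Schema validators unless format assertion is switched on. Add a pattern that enforces what the description states, e.g. `\"pattern\": \"^https://[^?#]*$\"` (OIDC Core requires the https scheme for the Issuer Identifier), so that `https://op.example?x=1` fails rather than passes. With the pattern in place the `format` keyword can stay as documentation.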
@@ -2617,20 +2722,27 @@ }, { "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", + "name": "Does the OP metadata contain correct type logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] } ] } @@ -2640,8 +2752,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" 
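Review bot: The logo_uri pattern `^(https?://).*\\.svg$` accepts an `http://` logo, which a relying party would load into a login page served over https (mixed content, and a tamperable image). If the profile under test mandates https for logo_uri, tighten the pattern to `^https://.*\\.svg$`; I cannot tell from the diff which profile is targeted, so confirm before changing. As in the issuer test, `"format": "uri"` is annotation-only in many validators, so the `pattern` is the part of this schema that actually carries the check.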
@@ -2657,8 +2769,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
 }
 ]
 }
@@ -2670,8 +2782,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2682,13 +2794,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -2700,8 +2812,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2717,8 +2829,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
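Review bot: The `\"required\"` array in the new `$.metadata` schema lists all six metadata types, so an Entity Configuration that legitimately publishes only `openid_provider` and `federation_entity` fails this check, while the description says the keys must merely be "a value among" those types. `\"additionalProperties\": false` already enforces the allowed set, and a JSON object cannot carry a key twice, so the "only once" part is implicit; drop the `required` array and end the schema with `\"trust_mark_issuer\": { \"type\": \"object\" } }, \"additionalProperties\": false}`. The enclosing test object starts in the preceding hunk.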
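Review bot: The `trust_marks` schema in the last hunk on this line requires an object whose values are arrays, but the description introduced two hunks earlier states "it must be a JSON array", and in OpenID Federation `trust_marks` is, as far as I recall, an array of objects (each carrying `id` and `trust_mark`); a conforming Entity Configuration would therefore fail this test. Suggested schema: `{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"trust_marks\"]}`. The enclosing test object starts in the preceding hunk.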
@@ -2730,25 +2842,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
 ]
 }
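Review bot: The `aud` check only asserts `\"type\":\"array\"`, while the name and description claim the value is verified to be the resource server's identifier; an empty array or any unrelated strings pass. At minimum constrain the contents, e.g. `\"aud\":{\"type\":\"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"format\": \"uri\"}}`, or compare against the expected identifier if the suite defines a placeholder for it, and note that RFC 7519 also allows `aud` to be a single string, which this schema rejects. The closing lines of this test object fall outside the hunk.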
@@ -2760,25 +2872,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
 ]
 }
@@ -2790,25 +2902,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
 ]
 }
@@ -2820,25 +2932,25 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",
+ "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.authority_hints",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
 ]
 }
@@ -2850,25 +2962,25 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
+ "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -2880,8 +2992,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
- "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2896,9 +3008,9 @@
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is present": "true"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
 }
 ]
 }
@@ -2910,8 +3022,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header",
- "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.",
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2922,13 +3034,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
- "is present": "true"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
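Review bot: The new `decode param` `(?<=id_token: \")([^\"]+)` in the last hunk on this line has no quotes around `id_token`, so against a JSON token response (`"id_token": "..."`) the lookbehind never matches and the ID Token `exp` check is never applied to a token; the `iat` hunk `@@ -2952,13 +3064,13 @@` on the next line carries the same regex. The rest of this patch uses `(?<=\"id_token\": \")[^\"]+` for the same purpose, so align both: `"decode param": "(?<=\"id_token\": \")[^\"]+",`. Whether a non-matching decode is reported as a skip or a failure depends on the tool, but either way the token is not inspected. The enclosing test object starts in the preceding hunk.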
@@ -2940,8 +3052,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header",
- "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2952,13 +3064,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.typ",
- "is present": "true"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -2970,8 +3082,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2982,13 +3094,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
 }
 ]
 }
@@ -3000,8 +3112,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3012,13 +3124,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.client_id",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
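Review bot: The `json schema compliant` string of the ID Token `iss` check in the first hunk ends in `]})` — the stray `)` after the schema's closing brace makes the embedded schema invalid JSON, so the validator cannot load it and the test can never pass. Drop the parenthesis: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]}"`. The enclosing test object starts in the preceding hunk.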
@@ -3030,25 +3142,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does entity configuration OP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_url_OP"
 }
 ]
 }
 ]
 }
@@ -3060,25 +3172,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
 ]
 }
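Review bot: The JSON path `$.metadata.openid_provider.authorization_response_iss_parameter_supported.value` appends `.value`, whereas the other metadata checks in this patch address the claim directly (e.g. `$.metadata.openid_provider.request_authentication_methods_supported`) and this claim is a plain boolean in provider metadata (RFC 9207), so unless the tool wraps metadata claims in an object with a `value` field the path resolves to nothing; the `claims_parameter_supported` hunk `@@ -3090,25 +3202,25 @@` and the `request_parameter_supported` hunk `@@ -3120,25 +3232,25 @@` have the same shape. Suggested line: `"check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",`. Also confirm that `"is": "true"` compares against a JSON boolean as intended, and reword the description, which still says only presence is checked while the check asserts the value. The closing lines of this test object fall outside the hunk.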
@@ -3090,25 +3202,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked",
+ "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata.openid_provider.claims_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
 ]
 }
@@ -3120,25 +3232,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
@@ -3150,24 +3262,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -3180,24 +3292,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -3210,24 +3322,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
- "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
+ "in": "payload",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -3240,24 +3352,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
- "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
+ "in": "payload",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -3270,24 +3382,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
+ "check": "$.metadata",
 "is present": "true"
 }
 ]
@@ -3300,24 +3412,24 @@
 },
 {
 "test": {
- "name": "Does ID token payload contain the 'at_hash' parameter",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.at_hash",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -3330,24 +3442,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the OP's entity configuration contain the authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.authority_hints",
 "is present": "true"
 }
 ]
@@ -3360,24 +3472,24 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the OP's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -3390,8 +3502,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3402,12 +3514,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.iat",
+ "in": "header",
+ "check": "$.alg",
 "is present": "true"
 }
 ]
@@ -3420,8 +3532,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
+ "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header",
+ "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3432,12 +3544,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.iss",
+ "in": "header",
+ "check": "$.kid",
 "is present": "true"
 }
 ]
@@ -3450,8 +3562,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header",
+ "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3462,12 +3574,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.jti",
+ "in": "header",
+ "check": "$.typ",
 "is present": "true"
 }
 ]
@@ -3480,8 +3592,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
+ "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3492,12 +3604,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.nonce",
+ "check": "$.aud",
 "is present": "true"
 }
 ]
@@ -3510,8 +3622,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3522,12 +3634,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.client_id",
 "is present": "true"
 }
 ]
@@ -3540,20 +3652,27 @@
 },
 {
 "test": {
- "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
+ "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Token response",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "code"
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3563,20 +3682,27 @@
 },
 {
 "test": {
- "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
+ "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Token response",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "state"
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3586,20 +3712,27 @@
 },
 {
 "test": {
- "name": "Does the OP contain iss parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
+ "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Token response",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "iss"
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3609,21 +3742,27 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_OP"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jti",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3633,8 +3772,8 @@
 },
 {
 "test": {
- "name": "Does the OP correctly sign the Access Token",
- "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
+ "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3647,7 +3786,13 @@
 "from": "body",
 "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_core_OP"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.scope",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3657,8 +3802,8 @@
 },
 {
 "test": {
- "name": "Does the OP correctly sign the ID Token",
- "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
+ "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3669,9 +3814,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "jwt check sig": "X_key_core_OP"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3681,29 +3832,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
+ "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported[0]",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
- ]
+ "in": "header",
+ "check": "$.alg",
+ "is present": "true"
 }
 ]
 }
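Review bot: The test name promises a *correct* 'alg', but the check on `$.alg` only asserts presence, so an ID Token header carrying `"alg": "none"` or an HMAC algorithm passes. The UserInfo JWE test later in this diff already expresses the stronger condition on the same path with `"is not in": ["none", "HS256", "HS384", "HS512"]`; adding that entry here, alongside the presence check, would make the test match its name. Keep the presence check as a separate entry unless mig-t is known to fail `is not in` when the claim is absent.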
@@ -3715,27 +3862,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
+ "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
+ "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
- "is in": [
- "S256"
- ]
+ "in": "header",
+ "check": "$.kid",
+ "is present": "true"
 }
 ]
 }
@@ -3747,28 +3892,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
+ "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported[0]",
- "is in": [
- "refresh_token",
- "authorization_code"
- ]
+ "check": "$.acr",
+ "is present": "true"
 }
 ]
 }
@@ -3780,28 +3922,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does ID token payload contain the 'at_hash' parameter",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$.at_hash",
+ "is present": "true"
 }
 ]
 }
@@ -3813,28 +3952,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.aud",
+ "is present": "true"
 }
 ]
 }
@@ -3846,28 +3982,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
+ "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -3879,27 +4012,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain a correct issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP",
+ "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is in": [
- "X_url_OP"
- ]
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -3911,28 +4042,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -3944,27 +4072,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
- "is in": [
- "private_key_jwt"
- ]
+ "check": "$.jti",
+ "is present": "true"
 }
 ]
 }
@@ -3976,28 +4102,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",
+ "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.nonce",
+ "is present": "true"
 }
 ]
 }
@@ -4009,28 +4132,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",
+ "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -4042,29 +4162,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP verify the HTTP method of the Revocation request",
+ "description": "The revocation request must be sent via HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported[0]",
- "is in": [
- "automatic"
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
@@ -4074,30 +4185,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]",
+ "name": "Does the successful token response contain access token",
+ "description": "The Token response is analyzed and the presence of the access token is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_modes_supported[0]",
- "is in": [
- "form_post",
- "query"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "access_token"
 }
 ]
 }
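Review bot: The revocation-method check searches `url` for the literal `POST`, but the HTTP method is not part of a request URL, so this test can only do what its name says if mig-t's `url` scope happens to cover the request line — worth confirming, and otherwise the assertion belongs in the head section or whatever method matcher the tool provides. The entry also pairs `"is present": true` with a bare `"check": "POST"`, whereas every other presence check added in this diff pairs it with `"check regex"` (body) or `"check param"` (head); `"check regex": "POST"` in the right section would at least be consistent with those. As written, a GET to the revocation endpoint whose URL contains no such substring fails the check for the wrong reason, and a URL that does contain it passes regardless of method.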
@@ -4107,29 +4208,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct response_types_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'",
+ "name": "Does the OP issue the access tokens when requested",
+ "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.response_types_supported[0]",
- "is in": [
- "code"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "access_token"
 }
 ]
 }
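Review bot: The operations of this test are byte-for-byte the same as those of the 'Does the successful token response contain access token' test on the preceding line (same `Token response` message type, same `"check regex": "access_token"` body check), so the two can never fail independently and one is redundant. If this one is meant to cover the end-to-end exchange its description talks about, the check should differ from its sibling — for instance by also requiring `token_type` or by being keyed to the preceding token request — or the duplicate should be dropped.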
@@ -4139,29 +4231,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'",
+ "name": "Does the OP issue the expires_in in a token response",
+ "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
- "is in": [
- "private_key_jwt"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "expires_in"
 }
 ]
 }
@@ -4171,32 +4254,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct scopes_supported claim",
- "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]",
+ "name": "Does the successful token response contain the ID token",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.scopes_supported[0]",
- "is in": [
- "openid",
- "offline_access",
- "profile",
- "email"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "id_token"
 }
 ]
 }
@@ -4206,29 +4277,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'",
+ "name": "Does the successful token response contain the token type",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
 "type": "passive",
 "sessions": [
 "s1"
 ],
- "operations": [
- {
- "message type": "Entity Configuration response OP",
- "decode operations": [
- {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.subject_types_supported[0]",
- "is in": [
- "pairwise"
- ]
+ "operations": [
+ {
+ "message type": "Token response",
+ "checks": [
+ {
+ "in": "body",
+ "is present": true,
+ "check regex": "token_type"
 }
 ]
 }
@@ -4238,30 +4300,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the HTTP status code of the UserInfo response is 200",
+ "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "UserInfo response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
- }
- ]
+ "in": "head",
+ "is present": true,
+ "check param": "HTTP/?\\d?\\.?\\d?\\s200"
 }
 ]
 }
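Review bot: The status-line assertion puts a regex under `check param`, the key that head checks elsewhere in this diff use for a header *name* (`"check param": "Content-Type"`, `"check param": "Location"` on the removed sides); unless mig-t evaluates `check param` as a pattern against the raw head, this looks for a header literally named `HTTP/?\d?\.?\d?\s200` and never matches. The body checks added alongside use `check regex` for pattern matching, so `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` is the likelier intended form. The pattern itself is loose — every component after `HTTP` is optional, so it also accepts malformed status lines — and a stricter `HTTP/\\d(\\.\\d)?\\s200\\b` still covers HTTP/1.0, 1.1 and 2 responses.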
@@ -4271,8 +4323,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4283,18 +4335,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
- }
- ]
+ "jwt check sig": "X_key_OP"
 }
 ]
 }
@@ -4304,30 +4347,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']",
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
@@ -4337,8 +4371,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.",
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4349,19 +4383,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.acr",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
- ]
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
@@ -4371,21 +4395,33 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header",
+ "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "checks": [
+ "message type": "UserInfo response",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
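Review bot: A complete PEM private key is inlined as the `jwe decrypt` value, while every other key-dependent operation in this diff refers to a run-time placeholder (`"jwt check sig": "X_key_OP"`, `"X_key_core_OP"`); the key also appears on the removed side of the next hunk, so this is a move rather than a new addition, but it still pins the suite to one fixed key pair and, unless it is a throwaway fixture, keeps a secret in version control. A placeholder in the same `X_key_*` style, resolved from the tool's configuration, would bring this test in line with the rest. Separately, the description says an absent `alg` makes the token non-compliant, yet the only check on `$.alg` is `"is not in"`; an explicit `"is present": "true"` entry is needed unless mig-t already fails `is not in` on a missing claim. The hunk starts on the previous line.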
@@ -4395,21 +4431,20 @@
 },
 {
 "test": {
- "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
- "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
+ "name": "Does the Content-Type in a token response set correctly?",
+ "description": "This test verifies the head Content-Type set to application/json in the token response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
- "url decode": false,
- "is": "application/jwt",
- "check param": "Content-Type"
+ "check": "Content-Type",
+ "is": "application/json"
 }
 ]
 }
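Review bot: The new header check uses `"check": "Content-Type"` under `"in": "head"`, whereas every other header check in these hunks (the three Location tests below and the removed line this replaces) uses `"check param"`; if the tool only recognises `check param` for headers, this test never inspects the real header and passes or fails vacuously — worth confirming against the tool's check grammar. The exact `"is": "application/json"` will also fail a response that sends `application/json; charset=utf-8`, which many frameworks emit and which is still the media type the description asks for. Proposed lines: `"check param": "Content-Type",` and `"contains": "application/json"`.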
@@ -4419,33 +4454,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR
40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
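Review bot: `"is": "Bearer"` on `token_type` is an exact, case-sensitive comparison, but RFC 6749 §5.1 defines `token_type` as case-insensitive, so a server returning `bearer` is compliant yet would be reported as a failure here. Unless the tool offers a case-insensitive comparison, a regex is the safest form: `"check regex": "\"token_type\"\\s*:\\s*\"[Bb]earer\""` with `"is present": "true"`, the same shape this patch uses for the HTTP status check in PASSIVE.json. Whether `"check": "token_type"` under `"in": "body"` resolves the JSON key or performs a plain substring search is not visible from this hunk.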
@@ -4486,28 +4508,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMRO
P8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "code" } ] } 
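Review bot: `"contains": "code"` on the `Location` header is a plain substring test, so a redirect whose path, host or `error_description` contains the letters `code` passes even when no authorization code is returned, which is exactly the error case this test should catch. Anchor on the query parameter instead: `"check regex": "[?&]code=[^&]+"` with `"is present": "true"`, the form this same patch uses for the status-line check in PASSIVE.json. If the tool's `contains` is already keyed to query parameters, the test name should say "query parameter" and the check key should reflect it, but nothing in the hunk indicates that.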
@@ -4517,28 +4531,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtzi
M\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "iss" } ] } 
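Review bot: The `"contains": "iss"` check is the weakest of the three Location checks: `iss` is a substring of `issuer`, `permission`, `session` and of many host names, so nearly any redirect URI passes whether or not the `iss` parameter (RFC 9207) is present. Use `"check regex": "[?&]iss=[^&]+"` with `"is present": "true"` so only the query parameter satisfies the test. Its value should additionally URL-decode to the OP's issuer identifier, which a presence check cannot establish and which the description should not imply.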
@@ -4548,28 +4554,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bE
aQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "state" } ] } 
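Review bot: The test is named "correct state parameter" but `"contains": "state"` only establishes that the substring `state` occurs somewhere in the `Location` value — a path such as `/estate/` or a `session_state` parameter satisfies it, and the value is never compared with the `state` sent in the Authentication request. At minimum anchor it as `"check regex": "[?&]state=[^&]+"` with `"is present": "true"`; if the tool can compare against a value captured from the request, that is what "correct" requires, otherwise rename the test to "contain a state parameter" so the report does not overstate what was verified.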
@@ -4579,26 +4577,30 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Token response", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiW
VXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "header", - "check": "$.kid", - "is present": "true" + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -4610,8 +4612,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" 
@@ -4622,7 +4624,7 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { @@ -4645,8 +4647,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -4657,17 +4659,15 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "header", "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "is in": [ + "RS256", + "RS512" ] } ] 
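Review bot: This test now targets the Token response and extracts `access_token`, but the `"jwe decrypt"` operation with the inlined RSA private key is kept as an unchanged context line above `"from": "body"`, so the decoder is told to decrypt the access token with the UserInfo decryption key before reading its header. The access token in a token response is a signed JWT rather than a JWE for that key, so the step presumably fails or yields nothing and the `alg` check never runs on the real header; drop the `jwe decrypt` line, as the sibling ID Token test in this same diff line does not carry one. The lookbehind `(?<=\"access_token\": \")` also assumes exactly one space after the colon, i.e. pretty-printed JSON; a tolerant form such as `"decode param": "(?<=\"access_token\":\\s{0,4}\")[^\"]+"` keeps the bounded lookbehind most regex engines require. The enclosing test object starts before this hunk.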
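Review bot: With the access token now checked against the allow-list `"is in": ["RS256", "RS512"]`, the earlier deny-list test for the same token (`is not in` `none`/`HS*`) rejects nothing the allow-list does not already reject, while the ID Token test in this diff line still relies on the deny-list alone and would accept any value outside that list, e.g. `ES256` or `PS256`, whether or not the profile permits it. Either give the ID Token an equivalent allow-list test or state in its description that only the known-insecure values are excluded. The allow-list is also the form that would catch a header with no `alg` at all, which the deny-list description claims to detect but which `is not in` on a missing path may not — the tool's behaviour for an absent JSONPath is not visible here.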
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response OP-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response OP-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response OP-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-sub-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response OP-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-sub-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
index 4fd0251..483a3a4 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json
@@ -7,27 +7,20 @@ "tests": [ { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
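Review bot: This hunk drops the SA entity-configuration `exp` check, and the following hunks drop the SA `iat`, `metadata`, `trust_marks` and entity-statement checks, with no SA replacement visible anywhere in this file; if those tests moved to another plan that should be stated in the commit message, otherwise PASSIVE.json stops verifying the Subordinate Authority altogether. The new status-line check is fine as far as it goes, but a `200` alone does not show an entity configuration came back; a second check such as `"check param": "Content-Type"`, `"contains": "application/entity-statement+jwt"` would make the name "correct HTTP code in the EC response" hold for the right reason.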
@@ -37,27 +30,20 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
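Review bot: This test is the same check as the one before it — same `Entity Configuration response RP` message, same `HTTP/?\\d?\\.?\\d?\\s200` regex, same `is present` — so "Does the Entity expose the /.well-known/openid-federation endpoint" can never fail unless the previous test fails too, and the report double-counts one observation. Make it test what the description promises ("its entity configuration is expected as response"): the Content-Type check that this same patch removes from ALL_Session1.json fits exactly, e.g. `"in": "head"`, `"check param": "Content-Type"`, `"contains": "application/entity-statement+jwt"`.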
@@ -67,25 +53,27 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } 
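Review bot: `$.metadata.openid_relying_party.client_registration_types[0]` inspects only the first array element, so `["automatic", "explicit"]` passes although the description requires the value to be `automatic`, and an empty array yields no value to compare at all. The removed tests used `json schema compliant` for exactly this kind of array constraint; `"check": "$.metadata.openid_relying_party.client_registration_types"` with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"const\": \"automatic\"}}"` checks every element. This hunk also switches the decoder key from `decode param` to `decode regex` while the ALL_Session1.json hunks earlier in this patch keep `decode param` for the same purpose; if the tool accepts only one spelling, the tests using the other never decode the JWT and their payload checks become vacuous — worth confirming before merging.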
@@ -97,25 +85,28 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
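Review bot: The description says `grant_types` must contain both `authorization_code` and `refresh_token`, but `grant_types[0]` with `is in` only asserts that the first element is one of the two: `["refresh_token"]` alone passes, and `["implicit", "authorization_code"]` fails on ordering rather than on content. A schema over the whole array expresses the stated requirement: `"check": "$.metadata.openid_relying_party.grant_types"` with `"json schema compliant": "{\"type\": \"array\", \"allOf\": [{\"contains\": {\"const\": \"authorization_code\"}}, {\"contains\": {\"const\": \"refresh_token\"}}]}"`. The `contains` keyword needs a draft-06 or later validator, which is not visible from here; with an older one, two `is in`-style checks, one per element, are the fallback.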
@@ -127,25 +118,28 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -157,25 +151,28 @@ }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -187,25 +184,28 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -217,25 +217,27 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } 
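Review bot: The description "the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'" leaks the metadata-policy operator into prose and reads as if several values were acceptable, while the check admits only one. Suggested wording: `"description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter must be 'private_key_jwt'"`.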
@@ -247,25 +249,28 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -277,25 +282,28 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
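Review bot: The description says "the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512']" while the check asserts the value with `is in`, so the text does not describe what is tested. Suggested wording, matching the sibling tests in this file: `"description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_enc' parameter must be one of ['A128CBC-HS256', 'A256CBC-HS512']."`. How `is in` behaves when the JSONPath is absent is not visible here; if it errors rather than fails, a separate `is present` test would make a missing parameter an explicit finding.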
@@ -307,25 +315,28 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -337,15 +348,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -354,8 +365,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] } ] } 
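Review bot: The check `$.metadata.openid_relying_party.response_types[0]` with `"is in": ["code"]` inspects only the first array element, so an RP that lists `code` in any other position of `response_types` is reported as failing even though the name and description say the array "contains the value 'code'". If the framework's `contains` check accepts an array-valued JSONPath result (it is used on `$.iss` elsewhere in this file, though with `use variable`), `"check": "$.metadata.openid_relying_party.response_types", "contains": "code"` would test what the description states; otherwise the name and description should be narrowed to "the first value of 'response_types' is 'code'".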
@@ -367,27 +380,21 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } @@ -397,15 +404,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", 
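Review bot: The Content-Type check in the first hunk uses `"is": "application/entity-statement+jwt"`, which presumably is an exact string comparison; a response whose header carries a parameter (for example `application/entity-statement+jwt; charset=utf-8`) would then be reported as non-compliant although the media type is the required one. If `is` is exact, matching the media type only, e.g. `"contains": "application/entity-statement+jwt"` or a `check regex` anchored on the media type, makes the test fail only when the type itself is wrong; whether `contains` is supported for head checks should be confirmed against the framework.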
@@ -414,7 +421,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", + "check": "$.metadata.openid_relying_party.client_id", "is present": "true" } ] @@ -427,15 +434,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -444,7 +451,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.openid_relying_party.client_registration_types", "is present": "true" } ] @@ -457,15 +464,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", 
@@ -474,7 +481,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] @@ -487,15 +494,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -504,7 +511,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] @@ -517,15 +524,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", 
@@ -534,7 +541,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.openid_relying_party.grant_types", "is present": "true" } ] @@ -547,15 +554,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -564,7 +571,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.openid_relying_party.grant_types", "is present": "true" } ] @@ -577,15 +584,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -594,7 +601,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] 
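Review bot: The test introduced in the hunk at +554 ("Does the RP metadata contain the 'grant_types' parameter") duplicates the one at +524 ("Does the RP metadata contain the grant_types claim"): both decode the same `Entity Configuration response RP` and run the identical check `$.metadata.openid_relying_party.grant_types` / `"is present": "true"`. Two entries with the same check only double the run time and report the same finding twice, so one of them should be dropped, or the second turned into a value check if the profile mandates specific grant types. The same duplication occurs for `jwks` in the hunks at +704 and +734 (the second of which also reads "than" for "then" in its description).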
@@ -607,25 +614,25 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" } ] } 
@@ -637,20 +644,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" + } + ] } ] } 
@@ -660,20 +674,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is present": "true" + } + ] } ] } 
@@ -683,20 +704,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" + } + ] } ] } 
@@ -706,20 +734,27 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" + } + ] } ] } 
@@ -729,20 +764,27 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" + } + ] } ] } 
@@ -752,20 +794,27 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" + } + ] } ] } 
@@ -775,20 +824,27 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response SA RP", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" + } + ] } ] } 
@@ -798,20 +854,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" + } + ] } ] } 
@@ -821,26 +884,25 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "is present": "true" } ] } 
@@ -852,26 +914,25 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is present": "true" } ] } 
@@ -883,53 +944,25 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is present": "true" } ] } 
@@ -941,53 +974,25 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA RP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is present": "true" } ] } 
@@ -999,24 +1004,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is present": "true" } ] @@ -1029,24 +1034,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_relying_party.response_types", "is present": "true" } ] 
@@ -1059,27 +1064,20 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
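Review bot: The body check `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` with `is present` is unanchored and its character classes do not describe JWS compact serialization, so any body containing three dot-separated tokens — a hostname such as `www.example.org` inside an HTML or JSON error page — satisfies the "Federation Metadata in JOSE format" test. JWS segments are unpadded base64url (`A-Z a-z 0-9 - _`), so a pattern anchored on the whole body, e.g. `"check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]*$"`, rejects such false positives; whether the framework applies the regex to the full body or line by line should be confirmed before anchoring.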
@@ -1089,27 +1087,20 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
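Review bot: In the resolve-endpoint check the leading `[` of `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` is not escaped, so the regex engine reads `[\\s*\"[^\"]` as a character class rather than the list's opening bracket; the pattern still happens to match a `"…"]` tail, but it neither anchors on the opening bracket nor rejects a non-list body that merely ends in `"]`. If a JSON array of strings is what the specification requires here, an escaped and anchored form such as `"check regex": "^\\[\\s*\"[^\"]*\"(?:\\s*,\\s*\"[^\"]*\")*\\s*\\]$"` expresses that. The description also promises an HTTP 200 OK response, yet no status check is made; a head check with `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`, as used by the removed SA tests, would cover it.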
@@ -1119,27 +1110,20 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "is present": "true" - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -1149,27 +1133,20 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } 
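Review bot: The Revocation-request regex in the second hunk, `client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)`, excludes `-` from the header and payload segments although `-` belongs to the base64url alphabet every JWS segment is encoded with, so a valid client_assertion whose header or payload contains a `-` fails the check. The token checks in the first hunk and in the hunks at +1156 and +1179 use different classes (`[\\w=]` / `[\\w\\-\\+\\/=]`) for the same JWT structure, so the patterns accept different inputs for the same thing. One base64url class for all three segments, `client_assertion=[\\w-]+\\.[\\w-]+\\.[\\w-]*(?:&|$)`, and likewise for `token=`, makes the checks consistent; prefixing them with `(?:^|&)` also stops `token=` from matching inside a longer parameter name such as `refresh_token=`.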
@@ -1179,27 +1156,20 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain the trust marks", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
@@ -1209,27 +1179,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "body", + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
@@ -1239,27 +1202,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the token request use HTTP POST",
+ "description": "The token request sent by the RP must be sent in HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "POST",
+ "is present": "true"
 }
 ]
 }
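Review bot: `"check regex": "POST"` on `"in": "head"` is unanchored, so the test also passes for a GET token request whose URL, query string or any header value happens to contain the text `POST`. Assuming the head string begins with the request line, `"check regex": "^POST "` pins the check to the method actually used. The test object continues past the hunk.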
@@ -1269,27 +1225,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "head", + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -1299,15 +1248,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1316,9 +1265,11 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" - } + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] + } ] } ] 
@@ -1329,15 +1280,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1346,8 +1297,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -1359,15 +1310,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1376,8 +1327,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1389,15 +1340,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1406,8 +1357,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -1419,25 +1370,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } 
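Review bot: The `state` pattern `^[\\u0020-\\u007E]{32,}$` accepts any printable ASCII, including spaces and punctuation, while the description says 'at least 32 alphanumeric characters' and the name says 'greater than 32'; the `nonce` hunk at L6908 has the same mismatch. Either the description should say 'at least 32 printable ASCII characters' or the pattern should be tightened to what the description claims, e.g. `\"pattern\": \"^[A-Za-z0-9]{32,}$\"`, and the name should read 'at least 32'. The test object continues past the hunk.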
@@ -1449,25 +1400,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } 
@@ -1479,25 +1430,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -1509,25 +1460,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the RP metadata contain correct type grant_types claim",
+ "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}"
 }
 ]
 }
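Review bot: The schema in the new `json schema compliant` check ends with `\"requirement\":[\"grant_type\"]`, which is not a JSON Schema keyword and also names the wrong claim, so an `openid_relying_party` object with no `grant_types` at all validates and the test passes vacuously. The sibling check at L6911 spells it correctly; this one should read `\"required\":[\"grant_types\"]`. The `decode param` change from `[^\\r\\n]*` to `[^\\n\\r]*` is behaviourally equivalent and only adds churn against the hunks that keep the original spelling.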
@@ -1539,15 +1490,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1556,8 +1507,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } 
@@ -1569,25 +1520,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
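Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` requires an SVG path and accepts plain `http://`, but the description only says the value is 'an URL', so a reader cannot tell whether the `.svg` suffix is a requirement or an accident of the pattern. The sibling URL checks at L6909 and L6913 insist on `https://`; if the same holds for logos the pattern should be `^https://.*\\.svg$`, and in any case the description should spell out the SVG requirement.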
@@ -1599,15 +1550,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -1616,8 +1567,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } 
@@ -1629,25 +1580,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] 
} @@ -1659,25 +1610,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } 
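Review bot: The `$.metadata` schema in the hunk that starts on the previous line lists all six entity types under `required`, so an RP entity configuration that exposes only, say, `openid_relying_party` and `federation_entity` fails a test whose name says those types are merely the allowed ones. `additionalProperties: false` already rejects unknown types; dropping `required`, or reducing it to `\"required\": [\"openid_relying_party\"]` for an RP, matches the stated intent. The 'only once for each' part of the name cannot be checked at this point, because duplicate keys are collapsed by the JSON parser before the schema ever sees the object, and the description should not promise it.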
@@ -1689,32 +1640,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } 
@@ -1726,32 +1670,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does the signed JWT assertion contain a correct aud claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}"
 }
 ]
 }
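Review bot: The `aud` schema declares `\"type\": \"array\"` together with `\"format\": \"uri-reference\"`, but `format` only applies to strings, so it is inert on the array, and a string-valued `aud` (a form RFC 7519 permits for the claim) fails the type check even though the description only asks for a URL. A schema such as `{\"aud\": {\"anyOf\": [{\"type\": \"string\", \"pattern\": \"^https?://\"}, {\"type\": \"array\", \"items\": {\"type\": \"string\", \"pattern\": \"^https?://\"}}]}}` covers both shapes and, like the checks at L6909 and L6913, relies on `pattern` because `format` is only an annotation unless the validator opts in. The descriptions in the `exp` and `iat` hunks at L6918 and L6919 misspell `timestamp` as `timestap`.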
@@ -1763,32 +1700,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -1800,32 +1730,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1837,33 +1760,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does entity configuration RP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
- }
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_RP"
+ }
 ]
 }
 ]
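Review bot: The description says the `sub` value must equal the `iss` parameter, but the check compares it against the fixed string `X_url_RP` rather than against `$.iss`, so the test does not verify what it documents. The companion check at L6921 compares `client_id` against `x_https_RP`; if these are substitution placeholders for the RP under test their casing should be unified across the two hunks, and if they are literals the two tests can only pass for one specific RP. Either way the description should name what `sub` is actually compared with, e.g. `"description": "... the sub parameter is checked. Its value must equal the configured RP entity identifier"`.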
@@ -1874,32 +1790,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" } ] } 
@@ -1911,33 +1820,22 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] 
@@ -1948,32 +1846,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -1985,32 +1876,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -2022,32 +1906,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -2059,32 +1936,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -2096,32 +1966,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -2133,32 +1996,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -2170,32 +2026,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.acr_values",
+ "is present": "true"
 }
 ]
 }
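Review bot: The added description ends "If it is missing, than the RP is not compliant"; `than` should be `then`, here and in the 'aud', 'exp', 'iat', 'prompt' and code_challenge hunks that follow, and the 'aud' description also drops a word ("If it missing"). The 'redirect_uri' description further down stops mid-sentence ("and the presence of the 'redirect_uri' parameter") and should close with `is checked`. These strings are what a reader sees next to a failed test, so suggested wording for the shared sentence: `If it is missing, then the RP is not compliant with the specifications`.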
@@ -2207,32 +2056,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.aud",
+ "is present": "true"
 }
 ]
 }
@@ -2244,32 +2086,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -2281,32 +2116,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter",
+ "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.client_id",
+ "is present": "true"
 }
 ]
 }
@@ -2318,32 +2146,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does the JWT header of the Authentication Request contain the kid parameter",
+ "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "header",
+ "check": "$.kid",
+ "is present": "true"
 }
 ]
 }
@@ -2355,32 +2176,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -2392,32 +2206,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -2429,32 +2236,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.nonce",
+ "is present": "true"
 }
 ]
 }
@@ -2466,32 +2266,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.prompt",
+ "is present": "true"
 }
 ]
 }
@@ -2503,32 +2296,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.redirect_uri",
+ "is present": "true"
 }
 ]
 }
@@ -2540,32 +2326,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.response_type",
+ "is present": "true"
 }
 ]
 }
@@ -2577,32 +2356,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the RP Authentication Request contain the 'scope' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.scope",
+ "is present": "true"
 }
 ]
 }
@@ -2614,32 +2386,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.state",
+ "is present": "true"
 }
 ]
 }
@@ -2651,32 +2416,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.ui_locales",
+ "is present": "true"
 }
 ]
 }
@@ -2688,32 +2446,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the RP's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -2725,32 +2476,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does the signed JWT assertion contain the aud claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.aud",
+ "is present": "true"
 }
 ]
 }
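Review bot: The new check on the client_assertion JWT only establishes that `aud` exists, and the same holds for `exp`, `iat`, `iss`, `jti` and `sub` in the five hunks that follow; nothing in these hunks compares a value, so an assertion whose `aud` names the wrong endpoint or whose `iss` differs from `sub` passes every test here. If the harness supports the `"is"` comparison on decoded payload claims (in this file it is only visible on a header check), a value test such as `{ "in": "payload", "check": "$.aud", "is": "<token endpoint URL placeholder>" }` would close that gap for `aud`, and a cross-claim check that `iss` equals `sub` is worth the same treatment. If value tests for these claims live elsewhere in the file, a short comment in the test description pointing to them would stop the next reader from raising this again.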
@@ -2762,32 +2506,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the signed JWT assertion contain the exp claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -2799,32 +2536,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does the signed JWT assertion contain the iat claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -2836,32 +2566,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does the JWT payload contain 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
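Review bot: The new name `Does the JWT payload contain 'iss' claim` breaks the pattern its siblings use (`Does the signed JWT assertion contain the <claim> claim`) and does not say which JWT is meant, so the test is hard to find next to them in a report; `Does the signed JWT assertion contain the iss claim` would match. The 'scope' hunk earlier has the same drift, `Does the RP Authentication Request contain the 'scope' parameter` against the `...Authentication Request's JWT contain...` form of its neighbours, even though its operation decodes the `request` JWT like they do.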
@@ -2873,21 +2596,27 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the signed JWT assertion contain the jti claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jti",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
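Review bot: Signature verification drops out of this file at this hunk and the two that follow: the three `"jwt check sig": "X_key_SA"` decode operations on the Entity Configuration and Entity Statement responses give way to presence checks, and no hunk in view adds a signature check for the client_assertion or for the RP Entity Configuration that the earlier hunks now decode. A presence check accepts an unsigned or mis-signed token just as readily as a valid one, so unless those signature tests survive elsewhere in the file the suite no longer proves that any entity signs what it publishes. If the harness allows it, a `"jwt check sig": "<RP key name placeholder>"` operation on the `Token request` alongside the `jti` check would at least cover the assertion this hunk introduces.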
@@ -2897,21 +2626,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the signed JWT assertion contain the sub claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2921,21 +2656,20 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
@@ -2945,142 +2679,43 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct value for organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct value for organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
+ "name": "Does the RP insert the client ID in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
- }
- ]
- }
- ]
- }
- ],
- "result": [
- "s1"
- ]
- }
- },
- {
- "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response SA",
- "checks": [
- {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Statement response SA OP",
- "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "client_id"
 }
 ]
 }
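Review bot: The added `code_challenge_method` check accepts any value, including `plain`, because it only tests that the URL parameter exists; the `code_challenge` hunk just above has the same presence-only shape, though there a value test is not applicable. If the profile this suite targets mandates S256 (confirm against the specification the file follows), a second check pinning the value, e.g. `{ "in": "url", "check param": "code_challenge_method", "is": "S256" }` using the `check param`/`is` pair this file already uses on a header check, would make the PKCE test meaningful — provided the harness supports that pair for `url`. The `"result": "correct flow s1"` line also replaces the `["s1"]` array form for this test, so the `result` key now has two types in the file; worth confirming which one the loader expects.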
@@ -3090,34 +2725,20 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } 
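Review bot: `response_type` is only checked for presence; the profile restricts RPs to the authorization code flow, so pin the value with `"check": "response_type", "is": "code"` so that `token` or `id_token` hybrid responses, which expose tokens in the front channel, are flagged rather than accepted. The `result` line of this test is context outside the hunk.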
@@ -3127,34 +2748,20 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
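Review bot: `"check regex": "client_assertion"` is an unanchored substring match, so a request that carries only `client_assertion_type=...` and no `client_assertion` still satisfies this test. Anchor the parameter name and its separator, `"check regex": "(^|&)client_assertion="`, so the regex matches the parameter and not its `_type` sibling. The same pattern is reused for the revocation and token-request variants later in this change and has the same gap there.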
@@ -3164,34 +2771,20 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -3201,34 +2794,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
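Review bot: The description promises that `client_assertion` "is a signed JWT structure", but the check is the same presence regex as the previous test, so a placeholder such as `client_assertion=foo` passes. Express the structure in the regex, e.g. `"check regex": "(^|&)client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+(&|$)"` (three non-empty base64url segments), or route the value through a `decode operations` jwt step with `jwt check sig`, as the token-request test in this change already does. As written the test adds no information over the one before it.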
@@ -3238,34 +2817,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -3275,34 +2840,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
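Review bot: The HTTP method is not part of the request URL, so `"in": "url", "check": "POST"` cannot verify that the introspection request uses POST; it only tests whether the literal string `POST` occurs in the URL, which will normally be false and fail a compliant RP (or pass a GET whose path happens to contain it). If mig-t exposes the request line or method (the removed tests used `"in": "head"` with `check param`), target that instead; if it does not, this needs a different check type or should be dropped rather than left as a misleading always-fail. I cannot confirm the DSL's supported `in` targets from this file.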
@@ -3312,34 +2863,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
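Review bot: `"check regex": "token"` also matches `token_type_hint`, an optional introspection parameter per RFC 7662, so a request missing the mandatory `token` parameter but carrying the hint passes. Anchor it: `"check regex": "(^|&)token="`. The same unanchored pattern is used for the revocation `token` tests below, where `token_type_hint` is likewise defined by RFC 7009.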
@@ -3349,34 +2886,20 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
@@ -3386,34 +2909,20 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -3423,34 +2932,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -3460,34 +2955,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
@@ -3497,34 +2978,20 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
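Review bot: The description says the token request "must contain client_assertion parameter in the URL" while the check reads `"in": "body"`; the body is the right place for a POSTed token request (RFC 6749 §4.1.3, private_key_jwt puts the assertion in the form body), so fix the wording to "in the request body" rather than the check. The regex again has the `client_assertion` / `client_assertion_type` substring overlap; `"check regex": "(^|&)client_assertion="` removes it. The same "in the URL" wording repeats in the next five token-request tests.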
@@ -3534,34 +3001,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -3571,34 +3024,20 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -3608,34 +3047,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "code" } ] } 
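Review bot: `"check regex": "code"` is satisfied by `code_verifier=` (the parameter checked by the very next test) and by `code_challenge`, so a token request with no authorization `code` at all passes this test. Use `"check regex": "(^|&)code="` so only the `code` parameter itself counts. The description's "in the URL" should also say "in the request body", matching the `"in": "body"` check.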
@@ -3645,34 +3070,20 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] } 
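Review bot: Presence of `code_verifier` says nothing about whether the RP's PKCE is sound; RFC 7636 §4.1 requires 43–128 characters from the unreserved set, and a short or low-entropy verifier defeats the protection the test is nominally about. Tighten the check to `"check regex": "(^|&)code_verifier=[A-Za-z0-9._~-]{43,128}(&|$)"`. Whether mig-t sees the body URL-decoded matters here (`~` may arrive as `%7E`); confirm before relying on the character class.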
@@ -3682,34 +3093,20 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } 
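Review bot: `grant_type` is only checked for presence; pin the expected value with `"check": "grant_type", "is": "authorization_code"` so that an RP exchanging with another grant where a code exchange was expected is reported. A presence-only check gives no signal about the flow actually used.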
@@ -3719,34 +3116,20 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
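Review bot: The check — a `token` parameter present in some Revocation request — does not establish what the description claims: that revocation happens after logout, and that it is the access token (and only that) being revoked. Any revocation request observed in session s1, at any point, satisfies it, and a revocation of the refresh token would pass as well; the unanchored `token` regex additionally matches `token_type_hint`. Either narrow the description to "a revocation request carrying a token parameter is observed after the flow", or give the test ordering/context support from the tool (e.g. matching the revoked value against the token issued at the token endpoint), which I cannot see in this DSL.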
@@ -3756,34 +3139,20 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } 
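Review bot: `"check param": "Authorization"` with `is present` accepts any Authorization header, including `Basic` credentials or an empty value, so the test does not show that an access token is sent as the description claims. If the DSL allows a value predicate on headers, check the scheme too, e.g. a regex such as `^Bearer [A-Za-z0-9._~+/=-]+$` on the header value; otherwise rename the test to reflect that only the header's presence is verified.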
@@ -3793,34 +3162,21 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "jwt check sig": "X_key_RP" } ] } 
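Review bot: The decode step uses `"decode param": "[^\\r\\n]*"`, a regex, whereas the removed lines in this same file used `"decode regex"` for that purpose and reserved `decode param` for JSONPath (`$.trust_marks[0].trust_mark`); if mig-t still distinguishes the two keys, this step will not extract the JWT and `jwt check sig` never runs. Confirm the key change is intentional (the client_assertion test below makes the same choice). Separately, the description says the verification key "must be taken from the Entity Statement of a superior", but the check verifies against a fixed `X_key_RP` placeholder, so a divergence between the configured key and the superior's published `jwks` goes untested — say so in the description, or derive the key from the superior's statement if the tool supports it.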
@@ -3830,34 +3186,21 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Token request", "decode operations": [ { "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] - } - ] + "jwt check sig": "X_key_core_RP" } ] } 
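Review bot: `jwt check sig` against `X_key_core_RP` verifies only the signature; nothing in this test checks the assertion's `aud` (the OP's token endpoint or issuer), `exp`, `jti`, or that `iss` and `sub` equal the `client_id` sent in the same request, which is what prevents a captured assertion from being replayed or redirected to another OP. If those are covered elsewhere, fine; otherwise add a `checks` entry on the decoded payload, e.g. `"in": "payload", "check": "aud", "is present": true`, and an `is` comparison of `sub` against the RP placeholder. The lookbehind `(?<=client_assertion=)([^&]+)` correctly excludes `client_assertion_type`.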
@@ -3867,34 +3210,43 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Revocation request", + "checks": [ + { + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
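Review bot: Both new tests run `"json schema compliant"` with `"check": "$"` against `"in": "body"`, but introspection and revocation requests are `application/x-www-form-urlencoded`, not JSON, so unless mig-t transparently converts form bodies to an object the schema check fails to parse the body regardless of the client_id value. A regex on the encoded form is the safer expression, e.g. `"check regex": "(^|&)client_id=https(%3A%2F%2F|://)"`. Also, the first test selects session `s_CIE_introsp` but its result is `"correct flow s1"`; confirm which session the result should name.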
@@ -3904,34 +3256,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
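Review bot: The schema string ends with `]})` — a stray `)` after the closing brace — so the embedded JSON Schema is not valid JSON and the check will fail (or be skipped) for every RP, compliant or not. Drop the parenthesis: `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"`. As with the introspection variant, applying a JSON schema to a form-encoded token-request body presumes the tool converts the body to an object; confirm that before relying on this check.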
@@ -3941,34 +3279,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
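Review bot: The description spells the expected value `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` (missing hyphen), while the check correctly uses `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` (RFC 7523 §2.2); the description is the text a reader consults, so align it with the RFC constant. The same misspelling appears in the revocation test below and as `jwtbearer` in the token-request test.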
@@ -3978,34 +3302,20 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_url_RP" } ] } 
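Review bot: `"is": "X_url_RP"` compares the form-encoded `client_id` value with a placeholder URL, but in an `application/x-www-form-urlencoded` body the value arrives percent-encoded (`https%3A%2F%2F...`), so an exact `is` match fails unless mig-t decodes the body first; the removed header checks in this file carried an explicit `"url decode": false` option, which suggests decoding is configurable and should be set explicitly here. The token-request counterpart further down compares the same RP identity against `X_https_RP`, a different placeholder — the two should agree.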
@@ -4015,34 +3325,20 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" - } - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
@@ -4052,34 +3348,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
@@ -4089,34 +3371,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } 
@@ -4126,31 +3394,29 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
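Review bot: `is not in` presumably passes when `$.metadata.openid_relying_party.id_token_signed_response_alg` is absent from the payload (if the checker treats a missing JSONPath as "not in" rather than as a failure), so an RP that omits the parameter is reported compliant although the description says its value is checked. The same applies to the two following RP-metadata hunks (`userinfo_encrypted_response_alg`, `userinfo_signed_response_alg`) and to the `$.alg` check on the Authentication request JWT. If the checker supports it, pair each `is not in` with an `is present` check, or switch to an allow-list (`"is in": ["RS256", "RS512"]`) as the OP-side tests later in this file do, which rejects both absence and any algorithm outside the four listed.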
@@ -4163,31 +3429,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" ] } ] 
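Review bot: The deny-list value `RSA_1_5` does not match the JWA identifier for RSAES-PKCS1-v1_5, which RFC 7518 §4.1 registers as `RSA1_5` (no underscore after RSA), so an RP advertising `"userinfo_encrypted_response_alg": "RSA1_5"` passes this test and the padding-oracle-prone algorithm the test exists to reject goes undetected. The same misspelling appears in the description. Change the check to `"is not in": ["RSA1_5"]` and the description to `['RSA1_5']`.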
@@ -4200,31 +3461,29 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -4237,31 +3496,29 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -4274,31 +3531,32 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", + "from": "url", + "decode param": "request", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } + "in": "payload", + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" ] } ] 
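Review bot: The `is in` list accepts only one ordering of each `acr_values` combination, so a request carrying `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` — a valid space-separated list of the same supported values — is reported non-compliant, while the description only requires the values to be among the three supported ones. The `prompt` hunk (`consent login` but not `login consent`) and the `scope` hunk (no `openid profile email` or other multi-value combinations that the description allows) have the same enumeration problem; both parameters are space-delimited lists in OIDC Core and RFC 6749 §3.3. If the checker has no set-membership operation, complete the `scope` list with the remaining combinations of `profile`, `email` and `offline_access`, and state in all three descriptions that a fixed ordering is enforced.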
@@ -4311,26 +3569,27 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" ] } ] 
@@ -4343,29 +3602,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" ] } ] 
@@ -4378,8 +3639,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" @@ -4387,23 +3648,11 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -4413,8 +3662,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" 
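Review bot: The endpoint-exposure test (`Does the Entity expose the /.well-known/openid-federation endpoint`, whose check body is in the next hunk) ends up with exactly the same check as the test before it — the `HTTP/?\d?\.?\d?\s200` head regex on `Entity Configuration response OP` — so it adds no coverage, and the description's promise that "its entity configuration is expected as response" is never verified. A 200 from a server returning an HTML page would pass both tests. Worth giving the second test a check on the head for the `application/entity-statement+jwt` content type, or a decode operation that parses the body as a JWT, so it actually asserts an entity configuration came back. `"is present": "true"` is a string rather than a boolean; if the checker expects a boolean here the value is silently coerced — worth confirming against the other tests in the file.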
@@ -4422,23 +3671,11 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -4448,32 +3685,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
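Review bot: The revocation test's description requires an *empty* HTTP 200, but the only check is the status-line regex, so a 200 carrying a body (an error document, an echoed token) passes. Note also that under RFC 7009 §2.2 a server returns 200 for an invalid token as well, so the status alone does not show that the token was revoked. Either add a body check (a regex on `body` asserting it is empty, if the checker supports one) or drop "empty" from the description so the test claims only what it verifies.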
@@ -4483,29 +3708,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
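Review bot: This test and the one in the next hunk (`Does the HTTP status of a token response correct?`) run the identical check — the 200 status-line regex on `Token response` — under two names, so one is redundant and their results will always agree. The description here promises that "the Responses of the OP are analyzed", but nothing beyond the status line is inspected; a token response is worth at least asserting `Content-Type: application/json` and the presence of `access_token` and `token_type` in the body (RFC 6749 §5.1). If both tests are kept, the second name should read `Is the HTTP status of a token response correct?`.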
@@ -4515,32 +3731,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -4550,31 +3754,28 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported[0]", "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - 
"ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] 
@@ -4587,28 +3788,26 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/iz
Rim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "automatic" ] } ] 
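Review bot: `$.metadata.openid_provider.client_registration_types_supported[0]` — and `acr_values_supported[0]` in the preceding hunk — inspects only the first element of the array, so an OP advertising `["automatic", "explicit"]` or `[".../SpidL1", "urn:anything"]` passes while the descriptions say the whole list is checked. The same `[0]` pattern is used for every OP-metadata array in the following hunks (`code_challenge_methods_supported`, `grant_types_supported`, `id_token_encryption_alg_values_supported`, `id_token_encryption_enc_values_supported`, `id_token_signing_alg_values_supported`, `request_authentication_signing_alg_values_supported`, `request_object_signing_alg_values_supported`, `response_modes_supported`); for the signing and encryption lists this matters most, because `["RS256", "none"]` or `["RSA-OAEP", "RSA1_5"]` is accepted even though the `not contains` tests on the unindexed path that this commit removes would have flagged them. If the checker offers an operation over the whole array, use it, e.g. `"check": "$.metadata.openid_provider.id_token_signing_alg_values_supported"` with `"not contains": ["none", "HS256", "HS384", "HS512"]` next to the allow-list; otherwise the descriptions should state that only the first element is examined.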
@@ -4621,27 +3820,26 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", "is in": [ - "RS256", - "RS512" + "S256" ] } ] @@ -4654,8 +3852,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", "type": "passive", "sessions": [ "s1" 
@@ -4666,13 +3864,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } @@ -4684,8 +3885,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -4696,13 +3897,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -4714,8 +3918,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -4726,13 +3930,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -4744,8 +3951,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -4756,13 +3963,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -4774,8 +3984,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" @@ -4786,13 +3996,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } @@ -4804,8 +4016,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" 
@@ -4816,13 +4028,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -4834,8 +4049,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -4846,13 +4061,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
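Review bot: Both value checks on this line (`request_authentication_signing_alg_values_supported[0]` and `request_object_signing_alg_values_supported[0]`) inspect only the first array element, so an OP publishing `["RS256", "none"]` — i.e. one that accepts unsigned request objects — satisfies the test although the description says the value is checked to be `['RS256', 'RS512']`. For request objects this is the case the allow-list exists to exclude, since an attacker-controlled unsigned `request` parameter is exactly the downgrade being tested for. Replace the index with a whole-array constraint, e.g. `"check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",` with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}"`, and the same for the request_authentication variant.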
@@ -4864,8 +4082,8 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" @@ -4876,13 +4094,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } @@ -4894,8 +4115,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" 
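Review bot: The `response_modes_supported[0]` check in the second hunk accepts `["form_post", "fragment"]` or `["query", "fragment"]`, because only the first entry is compared against the allowed set while the description claims the whole value is `[form_post, query]`. A fragment response mode advertised at any other index would leak the authorization response into the URL fragment without this test noticing. Either check every element (a `json schema compliant` with `"items": {"enum": ["form_post", "query"]}` on the array path) or reword the description to say only the first mode is validated.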
@@ -4906,13 +4127,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } @@ -4924,25 +4147,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] } ] } 
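Review bot: The `response_types_supported[0]` check in the first hunk passes for `["code", "id_token token"]`, so an OP that still offers implicit or hybrid flows is reported as compliant as long as `code` comes first; the description says the parameter "must be set to 'code'", which implies the array must contain nothing else. A whole-array form pins that: `"check": "$.metadata.openid_provider.response_types_supported",` with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"maxItems\": 1, \"items\": {\"const\": \"code\"}}"`.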
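Review bot: The `revocation_endpoint_auth_methods_supported` check in the last hunk uses the bare array path, whereas the sibling `token_endpoint_auth_methods_supported` test on the next line indexes `[0]`; if the claim is an array (as the `_supported` naming suggests), `is in` is being asked to compare an array against a list of strings, and whether that passes, fails or silently matches depends on the DSL. Pick one convention for both tests, and prefer the form that validates every element, e.g. `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"const\": \"private_key_jwt\"}}"` on the array path.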
@@ -4954,25 +4179,30 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
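Review bot: Only `scopes_supported[0]` is compared, and because the allowed set has four members the test accepts any array whose first scope is one of them, e.g. `["openid", "address", "phone"]`, while the description says the value is `[openid, offline_access, profile, email]`. If the intent is to forbid scopes outside that list, check every element with `"json schema compliant": "{\"type\": \"array\", \"items\": {\"enum\": [\"openid\", \"offline_access\", \"profile\", \"email\"]}}"` on `$.metadata.openid_provider.scopes_supported`; if the intent is only that `openid` is advertised, say so in the description and check for that value specifically.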
@@ -4984,25 +4214,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } 
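Review bot: The `subject_types_supported[0]` check passes for `["pairwise", "public"]`, so an OP that still issues public subject identifiers is accepted as long as `pairwise` is listed first, although the description states the value is `'pairwise'`. Public subjects allow cross-RP correlation of users, which is what a pairwise-only requirement is meant to prevent, so the whole array should be constrained: `"check": "$.metadata.openid_provider.subject_types_supported",` with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"const\": \"pairwise\"}}"`.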
@@ -5014,25 +4246,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } 
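Review bot: The description in the first hunk says only the presence of `token_endpoint_auth_methods_supported` is checked, but the check in the second hunk asserts that element `[0]` is `private_key_jwt`; the two should agree, e.g. `"description": "In this test the OP metadata are taken and the value of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['private_key_jwt']"`. As written, `["private_key_jwt", "client_secret_basic"]` also passes, so a token endpoint that still accepts shared-secret client authentication is not flagged; constrain every element with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"const\": \"private_key_jwt\"}}"` on the array path if that is the requirement.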
@@ -5044,25 +4278,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
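Review bot: `token_endpoint_auth_signing_alg_values_supported[0]` is the only element checked, so an entry such as `HS256` or `none` at index 1 is not detected although the description says the value is checked to be `['RS256', 'RS512']`. For the `private_key_jwt` client assertion this allow-list is what keeps a client from authenticating with a symmetric or unsigned JWT, so the constraint should apply to every element: `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}"` on the array path.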
@@ -5074,25 +4311,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
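Review bot: The `userinfo_encryption_alg_values_supported[0]` check would accept `["RSA-OAEP", "RSA1_5"]`, because only the first element is compared; `RSA1_5` (PKCS#1 v1.5 key wrapping) is the algorithm the OAEP-only list is presumably meant to exclude, and it would go unnoticed at any index other than zero. Check the entire array, e.g. `"check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",` with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"enum\": [\"RSA-OAEP\", \"RSA-OAEP-256\"]}}"`.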
@@ -5104,25 +4344,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
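Review bot: As with the neighbouring tests, `userinfo_encryption_enc_values_supported[0]` is the only element compared, so an extra content-encryption algorithm at index 1 is accepted even though the description states the value is `['A128CBC-HS256', 'A256CBC-HS512']`. If the list is meant to be exhaustive, validate all elements with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"enum\": [\"A128CBC-HS256\", \"A256CBC-HS512\"]}}"` on the array path; if additional AEAD modes such as the GCM ones are acceptable, the description should say so rather than listing two values.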
@@ -5134,25 +4377,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
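Review bot: `userinfo_signing_alg_values_supported[0]` alone is checked, so `["RS256", "none"]` passes and an unsigned UserInfo JWT would not be flagged, contrary to the description's `['RS256', 'RS512']`. Apply the same whole-array form used elsewhere: `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}"` on `$.metadata.openid_provider.userinfo_signing_alg_values_supported`.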
@@ -5164,8 +4410,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" @@ -5176,13 +4422,17 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
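Review bot: The description in the first hunk promises that the returned `acr` "must be equal or superior to the acr sent from the RP in the Authentication Request", but the check in the second hunk is a plain set-membership test on `$.acr` with no reference to the request, so an OP that answers `SpidL1` to an `SpidL2` request passes. Either drop that sentence from the description or, if the DSL can compare values across messages, add that comparison as a separate check. Separately, the new decode regex `(?<=\"id_token\": \")[^\"]+` requires a space after the colon, so a compact token response (`"id_token":"..."`) yields no match and the test silently has nothing to check; a bounded-width lookbehind such as `"decode regex": "(?<=\"id_token\":\\s?\")[^\"]+"` tolerates both layouts, if the regex engine allows it.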
@@ -5194,27 +4444,21 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
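Review bot: The Content-Type check in the second hunk uses `"is": "application/entity-statement+jwt"`; if `is` is an exact string comparison, a response carrying the same media type with a parameter (`application/entity-statement+jwt; charset=utf-8`) fails the test although it is a valid HTTP header. Confirm the matcher's semantics and, if the DSL offers a contains/prefix form, compare only the media type. The test name says "the entity" but the message type is `Entity Configuration response OP`, so the RP's and TA's Entity Configurations are not covered by it; rename to say OP, or duplicate the test for the other entities.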
@@ -5224,27 +4468,21 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is present": "true" - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } @@ -5284,8 +4522,8 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -5301,7 +4539,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.signed_jwks_uri", + "check": "$.metadata.openid_provider.acr_values_supported", "is present": "true" } ] 
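Review bot: The last hunk rewrites the only visible presence test for `jwks`/`signed_jwks_uri` in `openid_provider` into an `acr_values_supported` test, and nothing in view re-adds it; unless it was relocated to one of the new single-test files, this file no longer verifies that the OP publishes its signing keys (or a signed JWK set URI) in its metadata, which is the material an RP relies on to validate ID Tokens and UserInfo JWTs. The old test's name also said "jwks or signed_jwks_uri" while its check only looked at `signed_jwks_uri`, so if it is restored it should cover both, e.g. `"check": "$.metadata.openid_provider",` with `"json schema compliant": "{\"type\": \"object\", \"anyOf\": [{\"required\": [\"jwks\"]}, {\"required\": [\"signed_jwks_uri\"]}]}"`.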
@@ -5314,8 +4552,8 @@ }, { "test": { - "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -5331,7 +4569,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported", + "check": "$.metadata.openid_provider.authorization_endpoint", "is present": "true" } ] @@ -5344,8 +4582,8 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5361,7 +4599,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_endpoint", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is present": "true" } ] 
@@ -5374,8 +4612,8 @@ }, { "test": { - "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5391,7 +4629,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "check": "$.metadata.openid_provider.claims_parameter_supported", "is present": "true" } ] @@ -5404,8 +4642,8 @@ }, { "test": { - "name": "Does the OP metadata contain the contacts claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5421,7 +4659,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.openid_provider.claims_supported", "is present": "true" } ] 
@@ -5434,8 +4672,8 @@ }, { "test": { - "name": "Does the OP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5451,7 +4689,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.openid_provider.client_registration_types_supported", "is present": "true" } ] @@ -5464,8 +4702,8 @@ }, { "test": { - "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -5481,7 +4719,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported", + "check": "$.metadata.openid_provider.code_challenge_methods_supported", "is present": "true" } ] 
@@ -5494,8 +4732,8 @@ }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5511,7 +4749,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] @@ -5524,8 +4762,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5541,7 +4779,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -5554,8 +4792,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -5571,7 +4809,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "check": "$.metadata.openid_provider.grant_types_supported", "is present": "true" } ] @@ -5584,8 +4822,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5601,7 +4839,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] 
@@ -5614,8 +4852,8 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -5631,7 +4869,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", "is present": "true" } ] @@ -5644,8 +4882,8 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -5661,7 +4899,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", "is present": "true" } ] 
@@ -5674,8 +4912,8 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -5691,7 +4929,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", "is present": "true" } ] @@ -5704,8 +4942,8 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -5721,7 +4959,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata.openid_provider.introspection_endpoint", "is present": "true" } ] 
@@ -5734,8 +4972,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -5751,7 +4989,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "check": "$.metadata.openid_provider.issuer", "is present": "true" } ] @@ -5764,8 +5002,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5781,7 +5019,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -5794,8 +5032,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
+ "name": "Does the OP metadata contain the organization_name claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5811,7 +5049,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -5824,8 +5062,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the policy_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5841,7 +5079,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -5854,8 +5092,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the claims_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5871,7 +5109,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_supported",
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
 "is present": "true"
 }
 ]
@@ -5884,8 +5122,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5901,7 +5139,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -5914,8 +5152,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5931,7 +5169,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -5944,8 +5182,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5961,7 +5199,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "check": "$.metadata.openid_provider.request_parameter_supported",
 "is present": "true"
 }
 ]
@@ -5974,8 +5212,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5991,7 +5229,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "check": "$.metadata.openid_provider.response_modes_supported",
 "is present": "true"
 }
 ]
@@ -6004,8 +5242,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6021,7 +5259,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "check": "$.metadata.openid_provider.response_types_supported",
 "is present": "true"
 }
 ]
@@ -6034,8 +5272,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the revocation_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6051,7 +5289,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.response_modes_supported",
+ "check": "$.metadata.openid_provider.revocation_endpoint",
 "is present": "true"
 }
 ]
@@ -6064,8 +5302,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the response_types_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6081,7 +5319,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.response_types_supported",
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
 "is present": "true"
 }
 ]
@@ -6094,8 +5332,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the revocation_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6111,7 +5349,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint",
+ "check": "$.metadata.openid_provider.scopes_supported",
 "is present": "true"
 }
 ]
@@ -6124,8 +5362,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6141,7 +5379,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "check": "$.metadata.openid_provider.subject_types_supported",
 "is present": "true"
 }
 ]
@@ -6154,8 +5392,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the scopes_supported claim",
- "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6171,7 +5409,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.scopes_supported",
+ "check": "$.metadata.openid_provider.token_endpoint",
 "is present": "true"
 }
 ]
@@ -6184,8 +5422,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6201,7 +5439,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.subject_types_supported",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
 "is present": "true"
 }
 ]
@@ -6214,8 +5452,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the token_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6231,7 +5469,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -6364,8 +5602,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6376,13 +5614,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.openid_provider.signed_jwks_uri",
+ "is present": "true"
 }
 ]
 }
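Review bot: The moved description of the token_endpoint_auth_signing_alg_values_supported test still says the claim is checked in the 'op' entity type, while the check path on the new side reads `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`. Every neighbouring test in this run names 'openid_provider', so the wording looks like a leftover from an earlier schema. Suggest `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked."`.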
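Review bot: The rewritten check asserts only `$.metadata.openid_provider.signed_jwks_uri`, so an OP that publishes its keys under `jwks` instead fails a test whose name and description say either of the two is acceptable. With the check vocabulary visible in this file there is no disjunction form, so either split this into two tests and document in each description that exactly one of the pair is expected to pass, or narrow the description to what is actually asserted. Separately, this hunk renames the decode key to `"decode regex"` while the decode operations added later in the same commit (the UserInfo JWE tests) still use `"decode param"`; unless the runner accepts both spellings one of them will be silently ignored and the decode step will not run, so it is worth confirming which key the engine reads before this lands.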
@@ -6394,8 +5632,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6403,18 +5641,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response OP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported.value",
- "is": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
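Review bot: The added body regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` rejects valid compact JWS: the header and payload segments are base64url, whose alphabet includes `-`, which `[\\w=]` does not match, and `=` padding is not part of JWS compact serialization, so a well-formed entity configuration whose header or payload happens to contain `-` will fail this test. The same file already uses `[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+` for the token-response checks; use that form here for both correctness and consistency. The description also states the expected `Content-Type: application/entity-statement+jwt`, but nothing in the hunk checks it; a second check `{"in": "head", "check regex": "application/entity-statement\\+jwt", "is present": "true"}` would make the test enforce what it documents.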
@@ -6424,27 +5655,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
- "is": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
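Review bot: The added `check regex` `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` begins with an unescaped `[`, which opens a character class instead of matching a literal bracket, so the pattern does not express "a JSON array of strings" and will pass or fail for unrelated reasons depending on the regex engine's handling of the nested class; the intended form is presumably `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`. Before fixing the syntax it is worth confirming, against the federation profile this suite targets, that the resolve response body is a plain JSON array at all; the neighbouring federation tests treat entity statements as signed JWTs, and if the resolve response is likewise a JWT this check will never match a compliant implementation. The description also promises an HTTP 200 OK, but no head check for the status line is included in the hunk.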
@@ -6454,27 +5678,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration OP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_OP"
- }
- ]
+ "in": "head",
+ "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)",
+ "is present": "true"
 }
 ]
 }
@@ -6484,8 +5701,8 @@
 },
 {
 "test": {
- "name": "Does the Content-Type in a token response set correctly?",
- "description": "This test verifies the head Content-Type set to application/json in the token response.",
+ "name": "Does the successful token response contain a valid access token",
+ "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6495,9 +5712,9 @@
 "message type": "Token response",
 "checks": [
 {
- "in": "head",
- "check": "Content-Type",
- "is": "application/json"
+ "in": "body",
+ "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
+ "is present": "true"
 }
 ]
 }
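Review bot: The description of the relocated authentication-response test says the `code` value must be a UUID, but the regex `(?<=code=)[a-zA-Z0-9]+(?=&)` cannot match one: UUIDs contain hyphens, which the character class excludes, and the `(?=&)` lookahead makes the check fail whenever `code` is the last query parameter in the redirect. A pattern such as `(?<=code=)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=&|$)` would test what the description claims. The test object was moved rather than authored in this commit, so the mismatch is pre-existing, but it is now the new side and will produce false failures against a compliant OP.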
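Review bot: The new access-token check `(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"` allows at most one whitespace character after the colon (`\\s?`), so a pretty-printed token response with two or more spaces, or a newline, is reported as lacking an access token even though the JSON is valid. Since JSON whitespace is insignificant, `\\s*` is the safer quantifier: `"check regex": "(?<=\"access_token\":\\s*)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\""`. The same applies to the id_token check introduced in the next hunk group on this page.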
@@ -6507,8 +5724,8 @@
 },
 {
 "test": {
- "name": "Does the token_type of a token response set correctly?",
- "description": "This test verifies whether the token_type of a token response is Bearer.",
+ "name": "Does the successful token response contain a valid ID token",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6519,8 +5736,8 @@
 "checks": [
 {
 "in": "body",
- "check": "token_type",
- "is": "Bearer"
+ "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
+ "is present": "true"
 }
 ]
 }
@@ -6530,19 +5747,19 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
+ "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "UserInfo response",
 "checks": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "in": "body",
+ "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
 "is present": "true"
 }
 ]
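Review bot: The new UserInfo check `[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$` only establishes that the body ends in a five-segment compact serialization, i.e. that it is syntactically a JWE; it says nothing about the plaintext being a signed JWT, which is what the test name ("signed and encrypted JWT") promises. Either narrow the name and description to "is a JWE", or make the nested-JWS assertion in one of the `jwe decrypt` tests added later in this commit, where the decrypted content is available to a check. The hunk's last lines close the `checks` array; the enclosing operation continues outside the hunk.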
@@ -6553,20 +5770,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] + } + ] } ] } 
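Review bot: The `jwe decrypt` value added here is a complete PKCS#8 RSA private key committed inline, and the same key is repeated verbatim in the four following UserInfo JWE tests (the `enc` is-in, `alg` presence, `cty` presence and `enc` presence tests). Private key material in version-controlled test JSON is a secret-in-config problem even for a fixture key: secret scanners cannot distinguish it from a production key, its duplication means rotating it requires editing every test, and the long wrapped string is easy to corrupt in a merge. Prefer a single reference that the runner resolves from outside the repository, e.g. `"jwe decrypt": "<PATH_OR_ENV_REFERENCE_TO_RP_PRIVATE_KEY>"`, and if the key is genuinely disposable say so in the test description. Also, after decryption the operation is typed `"type": "jwt"` yet the check reads `$.alg` with `"in": "header"` and expects JWE key-management algorithms (`RSA-OAEP` and friends); whether `header` here means the outer JWE header or the inner JWS header after decryption is not visible in this file and should be confirmed, because in the latter case the is-in list can never match.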
@@ -6576,20 +5807,31 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHn
fnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -6599,20 +5841,28 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgY
A3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is present": "true" + } + ] } ] } 
@@ -6622,20 +5872,28 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m
4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.cty", + "is present": "true" + } + ] } ] } 
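Review bot: The added check only asserts that `cty` is present in the JOSE header; for a nested JWT (a JWS carried inside a JWE) the JWT specification requires the value to be `JWT`, so a presence check lets a wrong or empty value pass. Replacing it with `"check": "$.cty", "is": "JWT"` would test the requirement the test name implies, with the caveat that media-type names are case-insensitive and the runner's `is` comparison may need to tolerate `jwt`. This test also embeds the same inline private key flagged on the first UserInfo JWE test in this commit.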
@@ -6645,20 +5903,28 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.enc", + "is present": "true" + } + ] } ] } 
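Review bot: The `enc` presence check runs on a token that the preceding `jwe decrypt` step has already decrypted, and decryption cannot succeed without a valid `enc` header (RFC 7516 §4.1.2), so this check presumably cannot fail on its own. To make the test meaningful, constrain the value to the content-encryption algorithms the profile allows rather than only its presence, e.g. `"is"` with the single expected value or `"not contains"` listing the algorithms the profile rejects, whichever the tool's check syntax supports for header claims.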
@@ -6668,20 +5934,28 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } 
@@ -6691,20 +5965,29 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
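Review bot: The `not contains` list uses `RSA_1_5`, but the identifier registered for RSAES-PKCS1-v1_5 in JWA (RFC 7518 §4.1) is `RSA1_5`, which is what an OP using a standard JOSE library would advertise in `id_token_encryption_alg_values_supported`; if the metadata uses the registered name, this check passes vacuously while the weak algorithm is still offered. The same spelling is used for `userinfo_encryption_alg_values_supported` in the hunk at @@ -6806. Consider listing both spellings, `"not contains": ["RSA1_5", "RSA_1_5"]`, or correcting the value and description to `RSA1_5` if the profile text uses the registered name.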
@@ -6714,20 +5997,32 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain a valid access token",
- "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT",
+ "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -6737,20 +6032,32 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain a valid ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token",
+ "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
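Review bot: The `check` path ends in `[0]`, so only the first element of `request_authentication_signing_alg_values_supported` is examined, whereas the sibling checks in the hunks at @@ -6714, @@ -6760, @@ -6783 and @@ -6829 inspect the whole array; a value such as `["RS256", "none"]` would pass this test. Unless the claim is nested one level deeper than the others (which the description does not suggest), drop the index: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",`.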
@@ -6760,20 +6067,32 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
- "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
+ "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -6783,20 +6102,32 @@
 },
 {
 "test": {
- "name": "Does the OP verify the HTTP method of the Revocation request",
- "description": "The revocation request must be sent via HTTP POST",
+ "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -6806,20 +6137,29 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain access token",
- "description": "The Token response is analyzed and the presence of the access token is checked",
+ "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -6829,20 +6169,32 @@
 },
 {
 "test": {
- "name": "Does the OP issue the access tokens when requested",
- "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
+ "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -6852,20 +6204,27 @@
 },
 {
 "test": {
- "name": "Does the OP issue the expires_in in a token response",
- "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "expires_in"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
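Review bot: The name promises a "correct" `exp` parameter, but the schema only establishes that it is a non-negative integer, so an already-expired entity configuration passes; the same holds for the `iat` test in the hunk at @@ -6875. A static JSON schema cannot compare against the current time, so either reword the description to what is actually verified, e.g. `"description": "... the exp parameter is checked to be present and to be a non-negative integer; whether it lies in the future is not evaluated"`, or add a separate time-based check if the tool offers one.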
@@ -6875,20 +6234,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "id_token"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -6898,20 +6264,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the token type",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token_type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ }
+ ]
 }
 ]
 }
@@ -6921,20 +6294,27 @@
 },
 {
 "test": {
- "name": "Does the HTTP status code of the UserInfo response is 200",
- "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
+ "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "is present": true,
- "check param": "HTTP/?\\d?\\.?\\d?\\s200"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
+ }
+ ]
 }
 ]
 }
@@ -6944,8 +6324,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the OP metadata contain correct type issuer parameter",
+ "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
 "type": "passive",
 "sessions": [
 "s1"
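Review bot: The `authority_hints` schema only asserts `"type": "array"`, so an empty array or an array of non-strings satisfies the test, although in OpenID Federation the claim is a list of entity identifiers (URLs) and an OP that is not a trust anchor is expected to name at least one superior. An item constraint keeps the check honest: inside the escaped schema string use `\"authority_hints\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"format\": \"uri\"}}`. Keep in mind that `format` is an annotation by default in JSON Schema and is enforced only if the validator opts in; the `issuer` check started by the second hunk here (@@ -6944, continued at @@ -6956) relies on it as well.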
@@ -6956,13 +6336,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
 }
 ]
 }
@@ -6974,8 +6354,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the OP metadata contain correct type logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6986,13 +6366,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
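Review bot: The `issuer` schema in the hunk at @@ -6956 relies on `"format": "uri"` to enforce the description's "URL with no query or fragment component", but `format` is an annotation by default in JSON Schema (enforced only when the validator opts in) and the `uri` format permits query and fragment anyway. A pattern expresses the stated requirement directly: `\"issuer\":{\"type\":\"string\", \"pattern\":\"^https://[^?#]+$\"}`. The `logo_uri` schema in the hunk at @@ -6986 carries the same `format` caveat, and its pattern `^(https?://)` accepts plain `http://` logos; if the profile requires HTTPS there, tighten it to `^https://`.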
@@ -7004,8 +6384,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7021,8 +6401,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
 }
 ]
 }
@@ -7034,8 +6414,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
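Review bot: The `request_authentication_methods_supported` schema in the hunk at @@ -7021 has no `required` entry and no `minItems`, so an empty object `{}` or `{"authorization_endpoint": []}` satisfies it even though the name says the claim's value is being checked. If the profile expects the authorization endpoint to be listed with `request_object` (the `const` suggests so), state it in the schema: `"required": ["authorization_endpoint"]` at the top level and `"minItems": 1` on the array schema, both inside the escaped string.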
@@ -7046,13 +6426,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -7064,8 +6444,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7081,8 +6461,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
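Review bot: The `metadata` schema in the hunk at @@ -7046 lists all six metadata types under `required`, so an OP entity configuration that publishes only `openid_provider` and `federation_entity` fails this test, while the description only says the keys must be among those types. `"additionalProperties": false` already expresses the allow-list; drop the `required` array, or reduce it to the types an OP must publish. The "only once" part of the description is not verified here either: a JSON parser has already collapsed duplicate keys by the time the schema runs, so repeated types cannot be detected from the decoded payload.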
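Review bot: The `trust_marks` schema in the hunk at @@ -7081 types the claim as an object whose values are arrays, but the description, and the OpenID Federation definition of `trust_marks`, call for a JSON array of trust mark objects, so a conforming entity configuration fails this test. Replace the inner schema with `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}` inside the escaped string.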
@@ -7094,25 +6474,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
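Review bot: The new `decode param` `(?<=\"access_token\": \")[^\"]+` requires exactly one space after the colon, so a compactly serialized token response (`"access_token":"…"`) yields no match and the JWT is never decoded; the regex this commit removes from the old Token-response tests tolerated `\\s?`, and the same rigid form is reused in the hunks at @@ -7124 and @@ -7154. Use `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"`, which keeps the lookbehind bounded. Separately, `aud` is typed as an array only, while RFC 7519 §4.1.3 also allows a single string, and its value is not compared to anything, so the description's "is the identifier of the resource server" is not what the check verifies.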
@@ -7124,25 +6504,25 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.authority_hints",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
@@ -7154,25 +6534,25 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -7184,8 +6564,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
- "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
+ "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7200,9 +6580,9 @@
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is present": "true"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -7214,8 +6594,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header",
- "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.",
+ "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
+ "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7230,9 +6610,9 @@
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
- "is present": "true"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -7244,8 +6624,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header",
- "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.",
+ "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7260,9 +6640,9 @@
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.typ",
- "is present": "true"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
 }
 ]
 }
@@ -7274,8 +6654,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7286,13 +6666,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
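Review bot: The new `decode param` in the hunk at @@ -7286, `(?<=id_token: \")([^\"]+)`, looks for the unquoted key `id_token: "`, but in a JSON token response the key is quoted (`"id_token": "`), so the lookbehind never matches and the ID token is never decoded; the same regex is used in the hunk at @@ -7316, while the ID-token tests at @@ -7346 and @@ -7376 use the quoted form. Align them on one pattern that also tolerates compact serialization: `"decode param": "(?<=\"id_token\":\\s?\")[^\"]+"`.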
@@ -7304,8 +6684,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7316,13 +6696,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.client_id",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -7334,8 +6714,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7346,13 +6726,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" } ] } @@ -7364,8 +6744,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", "type": "passive", "sessions": [ "s1" @@ -7376,13 +6756,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" } ] } 
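Review bot: The 'iss' schema string in the first hunk ends with a stray `)` after the closing brace (`\"required\":[\"iss\"]})`), so the value handed to `json schema compliant` is not valid JSON and the check will presumably fail or be skipped rather than verify the issuer. Suggested line: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\": [\"iss\"]}"`. The enclosing test objects start outside the hunks on this line.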
@@ -7394,25 +6774,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.sub", + "is": "X_url_OP" } ] } 
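Review bot: The description of the new Entity Configuration 'sub' test says the value "must be equal to the one in the iss parameter", but the check compares `$.sub` against the fixed placeholder `X_url_OP` rather than against `$.iss` of the same payload; the two only agree if the placeholder is resolved to the OP's issuer identifier. If that is the intended mechanism, the description should say so, e.g. `"description": "... the sub parameter is checked. Its value must be the OP entity identifier (X_url_OP), which is also the iss value"`. The description also says "Base64 encoding" where the JWT payload is base64url encoded, as the other descriptions in this file state.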
@@ -7424,25 +6804,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" } ] } 
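Review bot: The new JSONPath `$.metadata.openid_provider.authorization_response_iss_parameter_supported.value` appends `.value` to a claim that is a plain boolean in OP metadata, so unless mig-t wraps claims in a `{"value": ...}` object this path resolves to nothing and the test cannot pass; the same `.value` suffix appears in the `claims_parameter_supported` hunk on the next line and the `request_parameter_supported` hunk after it. Suggested line: `"check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",`. The description still says only "the presence ... is checked" while the check asserts `"is": "true"`, so one of the two should be aligned; whether `"is": "true"` matches a JSON boolean depends on the tool's comparison and is worth confirming.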
@@ -7454,25 +6834,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" } ] } 
@@ -7484,25 +6864,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } @@ -7514,24 +6894,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.exp", "is present": "true" } ] 
@@ -7544,24 +6924,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.iat", "is present": "true" } ] @@ -7574,24 +6954,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr", + "check": "$.iss", "is present": "true" } ] 
@@ -7604,24 +6984,24 @@ }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.at_hash", + "check": "$.jwks", "is present": "true" } ] @@ -7634,24 +7014,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata", "is present": "true" } ] 
@@ -7664,24 +7044,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.sub", "is present": "true" } ] @@ -7694,24 +7074,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.authority_hints", "is present": "true" } ] 
@@ -7724,24 +7104,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.trust_marks", "is present": "true" } ] @@ -7754,8 +7134,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" @@ -7766,12 +7146,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.jti", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
@@ -7784,8 +7164,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -7796,12 +7176,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.nonce", + "in": "header", + "check": "$.kid", "is present": "true" } ] @@ -7814,8 +7194,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", "type": "passive", "sessions": [ "s1" @@ -7826,12 +7206,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.sub", + "in": "header", + "check": "$.typ", "is present": "true" } ] 
@@ -7844,20 +7224,27 @@ }, { "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "code" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -7867,20 +7254,27 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "state" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } 
@@ -7890,20 +7284,27 @@ }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "iss" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -7913,21 +7314,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_OP" + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
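Review bot: This hunk replaces the only `"jwt check sig": "X_key_OP"` operation for the OP Entity Configuration with a claim-presence check, and the next two lines do the same for the Access Token and ID Token (`X_key_core_OP`). If these signature-verification tests are not re-added elsewhere in the file, the suite still decodes and inspects the tokens but no longer verifies that they are signed by the OP, which is the property the removed descriptions were stating. If the move is intentional, a short note in the commit description naming where the signature tests now live would help reviewers; the enclosing array continues outside these hunks.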
@@ -7937,8 +7344,8 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -7951,7 +7358,13 @@ "from": "body", "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
@@ -7961,8 +7374,8 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -7973,9 +7386,15 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } 
@@ -7985,29 +7404,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "check": "$.scope", + "is present": "true" } ] } 
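Review bot: From this hunk through the last one on the page, the tests that pinned OP metadata values (`acr_values_supported`, `code_challenge_methods_supported`, `grant_types_supported`, the `id_token_*_values_supported` claims, `issuer`, `request_object_signing_alg_values_supported`, `token_endpoint_auth_methods_supported`, `token_endpoint_auth_signing_alg_values_supported`) are replaced by presence-only checks on token claims that this same patch moves from earlier in the file. As far as this page shows, the value constraints (for example `code_challenge_methods_supported` limited to `S256`) are dropped rather than relocated; if they are kept in another file from the diffstat, a line in the commit description saying so would make the coverage change easy to verify. The enclosing arrays start and end outside these hunks.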
@@ -8019,27 +7434,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] + "check": "$.sub", + "is present": "true" } ] } 
@@ -8051,28 +7464,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] + "in": "header", + "check": "$.alg", + "is present": "true" } ] } 
@@ -8084,28 +7494,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -8117,28 +7524,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.acr", + "is present": "true" } ] } 
@@ -8150,28 +7554,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.at_hash", + "is present": "true" } ] } 
@@ -8183,27 +7584,25 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" } ] } 
@@ -8215,28 +7614,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.exp", + "is present": "true" } ] } 
@@ -8248,27 +7644,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", - "is in": [ - "private_key_jwt" - ] + "check": "$.iat", + "is present": "true" } ] } 
@@ -8280,28 +7674,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.iss", + "is present": "true" } ] } 
@@ -8313,28 +7704,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.jti", + "is present": "true" } ] } 
@@ -8346,27 +7734,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported[0]", - "is in": [ - "automatic" - ] + "check": "$.nonce", + "is present": "true" } ] } 
@@ -8378,28 +7764,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" - ] + "check": "$.sub", + "is present": "true" } ] } 
@@ -8411,29 +7794,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } @@ -8443,29 +7817,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
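Review bot: The check `"in": "url", "is present": true, "check": "POST"` looks for the literal text POST inside the request URL, which is not where the HTTP method lives; a GET whose URL happens to contain that string would pass and a correct POST to a plain revocation endpoint would fail. If the framework exposes the request line through `"in": "head"`, a pattern such as `"check regex": "^POST\\s"` would test the method itself. The exact selector the mig-t DSL provides for the method is not visible in this chunk and should be confirmed before changing the test.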
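Review bot: `"is present": true` is written as a JSON boolean in this hunk and in the five Token/UserInfo response hunks that follow, while every other test in this chunk (the ID Token payload hunks above, the EC response hunks below) writes `"is present": "true"` as a string. Unless the loader coerces both forms, one of them is silently ignored or fails at load time; a single spelling should be used across the file. In addition, this test and the next hunk's "Does the OP issue the access tokens when requested" run the identical `"check regex": "access_token"` operation on the same message type, so one of them is redundant as written.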
@@ -8475,32 +7840,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
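Review bot: `"check regex": "access_token"` is a bare substring match on the body, so an error response whose description mentions access_token, or a body where the value is the empty string, satisfies it. Anchoring on the key/value shape, e.g. `"check regex": "\"access_token\"\\s*:\\s*\"[^\"]+\""`, checks that a non-empty token was actually issued. The same remark applies to the `expires_in`, `id_token` and `token_type` presence hunks that follow.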
@@ -8510,29 +7863,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } 
@@ -8542,30 +7886,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } 
@@ -8575,30 +7909,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } 
@@ -8608,30 +7932,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "message type": "UserInfo response", + "checks": [ + { + "in": "head", + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } 
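Review bot: This hunk uses `"check param": "HTTP/?\\d?\\.?\\d?\\s200"` for the UserInfo status line, whereas the two Entity Configuration response hunks later in this chunk use `"check regex"` with the identical pattern. If `check param` is a header-name lookup, the pattern is treated as a literal name, never matches, and this status test can never pass. `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` would align it with the other two; which keyword the framework expects for regex matching on the head is inferred from the sibling tests and should be confirmed.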
@@ -8641,31 +7955,21 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] - } - ] + "jwt check sig": "X_key_OP" } ] } 
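Review bot: The description states that the verification key must be taken from the Entity Statement of a superior, but the operation verifies with `"jwt check sig": "X_key_OP"`, the same placeholder family the file uses for the OP's own keys. If that placeholder resolves to the key published in the OP's own Entity Configuration, the test only confirms that the document is self-consistent, not that the federation vouches for it. Either point the placeholder at the TA-published key or state in the description that self-signature is all this test establishes. What `X_key_OP` resolves to is not visible in this chunk.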
@@ -8675,21 +7979,21 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the OP correctly sign the Access Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "jwt check sig": "X_key_core_OP" } ] } 
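Review bot: The description says the signature is made "in such a way to be decrypted using its public key"; signature verification is not decryption, and the phrase will mislead readers who later extend the test. Suggested wording: `The signature is made with the OP's private key and verified with the corresponding public key`; the ID Token hunk that follows carries the same sentence. Separately, these two hunks verify against `X_key_core_OP` while the Entity Configuration hunk uses `X_key_OP`; if both are meant to be the key published in the EC, the reason for a distinct placeholder should be documented.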
@@ -8699,21 +8003,21 @@ }, { "test": { - "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", - "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", + "name": "Does the OP correctly sign the ID Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "jwt check sig": "X_key_core_OP" } ] } 
@@ -8759,28 +8063,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88
ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", - "is": "JWT" - } - ] + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] } 
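Review bot: The header lookup here is written `"in": "head", "check": "Content-Type"`, while the other header checks in this chunk use `"check param": "Location"` and, in the removed lines, `"check param": "Content-Type"`; if `check` is only meaningful for JSONPath-style selectors, this test never inspects the header at all. In addition, `"is": "application/json"` is an exact comparison that fails on the common `application/json; charset=utf-8`; `"contains": "application/json"`, a keyword the file already uses, would accept both. The enclosing test definition starts before this hunk.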
@@ -8790,28 +8086,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstq
MI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } @@ -8821,8 +8109,8 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" @@ -8840,7 +8128,7 @@ { "in": "header", "check": "$.cty", - "is present": "true" + "is": "JWT" } ] } 
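Review bot: `"check": "token_type", "is": "Bearer"` is an exact, case-sensitive comparison, but RFC 6749 §5.1 defines `token_type` as case-insensitive, so a server returning `bearer` is compliant yet fails this test. If the DSL offers a regex form on the body, `"check regex": "\"token_type\"\\s*:\\s*\"[Bb]earer\""` would accept both spellings; otherwise the description should state that only the exact `Bearer` spelling is accepted. As with the Content-Type hunk above, `"check"` rather than `"check param"` is used for a non-JSONPath selector, which should be confirmed against the DSL.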
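Review bot: The `-8821` hunk tightens the `cty` check to `"is": "JWT"` but leaves the rest of the test untouched, and the removed copies of the same UserInfo JWE tests in the surrounding hunks show that this test family is defined with a full RSA private key inlined under `jwe decrypt`. If the copy kept here still embeds that key, it should be referenced through a placeholder in the style of `X_key_OP` used by the signature checks, and any key that has already been committed should be treated as disclosed and rotated wherever it is in real use. The enclosing test definition starts outside this hunk, so whether the inline key survives in the new file cannot be confirmed from this chunk.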
@@ -8852,28 +8140,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMRO
P8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "code" } ] } 
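Review bot: `"check param": "Location", "contains": "code"` is a substring test on the redirect URL, so it is satisfied by any value containing those letters (for example an `error_description` that mentions the code), not by the presence of the query parameter; the `iss` and `state` tests in the following hunk have the same weakness, and `iss` in particular matches words such as "missing". Using `"contains": "code="` here and `"contains": "iss="` / `"contains": "state="` in the next hunk ties each test to the actual parameter name. A regex anchored on `[?&]code=` would be stricter still if the framework supports `check regex` on headers.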
@@ -8883,28 +8163,43 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtzi
M\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "iss" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check param": "Location", + "contains": "state" } ] } 
@@ -8984,26 +8279,27 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" + "in": "header", + "check": "$.alg", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -9016,20 +8312,20 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Entity Configuration response TA", "checks": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -9039,20 +8335,20 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain correct type of client_id of the RP making the request",
- "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
+ "message type": "Entity Configuration response TA",
 "checks": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
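Review bot: The "expose the /.well-known/openid-federation endpoint" test only asserts a 200 status line, so any page served at that path passes even though the description says the entity configuration "is expected as response"; it is also operationally identical to the test in the previous hunk, so one of the two is redundant as written. To make this test check what it claims, keep the status check and add a `decode operations` entry (`"from": "body"`, `"decode param": "[^\\r\\n]*"`, `"type": "jwt"`) whose check is `"in": "payload", "check": "$.metadata", "is present": "true"`, which is the pattern already used elsewhere in this file. The enclosing test object ends outside the hunk.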
@@ -9062,20 +8358,63 @@
 },
 {
 "test": {
- "name": "Does the client_id in the token request contain an HTTPS URL",
- "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of",
+ "is subset of": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['S256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
+ "is subset of": [
+ "S256"
+ ]
+ }
+ ]
 }
 ]
 }
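Review bot: Both new checks in this hunk walk `$.metadata_policy.intermediary.…` while their descriptions say the parameter is checked "inside the openid_provider type"; `intermediary` is not one of the metadata entity types, and the sibling test at the `token_endpoint_auth_methods_supported` hunk uses `$.metadata_policy.openid_provider.…` for the same family of checks. If the path never resolves, the OP metadata policy is never actually constrained by these tests, so the path should be `"check": "$.metadata_policy.openid_provider.acr_values_supported.subset_of"` (and likewise for `code_challenge_methods_supported`). The same `intermediary` segment appears in every OP-policy hunk that follows, up to the `userinfo_signing_alg_values_supported` one. The second description also appears to contain a raw line break inside the string literal after "is checked."; if that is a real control character in the file rather than a rendering artifact, a strict JSON parser will reject the document. The first test's `result` line shows the test object closes inside the hunk; the second test continues outside it.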
@@ -9085,32 +8424,27 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr_values",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3",
- "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3"
+ "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of",
+ "is subset of": [
+ "refresh_token",
+ "authorization_code"
 ]
 }
 ]
@@ -9123,27 +8457,27 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.prompt",
- "is in": [
- "consent",
- "consent login"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
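Review bot: The new check path ends in `.one_of` while the description two lines above says the policy "must contain the key 'subset_of'", so either the documented contract or the assertion is wrong, and a reader cannot tell which policy operator the TA is being held to. The same description/path disagreement recurs in the later hunks for `id_token_signing_alg_values_supported`, `response_types_supported`, `revocation_endpoint_auth_methods_supported`, `subject_types_supported`, `token_endpoint_auth_methods_supported`, `token_endpoint_auth_signing_alg_values_supported`, the three `userinfo_*` entries, `client_registration_types` and `id_token_encrypted_response_alg`/`_enc`. Pick one operator per parameter and make the text match, e.g. here `"check": "$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported.subset_of"` if `subset_of` is intended. The enclosing test object continues past the hunk.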
@@ -9156,31 +8490,27 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
- "is in": [
- "openid",
- "openid profile",
- "openid email",
- "openid offline_access",
- "openid offline_access profile",
- "openid offline_access email"
+ "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
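Review bot: The check path here starts with `$..metadata_policy` (recursive descent) whereas every sibling check in this series uses `$.metadata_policy`; the deep-scan form would also match a `metadata_policy` object nested anywhere in the statement payload, which is not what the test is meant to constrain and looks like a typo. Use the anchored form `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of"` so the signing-algorithm restriction applies to the top-level policy only. The enclosing test object continues past the hunk.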
@@ -9193,25 +8523,28 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9223,25 +8556,28 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}"
+ "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
+ "is subset of": [
+ "form_post",
+ "query"
+ ]
 }
 ]
 }
@@ -9253,15 +8589,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9270,8 +8606,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
+ "is subset of": [
+ "code"
+ ]
 }
 ]
 }
@@ -9283,15 +8621,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9300,8 +8638,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
+ "is subset of": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
@@ -9313,15 +8653,15 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9330,8 +8670,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
+ "is subset of": [
+ "openid",
+ "offline_access",
+ "profile",
+ "email"
+ ]
 }
 ]
 }
@@ -9343,25 +8688,27 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['pairwise']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
+ "is subset of": [
+ "pairwise"
+ ]
 }
 ]
 }
@@ -9373,25 +8720,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type of 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"
+ "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
+ "is subset of": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
@@ -9403,25 +8752,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type grant_types claim",
- "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9433,15 +8785,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter",
- "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9450,8 +8802,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -9463,15 +8818,15 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token",
- "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -9480,8 +8835,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -9493,25 +8851,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9523,25 +8884,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'response_types' parameter as a json",
- "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}"
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
+ ]
 }
 ]
 }
@@ -9553,15 +8916,15 @@
 },
 {
 "test": {
- "name": "Does the RP's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -9570,8 +8933,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_token"
+ ]
 }
 ]
 }
@@ -9583,25 +8949,28 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain a correct aud claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -9613,25 +8982,27 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain a correct exp claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
 }
 ]
 }
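Review bot: The `is subset of` array added here holds a single element, `"A128CBC-HS256\" , \"A256CBC-HS512"`, whose value is the literal text `A128CBC-HS256" , "A256CBC-HS512` because the inner quotes are escaped; a policy listing the two real content-encryption algorithms can never be a subset of that one malformed string, so the test cannot pass against a correct TA. The same slip is in the next hunk for `id_token_signed_response_alg` (`"RS256\" , \"RS512"`). Both should be two separate elements, here `"A128CBC-HS256",` and `"A256CBC-HS512"`, matching how the OP-side hunks for `id_token_encryption_enc_values_supported` and `userinfo_encryption_enc_values_supported` spell the same list. The enclosing test object continues past the hunk.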
@@ -9643,25 +9014,27 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain a correct iat claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256\" , \"RS512"
+ ]
 }
 ]
 }
@@ -9673,25 +9046,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is subset of": [
+ "code"
+ ]
 }
 ]
 }
@@ -9703,25 +9078,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'client_registration_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_registration_types",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
 }
 ]
 }
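Review bot: The expected token_endpoint_auth_method value `"private_key"` on the new `is subset of` line is not a registered method name; the OpenID Connect method for JWT client assertions is `private_key_jwt`, so if that is what the TA's policy carries, this check (and the identical one in the SA token_endpoint_auth_method hunk further down) would never pass. If `private_key` really is the value the TA emits, a short sentence in the description saying so would keep the next reader from "correcting" it. The enclosing test object continues outside the hunk.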
@@ -9733,25 +9110,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the contacts claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -9763,25 +9143,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -9793,25 +9175,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the grant_types claim",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9823,25 +9208,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the homepage_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
+ ]
 }
 ]
 }
@@ -9853,25 +9240,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_toke"
+ ]
 }
 ]
 }
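Review bot: The second element of the new `is subset of` list is `"refresh_toke"`, which the description in the same hunk spells as 'refresh_token'; as written the check compares against a value no grant_types policy will contain, so the test either fails or silently passes depending on how a missing expected value is treated. The line should read `"refresh_token"`. The description's "values with" also reads as a slip for "valued with", matching the sibling tests. The enclosing test object continues outside the hunk.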
@@ -9883,25 +9273,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -9913,25 +9306,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'redirect_uris' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.redirect_uris",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -9943,25 +9339,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'grant_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -9973,25 +9372,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is subset of": [
+ "code"
+ ]
 }
 ]
 }
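Review bot: The new check path `$.metadata_policy.openid_relying_party.response_types.value` reads the RP entity type, while the test name, the description ("inside the intermediary type") and the message type `Entity Statement response TA SA` are all about the SA, and every neighbouring SA test reads `$.metadata_policy.intermediary.…`; this looks like a carry-over from the RP response_types test above. The line should presumably be `"check": "$.metadata_policy.intermediary.response_types.value",`. The enclosing test object continues outside the hunk.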
@@ -10003,25 +9404,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.signed_jwks_uri",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
 }
 ]
 }
@@ -10033,25 +9436,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
+ ]
 }
 ]
 }
@@ -10063,25 +9469,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
+ ]
 }
 ]
 }
@@ -10093,25 +9502,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -10123,27 +9535,21 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the organization_name claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
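Review bot: The new header check compares Content-Type with `"is": "application/entity-statement+jwt"`; if `is` is an exact string comparison, a response whose header carries a media-type parameter after the type would be reported as non-compliant even though the media type itself is right, so it is worth confirming how `is` treats such parameters, or stating in the description that the value must be parameter-free. The name and description speak of "the entity" in general while the operation only targets `Entity Configuration response TA`; if the OP, RP and SA responses are meant to be covered as well, either add the sibling operations or narrow the wording to the TA. The enclosing test object continues outside the hunk.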
@@ -10153,85 +9559,116 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the policy_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
+ ]
 }
 ]
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
+ ]
 }
 ]
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
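Review bot: The first two new tests carry the identical name "Does the issued intermediary Trust Mark contain a correct sa_profile claim" and an identical description saying the Trust Mark is "issued for an SA", yet one reads `$.trust_marks[0].trust_mark` from `Entity Statement response TA OP` and the other from `Entity Statement response TA RP`, so a report cannot tell them apart and neither description matches the message actually inspected; the third test's description likewise says "issued for an TA" while its message type is `Entity Statement response TA OP`. The descriptions also say the Trust Mark is "decrypted", but the operation is a `"type": "jwt"` decode of a signed token, so "decoded" is the accurate word. The outer decode operation reintroduces the `"decode regex"` key that the metadata-policy hunks above rename to `"decode param"`, while the inner operation uses `"decode param"`; the same mix appears in every Trust Mark test through the organization_name hunk, and a one-line note on which key the tool honours would settle it. Finally, only `trust_marks[0]` is inspected, so the verdict depends on the order in which the entity lists its Trust Marks; if the intent is "some Trust Mark carries sa_profile", that assumption belongs in the description. The enclosing array continues outside the hunk.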
@@ -10243,25 +9680,32 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10273,25 +9717,32 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10303,25 +9754,32 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'response_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10333,25 +9791,32 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct value of 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "is": "x_https_RP"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10363,25 +9828,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration RP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_RP"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10393,20 +9865,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain correct type of client_assertion_type",
- "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "client_assertion_type",
- "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10416,20 +9902,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain correct client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "client_id",
- "is": "X_url_RP"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10439,20 +9939,34 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain correct client_assertion_type",
- "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "client_assertion_type",
- "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10462,20 +9976,34 @@
 },
 {
 "test": {
- "name": "Does the client_assertion_type parameter in the token request contain the correct type",
- "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "client_assertion_type",
- "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10485,20 +10013,34 @@
 },
 {
 "test": {
- "name": "Does the client_id in the token request identifies the RP",
- "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "client_id",
- "is": "X_https_RP"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10508,20 +10050,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
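Review bot: The description says this Trust Mark is issued for an AA (oauth_resource profile), but the operation reads `"message type": "Entity Statement response TA OP"`, so the presence of `policy_uri` is checked on the Trust Mark the TA issued to the OP; the same mismatch appears in the service_documentation and tos_uri tests on the TA OP statement and in the claims, policy_uri, service_documentation and tos_uri tests on the TA RP statement. If these oauth_resource tests are meant to run against every subject's statement, the description should say so; if they are AA-only, the message type should point at the AA statement. As written, someone reading a failing result cannot tell whether the OP's Trust Mark was expected to carry `policy_uri` at all.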
@@ -10531,20 +10087,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10554,20 +10124,34 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10577,20 +10161,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain correct type token",
- "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10600,20 +10198,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10623,20 +10235,34 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain correct type of client assertion",
- "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10646,20 +10272,34 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain correct type of token for which the request is made",
- "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10669,20 +10309,34 @@
 },
 {
 "test": {
- "name": "Does the client_assertion in the token request contain a JWT",
- "description": "The client_assertion parameter in the token request sent by the RP must be a JWT",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10692,20 +10346,34 @@
 },
 {
 "test": {
- "name": "Does the token request use HTTP POST",
- "description": "The token request sent by the RP must be sent in HTTP POST",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "POST",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10715,20 +10383,34 @@
 },
 {
 "test": {
- "name": "Does the RP contain a valid Access Token in the UserInfo request",
- "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10738,20 +10420,34 @@
 },
 {
 "test": {
- "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
- "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "code_challenge"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
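Review bot: The added check uses the JSON string `"is present": "true"` while the removed check directly above it used the boolean `"is present": true`, so the file has carried both spellings and this commit adds more of the string form. If mig-t compares the raw value, one of the two forms silently never matches; if it stringifies, both work but the type inconsistency remains a trap for the next author. I can't tell from the diff which form the loader accepts, but a single form throughout, preferably the JSON boolean, would remove the ambiguity.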
@@ -10761,20 +10457,34 @@
 },
 {
 "test": {
- "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
- "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "code_challenge_method"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
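Review bot: This test's `name` is almost identical to the one added earlier for the TA OP statement, and the iss, logo_uri, organization_name, organization_type, ref, sub, policy_uri, service_documentation and tos_uri tests are duplicated verbatim between the TA OP and TA RP hunks; the only thing that differs is the `message type`. Any report or log keyed on test names will not show which subject's Trust Mark failed. Putting the subject in the name, e.g. `"name": "Does the Trust Mark issued to the RP contain the id_code claim with ipa_code"`, would keep the two variants distinguishable.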
@@ -10784,20 +10494,34 @@
 },
 {
 "test": {
- "name": "Does the RP insert the client ID in the url of the request",
- "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "client_id"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10807,20 +10531,34 @@
 },
 {
 "test": {
- "name": "Does the RP insert the response type in the url of the request",
- "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "response_type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10830,20 +10568,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion",
- "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10853,20 +10605,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion_type",
- "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10876,20 +10642,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
- "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10899,20 +10679,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10922,20 +10716,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the token",
- "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10945,20 +10753,34 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request use HTTP POST",
- "description": "The Introspection request made by the RP use HTTP POST",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10968,20 +10790,34 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client assertion",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -10991,20 +10827,34 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client_assertion_type",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -11014,20 +10864,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client_id of the RP making the request",
- "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11037,20 +10894,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the token for which the request is made",
- "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11060,20 +10924,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion",
- "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11083,20 +10954,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion_type",
- "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
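Review bot: `$.metadata.federation_entity.federation_fetch_endpoint` is only checked for presence, and the list, resolve and trust-mark-status endpoint tests that follow do the same. These URLs are where other federation participants will fetch statements from, so a TA that publishes a plain-http or malformed endpoint passes these tests unchanged; the removed tests in this file used `"is"` and `"check regex"` for value checks, though I can't confirm from the diff that those apply to a decoded payload value. If they do, pairing each presence check with a value check such as `"check regex": "^https://"` on the same path would close that gap.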
@@ -11106,20 +10984,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_id",
- "description": "The token request sent by the RP must contain client_id parameter in the URL",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11129,20 +11014,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the code parameter",
- "description": "The token request sent by the RP must contain code parameter in the URL",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "code"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11152,20 +11044,27 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the Entity's metadata contain the homepage_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" + } + ] } ] } @@ -11175,20 +11074,27 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the Entity's metadata contain the logo_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "grant_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" + } + ] } ] } 
@@ -11198,20 +11104,27 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the Entity's metadata contain the organization_name parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" + } + ] } ] } 
@@ -11221,20 +11134,27 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the Entity's metadata contain the policy_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" + } + ] } ] } 
@@ -11244,24 +11164,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", "is present": "true" } ] 
@@ -11274,24 +11194,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", "is present": "true" } ] 
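Review bot: The description says the authorization_response_iss_parameter_supported policy "must contain the key 'one_of'", but the check path ends in `.value`, so the test verifies a different policy operator than it documents. The same description/path disagreement ('one_of' described, `.value` checked) is in the claims_parameter_supported hunk and the request_parameter_supported key hunk further down. Either the path should be `"check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.one_of"` or the description should name `value`; the name "a correct … parameter key" does not say which, so naming the operator in the test name would make such drift visible at a glance.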
@@ -11304,24 +11224,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", "is present": "true" } ] 
@@ -11334,24 +11254,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", "is present": "true" } ] 
@@ -11364,24 +11284,24 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", "is present": "true" } ] 
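Review bot: This test is named and described as a presence check for client_registration_types_supported, yet its path already descends to `.subset_of`, making it byte-identical in effect to the "correct … parameter key" test in the next hunk. The sibling presence/key pairs in this commit (authorization_response_iss_parameter_supported, claims_parameter_supported, request_parameter_supported) check the parent path in the presence test, so this one should read `"check": "$.metadata_policy.openid_provider.client_registration_types_supported"`. As written, a policy that carries the parameter with a different operator would fail both tests with no indication that it is present.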
@@ -11394,24 +11314,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", "is present": "true" } ] 
@@ -11424,24 +11344,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", "is present": "true" } ] 
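Review bot: The check path is `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`, but the name and description say the parameter is inspected inside the openid_provider type, and every other OP policy test in this series uses `$.metadata_policy.openid_provider.…`. Unless `intermediary` is a metadata type this TA actually publishes (nothing on the page suggests it), the test will report the parameter as absent for a compliant policy. The response_types_supported, revocation_endpoint_auth_methods_supported and subject_types_supported hunks below have the same `intermediary` segment, and in addition their descriptions say the key must be 'one_of' while their paths check `.subset_of`; each of those should be brought in line with its description or the description corrected.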
@@ -11454,24 +11374,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.jwks", "is present": "true" } ] 
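Review bot: The check path `$.jwks` inspects the top-level jwks claim of the entity statement, not a parameter "inside the openid_provider type" of the metadata_policy as the name and description state. If the intent is the top-level signing keys, the name and description should say so; if the intent is the policy on the OP's jwks, the path would be `"check": "$.metadata_policy.openid_provider.jwks"`. The description also says the value "must contain the RP JWKS" although this is an OP entity statement, which looks like a copy-paste remnant.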
@@ -11484,24 +11404,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.redirect_uri", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", "is present": "true" } ] 
@@ -11514,24 +11434,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.response_type", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", "is present": "true" } ] 
@@ -11544,24 +11464,24 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", "is present": "true" } ] 
@@ -11574,24 +11494,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.state", + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", "is present": "true" } ] 
@@ -11604,24 +11524,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", "is present": "true" } ] 
@@ -11634,24 +11554,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", "is present": "true" } ] 
@@ -11664,24 +11584,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", "is present": "true" } ] 
@@ -11694,24 +11614,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", "is present": "true" } ] 
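Review bot: The check path starts with `$..metadata_policy`, a recursive-descent JSONPath that matches a metadata_policy object at any depth, while every other test in this commit uses the exact `$.metadata_policy` root. The recursive form would also accept a nested object that happens to be named metadata_policy, so the test is looser than its siblings for no stated reason; `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of"` matches the rest of the file. The description should also name the operator being checked (subset_of), as the other "parameter key" tests do.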
@@ -11724,24 +11644,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", "is present": "true" } ] 
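Review bot: The description says the client_registration_types policy "must contain the key 'one_of'" but the path checks `.subset_of`, so the documented and the verified operator differ. The opposite mismatch appears in the RP hunks that follow: id_token_encrypted_response_alg, id_token_encrypted_response_enc, id_token_signed_response_alg, userinfo_encrypted_response_alg, userinfo_encrypted_response_enc and userinfo_signed_response_alg all describe 'subset_of' while their paths check `.one_of`. Since these are the tests that decide whether a TA actually restricts the algorithms an RP may register, each description and path should be reconciled before the suite is relied on; the response_types and token_endpoint_auth_method hunks are the only RP ones where the two already agree.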
@@ -11754,24 +11674,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -11784,24 +11704,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -11814,24 +11734,24 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -11844,24 +11764,24 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
@@ -11874,24 +11794,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -11904,24 +11824,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -11934,24 +11854,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
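Review bot: Same description/check mismatch as the sibling RP tests: the text promises `'subset_of'` while the path ends in `.userinfo_encrypted_response_enc.one_of`. For a single-valued parameter `one_of` is the plausible operator, so I would change the description to `It must contain the key 'one_of'`; whichever way it is resolved, name, description and `check` should agree so a failing result can be read without opening the JSONPath.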
@@ -11964,24 +11884,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
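Review bot: The description says `'subset_of'` but the check reads `.userinfo_signed_response_alg.one_of`. Since this is a single-valued RP parameter, `one_of` is the operator that makes sense and the description should read `It must contain the key 'one_of'`. Note also that the test only asserts the key is present; it no longer constrains the allowed algorithms, which the replaced RP check (`is in ["RS256", "RS512"]` on the old side of this file) did.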
@@ -11994,24 +11914,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", "is present": "true" } ] 
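Review bot: Here the mismatch is inverted: the description says the entry must contain `'one_of'` while the check path is `$.metadata_policy.intermediary.client_registration_types.subset_of`. `client_registration_types` is array-valued, so `subset_of` is the operator that fits and the description should be corrected to `It must contain the key 'subset_of'`. Please also confirm that `intermediary` is the metadata_policy entity-type key the TA actually emits for an SA; every SA test in this patch depends on it, and a wrong key makes all of them fail identically.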
@@ -12024,24 +11944,24 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
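Review bot: Description says `'subset_of'`, check path ends in `.id_token_encrypted_response_alg.one_of`; one of them is wrong. For a single-valued parameter `one_of` is the applicable operator, so the description should say `It must contain the key 'one_of'`. The same pattern repeats in the next SA hunks, so it is worth fixing them together.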
@@ -12054,22 +11974,26 @@ }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is present": "true" + } ] } ] 
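Review bot: The description promises `'subset_of'` but the new check is `$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of`. As with the other single-valued `id_token_*`/`userinfo_*` parameters, `one_of` is the plausible operator and the description should be changed to `It must contain the key 'one_of'`. Presence of the key alone does not enforce any value; if a restricted set of `enc` values is required, add an `is in` check on the same path.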
@@ -12080,15 +12004,15 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -12097,13 +12021,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is present": "true" } ] } 
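Review bot: Description (`'subset_of'`) and check (`.id_token_signed_response_alg.one_of`) disagree; for this single-valued parameter the check is the likely correct one, so change the description to `It must contain the key 'one_of'`. Note this hunk replaces the RP-side test that rejected `none`/`HS*` for `id_token_signed_response_alg` with a presence-only check on the TA policy; unless that value check survives elsewhere in the patch, the suite no longer rejects a symmetric or unsigned ID token algorithm on the RP's own configuration.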
@@ -12115,15 +12034,15 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -12132,10 +12051,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is present": "true" } ] } 
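Review bot: The check path on the new side is `$.metadata_policy.openid_relying_party.response_types.value`, but the test name and description are about an SA, the message type is `Entity Statement response TA SA`, and every sibling SA test reads `$.metadata_policy.intermediary...`; this test therefore inspects a different subtree than the one it claims to validate. I would change it to `"check": "$.metadata_policy.intermediary.response_types.value"`, or, if the SA policy really is keyed under `openid_relying_party`, fix the description and the sibling tests rather than leave one outlier.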
@@ -12147,15 +12064,15 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -12164,13 +12081,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is present": "true" } ] } 
@@ -12182,21 +12094,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_RP" + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is present": "true" + } + ] } ] } 
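Review bot: Description says `'subset_of'` while the check reads `.userinfo_encrypted_response_alg.one_of`; for a single-valued parameter the check is the sensible one, so update the description to `It must contain the key 'one_of'`. Separately, this hunk removes the only test in view that verified the Entity Configuration signature (`"jwt check sig": "X_key_RP"`); if that check was not moved to another file in this patch, the suite no longer detects an unsigned or mis-signed Entity Configuration, which is the root of trust for everything else checked here.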
@@ -12206,21 +12124,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_core_RP" + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is present": "true" + } + ] } ] } 
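Review bot: Description (`'subset_of'`) and check (`.userinfo_encrypted_response_enc.one_of`) disagree; for this single-valued parameter I would fix the description to `It must contain the key 'one_of'`. This hunk also drops the `client_assertion` signature verification (`"jwt check sig": "X_key_core_RP"`) on the token request; please confirm it was relocated rather than deleted, since without it a forged `private_key_jwt` assertion would go unnoticed by this suite.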
@@ -12230,15 +12154,15 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -12247,10 +12171,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is present": "true" } ] } 
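Review bot: Description says `'subset_of'` but the check is `$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of`; change the description to `It must contain the key 'one_of'` (single-valued parameter) or the path to `.subset_of`, but not leave them disagreeing. A presence-only check does not reject `none` or HMAC algorithms; if the policy is expected to constrain them, add an `is not in` check on the same path as the replaced RP test did.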
@@ -12262,30 +12184,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
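Review bot: The regex `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` does not accept base64url in the first two segments: `\w` covers `_` but not `-`, so any Entity Configuration whose header or payload encodes to a string containing `-` will not match and the test reports a missing JOSE body; `=` padding, which it does accept, is not used in base64url at all. A pattern like `"check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]*$"` matches compact JWS and rejects `+`/`/`. The description also says the response must carry `Content-Type: application/entity-statement+jwt`, but no header check is made; the removed check `{"in": "head", "check param": "Content-Type", "is": "application/entity-statement+jwt"}` from the old side of this file would cover it.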
@@ -12295,30 +12207,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
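Review bot: The new `check regex` `[\s*\"[^\"]*\"(?:,\s*\"[^\"]*\")*\s*\]$` is missing the escape on the leading `[` (compare `\\[\\s*...` in the listing test of the next hunk), so the regex engine parses the opening as a character class and the pattern no longer means "JSON list of strings". Beyond the typo, a list-of-strings shape does not fit what the description says the resolve endpoint returns ("resolved metadata for the entity"); if the resolve response is a signed JWT, the JWS regex used for the entity statement tests is the right check here. The description also expects `HTTP 200 OK`, but no status check is present in the operation.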
@@ -12328,30 +12230,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
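Review bot: The description still says "presence and correctness of the resolve entity statement endpoint" although the test is the entity listing endpoint; change it to `In order to check the presence and correctness of the entity listing endpoint, ...`. The regex `\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` also rejects an empty list `[]`, which is a valid listing response for a TA with no subordinates; making the string group optional, e.g. `\\[\\s*(?:\"[^\"]*\"(?:\\s*,\\s*\"[^\"]*\")*)?\\s*\\]$`, avoids a false failure there.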
@@ -12361,30 +12253,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
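Review bot: This test and the one in the next hunk share the identical name "Does the TA correctly release the Entity statements" and differ only in message type, so a report cannot tell the OP and RP cases apart; suffix the names, e.g. `... release the Entity statements (OP)` / `(RP)`. The JWS regex has the same base64url gap noted on the entity-configuration test (`-` not accepted in the header/payload segments), so a perfectly valid Entity Statement can fail this check.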
@@ -12394,29 +12276,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -12426,30 +12299,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
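Review bot: "Does the Entity expose the fetch entity statement endpoint" is used verbatim for both the OP and RP variants (this hunk and the next), so results are ambiguous by name; suffix them with the subject. The description also says a response "containing the resolved metadata" is expected, which is the resolve endpoint's wording; the fetch endpoint returns the subordinate's Entity Statement, so `a response containing the Entity Statement for the entity in the request's sub parameter` is more accurate. Same `-`-in-base64url gap in the regex as the other JWS checks.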
@@ -12459,30 +12322,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -12492,30 +12345,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Public Keys History response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
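Review bot: The regex `\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` only matches a flat JSON array of quoted strings, but a key history is normally a JWK Set-shaped document (an object whose `keys` member is an array of objects, or a signed JWT carrying one), neither of which contains a top-level list of strings; as written the test would fail against a correctly published history. Please confirm the body format the `/.well-known/openid-federation-jwks` endpoint actually returns and match that (for a JWKS, e.g. `"check": "$.keys"` with `"is present": "true"` after a JSON decode). The description should also state the expected format rather than just "the answer is analyzed".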
@@ -12525,26 +12368,26 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
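Review bot: The new decode operation uses `"decode param": "[^\\r\\n]*"`, i.e. a regex under the `param` key, while the rest of this patch converts exactly that construct to `"decode regex": "[^\\r\\n]*"` (see the SA tests above); unless the engine treats both keys the same, this test will not decode the body. The description says the `'subset_of'` key must not contain `RSA_1_5` and that the parameter lives under `openid_provider`, but the check reads `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of`; `*_values_supported` parameters are array-valued, so `subset_of` is the operator to inspect, and the type key should be reconciled with the description. Also confirm the engine supports the new `not contains` operator; the checks it replaces used `is not in`.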
@@ -12557,21 +12400,32 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
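Review bot: Same three issues as the previous OP policy test: `"decode param"` is used with a regex where siblings use `"decode regex"`; the description names `'subset_of'` under `openid_provider` while the path is `$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of`; and for an array-valued `*_values_supported` parameter `subset_of` is the policy operator that would carry `none`/`HS*`. With the check pointed at `.one_of` the test passes vacuously when the TA only sets `subset_of`, so the rejection of symmetric/unsigned algorithms is not actually enforced. This hunk also removes the Content-Type check on the Entity Configuration response; confirm it survives elsewhere.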
@@ -12581,25 +12435,25 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Statement response TA OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "not contains": [ "none", "HS256", "HS384", 
@@ -12616,8 +12470,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" @@ -12633,11 +12487,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
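Review bot: The description says the `'subset_of'` key under `openid_provider` must not contain `RSA_1_5`, but the check is on `$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of`; for an array-valued parameter `subset_of` is where such a restriction would appear, so this assertion is likely never exercised. I would change the path to `...userinfo_encryption_alg_values_supported.subset_of` and align the type key with whatever the TA actually emits (the description says `openid_provider`, the path says `intermediary`). Note the hunk also drops the `acr_values_supported` policy check; confirm it was moved rather than removed.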
@@ -12650,8 +12502,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -12667,9 +12519,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
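Review bot: Description (`'subset_of'`, `openid_provider`) and check (`$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of`) disagree on both the operator and the entity-type key. For an array-valued `*_values_supported` parameter the forbidden `none`/`HS*` values would live under `subset_of`, so the check as written can pass while the policy still allows them; point it at `.subset_of` or check both keys. The `code_challenge_methods_supported` test this replaces has no visible successor in this hunk.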
@@ -12682,8 +12537,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -12699,10 +12554,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
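Review bot: Same mismatch: the description talks about `'subset_of'` inside `openid_provider`, the check reads `$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of`. Use `.subset_of` for this array-valued parameter (or assert on both operators) so a policy that permits `none`/`HS256`/`HS384`/`HS512` is actually caught, and reconcile the type key with the description.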
@@ -12715,15 +12572,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -12732,10 +12589,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
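Review bot: The description in the first hunk says the key 'subset_of' must not contain 'RSA_1_5', but the check in the second hunk reads `.one_of`; for a single-valued RP parameter such as id_token_encrypted_response_alg the one_of operator is the right one, so it is the description that should change, e.g. `The key 'one_of' must not contain the value 'RSA_1_5'`. The same description/check mismatch appears in the following RP and SA hunks (id_token_signed_response_alg, userinfo_encrypted_response_alg, userinfo_signed_response_alg). Keeping the text and the JSONPath in agreement matters because the description is the only statement of what each test is meant to assert.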
@@ -12748,15 +12604,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -12765,10 +12621,12 @@ "checks": [ { "in": "payload", - "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -12781,15 +12639,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -12798,10 +12656,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "is subset of": [ - "RS256", - "RS512" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
@@ -12814,15 +12671,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -12831,10 +12688,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", - "is subset of": [ - "form_post", - "query" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -12847,15 +12706,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -12864,9 +12723,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is subset of": [ - "code" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
@@ -12879,15 +12738,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -12896,9 +12755,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -12911,15 +12773,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -12928,12 +12790,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", - "is subset of": [ - "openid", - "offline_access", - "profile", - "email" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
@@ -12946,15 +12805,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -12963,9 +12822,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is subset of": [ - "pairwise" + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -12978,15 +12840,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -12995,10 +12857,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
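Review bot: The schema in the second hunk only establishes that exp is present and a non-negative integer, so an entity configuration whose exp is already in the past, or earlier than its iat, still passes even though the test name calls the parameter 'correct'. If the tool offers a comparison against the current time, a freshness check belongs here; otherwise I would name the test for what it actually verifies, e.g. `"name": "Does entity configuration contain an exp parameter valued as a non-negative integer"`. The iat hunk on the next line has the same gap.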
@@ -13010,15 +12870,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -13027,11 +12887,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -13043,15 +12900,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -13060,11 +12917,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -13076,15 +12930,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -13093,11 +12947,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
 }
 ]
 }
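Review bot: The schema string in the second hunk has its braces nested wrongly: the trailing `\"required\": [\"constraints\"]` sits inside `properties` (the `}}` that closes `properties` and the root comes after it), so the root object never requires constraints and an entity configuration without the parameter passes the test; max_path_length is also left as `{}`, accepting any value. A corrected line is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"max_path_length\"]}}, \"required\": [\"constraints\"]}"`. Since this is the only check that the TA actually bounds trust-chain length, it is worth a test fixture without constraints to confirm the failure path.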
@@ -13109,28 +12960,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
@@ -13142,27 +12990,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is subset of": [ - "automatic" - ] + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", 
\"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } @@ -13174,15 +13020,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -13191,11 +13037,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_token" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" } ] } 
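Review bot: The `required` list in the metadata-types schema names all six entity types, so the test only passes when the TA's metadata declares every one of them, whereas the description says the keys must be drawn from that set, not that all must be present; a Trust Anchor publishing only federation_entity would fail. I would drop `required`, or reduce it to `\"required\": [\"federation_entity\"]`, and rely on `\"additionalProperties\": false`, which already enforces the allowed set. The 'only once for each' part of the description cannot be verified by a schema after parsing, since duplicate keys are collapsed by the JSON parser before the check runs; if that property matters, it needs a check on the raw payload.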
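Review bot: The trust_mark_issuers test name and description say the parameter must be a JSON Array, but the schema in its second hunk requires an object whose values are arrays; the object-of-arrays form (trust mark identifier mapped to a list of issuer entity identifiers) is the intended layout, so the text is what should change, e.g. `"name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Object mapping each trust mark identifier to a JSON Array"`. The `additionalProperties` subschema also leaves the array items unconstrained; adding `\"items\": {\"type\": \"string\"}` would catch a malformed issuer list.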
@@ -13207,15 +13050,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -13224,10 +13067,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
- ]
+ "check": "$.metadata_policy.intermediary.acr_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
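Review bot: The schema in the second hunk requires both subset_of and superset_of, while the description only asks for 'subset_of'; a policy that legitimately sets only subset_of (an allow-list with no mandatory minimum) would fail. The JSONPath also reads `$.metadata_policy.intermediary.acr_values_supported` although the description names the openid_provider type, unlike the authorization_response_iss_parameter_supported hunk below, which uses `openid_provider`. I would use `"check": "$.metadata_policy.openid_provider.acr_values_supported",` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"type\": \"array\"}}, \"required\": [\"subset_of\"]}"`, unless superset_of is deliberately mandatory, in which case the description should say so. The grant_types_supported, id_token_encryption_alg_values_supported and id_token_encryption_enc_values_supported hunks further down have the same two issues.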
@@ -13239,15 +13080,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13256,11 +13097,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
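Review bot: The description says the parameter must contain 'one_of' valued as ['true'], but the schema in the second hunk checks `{\"value\": {\"const\": true}}`; for a boolean metadata parameter the value operator with a JSON boolean is the sensible form, so the description should be brought in line, e.g. `It must contain the key 'value' and it must be valued as true`. The claims_parameter_supported hunk on the next line has the same mismatch.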
@@ -13272,15 +13110,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13289,10 +13127,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" - ] + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -13304,15 +13140,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -13321,10 +13157,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256\" , \"RS512"
- ]
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
 }
 ]
 }
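Review bot: The schema in the second hunk requires `subset_of` to be the bare string "automatic" (`{\"const\": \"automatic\"}`), but subset_of in a metadata policy takes an array, so the conforming policy value `[\"automatic\"]` would be rejected and the test can only pass against a malformed policy. I would write `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": [\"automatic\"]}}, \"required\": [\"subset_of\"]}"`. The description also still speaks of the 'one_of' key, so it should name subset_of as the check does.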
@@ -13336,15 +13170,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13353,10 +13187,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" - ] + "check": "$.metadata_policy.intermediary.grant_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13368,15 +13200,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13385,11 +13217,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13401,15 +13230,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13418,10 +13247,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" - ] + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13433,15 +13260,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13450,11 +13277,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13466,15 +13290,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13483,10 +13307,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" - ] + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
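Review bot: The description promises the key 'one_of' valued with ['request_object'], but the schema in the second hunk requires `value` with `{"const": "request_object"}`; the two should agree. As far as I recall, OpenID Federation defines `request_authentication_methods_supported` as a JSON object keyed by endpoint name whose values are arrays of method names, so a `const` equal to the bare string would never match a conformant policy — worth confirming against the profile and expressing the expected object shape in the schema. The enclosing test object continues past the hunk.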
@@ -13498,15 +13320,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13515,10 +13337,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" - ] + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13530,15 +13350,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13547,11 +13367,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
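Review bot: The test is named and described as checking `request_object_signing_alg_values_supported`, but the check path in the second hunk is `$.metadata_policy.openid_provider.request_parameter_supported`, so the signing-algorithm policy is never inspected; the line should be `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported",`. The following test carries the identical name, which makes results ambiguous in any report keyed by name; this one checks the keys and the next the value, so the names should say so. The enclosing test object continues past the hunk.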
@@ -13563,15 +13380,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13580,11 +13397,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
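Review bot: The `json schema compliant` string in the second hunk is not valid JSON — ` [\"RS256\", \"RS512\"]` is appended after the closing brace — so the schema cannot be parsed and the check can never pass as written. The constraint the description asks for is `\"properties\": {\"subset_of\": {\"const\": [\"RS256\", \"RS512\"]}}, \"required\": [\"subset_of\"]`. As in the previous hunk, the path points at `request_parameter_supported` rather than `request_object_signing_alg_values_supported`, so even a parsable schema would be evaluated against the wrong parameter.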
@@ -13596,15 +13410,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13613,11 +13427,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
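Review bot: The description says the key 'one_of' must be valued with ['true'], while the schema in the second hunk requires `value` with `{"const": true}`; the schema is the one that fits a boolean metadata parameter, so the description should read "It must contain the key 'value' set to true". The enclosing test object continues past the hunk.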
@@ -13629,15 +13440,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13646,11 +13457,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13662,15 +13470,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13679,10 +13487,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" - ] + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13694,15 +13500,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13711,11 +13517,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13727,15 +13530,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13744,11 +13547,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13760,15 +13560,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13777,11 +13577,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13793,8 +13590,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -13810,10 +13607,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13825,15 +13620,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -13842,13 +13637,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.openid_relying_party.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -13860,15 +13650,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -13877,13 +13667,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" } ] } 
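Review bot: The schema string in the second hunk is malformed: `\"required\": [\"subset_of\"], [\"superset_of\"]` places a bare array where an object member is expected, so the JSON schema does not parse and the check cannot succeed. It should be `\"required\": [\"subset_of\", \"superset_of\"]`, as in the neighbouring tests. The enclosing test object continues past the hunk.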
@@ -13895,8 +13680,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -13909,13 +13694,12 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
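Review bot: This test and the next now share the name "Does the TA correctly sign the issued Trust Mark" and differ only in their message type, which for this test lies between the two hunks; the name should state the entity whose statement is examined so results can be told apart. The nested decode operation verifies only `$.trust_marks[0].trust_mark`, so any further trust mark in the array is left unverified while the test reports success; if the tool can iterate over array elements, every trust mark should be checked, otherwise the description should say only the first is validated. `jwt check sig` pins `X_key_TA`, which assumes the TA is the issuer of that trust mark — consistent with the description, but a trust mark issued by another entity in the federation would fail here for the wrong reason.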
@@ -13927,30 +13711,26 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
@@ -13962,15 +13742,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does entity configuration TA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -13979,13 +13759,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.sub", + "is": "X_url_TA" } ] } 
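Review bot: The description states that `sub` must equal `iss`, but the check in the second hunk compares `$.sub` against the fixed placeholder `X_url_TA` rather than against the `iss` claim of the same payload, so a statement with the expected `sub` and a wrong `iss` still passes. If the tool cannot compare two claims, add a sibling check `"check": "$.iss", "is": "X_url_TA"` so both halves of the stated requirement are covered; otherwise reword the description to say the value must equal the TA's entity identifier. The enclosing test object continues past the hunk.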
@@ -13997,15 +13772,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14014,10 +13789,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
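Review bot: `"is present": "true"` stores a boolean as a string, which reads like a value serialised by mistake; if the mig-t check grammar accepts a JSON boolean here, `"is present": true` is the clearer form, and the same string value recurs in every following hunk of this range except the `sub` check at `@@ -13979`. Separately, several of the checks this range replaces validated the type of the claim (`exp` and `iat` as non-negative integers, `metadata` and `constraints` as objects, `trust_mark_issuers` as a map of arrays, in the hunks from `@@ -14348` to `@@ -14528`), whereas the new checks test presence only; if those typed checks were not moved elsewhere in the file, a malformed `exp`, `iat` or `constraints` value now passes the suite.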
@@ -14029,15 +13802,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14046,13 +13819,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -14064,15 +13832,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14081,10 +13849,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -14096,15 +13862,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14113,13 +13879,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -14131,15 +13892,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14148,10 +13909,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -14163,15 +13922,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14180,13 +13939,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -14198,15 +13952,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14215,10 +13969,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -14230,15 +13982,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Federation Configuration contain the TA public keys",
+ "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14247,13 +13999,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -14265,15 +14012,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -14282,11 +14029,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$.trust_mark_issuers",
+ "is present": "true"
 }
 ]
 }
@@ -14298,15 +14042,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
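Review bot: The check in the `@@ -14282` hunk reads `$.trust_mark_issuers` while the test name and description call the claim `trust_marks_issuers`; the check carries the claim name, so the two strings should become `"name": "Does TA's Entity configuration contain the trust_mark_issuers parameter"` and `"... the presence of the trust_mark_issuers parameter is checked"`. The description added in the `@@ -14298` hunk has "the presence if the constraints parameter" for "of" and calls a base64url-decoded payload "decrypted"; the same sentence is copied into every Entity Statement test from here to the `@@ -14798` hunk, and "Does Entity Statements" in those names should read "Do Entity Statements". The name "Does Entity Statements issued by the TA contain the constraints parameter" is also reused unchanged for the TA RP variant at `@@ -14541`, and likewise for exp, iat, iss, jwks, metadata_policy, sub and trust_marks, so a report cannot tell the OP and RP results apart; adding the subject to each name (e.g. "... for an OP") would fix that.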
@@ -14315,11 +14059,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -14331,15 +14072,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -14348,8 +14089,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -14361,15 +14102,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -14378,8 +14119,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -14391,15 +14132,15 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -14408,8 +14149,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -14421,25 +14162,25 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -14451,25 +14192,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata_policy", + "is present": "true" } ] } 
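Review bot: The new description string in this hunk is split across two lines between `checked.` and `It must be a JSON Object`; the hunk header's new-side count appears to leave no room for an extra diff line, so the break is probably a stray control character inside the string rather than a real newline, and an unescaped control character inside a JSON string is rejected by RFC 8259 parsers. The TA RP counterpart at `@@ -14691` carries the same sentence on one line, so that wording should be used here too. The check itself only asserts presence of `metadata_policy`, while the description says it must be a JSON Object; if the object-type requirement is intended, the earlier `json schema compliant` form would express it.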
@@ -14481,15 +14222,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -14498,8 +14239,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -14511,15 +14252,15 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -14528,8 +14269,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -14541,15 +14282,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14558,8 +14299,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -14571,15 +14312,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14588,8 +14329,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -14601,15 +14342,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14618,8 +14359,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -14631,15 +14372,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14648,8 +14389,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -14661,15 +14402,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14678,8 +14419,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -14691,15 +14432,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14708,8 +14449,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -14721,15 +14462,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14738,8 +14479,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
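Review bot: The check `$.jwks` in the `@@ -14738` hunk looks at the top-level `jwks` of the Entity Statement payload, but the new name and description say the claim is checked inside the `openid_relying_party` type of `metadata_policy` and must hold the RP's OIDC Core keys. A top-level `jwks` in an Entity Statement is the subject's federation keys, so this check passes whether or not the RP metadata carries a JWKS at all. Either point the check at the path the description names, `"check": "$.metadata_policy.openid_relying_party.jwks"` (or the corresponding `metadata` branch if that is what is meant), or rewrite the name and description to say that the top-level `jwks` is checked, as the sibling `@@ -14661` test for the TA OP statement does.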
@@ -14751,15 +14492,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14768,8 +14509,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -14781,15 +14522,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -14798,8 +14539,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -14811,27 +14552,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
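Review bot: The body decode operation that the new `"jwt check sig": "X_key_TA"` relies on still uses `"decode param": "[^\\r\\n]*"` (context line), whereas the trust-mark tests later in this commit (from the hunk at -14913 onward) switch the body regex to `"decode regex": "[^\\r\\n]*"` and reserve `decode param` for the JSONPath of the nested decode. If the tool distinguishes the two keys, these three signature tests would feed the wrong selector to the JWT decoder and never reach the signature check; the same context line appears in the hunks at -14855 and -14871. It would be worth aligning them on `decode regex` in this commit rather than leaving two conventions in the same file.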
@@ -14841,8 +14576,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14855,13 +14590,7 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
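Review bot: This test and the one in the next hunk (-14871) are both named "Does the TA correctly sign the Entity statements" with identical descriptions, so a failure report cannot tell the two apart. The message type of this test is outside the hunk (the second hunk starts at the decode operation), but the -14871 test targets "Entity Statement response TA RP", which suggests this one covers the OP statement; naming them `"name": "Does the TA correctly sign the Entity statements for the OP"` and `"... for the RP"` would make the reports unambiguous.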
@@ -14871,27 +14600,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -14901,8 +14624,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14913,13 +14636,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
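Review bot: The id_code schema in the second hunk constrains every member of id_code with `"additionalProperties": {"type": "object"}`, which contradicts the sibling tests in this commit: the hunk at -15081 requires `ipa_code` to be a string and the one at -15021 expects `fiscal_number`/`vat_number` members, so a Trust Mark that satisfies those tests fails this one. The description only asks for id_code to be a JSON object, so the line should be `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"`; the same schema is repeated at -15351. Note also that `$.trust_marks[0].trust_mark` inspects only the first Trust Mark of the statement, which is fine if the fixtures carry a single one but is worth stating in the description.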
@@ -14931,8 +14661,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14943,13 +14673,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
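Review bot: The description says the claims claim "has to be a list of JSON Objects", but the schema in the second hunk declares it as `"type": "object"` with object-valued members, so a JSON array would be rejected and an object accepted. One of the two is wrong; if the description reflects the profile, the line should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"claims\"]}"`, otherwise the description should be corrected. The same mismatch is repeated at -15381.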
@@ -14961,8 +14698,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14973,13 +14710,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+ }
+ ]
 }
 ]
 }
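Review bot: The schema in the second hunk spells the keyword as `"required "` with a trailing space; JSON Schema validators ignore unknown keywords, so the email claim is not actually required and a Trust Mark without it passes this test. The keyword should be `\"required\":[\"email\"]`. The hunks at -15171 and -15411 have the same problem in a worse form, with trailing spaces and `\u00a0` characters inside `"type "`, `"object "`, `"properties "`, `"enum "` and the claim names, which turns those schemas into no-ops that accept any payload. Also, `"format": "email"` is an annotation unless the validator is run with format assertions enabled, so confirm the tool enforces it.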
@@ -14991,8 +14735,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15003,13 +14747,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15021,8 +14772,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15033,13 +14784,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15051,8 +14809,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15063,13 +14821,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15081,8 +14846,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15093,13 +14858,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15111,25 +14883,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15141,25 +14920,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
 }
 ]
 }
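Review bot: The description requires logo_uri to be a URL, but the schema uses `"format": "uri-reference"`, which also accepts relative references such as a bare path, so a non-URL value passes; the ref test at -15231 uses `"format": "uri"` for the same requirement, and that is the form that matches the wording here. Changing this to `\"format\": \"uri\"` (and likewise at -15201, -15261, -15291 and -15321 for policy_uri, service_documentation, sub and tos_uri) would make the checks consistent. Since `format` is an annotation by default in JSON Schema, this only has effect if the tool's validator enforces format assertions, which is worth confirming once for the whole suite.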
@@ -15171,25 +14957,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the contacts parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
 }
 ]
 }
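Review bot: Beyond the whitespace problem in the schema keywords, the constraint itself looks wrong for the claim it targets: the description says only that the type of organization_name is checked, yet the schema also restricts the value to the enum `private`/`public`, which reads like an organization-type classification rather than an organization's name. If the profile defines a separate claim for that classification, this enum belongs on that claim and organization_name should be constrained to a string only, e.g. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`; please verify against the Trust Mark profile before keeping the enum.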
@@ -15201,25 +14994,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15231,25 +15031,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
 }
 ]
 }
@@ -15261,25 +15068,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15291,25 +15105,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15321,25 +15142,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the homepage_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15351,25 +15179,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the logo_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15381,25 +15216,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the organization_name parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
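Review bot: The description says the claims value "has to be a list of JSON Objects", but the schema requires `\"claims\": {\"type\": \"object\", ...}`, so a list fails the test and an object passes. If the description is the intended contract the schema should be `{\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}`; if the object form is intended, the description needs correcting. The test is also named for the AA (oauth_resource) trust mark while the message type is `Entity Statement response TA RP`; the same name/message-type mismatch appears in the AA tests at -15321 (TA OP), -15651, -15711 and -15771 (TA RP), which looks like a copy-over from the neighbouring RP tests.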
@@ -15411,25 +15253,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the policy_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
+ ]
 }
 ]
 }
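Review bot: Every key in this schema carries a trailing space (`\"type \"`, `\"properties \"`, `\"required \"`, `\"email \"`), so none of them is a JSON Schema keyword; a validator ignores unknown keywords, the schema accepts any payload, including one with no email claim at all, and the test can never fail. The organization_name schema at -15621 has the same problem, plus `\u00a0` non-breaking spaces before some values. The line should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`, bearing in mind that `format` is only asserted when the validator is configured to do so.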
@@ -15441,25 +15290,32 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.constraints.max_path_length",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15471,25 +15327,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
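Review bot: The test is described as applying to a trust mark "issued for a private entity", but the decode step takes `$.trust_marks[0].trust_mark` unconditionally and nothing in the schema inspects organization_type, so against an RP whose first trust mark is for a public organization this test fails, and the ipa_code tests at -15531 and -15561 fail for a private one. Unless the runner selects applicable tests elsewhere (not visible here), the private/public variants should gate on organization_type inside the schema, e.g. with an `if`/`then` on `\"organization_type\": {\"const\": \"private\"}`, or be documented as a pair of which exactly one is expected to pass. Separately, `\"fiscal_number\": {}` and `\"vat_number\": {}` are empty schemas that any value, including null, satisfies; `{\"type\": \"string\"}` would match the ipa_code check at -15531.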
@@ -15501,25 +15364,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15531,25 +15401,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15561,25 +15438,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15591,25 +15475,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15621,25 +15512,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is present": "true"
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
 }
 ]
 }
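Review bot: The organization_name schema constrains the value with `\"enum \": [ \"private \", \"public \"]`, which is the organization_type vocabulary used by the hunks at -15801 and -15831, while this test's name and description only ask for the type of organization_name. Because every key here carries a trailing space or a `\u00a0`, the schema is currently a no-op; as soon as the keys are corrected this enum would reject every real organization name. The intended line is, I believe, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`.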
@@ -15651,25 +15549,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15681,25 +15586,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
 }
 ]
 }
@@ -15711,25 +15623,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15741,25 +15660,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15771,25 +15697,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -15801,8 +15734,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15813,13 +15746,16 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "check": "$.trust_marks[0].trust_mark.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
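Review bot: `"decode param": "[^\\r\\n]*"` replaces `"decode regex"` for the body decode here and at -15831, while every other operation in this commit keeps `"decode regex"` for the regex and uses `"decode param"` only for a JSONPath into an already decoded JWT; unless the runner treats the two keys as aliases, this step no longer selects the JWT from the body. The check `$.trust_marks[0].trust_mark.organization_type` also reads through trust_mark as if it were an object, but the other tests in this commit decode trust_mark as a nested JWT first, so the path cannot resolve on a JWT string. The nested `decode operations` / `"from": "jwt payload"` structure used at -15321 would make this test consistent with the rest; the rewritten operation is below. The hunk at -15831 carries the same name and description as this test but checks `$.organization_type` on the Entity Statement payload rather than on the trust mark, so one of the two looks like a leftover duplicate.
```json
"decode operations": [
  {
    "from": "body",
    "type": "jwt",
    "decode regex": "[^\\r\\n]*",
    "decode operations": [
      {
        "from": "jwt payload",
        "type": "jwt",
        "decode param": "$.trust_marks[0].trust_mark",
        "checks": [
          {
            "in": "payload",
            "check": "$.organization_type",
            "is in": [
              "public",
              "private"
            ]
          }
        ]
      }
    ]
  }
]
```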
@@ -15831,25 +15767,28 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is present": "true"
+ "check": "$.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
@@ -15861,27 +15800,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
@@ -15891,27 +15823,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
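Review bot: This test's check is byte-identical to the one in the hunk at -15861 (`"in": "head"`, `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`), so it re-asserts the status code rather than what its name and description promise, that an entity configuration is returned from /.well-known/openid-federation. As written, a 200 response with an empty or HTML body passes both tests. To match the description it should look at the body, e.g. a `"decode operations"` step with `"from": "body"`, `"type": "jwt"` and a payload check such as `"check": "$.jwks"`, `"is present": "true"`, as the other passive tests in this file do.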
@@ -15921,27 +15846,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
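Review bot: `"is": "application/entity-statement+jwt"` reads as an exact comparison of the Content-Type header value, so a response carrying an extra parameter (a constructed example: `application/entity-statement+jwt; charset=utf-8`) would fail this test although the media type is correct; I cannot see from the diff whether `is` is exact or substring, so it is worth confirming, and if the runner offers a regex form for header values, as `check regex` does at -15861, that is the more robust assertion. `"url decode": false` is a JSON boolean while the neighbouring checks spell booleans as strings (`"is present": "true"`); one representation should be used throughout so the runner does not interpret the two differently.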
@@ -15951,85 +15870,116 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
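Review bot: The trust-mark checks in this hunk use `"check": "organization_type"` and `"check": "claims"` (and `"email"`, `"exp"`, `"iat"` in the hunks at -16041, -16071 and -16101) without the `$.` prefix that every other payload check in this commit uses, e.g. `$.organization_type` at -15831; unless the runner accepts a bare key name as a JSONPath, these checks will not find the claim. The third test is named and described as an oauth_resource (AA) trust-mark test but reads `Entity Statement response SA OP`, and the first two tests share one name and description, differing only in the SA OP / SA RP message type. `"result"` changes here from the string `"correct flow s1"` to the array `["s1"]`; the runner is not visible, so it is worth confirming that both shapes are accepted or that every other test in the file was migrated in the same way.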
@@ -16041,25 +15991,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16071,25 +16028,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16101,25 +16065,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16131,25 +16102,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16161,25 +16139,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16191,25 +16176,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16221,25 +16213,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16251,25 +16250,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16281,25 +16287,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16310,26 +16323,33 @@
 }
 },
 {
- "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "test": {
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
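Review bot: The test name and description say the Trust Mark under test is the one issued for an AA (oauth_resource profile), but the operation inspects `Entity Statement response SA OP`, the statement an SA issues about an OP, so the `policy_uri` check runs against the OP's Trust Mark, not an AA's. Either the message type should name the AA's entity statement or the name and description should say OP; as written, a pass proves nothing about the oauth_resource profile. The same mismatch is in the service_documentation and tos_uri hunks of the SA OP group, in the claims hunk at the top of this section, and in the claims and policy_uri hunks of the `Entity Statement response SA RP` group.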
@@ -16341,25 +16361,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16371,25 +16398,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
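Review bot: The description says `A Trust Mark issued by a TA for an SA is taken`, but the message type is `Entity Statement response SA OP`, so the Trust Mark decoded here comes from the SA's statement about an OP and the checked subject is the OP, which is not the entity an intermediary `sa_profile` Trust Mark would describe. If the intent is to inspect the SA's own Trust Mark, the message type should be the TA's statement about the SA; otherwise the name and description should be corrected to match the OP. The sa_profile hunk of the `Entity Statement response SA RP` group at the end of this section has the same inconsistency.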
@@ -16401,25 +16435,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16431,25 +16472,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16461,25 +16509,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16491,25 +16546,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration TA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_TA"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16521,20 +16583,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
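Review bot: The new `name` is identical to the one given to the `Entity Statement response SA OP` test earlier in this section, so a report listing results by name cannot tell the two apart; the same duplication applies to every test of this `Entity Statement response SA RP` group (exp, iat, id, id_code, iss, logo_uri, organization_name, organization_type, policy_uri, ref, sa_profile). Including the inspected statement in the name, e.g. `"name": "Does the Trust Mark in the SA RP entity statement contain the email claim",`, keeps each result attributable to one test.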
@@ -16544,20 +16620,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16567,20 +16657,34 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16590,20 +16694,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16613,20 +16731,34 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16636,20 +16768,34 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16659,20 +16805,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response TA OP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16682,20 +16842,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response TA RP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16705,20 +16879,34 @@
 },
 {
 "test": {
- "name": "Does the TA publish the federation public key history",
- "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Public Keys History response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16728,20 +16916,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -16751,26 +16953,32 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16782,26 +16990,32 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16813,25 +17027,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16843,25 +17064,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
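Review bot: Presence of `sub` in the Trust Mark says nothing about whom it was issued to; a Trust Mark copied from another entity's statement would still pass, because the value is never compared with the `sub` of the enclosing Entity Statement. The page already shows a save-and-compare pattern (`"jwt save": "$.sub"` into a variable via `edits`, then a check with `"use variable": "true"` at `@@ -16903`), so the binding could be asserted the same way; whether that requires switching this test to `"type": "active"` as that hunk does is something I cannot tell from here.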
@@ -16873,25 +17101,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -16903,45 +17138,42 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
+ "from": "url",
+ "decode param": "client_assertion",
 "type": "jwt",
- "checks": [
+ "edits": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
 }
 ]
 }
 ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
+ },
 {
- "message type": "Entity Configuration response TA",
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
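Review bot: The first intercept takes the JWT `"from": "url"` with `"decode param": "client_assertion"`, but the message is a response (`Entity Statement response SA OP`), which carries no URL query, and `client_assertion` is a token-request parameter, not part of an Entity Statement; as written `conf_iss` is unlikely ever to be populated, so the later `$.iss` comparison cannot be trusted. Since the name says the Entity Statement's own `iss` is under test, the save should read the statement from the body like the other hunks do: `"from": "body"`, `"decode regex": "[^\\r\\n]*"`, `"type": "jwt"`. The comparison in the continuation hunk uses `"contains": "conf_iss"`, a substring match that would accept an `iss` that merely includes the saved URL; an equality operator, if the tool has one, would be stricter. The second test at `@@ -16963` repeats this one with an identical name for the SA RP statement, so the two are indistinguishable in results; the enclosing test definition continues past the end of this hunk.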
@@ -16949,9 +17181,10 @@
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
@@ -16963,15 +17196,42 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "client_assertion",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -16979,9 +17239,10 @@
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
@@ -16993,24 +17254,24 @@
 },
 {
 "test": {
- "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
+ "name": "Does the SA's metadata contain the contacts parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -17023,24 +17284,24 @@
 },
 {
 "test": {
- "name": "Does the Federation Configuration contain the TA public keys",
- "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
+ "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
 "is present": "true"
 }
 ]
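Review bot: `federation_fetch_endpoint` is checked for presence only, so a value that is not an https URL (an empty string, a plain-http URL, a non-string) passes, although relying parties will dereference it to fetch subordinate statements; the same applies to the endpoint and URI checks at `@@ -17053`, `@@ -17083`, `@@ -17113`, `@@ -17143`, `@@ -17173` and `@@ -17233`. The commit already uses `"json schema compliant"` with a `pattern` of `^https://` for `logo_uri` at `@@ -17533`; the same form, e.g. `"json schema compliant": "{\"type\": \"string\", \"pattern\": \"^https://\"}"` in place of `"is present": "true"`, would turn these into real validations. Note that JSON Schema `format` is annotation-only in most validators, so the `pattern` is what does the work.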
@@ -17053,24 +17314,24 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
+ "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_mark_issuers",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
 "is present": "true"
 }
 ]
@@ -17083,24 +17344,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -17113,24 +17374,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
 "is present": "true"
 }
 ]
@@ -17143,24 +17404,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the SA's metadata contain the homepage_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -17173,24 +17434,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the SA's metadata contain the logo_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -17203,24 +17464,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the SA's metadata contain the organization_name parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -17233,24 +17494,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the SA's metadata contain the policy_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -17263,27 +17524,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
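Review bot: The JOSE regex uses the wrong alphabet: `[\\w=]` admits `=` padding and excludes `-`, whereas JWS compact serialization is unpadded base64url (`A-Z a-z 0-9 - _`), so a valid statement whose header or payload contains `-` fails and a padded, non-JWS string passes; the signature part is `[...]*`, so an empty signature, i.e. an unsigned token, is also accepted, and the expression is unanchored, so any three dot-separated words anywhere in the body match. The same regex recurs at `@@ -17353`, `@@ -17383` and `@@ -17413`. A closer form is `"check regex": "^[\\w-]+\\.[\\w-]+\\.[\\w-]+$"`. The description also says the response must carry `Content-Type: application/entity-statement+jwt`, but only the body is inspected; if the tool supports a header check, asserting that media type would make the description true.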
@@ -17293,27 +17547,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
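Review bot: The opening `[` of the regex is not escaped, so the engine reads `[\s*"[^"]...` as a character class rather than a literal bracket; the closing `\\]$` is escaped, which shows the intent was a literal list, and the Public Keys History regex this commit removes at `@@ -16705` wrote it correctly as `\\[\\s*`. Depending on the engine this either silently matches something else or fails to compile (Java treats the nested `[` as a class union and will not find a balancing `]`), so the line should read `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. This test was moved here with the bug rather than introduced by the commit, but the new side is what will run.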
@@ -17323,27 +17570,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
+ "is present": "true"
 }
 ]
 }
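Review bot: The regex prefix `[^\\r\\n]*.^` cannot match in a single-line engine: `.` must consume one character and `^` then has to match at a position that is no longer the start of input, so unless MULTILINE and DOTALL are both on the check never fires and `"is present": "true"` always reports a failure; the same prefix is used at `@@ -17353`, `@@ -17383` and `@@ -17413`. Independently of that, the body of the expression demands a JSON object (`\\{ ... \\}$`) while the description expects "a JSON list with the known Entity Identifiers", so the check contradicts the test's own statement of what a listing response looks like. Dropping the prefix and reusing the array form from `@@ -16705`, `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`, would make the two agree. The description's "an HTTP GET request entity's endpoint" is also missing a verb and still talks about the resolve endpoint.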
@@ -17353,27 +17593,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Statement response SA OP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
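Review bot: This test and the one at `@@ -17383` carry the identical name "Does the SA correctly release the Entity statements" and the same description, differing only in the message type (SA OP here, SA RP there), so a failure report cannot say which statement was malformed. Naming the subordinate in the title, e.g. `"name": "Does the SA correctly release the Entity statement for the OP"`, keeps the results distinguishable. The description says the response "must contain the subordinate entity's Entity Statement", but the regex only checks that something JOSE-shaped is in the body; `sub` is never compared with the requested entity identifier.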
@@ -17383,27 +17616,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -17413,27 +17639,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
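Review bot: The description promises "the resolved metadata for the entity", which is what the resolve endpoint returns; the fetch endpoint addressed here (`Fetch Entity Statement response SA RP`, parameters `iss` and `sub`) returns the SA's signed Entity Statement about the subordinate, and the regex accordingly looks for a JOSE token rather than metadata. The sentence appears to have been copied from the resolve-endpoint test at `@@ -17293` and should say something like "a response containing the Entity Statement issued by the SA for the entity in the request's sub parameter is expected".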
@@ -17443,15 +17662,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -17460,8 +17679,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
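Review bot: The name was changed to "a correct exp parameter" and the check to a JSON Schema, but the description still says only "the presence of the exp parameter is checked"; the same stale description is kept for `iat` at `@@ -17473` and for `metadata` at `@@ -17503`. The description should state what the schema enforces, e.g. "... and the exp parameter is checked to be present and a non-negative integer", so a reader of a failure knows whether type or presence was the cause. Worth stating explicitly as well that the schema does not check that `exp` lies in the future or after `iat`, since "correct" may be read as implying that.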
@@ -17473,15 +17692,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -17490,8 +17709,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -17503,15 +17722,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -17520,8 +17739,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -17533,25 +17752,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
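Review bot: The new name and description talk about the "TA metadata" and "the TA Entity Configuration", but the message this test decodes is `Entity Configuration response SA`, so the prose and the check disagree about whose configuration is inspected; presumably it should read `"name": "Does the SA metadata contain correct type logo_uri claim"` with the description adjusted the same way. Note also that `"format":"uri"` in the embedded schema is an annotation that most JSON Schema validators ignore unless format assertion is switched on, so unless mig-t's validator asserts formats the `pattern` is the only effective constraint. Separately, this hunk and the metadata-types and jwks-policy hunks below spell the line regex `[^\\n\\r]*` while every other hunk uses `[^\\r\\n]*`; they match the same input, but one spelling keeps the files greppable.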
@@ -17563,25 +17782,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
@@ -17593,32 +17812,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
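Review bot: In the metadata-types test (the hunk that begins on the previous line of this page) the embedded schema lists all six entity types under `required`, so an SA whose Entity Configuration publishes only `federation_entity` fails, although the description only says the keys must be "a value among" the allowed set; `additionalProperties: false` already enforces that, so the `required` array should be dropped or cut down to the types the SA is actually expected to publish. The "only once for each" part of the name cannot be enforced by this check either: the JWT payload is parsed before the schema runs and a JSON parser keeps a single value per duplicate key, so a repeated type is invisible to it and the name overstates what the test proves.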
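Review bot: The schema for `trust_marks` declares it as `{"type": "object", "additionalProperties": {"type": "array"}}`, but the description in the same hunk says the parameter "must be a JSON array containing the Trust Marks", and the other tests on this page address it as `$.trust_marks[0].trust_mark`, i.e. an array of objects. As written the check fails a conformant Entity Configuration and passes a malformed one. It should be `{\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}}` (escaped as in the surrounding string).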
@@ -17630,32 +17842,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
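Review bot: The name `Does Entity Statements issued by the SA contain a correct exp parameter` introduced here is reused verbatim by the `Entity Statement response SA RP` variant two hunks down, and the same happens for the `iat`, trust-mark-signature and `constraints` tests on this page; if names are how results are reported or filtered, the OP and RP runs become indistinguishable, so the message type should be part of the name, e.g. `"name": "Does Entity Statements issued by the SA for an OP contain a correct exp parameter"`. The description also says the statement is fetched from "the TA's fetch endpoint" although the issuer under test is the SA — the later `constraints`, `metadata_policy` and `trust_marks` tests already say "SA's fetch endpoint" — and it carries the typo "the the exp parameter".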
@@ -17667,32 +17872,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -17704,32 +17902,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -17741,32 +17932,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -17778,32 +17962,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -17815,32 +17992,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
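Review bot: `"jwt check sig": "X_key_SA"` verifies the trust mark against a fixed SA key, but a trust mark carries its own `iss` and may be issued by the TA or another trust mark issuer rather than the SA that embeds it in the statement; if that can happen in this federation the test reports a signature failure that is really a key-selection problem, so the description should at least state the assumption that the SA is the trust mark issuer, or the check should pick the key from the mark's `iss`. Only `$.trust_marks[0].trust_mark` is decoded, so any further marks in the array are never signature-checked. The description's "(n, e of jwks parameter)" also implies RSA only, whereas the check itself is key-type agnostic. The same applies to the `SA RP` variant in the next hunk.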
@@ -17852,32 +18023,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -17889,32 +18054,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does entity configuration SA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_SA"
 }
 ]
 }
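Review bot: The description says the `sub` value "must be equal to the one in the iss parameter", but the check compares `$.sub` with the configured constant `X_url_SA` rather than with `$.iss` of the same payload, so a configuration whose `iss` and `sub` differ still passes as long as `sub` matches the placeholder. Either the description should say that `sub` is compared against the SA's configured URL, or a second check `{"in": "payload", "check": "$.iss", "is": "X_url_SA"}` should be added so both claims are pinned to the same value.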
@@ -17926,32 +18084,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -17963,32 +18114,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -18000,32 +18144,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -18037,32 +18174,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -18074,32 +18204,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -18111,32 +18234,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -18148,32 +18264,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -18185,32 +18294,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -18222,32 +18324,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -18259,32 +18354,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -18296,32 +18384,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -18333,32 +18414,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -18370,32 +18444,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -18407,32 +18474,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -18444,32 +18504,25 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain the organization_name claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "organization_name",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.trust_marks",
+                    "is present": "true"
                   }
                 ]
               }
@@ -18481,32 +18534,25 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain the organization_type claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "organization_type",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.constraints",
+                    "is present": "true"
                   }
                 ]
               }
@@ -18518,32 +18564,25 @@
     },
     {
       "test": {
-        "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
-        "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the exp parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "policy_uri",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.exp",
+                    "is present": "true"
                   }
                 ]
               }
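Review bot: The exp test asserts only that `$.exp` is present, so an Entity Statement whose `exp` is a string, negative, or already in the past passes, although `exp` is the claim a resolver uses to bound how long it may rely on the statement. A type check in the form this file uses for trust marks would at least close the type gap: `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`, and the same applies to the `iat` test in the next hunk. Whether the harness can compare `exp` with the current time is not visible here. The description also names `the TA's fetch endpoint` while the message type is the SA's.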
@@ -18555,32 +18594,25 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain the ref claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the iat parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "ref",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.iat",
+                    "is present": "true"
                   }
                 ]
               }
@@ -18592,32 +18624,25 @@
     },
     {
       "test": {
-        "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
-        "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the iss parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "service_documentation",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.iss",
+                    "is present": "true"
                   }
                 ]
               }
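Review bot: For `iss` the new test checks presence only, whereas the trust-mark `iss` test later in this file requires an `https://` URL, and for the TA→SA→RP chain to link up the `iss` of a statement served by the SA's fetch endpoint has to be the SA's own entity id — the `jwt check sig` tests keyed on `X_key_SA` silently assume exactly that. Adding `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"` would align it with the trust-mark tests; an equality check against the configured SA entity id would be stronger if the harness supports one. The description again says `the TA's fetch endpoint` although the message type is `Entity Statement response SA RP`.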
@@ -18629,32 +18654,25 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain sub claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "sub",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.jwks",
+                    "is present": "true"
                   }
                 ]
               }
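Review bot: The `jwks` presence check lets an empty `{}` or a `jwks` without a `keys` array pass, yet the keys the SA publishes in this statement are what a resolver uses to verify the RP's own signatures; a malformed `jwks` therefore breaks trust resolution without this test noticing. Tightening it to `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jwks\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}}, \"required\": [\"jwks\"]}"` would catch that. The description refers to the TA's fetch endpoint although the message type is `Entity Statement response SA RP`.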
@@ -18666,32 +18684,25 @@
     },
     {
       "test": {
-        "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
-        "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "tos_uri",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.metadata_policy",
+                    "is present": "true"
                   }
                 ]
               }
@@ -18703,32 +18714,25 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain id_code claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the sub parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "id_code",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.sub",
+                    "is present": "true"
                   }
                 ]
               }
@@ -18740,32 +18744,25 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain the iss claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+        "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+        "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
+                "checks": [
                   {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "iss",
-                        "is present": "true"
-                      }
-                    ]
+                    "in": "payload",
+                    "check": "$.trust_marks",
+                    "is present": "true"
                   }
                 ]
               }
@@ -18777,34 +18774,21 @@
     },
     {
       "test": {
-        "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
-        "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+        "name": "Does the entity correctly sign the Entity Configuration",
+        "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA SA",
+            "message type": "Entity Configuration response SA",
             "decode operations": [
               {
                 "from": "body",
+                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "decode regex": "[^\\r\\n]*",
-                "decode operations": [
-                  {
-                    "from": "jwt payload",
-                    "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
-                    "checks": [
-                      {
-                        "in": "payload",
-                        "check": "sa_profile",
-                        "is present": "true"
-                      }
-                    ]
-                  }
-                ]
+                "jwt check sig": "X_key_SA"
               }
             ]
           }
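Review bot: The Entity Configuration signature check is keyed on `X_key_SA`, and the description correctly says the key must be taken from the superior's Entity Statement; if `X_key_SA` is instead captured from the `jwks` of the Entity Configuration itself, the test is circular and proves only self-consistency, which a rogue entity also produces. Where `X_key_SA` is populated is outside this hunk, so this is a point to confirm: it should be filled from `Entity Statement response TA SA`, and the description could say `(n, e of the jwks parameter published for the SA in the TA's Entity Statement)` so nobody later points the variable at the SA's own configuration. The `(n, e ...)` wording also covers RSA keys only; if EC keys are allowed in this federation the text should not imply otherwise.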
@@ -18814,21 +18798,21 @@
     },
     {
       "test": {
-        "name": "Does the entity correctly sign the Entity Configuration",
-        "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+        "name": "Does the SA correctly signs the Entity Statement",
+        "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response TA",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
                 "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "jwt check sig": "X_key_TA"
+                "jwt check sig": "X_key_SA"
               }
             ]
           }
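Review bot: This test and the one in the next hunk are both named `Does the SA correctly signs the Entity Statement`, so the SA→OP and SA→RP signature results are indistinguishable in a report and a failure of one cannot be told from the other. Put the subject in the name, e.g. `"name": "Does the SA correctly sign the Entity Statement issued for the OP"` here and `... for the RP` in the next hunk, which also fixes `signs` to `sign`. The description rightly ties the verification key to the SA's `jwks` in the TA's statement; naming `X_key_SA` as that key in the description would keep the two from drifting apart.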
@@ -18838,21 +18822,21 @@
     },
     {
       "test": {
-        "name": "Does the TA correctly sign the Entity statements",
-        "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+        "name": "Does the SA correctly signs the Entity Statement",
+        "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA RP",
             "decode operations": [
               {
                 "from": "body",
                 "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "jwt check sig": "X_key_TA"
+                "jwt check sig": "X_key_SA"
               }
             ]
           }
@@ -18862,21 +18846,34 @@
     },
     {
       "test": {
-        "name": "Does the TA correctly sign the Entity statements",
-        "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+        "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+        "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
-                "decode param": "[^\\r\\n]*",
                 "type": "jwt",
-                "jwt check sig": "X_key_TA"
+                "decode regex": "[^\\r\\n]*",
+                "decode operations": [
+                  {
+                    "from": "jwt payload",
+                    "type": "jwt",
+                    "decode param": "$.trust_marks[0].trust_mark",
+                    "checks": [
+                      {
+                        "in": "payload",
+                        "check": "$",
+                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+                      }
+                    ]
+                  }
+                ]
               }
             ]
           }
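Review bot: The new `claims` test describes the value as `checked to be a list`, but the schema on the `json schema compliant` line enforces `\"type\": \"object\"` whose property values must themselves be objects, so an array `claims` fails and a map passes; the description and the check contradict each other and one of them is wrong. Decide the intended shape and make them agree, e.g. keep the schema and write `the value of the claims claim is checked to be a JSON Object whose values are JSON Objects`, or switch the schema to `{\"type\": \"array\", \"items\": {\"type\": \"object\"}}` if a list is meant. The test is also attached to `Entity Statement response SA OP` although it targets an AA (`oauth_resource`) trust mark; if the session records a statement about the AA, that looks like the right message type.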
@@ -18886,15 +18883,15 @@
     },
     {
       "test": {
-        "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
-        "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+        "name": "Does the Trust Mark contain the correct type of email claim",
+        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -18904,15 +18901,12 @@
                   {
                     "from": "jwt payload",
                     "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
+                    "decode param": "$.trust_marks.trust_mark",
                     "checks": [
                       {
                         "in": "payload",
-                        "check": "sa_profile",
-                        "is in": [
-                          "light",
-                          "full"
-                        ]
+                        "check": "$",
+                        "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
                       }
                     ]
                   }
@@ -18921,22 +18915,20 @@
                 ]
               }
             ],
-        "result": [
-          "s1"
-        ]
+        "result": "correct flow s1"
       }
     },
     {
       "test": {
-        "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
-        "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+        "name": "Does the Trust Mark contain the exp type",
+        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA RP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
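Review bot: The email test as written cannot fail: the `decode param` line now reads `$.trust_marks.trust_mark`, but `trust_marks` is an array in an Entity Statement (the untouched tests of this file keep `$.trust_marks[0].trust_mark`), so the path resolves to nothing, and the schema on the `json schema compliant` line spells every keyword with a trailing space (`\"type \"`, `\"properties \"`, `\"required \"`, `\"object \"`), which a JSON Schema validator treats as unknown keywords and ignores. Restore `"decode param": "$.trust_marks[0].trust_mark"` and use the keyword spelling the neighbouring hunks use: `{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}`. Note that `format` is an annotation many validators do not enforce, so a `pattern` is needed if the e-mail shape must actually be checked. The same `$.trust_marks.trust_mark` path appears in the exp, iat, organization_name and ref hunks below.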
@@ -18946,15 +18938,12 @@
                   {
                     "from": "jwt payload",
                     "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
+                    "decode param": "$.trust_marks.trust_mark",
                     "checks": [
                       {
                         "in": "payload",
-                        "check": "sa_profile",
-                        "is in": [
-                          "light",
-                          "full"
-                        ]
+                        "check": "$",
+                        "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
                       }
                     ]
                   }
@@ -18963,28 +18952,39 @@
             ]
           }
         ],
-        "result": [
-          "s1"
-        ]
+        "result": "correct flow s1"
       }
     },
     {
       "test": {
-        "name": "Does the entity return a correct Content-Type in the EC response",
-        "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+        "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+        "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Configuration response TA",
-            "checks": [
+            "message type": "Entity Statement response SA OP",
+            "decode operations": [
               {
-                "in": "head",
-                "url decode": false,
-                "is": "application/entity-statement+jwt",
-                "check param": "Content-Type"
+                "from": "body",
+                "type": "jwt",
+                "decode regex": "[^\\r\\n]*",
+                "decode operations": [
+                  {
+                    "from": "jwt payload",
+                    "type": "jwt",
+                    "decode param": "$.trust_marks[0].trust_mark",
+                    "checks": [
+                      {
+                        "in": "payload",
+                        "check": "$",
+                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+                      }
+                    ]
+                  }
+                ]
               }
             ]
           }
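Review bot: This hunk drops the only visible check that the TA's Entity Configuration is served with `Content-Type: application/entity-statement+jwt`, and no replacement appears on the new side; unless that test was moved to another file in this patch, a JWT served as `text/plain` or `application/json` now goes unnoticed, so it is worth confirming before merging. In the replacement id_code test the properties are declared as `\"fiscal_number\": {}` and `\"vat_number\":{}`, which accept a number or an object; `{\"type\": \"string\"}` for both would match the `ipa_code` string check further down. The message type `Entity Statement response SA OP` reads the private-organization trust mark from the OP's statement, which is correct only if the OP under test is a private entity.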
@@ -18994,15 +18994,15 @@
     },
     {
       "test": {
-        "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
-        "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+        "name": "Does the Trust Mark contain the correct iat type",
+        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -19012,12 +19012,12 @@
                   {
                     "from": "jwt payload",
                     "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
+                    "decode param": "$.trust_marks.trust_mark",
                     "checks": [
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+                        "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
                       }
                     ]
                   }
@@ -19031,15 +19031,15 @@
     },
     {
       "test": {
-        "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
-        "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+        "name": "Does the Trust Mark contain correcty type of id_code claim",
+        "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -19054,7 +19054,7 @@
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
                       }
                     ]
                   }
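Review bot: The schema on the `json schema compliant` line of the second hunk requires every value inside `id_code` to be an object (`\"additionalProperties\": {\"type\": \"object\"}`), which contradicts the next hunk where `ipa_code` must be a string and the private-organization test where `fiscal_number`/`vat_number` are scalar values; a real `id_code` such as `{\"ipa_code\": \"...\"}` fails this test. Since the description only asks that `id_code` be a JSON Object, drop the constraint: `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}`. The name also reads `correcty type`; `correct type` is meant.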
@@ -19068,15 +19068,15 @@
     },
     {
       "test": {
-        "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
-        "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+        "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+        "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -19091,7 +19091,7 @@
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+                        "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
                       }
                     ]
                   }
@@ -19105,15 +19105,15 @@
     },
     {
       "test": {
-        "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
-        "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+        "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+        "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -19128,7 +19128,7 @@
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
                       }
                     ]
                   }
@@ -19142,15 +19142,15 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain the correct type of the email claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+        "name": "Does the Trust Mark contain a correct iss claim",
+        "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -19165,7 +19165,7 @@
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
+                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
                       }
                     ]
                   }
@@ -19179,15 +19179,15 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain the exp type",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+        "name": "Does the Trust Mark contain correct type of logo_uri claim",
+        "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -19202,7 +19202,7 @@
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
                       }
                     ]
                   }
@@ -19216,15 +19216,15 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain the correct iat type",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+        "name": "Does the Trust Mark contain the correct type of organization_name claim",
+        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -19234,12 +19234,12 @@
                   {
                     "from": "jwt payload",
                     "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
+                    "decode param": "$.trust_marks.trust_mark",
                     "checks": [
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+                        "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
                       }
                     ]
                   }
@@ -19253,15 +19253,15 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain a correct logo_uri claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+        "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+        "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
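Review bot: The organization_name schema on the `json schema compliant` line of the second hunk is broken in two ways: its keywords carry trailing spaces and U+00A0 characters (`\"type \"`, `\u00a0\"object \"`, `\"enum \"`, `\"required \"`), so a validator ignores them all and the test passes on any payload, and the `enum` it would enforce, `private`/`public`, is the value set of `organization_type`, whereas `organization_name` is a free-form name that would never match. Combined with the `$.trust_marks.trust_mark` path (the `trust_marks` array indexed without `[0]`) the test cannot observe the claim at all. Suggested: `"decode param": "$.trust_marks[0].trust_mark"` and `{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\", \"minLength\": 1}}, \"required\": [\"organization_name\"]}`, with the private/public enum moved to a separate organization_type test.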
@@ -19276,7 +19276,7 @@
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+                        "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
                       }
                     ]
                   }
@@ -19290,15 +19290,15 @@
     },
     {
       "test": {
-        "name": "Does the Trust Mark contain the correct type of organization_name claim",
-        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+        "name": "Does the Trust Mark contain an URL in the ref claim",
+        "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
         "type": "passive",
         "sessions": [
           "s1"
         ],
         "operations": [
           {
-            "message type": "Entity Statement response TA OP",
+            "message type": "Entity Statement response SA OP",
             "decode operations": [
               {
                 "from": "body",
@@ -19308,12 +19308,12 @@
                   {
                     "from": "jwt payload",
                     "type": "jwt",
-                    "decode param": "$.trust_marks[0].trust_mark",
+                    "decode param": "$.trust_marks.trust_mark",
                     "checks": [
                       {
                         "in": "payload",
                         "check": "$",
-                        "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+                        "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
                       }
                     ]
                   }
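Review bot: The ref test in the last hunk uses `$.trust_marks.trust_mark`, which does not index the `trust_marks` array, so the trust mark is never decoded and the schema is never evaluated; use `"decode param": "$.trust_marks[0].trust_mark"` as the untouched tests do. Its schema also relies on `\"format\": \"uri\"` alone, while the sibling URL claims (`iss`, `logo_uri`, `policy_uri`, `sub`) add `\"pattern\": \"^https://\"`; since `format` is an annotation most validators do not enforce by default, the pattern is what actually rejects a plain-http or non-URL value, so add it here too: `{\"type\": \"object\", \"properties\": {\"ref\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"}}, \"required\": [\"ref\"]}`.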
@@ -19327,15 +19327,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -19350,7 +19350,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -19364,15 +19364,15 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", 
@@ -19387,7 +19387,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } @@ -19401,15 +19401,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -19424,7 +19424,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } 
@@ -19438,15 +19438,15 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -19461,7 +19461,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } @@ -19475,15 +19475,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -19498,7 +19498,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -19512,15 +19512,15 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19530,12 +19530,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } 
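Review bot: In hunk `@@ -19498` the `claims` description says the value "is checked to be a list", but the schema requires `\"type\": \"object\"` with object-valued members, so the text and the check disagree. One of them is wrong: if the profile defines `claims` as a JSON object the description should say so, otherwise the schema needs `\"type\": \"array\"` with an `items` schema. Please confirm against the profile and align the other side so the test name, description and schema state the same requirement.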
@@ -19549,15 +19549,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19567,12 +19567,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } 
@@ -19587,14 +19587,14 @@ { "test": { "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19623,15 +19623,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -19641,12 +19641,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -19660,15 +19660,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19683,7 +19683,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } 
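Review bot: The `id_code` schema added in hunk `@@ -19683` (`\"additionalProperties\": {\"type\": \"object\"}`) contradicts the `ipa_code` type check in `@@ -19757` (L7453), which requires `id_code.ipa_code` to be a string; a Trust Mark with `\"id_code\": {\"ipa_code\": \"...\"}` passes the second test and fails the first, so both cannot be green on the same response. If id_code members are scalars, drop the value constraint: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}},\"required\": [\"id_code\"]}"`. The test name in `@@ -19660` also reads `correcty`; `correct` is intended.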
@@ -19697,15 +19697,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19720,7 +19720,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -19734,15 +19734,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -19757,7 +19757,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -19771,15 +19771,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19794,7 +19794,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } 
@@ -19808,15 +19808,15 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19831,7 +19831,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } @@ -19853,7 +19853,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19863,7 +19863,7 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", 
@@ -19883,14 +19883,14 @@ { "test": { "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19905,7 +19905,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } @@ -19927,7 +19927,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19937,7 +19937,7 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", 
@@ -19956,15 +19956,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -19979,7 +19979,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -19993,15 +19993,15 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -20016,7 +20016,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } @@ -20030,15 +20030,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -20053,7 +20053,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } 
@@ -20067,15 +20067,15 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -20090,7 +20090,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } @@ -20104,8 +20104,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" 
@@ -20113,23 +20113,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -20139,8 +20127,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -20148,23 +20136,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
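Review bot: The HTTP-status checks added in hunks `@@ -20113` and `@@ -20148` write the flag as the string `\"is present\": \"true\"`, while `@@ -20273` (L7462) writes `\"url decode\": false` as a real JSON boolean; the string form is repeated in the presence checks on L7463–L7466. If the mig-t check loader compares the value as a string this works today, but mixing the two encodings in one file invites a silent mismatch when the loader changes or a check is copy-edited. Prefer one form consistently, ideally the JSON boolean `\"is present\": true` if the loader accepts it.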
@@ -20174,8 +20150,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -20186,13 +20162,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -20204,8 +20183,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" 
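Review bot: The positive `\"is in\": [\"RS256\", \"RS512\"]` check added in hunk `@@ -20186` here and in `@@ -20246` (L7461) replaces the `not contains` guards for `none`/HS256/HS384/HS512 that `@@ -20113` and `@@ -20148` (L7458/L7459) dropped, and whether it is as strict depends on the tool's `is in` semantics: if the check passes when any element of `one_of` is listed, a value such as `[\"RS256\", \"none\"]` is accepted. Unless `is in` is documented as full-subset membership, keep the explicit deny next to the new check, e.g. a second check on the same path with `\"not contains\": [\"none\", \"HS256\", \"HS384\", \"HS512\"]`. The `decode param` → `decode regex` rename is applied to every body decode in these hunks, but the Trust Mark tests earlier in the file decode the body in lines outside the visible hunks; if the old key is no longer accepted, confirm those were renamed as well.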
@@ -20216,13 +20195,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } @@ -20234,8 +20215,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -20246,13 +20227,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -20264,8 +20248,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -20273,18 +20257,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } @@ -20294,8 +20272,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
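Review bot: The Content-Type check in hunk `@@ -20273` uses an exact `\"is\": \"application/entity-statement+jwt\"` on the header value; a server that appends a parameter (for example `; charset=utf-8`) would fail it even though the media type is the required one. If the `is` matcher is an exact string compare, match the media type itself — a `\"check regex\"` on `\"in\": \"head\"` anchored on `application/entity-statement\\+jwt`, as the status check two hunks earlier does — or document that parameters are intentionally rejected. Also confirm that `check param` on `head` targets a response header here rather than a query parameter, since the other head checks in this file use `check regex`.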
@@ -20306,13 +20284,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "is present": "true" } ] } @@ -20324,8 +20302,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the contacts claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20336,13 +20314,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -20354,8 +20332,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20366,13 +20344,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "is present": "true" } ] } 
@@ -20384,8 +20362,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the AA metadata contain the federation_resolve_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20396,13 +20374,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } @@ -20414,8 +20392,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", + "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -20426,13 +20404,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" } ] } @@ -20444,8 +20422,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", + "name": "Does the AA metadata contain the grant_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20456,13 +20434,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "is present": "true" } ] } 
@@ -20474,8 +20452,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", + "name": "Does the AA metadata contain the homepage_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20486,13 +20464,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } @@ -20504,8 +20482,8 @@ }, { "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20521,7 +20499,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", + "check": "$.metadata.oauth_authorization_server.issuer", "is present": "true" } ] 
@@ -20534,8 +20512,8 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the jwks claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20551,7 +20529,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.oauth_authorization_server.jwks", "is present": "true" } ] @@ -20564,8 +20542,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20581,7 +20559,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -20594,8 +20572,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20611,7 +20589,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.oauth_authorization_server.op_policy_uri", "is present": "true" } ] @@ -20624,8 +20602,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the op_tos_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20641,7 +20619,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "check": "$.metadata.oauth_authorization_server.op_tos_uri", "is present": "true" } ] 
@@ -20654,8 +20632,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the organization_name claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20671,7 +20649,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] @@ -20684,8 +20662,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20701,7 +20679,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -20714,8 +20692,8 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20731,7 +20709,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", + "check": "$.metadata.oauth_resource.resource", "is present": "true" } ] @@ -20744,8 +20722,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the response_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20761,7 +20739,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", + "check": "$.metadata.oauth_authorization_server.response_types_supported", "is present": "true" } ] 
@@ -20774,8 +20752,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the scopes_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20791,7 +20769,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.oauth_authorization_server.scopes_supported", "is present": "true" } ] @@ -20804,8 +20782,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20821,7 +20799,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "check": "$.metadata.oauth_authorization_server.token_endpoint", "is present": "true" } ] 
@@ -20834,8 +20812,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20851,7 +20829,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", "is present": "true" } ] @@ -20864,8 +20842,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -20881,7 +20859,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] 
@@ -20894,8 +20872,8 @@ }, { "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -20903,18 +20881,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
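Review bot: The replacement body check only asserts that the response contains something shaped like `x.y.z`, while the description promises `Content-Type: application/entity-statement+jwt`; no header is examined in this hunk, so an HTML or JSON error page containing two dots passes. If mig-t accepts several entries in `checks`, add `{"in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true"}` next to the body check. The regex itself is also loose: `[\\w=]+` excludes `-`, which is part of the base64url alphabet, and it is unanchored, so it can match a fragment of a token rather than the whole compact JWS; something like `^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$` on the trimmed body would be a stricter shape test.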
@@ -20924,27 +20895,20 @@ }, { "test": { - "name": "Does the AA metadata contain the resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_resource.resource", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } @@ -20954,8 +20918,8 @@ }, { "test": { - "name": "Does the AA metadata contain the response_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
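Review bot: The resolve-endpoint body regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens with an unescaped `[`, so the leading bracket starts a character class rather than matching a literal `[`, and the remainder matches nearly any text that ends in `]`. The description also expects an HTTP 200, but the hunk has no head check; the `{"in": "head", "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true"}` pattern used elsewhere in this file fits here. If the endpoint returns a signed statement (`application/resolve-response+jwt`, as OpenID Federation 1.0 specifies), a JSON-array regex will never match a conforming response at all; a `decode operations` entry of type `jwt` with a `$.metadata` presence check on the payload is the shape the other tests in this file use.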
@@ -20966,13 +20930,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -20983,9 +20952,9 @@ } }, { - "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "test": { + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -20996,13 +20965,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
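Review bot: The blocklist path `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of` points at a `metadata_policy` operator, not at the metadata array an Entity Configuration actually carries, so it most likely resolves to nothing and a `not contains` against a missing node can pass vacuously — the wrong failure mode for a check meant to catch `none` and the HS* algorithms. Drop the suffix: `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported"`. The hunk also turns `"decode regex"` back into `"decode param"`, the opposite of the rename the first hunks of this patch apply; if only one key is recognised, the JWT is never decoded here and the check never runs. Consider pairing it with a positive check that the array is non-empty, since an AA advertising no algorithms at all also satisfies the blocklist.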
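Review bot: `$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of` addresses a policy operator (`one_of`) that does not exist under `metadata` in an Entity Configuration, so the `not contains` blocklist for `none`/HS256/HS384/HS512 is likely evaluated against a missing node and may pass without inspecting any real value. Use `"check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported"` and keep `"decode regex"` instead of reverting to `"decode param"`, so the key matches the rename applied earlier in this patch. If the profile restricts client authentication to `private_key_jwt`, a symmetric HS* value in this list would let a client authenticate with a shared secret rather than its registered key, so this is a check worth making actually fire.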
@@ -21014,8 +20988,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -21026,13 +21000,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } @@ -21044,8 +21018,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
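Review bot: The relocated schema requires `authorization_endpoint` with `"const": "private"` under `$.metadata.federation_entity`, whereas the presence test earlier in this patch looks for the same claim under `oauth_authorization_server`, where OAuth AS metadata defines it as the HTTPS URL of the authorization endpoint. Unless the AA profile under test genuinely defines a literal `private` marker in `federation_entity` (worth confirming against the profile text), this test fails against every conforming AA and reports a false finding. If the intent is that an AA must not expose an interactive authorization endpoint, state that in the description and check `$.metadata.oauth_authorization_server` for the claim's absence, or for a `^https://` pattern, instead.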
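Review bot: The description carried over for the logo_uri type test still says "the SA metadata in the TA Entity Configuration", a leftover from another suite; the message type this test runs on is the AA's own Entity Configuration. Suggested wording: `In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type must be an HTTPS URL ending in .svg`.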
@@ -21056,13 +21030,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -21074,8 +21048,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -21086,13 +21060,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } 
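Review bot: The name and description for this test say the `op_policy_uri` value must be `"private"`, but the schema in this hunk only requires `"format": "uri"` and never mentions `private`, so the report text and the actual assertion disagree. Either reword the description to "must be a URI" or, if the AA profile really mandates a literal marker, use `{\"type\": \"string\", \"const\": \"private\"}`. The check also reads `$.metadata.openid_provider`, which an AA need not publish at all, while the presence test for the same claim in this patch looks under `oauth_authorization_server`; with `"required": ["op_policy_uri"]` the schema fails or errors outright whenever the `openid_provider` object is absent.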
@@ -21104,8 +21078,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -21116,13 +21090,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" } ] } @@ -21134,8 +21108,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" 
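Review bot: This relocated type check reads `resource` from `$.metadata.federation_entity`, but the presence test for the same claim in this patch uses `$.metadata.oauth_resource.resource`, which is where the `oauth_resource` metadata type carries it; with `"required": ["resource"]` the schema fails against any AA that puts the claim where the presence test expects it. Point the check at `$.metadata.oauth_resource` and align the description, which also names `federation_entity`. The string-or-array `oneOf` is reasonable; adding `"uniqueItems": true` to the array branch would additionally flag duplicated resource identifiers.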
@@ -21143,11 +21117,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + } + ] } ] } @@ -21157,8 +21138,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -21166,11 +21147,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + } + ] } ] } 
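Review bot: The schema string for the issuer check ends in `\"required\":[\"issuer\"]})` — the stray `)` after the closing brace makes the embedded schema invalid JSON, so it cannot be parsed and the check either errors or, depending on how mig-t treats an unparsable schema, reports a failure that has nothing to do with the AA's metadata. Drop the paren: `\"required\":[\"issuer\"]}`. Once it loads, `^https://` alone accepts any HTTPS URL; for a self-signed Entity Configuration the AS `issuer` would normally equal the entity identifier, so an `"is": "X_key_AA"` comparison like the one used for `$.sub` in this file would be the stronger assertion.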
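Review bot: The logo_uri schema string carries a trailing `)` — `\"required\":[\"logo_uri\"]})` — which is not valid JSON once unescaped, so the schema never loads and the test cannot pass. Remove it: `\"required\":[\"logo_uri\"]}`. This test overlaps with the logo_uri type test in this file that additionally requires a `.svg` suffix; if both are kept, their descriptions should say which profile rule each enforces so a reviewer can tell a missing logo from a non-SVG one.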
@@ -21180,8 +21168,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
@@ -21189,11 +21177,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } 
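Review bot: The schema's `required` list makes all six metadata types mandatory, including `openid_relying_party` and `openid_provider`, which contradicts the description ("must be a value among the following") and fails every AA that publishes only `federation_entity` with `oauth_authorization_server`/`oauth_resource`. `"additionalProperties": false` already enforces the allowed set, so drop `required` entirely, or reduce it to `["federation_entity"]` if the profile under test mandates that type. The "only once for each" part of the name cannot be verified by a schema either: duplicate keys are collapsed by the JSON parser before the check runs, so a raw-body regex on the decoded payload would be needed if that property matters.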
@@ -21203,20 +21198,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } @@ -21226,8 +21228,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
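Review bot: The new trust_marks schema describes an object whose values are arrays (`\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}`), but the description says the claim must be an array, and OpenID Federation defines `trust_marks` as an array of objects each carrying `id` and `trust_mark`. As written the test fails against a conforming Entity Configuration and passes a malformed one. Suggested schema string: `{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}}, \"required\": [\"trust_marks\"]}`.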
@@ -21243,8 +21245,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -21256,8 +21258,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -21273,8 +21275,8 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -21286,8 +21288,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
@@ -21303,8 +21305,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -21316,8 +21318,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does entity configuration AA contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -21333,8 +21335,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -21346,8 +21348,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the AA metadata contain op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", "type": "passive", "sessions": [ "s1" @@ -21358,12 +21360,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$..metadata.openid_provider.op_policy_uri", "is present": "true" } ] 
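Review bot: In the hunk starting at @@ -21333 the new check compares `$.sub` against the fixed token `"is": "X_key_AA"`, while the description says sub must equal the iss claim of the same statement; the same `X_key_AA` token is used as the key reference for `jwt check sig` in @@ -21597, so if it resolves to a key rather than the AA's entity identifier this check can never pass. The RP tests later in this diff already save iss with `"jwt save": "$.iss"` and compare under `"use variable": "true"`; the AA test should use that save-and-compare pattern instead of a hard-coded value, so that a sub/iss mismatch is detected for any configured AA. The enclosing test object starts in the previous hunk.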
@@ -21376,8 +21378,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the AA's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -21393,7 +21395,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.trust_marks", "is present": "true" } ] @@ -21406,8 +21408,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -21423,7 +21425,7 @@ "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.exp", "is present": "true" } ] 
@@ -21436,8 +21438,8 @@ }, { "test": { - "name": "Does the AA metadata contain op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -21448,12 +21450,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata.openid_provider.op_policy_uri", + "check": "$.iat", "is present": "true" } ] @@ -21466,8 +21468,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -21480,7 +21482,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_AA" + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -21490,8 +21498,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -21502,16 +21510,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.jwks", + "is present": "true" } ] } @@ -21523,8 +21528,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" 
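Review bot: The hunk starting at @@ -21502 (and @@ -21535 and @@ -21567 on the next line) renames the decode key from `decode regex` to `decode param`, but the RP file hunks at @@ -288, @@ -318, @@ -348, @@ -378 and @@ -408 do the opposite and the moved RP tests from @@ -108 onward keep `decode regex`, so after this commit both spellings coexist across the plan. Unless the engine accepts both keys, the tests using the unrecognised one never decode the JWT and their payload checks run against nothing, which either errors or passes vacuously without flagging a non-compliant entity. One spelling should be used throughout; the AA file now consistently uses `"decode param": "[^\\r\\n]*"`.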
@@ -21535,15 +21540,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata", + "is present": "true" } ] } @@ -21555,8 +21558,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -21567,16 +21570,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.sub", + "is present": "true" } ] } 
@@ -21588,8 +21588,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -21597,12 +21597,12 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_AA" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json index 93afcff..07707dc 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" @@ -16,43 +16,11 @@ "operations": [ { "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection request", "checks": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -62,20 +30,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "checks": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
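Review bot: The test in the hunk starting at @@ -62 ("Does the Entity expose the /.well-known/openid-federation endpoint") runs exactly the same check as the test in @@ -7, `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` on the head of the Entity Configuration response RP, so it adds no coverage although its description promises that the entity configuration is returned. To match the description this test should look at the body, for example a constructed compact-JWS pattern such as `"in": "body", "check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+"` (regex dialect to be confirmed against the engine), or the status check should be removed as a duplicate and the Content-Type test at @@ -426 relied on. The closing of the test object lies outside the hunk.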
@@ -85,20 +53,42 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", - "type": "passive", + "name": "Does the JWT payload contain a correct sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token request", - "checks": [ + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ], + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.sub", + "contains": "saved_iss" + } + ] } ] } 
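Review bot: In the hunk starting at @@ -85 the new check compares the client_assertion's `$.sub` with the saved iss via `"contains": "saved_iss"`, which reads as a substring match, while the description says the two values must be the same; a sub consisting of the iss value plus a suffix would pass. The same pattern is used in the later RP hunks @@ -456, @@ -486, @@ -516, @@ -546 and @@ -576, and for redirect_uris in @@ -516 a substring match would also accept a registered URI that merely has the sent redirect_uri as a prefix. Where the engine supports equality with a variable, `"is": "saved_iss"` together with `"use variable": "true"` is the check the description describes; if only `contains` accepts a variable, the descriptions should say the comparison is a containment test. The test object continues past the end of the hunk.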
@@ -108,32 +98,26 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", + "check": "$.metadata.openid_relying_party.client_registration_types[0]", "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + "automatic" ] } ] 
@@ -146,27 +130,27 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.metadata.openid_relying_party.grant_types[0]", "is in": [ - "consent", - "consent login" + "authorization_code", + "refresh_token" ] } ] 
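Review bot: The grant_types check in the hunk starting at @@ -146 inspects only `$.metadata.openid_relying_party.grant_types[0]` and accepts either listed value, so an RP advertising only `refresh_token`, or `authorization_code` followed by an arbitrary extra grant, passes although the description requires both `authorization_code` and `refresh_token`. The `[0]` shortcut is harmless for the single-valued claims in the neighbouring hunks (client_registration_types at @@ -108, response_types at @@ -396), but here the whole array should be inspected, for example with a `json schema compliant` check on `$.metadata.openid_relying_party.grant_types` whose items use `"enum": ["authorization_code", "refresh_token"]` and which sets `minItems`, or with one `contains` check per required value. The enclosing test object continues outside the hunk.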
@@ -179,31 +163,27 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -216,25 +196,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -246,25 +229,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -276,8 +262,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" 
@@ -288,13 +274,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } @@ -306,8 +294,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -318,13 +306,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -336,8 +327,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" @@ -348,13 +339,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -366,8 +360,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" 
@@ -378,13 +372,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -396,8 +393,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" @@ -408,13 +405,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] } ] } 
@@ -426,8 +425,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -435,18 +434,12 @@ "operations": [ { "message type": "Entity Configuration response RP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
@@ -456,14 +449,41 @@ }, { "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.client_id", + "as": "client_id" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { @@ -472,9 +492,10 @@ "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + "check": "$.metadata.openid_relying_party.client_id", + "contains": "client_id" } ] } 
@@ -486,14 +507,41 @@ }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { @@ -502,9 +550,10 @@ "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + "check": "$.metadata.openid_relying_party.client_id", + "contains": "iss" } ] } 
@@ -516,25 +565,53 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.redirect_uri", + "as": "redirect_uris" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_relying_party.redirect_uris", + "contains": "redirect_uris" } ] } 
@@ -546,25 +623,53 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.response_type", + "as": "response_types_supported" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + "check": "$.metadata.openid_relying_party.response_types[0]", + "contains": "response_types_supported" } ] } 
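Review bot: The description says the request's `response_type` must match the OP's `response_types_supported`, but the check compares it with `$.metadata.openid_relying_party.response_types[0]` from the RP's own Entity Configuration, only with its first entry, and the saved variable is named `response_types_supported` as if it came from the OP. Either intercept the OP's metadata and check its `response_types_supported` array, or reword the description to say the RP must use a response_type it registered and drop the `[0]` so every registered value counts. As written an RP that registers two response types and sends the second one fails this test for the wrong reason, and `contains` remains a substring test rather than an equality.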
@@ -576,25 +681,53 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", - "type": "passive", + "name": "Does the JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.metadata.openid_relying_party.client_id", + "as": "client_id" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + "check": "$.iss", + "contains": "client_id" } ] } 
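Review bot: `"contains": "client_id"` on `$.iss` of the client_assertion is a substring test, so an `iss` such as `https://rp.example.org/anything` passes when the registered client_id is `https://rp.example.org`, while the description says the value must identify the RP. Use an exact comparison, `"is": "client_id"`, if the framework supports variables with `is`. RFC 7523 §3 also requires the assertion's `sub` to be the client_id, so a sibling check on `"check": "$.sub"` with the same saved variable would close the obvious gap in this test.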
@@ -606,25 +739,53 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", - "type": "passive", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + "check": "$.aud[0]", + "contains": "saved_iss" } ] } 
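Review bot: The decode regex `(?<=\"id_token\": \")[^\"]+` only matches when the OP pretty-prints the token response with a space after the colon; a compact body (`"id_token":"..."`) never decodes, and the aud check then never runs. If the engine allows bounded lookbehind, `(?<=\"id_token\"\\s{0,4}:\\s{0,4}\")[^\"]+` covers both serialisations. Two further points: `$.aud[0]` breaks when `aud` is the plain string form OIDC Core permits, and the reference value is the Entity Configuration's `$.iss` while the description (and the sibling test on the client_assertion) uses `$.metadata.openid_relying_party.client_id`; pick one and use an exact match instead of `contains`.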
@@ -636,85 +797,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. 
Its value must be a timestap", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token request", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" } ] } @@ -846,8 +947,8 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -863,7 +964,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.openid_relying_party.grant_types", "is present": "true" } ] 
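Review bot: The client_assertion `exp` and `iat` checks removed in the first hunk here are not re-added for the Token request anywhere in this view (the new exp/iat tests later in the patch target the Entity Configuration, not the assertion). RFC 7523 §3 makes `exp` mandatory on a JWT client assertion, and without this check the suite accepts a private_key_jwt assertion that never expires, i.e. one that can be replayed indefinitely once captured. Unless these were moved to another file, restore them, e.g. keep `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"` on the `(?<=client_assertion=)([^&]+)` decode. The two hunks that follow on this line are a reorder of existing tests.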
@@ -876,8 +977,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -893,7 +994,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] @@ -906,8 +1007,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -923,7 +1024,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", "is present": "true" } ] 
@@ -936,8 +1037,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -953,7 +1054,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", "is present": "true" } ] @@ -966,8 +1067,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'grant_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -983,7 +1084,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", "is present": "true" } ] @@ -1026,8 +1127,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", "type": "passive", "sessions": [ "s1" 
@@ -1043,7 +1144,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "check": "$.metadata.openid_relying_party.jwks", "is present": "true" } ] @@ -1056,8 +1157,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1073,7 +1174,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] @@ -1086,8 +1187,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1103,7 +1204,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -1116,8 +1217,8 @@ }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1133,7 +1234,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] @@ -1146,8 +1247,8 @@ }, { "test": { - "name": "Does the RP metadata contain the organization_name claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1163,7 +1264,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.openid_relying_party.redirect_uris", "is present": "true" } ] @@ -1176,8 +1277,8 @@ }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" 
@@ -1193,7 +1294,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", "is present": "true" } ] @@ -1356,8 +1457,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -1365,18 +1466,11 @@ "operations": [ { "message type": "Entity Configuration response RP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
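Review bot: The new JOSE-format test in the last hunk checks only that the body looks like three dot-separated segments, whereas its description promises `Content-Type: application/entity-statement+jwt`; an Entity Configuration served as `text/plain` or as a JSON document wrapping a JWT string passes. Add a head check alongside it, e.g. `"in": "head", "check regex": "Content-Type:\\s*application/entity-statement\\+jwt", "is present": "true"`. The first two groups of `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` also omit `-`, a legal base64url character, so the match can start in the middle of a token; `[\\w\\-]+` is the base64url alphabet.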
@@ -1386,27 +1480,20 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is": "X_url_RP" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } @@ -1416,8 +1503,8 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ "s_CIE_introsp" 
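Review bot: The resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens with an unescaped `[`, which the engine reads as a character class ending at the first `]` (right after `[^\"`), so the expression does not describe the JSON string array that the escaped closing `\\]` suggests; the leading bracket presumably needs to be `\\[`. Beyond the typo, the description expects an HTTP 200 containing the resolved metadata, but neither the status line nor a signed-statement body is checked; a head check on the 200 status, as used elsewhere in this file, would cover the first half. The `sub == iss` check on the RP Entity Configuration removed here is not re-added in this view; if it was not moved, keep it, since a mismatched `sub` means the statement is about a different entity.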
@@ -1428,8 +1515,8 @@ "checks": [ { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -1439,20 +1526,20 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Revocation request", "checks": [ { "in": "body", - "check": "client_id", - "is": "X_url_RP" + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } @@ -1462,8 +1549,8 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" @@ -1474,8 +1561,8 @@ "checks": [ { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
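Review bot: The JWT-shape regexes added in these hunks, e.g. `token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)`, exclude `-` from the header and payload groups although it is part of the base64url alphabet, and because the match is pinned by `token=` and `(?:&|$)` a valid token whose header or payload contains `-` fails the check outright. Using `[\\w\\-]+` for the first two groups (and `[\\w\\-]*` for the signature) matches RFC 7515 compact serialisation. The Revocation variant `client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)` differs from the Token request one for no stated reason; the four regexes should share one definition of "looks like a JWS".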
@@ -1485,8 +1572,8 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ "s1" @@ -1497,8 +1584,8 @@ "checks": [ { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -1508,8 +1595,8 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ "s1" @@ -1519,9 +1606,9 @@ "message type": "Token request", "checks": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "in": "head", + "check regex": "POST", + "is present": "true" } ] } 
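Review bot: `"check regex": "POST"` on the request head with `is present` matches the substring POST anywhere in the headers, not only the request line, so a GET token request whose path or a header value happens to contain "POST" passes. Anchor it to the request line, `"check regex": "^POST\\s"`, or whatever line-anchored form the framework supports. The `client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)` regex two hunks above has the base64url gap of its siblings: `-` is not in `[\\w=]`, so a valid assertion with `-` in its header or payload fails.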
@@ -1531,54 +1618,31 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "active", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "https://example.com", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "UserInfo request", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" 
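Review bot: The UserInfo check `Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` accepts `Authorization:Bearer<token>` with no separator and rejects a token whose header or payload contains `-`; `Authorization:\\s*Bearer\\s+([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]*)` follows RFC 6750 and base64url. The test name says "valid Access Token" while only the shape is asserted; "well-formed" is the honest wording for the name and description. Separately, the active Revocation test this hunk replaces (tampered client_id must yield `HTTP 401` with `invalid_client`) is a negative check the passive suite cannot express; if it was not moved to the OP test set it should not be dropped.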
@@ -1586,11 +1650,20 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } @@ -1600,8 +1673,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1609,11 +1682,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
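Review bot: The RSA-1.5 exclusion in the first hunk can never fire: the JWA identifier registered in RFC 7518 §4.1 is `RSA1_5` (no underscore after RSA), so `"not contains": ["RSA_1_5"]` passes an RP whose `id_token_encrypted_response_alg` is exactly the padding-oracle-prone algorithm the test intends to forbid. Change the line to `"not contains": ["RSA1_5"]`. The Entity Configuration `exp` test that follows only asserts that a non-negative integer is present, so an already-expired EC passes despite the name "correct exp parameter"; rename it or add a comparison if the framework can evaluate one. The EC 200-status check removed in the first hunk is not re-added in this view; worth confirming it was moved rather than lost.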
@@ -1623,8 +1703,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1632,11 +1712,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
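Review bot: The name "correct iat parameter" overstates what is asserted, which is only that `iat` is a non-negative integer in the decoded payload; an Entity Configuration with `iat` in the future or later than `exp` passes. Either rename the test to "contain an iat parameter" to match its description, or add a check that `iat` does not exceed `exp` if the framework can compare saved variables. The schema would also benefit from `\"maximum\"` bounds only if the framework injects the current time, which nothing here shows.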
@@ -1646,20 +1733,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] } ] } 
@@ -1669,20 +1763,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + } + ] } ] } 
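Review bot: Name, description and check disagree: the name says "greater than 32 characters", the description says "alphanumeric", and the pattern `^[\\u0020-\\u007E]{32,}$` accepts exactly 32 characters of any printable ASCII including space. Decide which is intended; if the rule is at least 32 characters, fix the name, and if characters must be alphanumeric, use `^[A-Za-z0-9]{32,}$`. The pattern string also passes through two JSON decodes (the outer test file and the embedded schema), so `\\u0020` must survive the outer layer as `\u0020` for the inner parser; a quick run against a known-good request would confirm it does.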
@@ -1692,20 +1793,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + } + ] } ] } 
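Review bot: The description says the nonce must be at least 32 alphanumeric characters but `^[\\u0020-\\u007E]{32,}$` admits any printable ASCII including spaces, and the name says "longer than 32" while `{32,}` accepts exactly 32. Align the three: `^[A-Za-z0-9]{32,}$` if alphanumeric is the rule, and "at least 32 characters" in both name and description. It is worth stating in the description that unpredictability of the nonce is the actual security property and is not something this regex can assert.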
@@ -1715,20 +1823,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + } + ] } ] } 
@@ -1738,20 +1853,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + } + ] } ] } 
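Review bot: The schema `{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}` never enforces presence: `requirement` is not a JSON Schema keyword and the name it lists, `grant_type`, is not the property being checked, so an RP metadata block with no `grant_types` at all passes this test. Replace the tail with `\"required\":[\"grant_types\"]`, as the neighbouring grant_types enum test already does. A `\"$schema\"` declaration in these embedded schemas would also make unknown keywords like this one easier to catch with a linter.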
@@ -1761,20 +1883,27 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + } + ] } ] } 
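Review bot: The `enum` on `grant_types` items is only evaluated per element, so an empty `grant_types: []` satisfies the new schema although the test name demands authorization_code or refresh_token to be present; add `\"minItems\": 1` (and optionally `\"uniqueItems\": true`) next to `\"items\"`. The description still says "the type of the 'grant_types' parameter is checked", which describes the previous test; reword it to "the values of the 'grant_types' array are checked against authorization_code and refresh_token".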
@@ -1784,20 +1913,27 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] } ] } 
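Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` accepts plain `http://` URLs, while the sibling RP-metadata tests in this file pin `client_id` and `redirect_uris` to `^https://`; if the profile requires HTTPS for the federation_entity logo as well, tighten it to `^https://.*\\.svg$`. Note also that `format: uri` is treated as an annotation by most JSON Schema validators unless format assertion is switched on, so the `pattern` is the only constraint actually enforced by this check.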
@@ -1807,20 +1943,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + } + ] } ] } 
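Review bot: An empty `redirect_uris` array satisfies the new schema, because `items` constraints are vacuous on `[]`; add `\"minItems\": 1` beside `\"items\"` so the test fails when the RP publishes no redirect URI. The pattern `^https://.*$` also admits a fragment component; if the tool's regex dialect allows it, `^https://[^#]*$` would additionally reject `#...` fragments, which RFC 6749 §3.1.2 forbids in redirection URIs — hedged, as I can't see which profile rule this test encodes.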
@@ -1830,20 +1973,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } 
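Review bot: The new schema lists all six metadata types under `required`, so an Entity Configuration that does not carry every one of `openid_relying_party`, `openid_provider`, `federation_entity`, `oauth_authorization_server`, `oauth_resource` and `trust_mark_issuer` fails — an RP that publishes only `openid_relying_party` and `federation_entity` would never pass, while the description only says each key must be one of those types. Drop the `required` array and keep `\"additionalProperties\": false`, which is the part that enforces the allowed-type rule. The "cannot be repeated" requirement cannot be verified after JSON parsing (duplicate keys collapse to one), so either the description should say the check is on allowed names only or the check must run on the raw payload text.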
@@ -1853,43 +2003,57 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" - } - ] - } + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + } + ] + } + ] + } ], "result": "correct flow s1" } }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json 
schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } @@ -1899,20 +2063,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + } + ] } ] } 
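Review bot: Both new schemas stop at `type: array`, so `response_types: [42]` or `trust_marks: [\"x\"]` pass; give each array an `items` schema and `minItems`, e.g. `\"response_types\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\"}}` and, for trust marks, `\"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}` (the id/trust_mark entry shape is what OpenID Federation specifies — confirm against the profile this suite targets). The first test's name "as a json" should read "as a JSON array" to match its description.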
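Review bot: `format: uri-reference` on a `type: array` schema has no effect (format applies to strings), and requiring `aud` to be an array rejects a client_assertion whose `aud` is a single string, which RFC 7519/7523 permit and which is the usual encoding of the token endpoint URL. Use a union, `\"aud\": {\"anyOf\": [{\"type\": \"string\", \"format\": \"uri\"}, {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"format\": \"uri\"}}]}`, keeping in mind that `format` is only asserted when the validator has format assertion enabled.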
@@ -1922,20 +2093,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
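Review bot: The `exp` check pins `type: integer`, but RFC 7519 defines NumericDate as a JSON number that may carry a fractional part, so a compliant assertion with `\"exp\": 1712060000.5` would fail here; if this profile only accepts integer timestamps the test is fine, otherwise use `\"type\": \"number\"`. The description has a typo ("timestap" → "timestamp") and could state that this passive test verifies only the claim's type, not that `exp` lies in the future or is close to `iat`.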
@@ -1945,20 +2123,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -1968,66 +2153,73 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", - "type": "passive", + "name": "Does the Revocation Request contain correct client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "value": "https://example.com", + "edit regex": "(?<=client_id=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ + }, { - "message type": "Introspection request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "is present": true, - "check regex": "token" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does entity configuration RP contain a correct sub parameter", + "description": "To accomplish this test, the 
Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_RP" + } + ] } ] } @@ -2037,20 +2229,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" + } + ] } ] } 
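Review bot: The expected-failure check hard-codes a 401 (`HTTP/?\\d?\\.?\\d?\\s401`), but RFC 6749 §5.2, which RFC 7009 revocation errors follow, only says the server MAY use 401 for `invalid_client` and otherwise returns 400, so a conforming OP answering `400 invalid_client` fails this active test. Loosen it to `\"check regex\": \"HTTP/?\\\\d?\\\\.?\\\\d?\\\\s(400|401)\"` and let the `invalid_client` body check carry the assertion. Note also that the edit replaces `client_id` only in the form body while the accompanying client_assertion still carries the real client's `iss`/`sub`, so in practice the rejection may be driven by that mismatch rather than by the unknown client id; the description should say which behaviour is being exercised.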
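Review bot: The two new value checks compare against what look like substitution placeholders with inconsistent spelling — `\"is\": \"X_url_RP\"` for `$.sub` and `\"is\": \"x_https_RP\"` for `client_id` — and the `sub` description says the value must equal `iss`, which a comparison against a literal does not establish. If the tool substitutes these tokens, use one name for the same RP identifier in both tests; if it does not, these are equality checks against fixed strings and will fail for every RP, and the `sub == iss` check needs a saved variable (`jwt save` on `$.iss`, then `use variable`) as the tests removed in this file did. I can't see the variable resolution from this hunk, so please confirm.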
@@ -2060,20 +2259,23 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token request", "checks": [ { "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } @@ -2083,20 +2285,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
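Review bot: The description says the `grant_type` parameter is "in the URL of the token request", but the check reads `\"in\": \"body\"`, which is the right place for a form-encoded token request; reword it to "The grant_type parameter in the body of the token request sent by the RP must be set to authorization_code or refresh_token". The lookbehind `(?<=grant_type=)([^&]+)` also matches inside a longer parameter name such as `x_grant_type=`; `(?<=(?:^|&)grant_type=)([^&]+)` avoids that, if the regex engine supports it.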
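Review bot: `\"is present\": \"true\"` is written as a string here (and in the following presence tests), whereas the lines this hunk removes used the boolean `true`; if the tool accepts both, pick one form for the whole file, preferably the boolean `\"is present\": true`, so the value is not silently treated as a non-empty string. The description could also note that a presence check does not validate the `exp` value itself, which the client_assertion tests in this file do via a schema.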
@@ -2106,20 +2315,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } @@ -2129,20 +2345,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
@@ -2152,20 +2375,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } @@ -2175,20 +2405,27 @@ }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } 
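Review bot: Presence of `$.jwks` is a weak check for the key material the federation trust chain relies on: `\"jwks\": {}` or `\"jwks\": {\"keys\": []}` both pass. Check the structure instead, e.g. keep `\"check\": \"$.jwks\"` and replace the presence assertion with `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"keys\":{\"type\":\"array\",\"minItems\":1,\"items\":{\"type\":\"object\",\"required\":[\"kty\"]}}},\"required\":[\"keys\"]}"`, which mirrors how the other metadata tests in this file are written.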
@@ -2198,20 +2435,27 @@ }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } @@ -2221,20 +2465,27 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr_values", + "is present": "true" + } + ] } ] } 
@@ -2244,20 +2495,27 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "grant_type" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -2267,20 +2525,27 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -2290,20 +2555,27 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } 
@@ -2313,53 +2585,55 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", - "type": "active", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.client_id", - "as": "client_id" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. 
If it is missing, than the RP is not compliant with the specifications", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "client_id" + "check": "$.iat", + "is present": "true" } ] } 
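Review bot: The header check only establishes that `kid` exists; it does not confirm the value is a string or names a key in the RP's published `jwks`, so a signed request object that cannot be verified still passes — replacing the presence check with `\"json schema compliant\": \"{\\\"type\\\":\\\"string\\\",\\\"minLength\\\":1}\"` on `$.kid` would at least rule out empty or non-string values. Separately, this hunk replaces the active test that tied the request object's `client_id` to the `client_id` in the RP Entity Configuration with two presence checks; unless that cross-check now lives elsewhere in the suite, the binding between the authentication request and the RP's metadata is no longer exercised.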
@@ -2371,53 +2645,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.redirect_uri", - "as": "redirect_uris" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "contains": "redirect_uris" + "check": "$.iss", + "is present": "true" } ] } 
@@ -2429,53 +2675,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.response_type", - "as": "response_types_supported" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "contains": "response_types_supported" + "check": "$.nonce", + "is present": "true" } ] } 
@@ -2487,53 +2705,55 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Authentication request", "decode operations": [ { "from": "url", "decode param": "request", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "iss" + "in": "payload", + "check": "$.prompt", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", + { + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - 
"check": "$.metadata.openid_relying_party.client_id", - "contains": "iss" + "check": "$.redirect_uri", + "is present": "true" } ] } @@ -2545,53 +2765,25 @@ }, { "test": { - "name": "Does the JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.metadata.openid_relying_party.client_id", - "as": "client_id" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "client_id" + "check": "$.response_type", + "is present": "true" } ] } 
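Review bot: The description of the `redirect_uri` test is an unfinished sentence — "and the presence of the 'redirect_uri' parameter" — and should end "... parameter is checked." The removed active test verified that this `redirect_uri` is one of the `redirect_uris` published in the RP Entity Configuration; the new presence check does not, so a request object pointing at an unregistered redirect URI passes this test unless another test in the suite still performs the comparison (I can't see the whole suite from this hunk).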
@@ -2603,53 +2795,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", - "type": "active", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.aud[0]", - "contains": "saved_iss" + "check": "$.scope", + "is present": "true" } ] } 
@@ -2661,8 +2825,8 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2678,7 +2842,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.acr_values",
+ "check": "$.state",
 "is present": "true"
 }
 ]
@@ -2691,8 +2855,8 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications",
+ "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2708,7 +2872,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.ui_locales",
 "is present": "true"
 }
 ]
@@ -2721,24 +2885,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.trust_marks", "is present": "true" } ] @@ -2751,24 +2915,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.aud", "is present": "true" } ] 
@@ -2781,24 +2945,24 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.exp", "is present": "true" } ] @@ -2811,19 +2975,19 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { 
@@ -2841,24 +3005,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", + "check": "$.iss", "is present": "true" } ] @@ -2871,24 +3035,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.jti", "is present": "true" } ] 
@@ -2901,24 +3065,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.redirect_uri", + "check": "$.sub", "is present": "true" } ] @@ -2931,8 +3095,8 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", "type": "passive", "sessions": [ "s1" 
@@ -2940,18 +3104,57 @@ "operations": [ { "message type": "Authentication request", - "decode operations": [ + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.response_type", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "code_challenge" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication request", + "checks": [ + { + "in": "url", + "is present": true, + "check": "code_challenge_method" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication request", + "checks": [ + { + "in": "url", + "is present": true, + "check": "client_id" } ] } @@ -2961,8 +3164,8 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" 
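Review bot: The new `checks` blocks write `"is present": true` as a JSON boolean, while the `decode operations` checks that remain in this file (the 'redirect_uri', 'response_type' and 'scope' tests in the hunks just above) write the same key as the string `"true"`. One key now carries two types across the document; if the runner compares the raw value against one form, the other form will silently never match. Pick a single representation for both, e.g. the existing `"is present": "true"`, here and in the later `checks` blocks (hunks @@ -2970 through @@ -3441).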
@@ -2970,18 +3173,11 @@ "operations": [ { "message type": "Authentication request", - "decode operations": [ + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.scope", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } @@ -2991,27 +3187,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.state", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
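Review bot: `"check regex": "client_assertion"` in the Introspection test is an unanchored substring match on the body, so it is also satisfied by `client_assertion_type=…` alone and the test cannot fail when the assertion itself is missing. The same substring problem affects `"check regex": "token"` (matches e.g. `token_type_hint`) and `"check regex": "code"` (matches `code_verifier`) in hunks @@ -3141, @@ -3261, @@ -3360 and @@ -3441. Anchoring the name as a form parameter fixes it: `"check regex": "(^|&)client_assertion="`, assuming the regex is applied to the raw form-encoded body as the older `(?<=grant_type=)` check suggests.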
@@ -3021,27 +3210,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.ui_locales", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -3051,27 +3233,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
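Review bot: The test "contain the client_assertion as a valid JWT" uses exactly the same check as the presence test two hunks earlier — `"check regex": "client_assertion"` — so nothing about JWT structure is verified and the two tests are indistinguishable. Either match the three-segment compact serialization, `"check regex": "client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+(&|$)"`, or use the `decode operations` / `"type": "jwt"` form that the Token request tests in this file already use for the same parameter, which would also let a `jwt check sig` be attached later.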
@@ -3081,27 +3256,20 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } @@ -3111,27 +3279,20 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
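Review bot: The "use HTTP POST" test looks for the literal text `POST` with `"in": "url"`; an introspection endpoint URL would not normally contain that string, so unless the `url` target also covers the request line this check presumably cannot establish the HTTP method and would fail on a correct POST. If the framework exposes the method, check that instead; otherwise the test name and description overstate what is verified. The description also reads "made by the RP use HTTP POST" — `"description": "The Introspection request made by the RP must use HTTP POST"`.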
@@ -3141,27 +3302,20 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } @@ -3171,27 +3325,20 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
@@ -3201,27 +3348,20 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -3231,27 +3371,20 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -3261,27 +3394,43 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } @@ -3291,8 +3440,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", "type": "passive", "sessions": [ "s1" 
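Review bot: The new token request test's description says the parameter "must contain client_assertion parameter in the URL" while the check inspects `"in": "body"`, and the Token request carries its parameters form-encoded in the body, so the description contradicts the check. The same wording is used in @@ -3291 on this line and in @@ -3321, @@ -3351, @@ -3381 and @@ -3411 for client_assertion_type, client_id, code, code_verifier and grant_type. Suggest `"description": "The token request sent by the RP must contain the client_assertion parameter in the body"` and the equivalent for the others.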
@@ -3300,18 +3449,11 @@ "operations": [ { "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.aud", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -3321,8 +3463,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ "s1" @@ -3330,18 +3472,11 @@ "operations": [ { "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } @@ -3351,8 +3486,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" 
@@ -3360,18 +3495,11 @@ "operations": [ { "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "code" } ] } @@ -3381,8 +3509,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" @@ -3390,18 +3518,11 @@ "operations": [ { "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jti", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] } @@ -3411,8 +3532,8 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" 
@@ -3420,18 +3541,11 @@ "operations": [ { "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } @@ -3441,27 +3555,20 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
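Review bot: "Does the RP revoke the Token when the User logs out" has operations identical to "Does the Revocation Request contain the token" (hunk @@ -3261): a presence match of `token` in any Revocation request of session s1. The check therefore establishes neither that the revocation follows a logout nor that "only the access token" is revoked, which is what the description promises. If the framework cannot express the ordering, narrow the description to what is checked, e.g. `"description": "A Revocation request containing the token parameter must be sent by the RP during the session"`, so a passing result is not read as proof of logout behaviour.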
@@ -3471,23 +3578,20 @@
 },
 {
 "test": {
- "name": "Does the token request contain a correct grant_type parameter",
- "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked",
+ "name": "Does the RP contain the Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "UserInfo request",
 "checks": [
 {
- "in": "body",
- "check regex": "(?<=grant_type=)([^&]+)",
- "is in": [
- "authorization_code",
- "refresh_token"
- ]
+ "in": "head",
+ "is present": true,
+ "check param": "Authorization"
 }
 ]
 }
@@ -3497,8 +3601,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
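Review bot: The UserInfo check only asserts that an `Authorization` header exists (`"check param": "Authorization"`), so any scheme passes although the description requires an Access Token; if `check regex` is supported on `head`, matching `Bearer ` followed by a token would pin the intended behaviour. Separately, this hunk removes the only value check on `grant_type` (`is in` authorization_code / refresh_token) and the remaining grant_type test in @@ -3420 is presence-only; unless the value check moved to another file in the patch, an RP sending an arbitrary grant_type now passes.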
@@ -3509,20 +3613,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
+ "jwt check sig": "X_key_RP"
 }
 ]
 }
@@ -3532,29 +3625,21 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
+ "name": "Does the client_assertion in the token request have a correct signature",
+ "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token request",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is not in": [
- "RSA_1_5"
- ]
- }
- ]
+ "jwt check sig": "X_key_core_RP"
 }
 ]
 }
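Review bot: Both hunks on this line drop the `is not in` checks on the RP metadata — `id_token_signed_response_alg` against `none`/`HS256`/`HS384`/`HS512` and `userinfo_encrypted_response_alg` against `RSA_1_5` — and @@ -3564 on the next line drops the same check for `userinfo_signed_response_alg`; the tests that replace them (signature verification of the Entity Configuration and of the client_assertion) do not cover this. Unless these moved to another file in the patch, an RP advertising `alg: none` or a symmetric HMAC for ID Token signing is no longer flagged. Suggest keeping them as separate passive tests next to the new signature tests rather than repurposing their slots.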
@@ -3564,32 +3649,20 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
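Review bot: The `json schema compliant` check is applied with `"check": "$"` to `"in": "body"` of an Introspection request, which is a form-encoded body in the other tests on this file (`(?<=client_assertion=)` style regexes); unless the runner converts form parameters into a JSON object, `$` has nothing to select and the schema cannot be evaluated. Worth confirming before relying on it, since the same construct is used for the Revocation and Token requests in @@ -3599 and @@ -3632. Note also that `"format":"uri"` is annotation-only in many validators, so the `"pattern":"^https://"` is what actually enforces the HTTPS requirement here.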
@@ -3599,21 +3672,20 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_RP" + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } @@ -3623,8 +3695,8 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" 
@@ -3632,12 +3704,11 @@
 "operations": [
 {
 "message type": "Token request",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "jwt check sig": "X_key_core_RP"
+ "in": "body",
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})"
 }
 ]
 }
@@ -3647,29 +3718,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'client_registration_types' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'",
+ "name": "Does the Introspection Request contain correct type of client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
- {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.client_registration_types[0]",
- "is in": [
- "automatic"
- ]
- }
- ]
+ "message type": "Introspection request",
+ "checks": [
+ {
+ "in": "body",
+ "check": "client_assertion_type",
+ "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 }
 ]
 }
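Review bot: The added `json schema compliant` value ends with `]})` — the stray `)` after the closing brace makes the embedded schema unparseable, so this HTTPS-client_id check on the Token request will error or fail on every run instead of validating anything; it should end `\"required\":[\"client_id\"]}"` exactly as the Introspection and Revocation checks earlier in this file section do. The preceding hunk's description also says the parameter is "in the URL of the token request" while the check reads `"in": "body"`, and since the Token request body is form-encoded rather than JSON it is worth confirming that a `"check": "$"` schema check applies to it at all (the client_id test later in this section uses `"check": "client_id"` with `"is"` on the body instead). The test object begins outside this hunk.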
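Review bot: The description of the new client_assertion_type test for the Introspection request spells the expected URN `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` (missing hyphen), whereas the check itself uses the correct `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the Revocation test two hunks later repeats `clientassertion-type` and the Token request test after it writes `jwtbearer`. These descriptions are what an implementer reads when a test fails, so each should quote the value the check actually enforces.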
@@ -3679,30 +3741,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_url_RP" } ] } 
@@ -3712,30 +3764,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
@@ -3745,30 +3787,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
@@ -3778,30 +3810,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } @@ -3811,8 +3833,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3828,9 +3850,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -3843,8 +3868,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" @@ -3861,9 +3886,8 @@ { "in": "payload", "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" + "is not in": [ + "RSA_1_5" ] } ] @@ -3876,8 +3900,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3893,10 +3917,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -3909,27 +3935,29 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -3942,26 +3970,32 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", + "check": "$.acr_values", "is in": [ - "code" + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" ] } ] 
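Review bot: The `acr_values` check enumerates only ascending-order combinations, so a request carrying `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` — acceptable under the description, which only requires space-separated supported values — is reported as non-compliant. If the tool has no set-membership check, either add the remaining permutations to the `is in` list or state in the description that the values must be listed in L1, L2, L3 order so the restriction is deliberate rather than accidental.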
@@ -3974,64 +4008,28 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the JWT payload contain a correct sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. 
Its value must be the same of the iss value", - "type": "active", - "sessions": [ - "s1" - ], - "operations": [ - { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ], "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.sub", - "contains": "saved_iss" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } @@ -4043,8 +4041,8 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" @@ -4059,13 +4057,15 @@ "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "payload", + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" ] } ] 
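Review bot: The new `scope` check's `is in` list omits several values the description allows: `openid profile email`, `openid offline_access profile email`, and every other ordering of the optional scopes, so a conforming RP that requests more than one optional scope is flagged. Either enumerate every subset of offline_access, profile and email after `openid` (in each order the tool should accept), or narrow the description to say that at most one optional value is accepted. The `acr_values` test earlier in this section has the same ordering limitation. The test object enclosing this last hunk begins outside it.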
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json
index 9623906..a438b6a 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
 "type": "passive",
 "sessions": [
 "s1"
@@ -16,20 +16,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
- "not contains": [
- "RSA_1_5"
- ]
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
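Review bot: `"is present": "true"` is a string, while `"url decode": false` later in this file section is a real boolean; the same stringly flag is added in the client_id, client_registration_types and contacts presence checks further down. If the tool compares the string literally this works by accident, and a future `"false"` would still be truthy in most languages; use a bare `true` consistently unless the tool documents string-valued flags. The `check regex` only asserts that a `200` status line appears somewhere in the head, which is fine for a status check but is all this test verifies.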
@@ -39,20 +30,20 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain correct type of client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
+ "message type": "Entity Configuration response RP",
 "checks": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
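Review bot: The "Does the Entity expose the /.well-known/openid-federation endpoint" test now has operations identical to the HTTP-200 test in the previous hunk, so it can never fail independently, yet its description promises that "its entity configuration is expected as response". To test what it claims, the check should verify something the status test does not — for instance the `application/entity-statement+jwt` Content-Type or that the body decodes as a JWT, both of which this file section already does elsewhere with `"check param": "Content-Type"` and `"type": "jwt"` — or the two tests should be merged.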
@@ -62,20 +53,29 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] + } + ] } ] } 
@@ -85,20 +85,30 @@
 },
 {
 "test": {
- "name": "Does the client_id in the token request contain an HTTPS URL",
- "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL",
+ "name": "Does the RP metadata contain correct grant_types claim",
+ "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.grant_types[0]",
+ "is in": [
+ "authorization_code",
+ "refresh_token"
+ ]
+ }
+ ]
 }
 ]
 }
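Review bot: `"check": "$.metadata.openid_relying_party.grant_types[0]"` with `"is in": ["authorization_code", "refresh_token"]` passes whenever the first array element is either value, so metadata listing only `refresh_token`, or only `authorization_code`, is judged the same as metadata listing both, whereas the description requires that the array contain both. Unless the tool offers an array membership check, two separate checks or a `json schema compliant` check on `$.metadata.openid_relying_party.grant_types` with `\"contains\"` constraints (if the validator's draft supports it) would enforce what the description states. The `[0]` pattern also appears in the client_registration_types and response_types tests of this section, where it likewise inspects only the first element.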
@@ -108,32 +118,27 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -146,27 +151,27 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", "is in": [ - "consent", - "consent login" + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -179,31 +184,27 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" + "RS256", + "RS512" ] } ] 
@@ -216,25 +217,27 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } 
@@ -246,25 +249,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -276,8 +282,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" 
@@ -288,13 +294,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -306,8 +315,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -318,13 +327,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -336,8 +348,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" @@ -348,13 +360,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] } ] } @@ -366,8 +380,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" 
@@ -375,18 +389,12 @@
 "operations": [
 {
 "message type": "Entity Configuration response RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\n\\r]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
@@ -396,8 +404,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type of 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL",
+ "name": "Does the RP metadata contain the 'client_id' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -408,13 +416,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"
+ "check": "$.metadata.openid_relying_party.client_id",
+ "is present": "true"
 }
 ]
 }
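Review bot: The Content-Type check `"is": "application/entity-statement+jwt"` in the first hunk presumably compares the whole header value, so a response that carries a parameter such as `; charset=utf-8` would be reported as non-compliant although the media type is correct. If `is` is a full-string comparison, a regex check anchored on the media type (for example `^application/entity-statement\+jwt(;|$)`) would tolerate parameters; if the tool is meant to reject parameters, the description should say so. The enclosing test object starts before this hunk.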
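Review bot: `"is present": "true"` in the third hunk is a JSON string, while the first hunk on the same line writes `"url decode": false` as a JSON boolean, so flag-like keys in this format now use two representations; a consumer that compares against boolean `true` silently treats the string as a different value. The string form is used for every `is present` added by this patch, so it is presumably what the runner parses, but the format would be easier to validate if one representation were used throughout and the accepted form were documented where the test format is described.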
@@ -426,8 +434,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type grant_types claim",
- "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array",
+ "name": "Does the RP metadata contain the 'client_registration_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -438,13 +446,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}"
+ "check": "$.metadata.openid_relying_party.client_registration_types",
+ "is present": "true"
 }
 ]
 }
@@ -456,8 +464,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter",
- "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.",
+ "name": "Does the RP metadata contain the contacts claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -468,13 +476,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}"
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
@@ -486,8 +494,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token",
- "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.",
+ "name": "Does the RP metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -498,13 +506,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}"
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -516,8 +524,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct type logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
+ "name": "Does the RP metadata contain the grant_types claim",
+ "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -528,13 +536,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.openid_relying_party.grant_types",
+ "is present": "true"
 }
 ]
 }
@@ -546,8 +554,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'response_types' parameter as a json",
- "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array",
+ "name": "Does the RP metadata contain the 'grant_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -558,13 +566,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}"
+ "check": "$.metadata.openid_relying_party.grant_types",
+ "is present": "true"
 }
 ]
 }
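Review bot: After this change the file contains two consecutive tests with the same check, `$.metadata.openid_relying_party.grant_types` with `"is present": "true"`: the one renamed "Does the RP metadata contain the grant_types claim" (hunk `@@ -516` on the previous line, check in the first hunk here) and the one renamed "Does the RP metadata contain the 'grant_types' parameter" (hunks `@@ -546` and `@@ -558`). The same condition is therefore reported twice under two names, which inflates results without adding coverage; one of the two should be dropped, or repointed at a property that is not yet covered. The enclosing test objects start and end outside these hunks.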
@@ -576,8 +584,8 @@
 },
 {
 "test": {
- "name": "Does the RP's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
+ "name": "Does the RP metadata contain the homepage_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -588,13 +596,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -606,25 +614,25 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain a correct aud claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL",
+ "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}"
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
+ "is present": "true"
 }
 ]
 }
@@ -636,25 +644,25 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain a correct exp claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap",
+ "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
+ "is present": "true"
 }
 ]
 }
@@ -666,25 +674,25 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain a correct iat claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap",
+ "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is present": "true"
 }
 ]
 }
@@ -696,8 +704,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -713,7 +721,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
+ "check": "$.metadata.openid_relying_party.jwks",
 "is present": "true"
 }
 ]
@@ -726,8 +734,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'client_registration_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
 "type": "passive",
 "sessions": [
 "s1"
@@ -743,7 +751,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_registration_types",
+ "check": "$.metadata.openid_relying_party.jwks",
 "is present": "true"
 }
 ]
@@ -756,8 +764,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the contacts claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the RP metadata contain the logo_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -773,7 +781,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
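Review bot: The 'jwks' presence test now exists twice back to back — hunks `@@ -696`/`@@ -713` on the previous line and `@@ -726`/`@@ -743` here both check `$.metadata.openid_relying_party.jwks` with `"is present": "true"` and differ only in the description. Keeping a single test (the one with the fuller description) would avoid reporting the same finding twice. The second description also reads `If it is absent, than the RP is not compliant`; `than` should be `then`. Both test objects start and end outside these hunks.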
@@ -786,8 +794,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the RP metadata contain the organization_name claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -803,7 +811,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -816,8 +824,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the grant_types claim",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked",
+ "name": "Does the RP metadata contain the policy_uri claim",
+ "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -833,7 +841,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -846,8 +854,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the homepage_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the RP metadata contain the 'redirect_uris' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -863,7 +871,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
+ "check": "$.metadata.openid_relying_party.redirect_uris",
 "is present": "true"
 }
 ]
@@ -876,8 +884,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.",
+ "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -893,7 +901,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
+ "check": "$.metadata.openid_relying_party.signed_jwks_uri",
 "is present": "true"
 }
 ]
@@ -906,8 +914,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.",
+ "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -923,7 +931,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
+ "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
 "is present": "true"
 }
 ]
@@ -936,8 +944,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'redirect_uris' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -953,7 +961,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.redirect_uris",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
 "is present": "true"
 }
 ]
@@ -966,8 +974,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'grant_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -983,7 +991,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
 "is present": "true"
 }
 ]
@@ -996,8 +1004,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
+ "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1013,7 +1021,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
 "is present": "true"
 }
 ]
@@ -1026,8 +1034,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.",
+ "name": "Does the RP metadata contain the 'response_types' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1043,7 +1051,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.signed_jwks_uri",
+ "check": "$.metadata.openid_relying_party.response_types",
 "is present": "true"
 }
 ]
@@ -1056,8 +1064,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1065,18 +1073,11 @@
 "operations": [
 {
 "message type": "Entity Configuration response RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
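Review bot: The JWT-shape regex `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` added in the second hunk does not describe a JWS compact serialization: `\w` excludes `-`, which belongs to the base64url alphabet, so a header or payload segment that ends in `-` right before a dot fails to match, while `=`, `+` and `/` are accepted although JWS segments are unpadded base64url. The same pattern is reused for the `token=` and `client_assertion=` checks in hunks `@@ -1116`, `@@ -1176`, `@@ -1206` and `@@ -1266` on the following lines, and `@@ -1146` uses a third variant `([\w]+)\.([\w]+)\.([\w\-]*)`, so the checks accept different inputs for the same notion of "is a JWT". One pattern over the base64url alphabet, written in JSON as `"check regex": "[\\w-]+\\.[\\w-]+\\.[\\w-]*"`, would be both more accurate and consistent across these tests; `=`, `+` and `/` should only stay in if the tool is known to encounter non-JWS tokens in those fields.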
@@ -1086,27 +1087,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
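Review bot: The new `check regex` opens with an unescaped `[`, so the leading `[\s*"[^"]...` is parsed as a character class rather than a literal bracket and the expression does not match the JSON array it appears to be written for; the closing bracket is escaped as `\]`, which suggests the opening one was meant to be `\[`. The corrected line would be `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Separately, the description promises an HTTP 200 OK response, but the only check is this body regex; a second check on the status line would cover that part of the stated expectation.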
@@ -1116,27 +1110,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Introspection Request contain correct type token",
+ "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -1146,27 +1133,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the organization_name claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Revocation Request contain correct type of client assertion",
+ "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -1176,29 +1156,22 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the policy_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the Revocation Request contain correct type of token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
+ }
+ ]
 }
 ],
 "result": "correct flow s1"
@@ -1206,27 +1179,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.",
+ "name": "Does the client_assertion in the token request contain a JWT",
+ "description": "The client_assertion parameter in the token request sent by the RP must be a JWT",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)",
+ "is present": "true"
 }
 ]
 }
@@ -1236,27 +1202,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.",
+ "name": "Does the token request use HTTP POST",
+ "description": "The token request sent by the RP must be sent in HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "POST",
+ "is present": "true"
 }
 ]
 }
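Review bot: The HTTP-method check in the second hunk, `"check regex": "POST"` with `"in": "head"`, matches those four letters anywhere in the request head, so a GET request whose path, query string or any header value happens to contain `POST` would also satisfy the test. Anchoring on the request line, `"check regex": "^POST\\s"`, ties the check to the method; whether `^` anchors at the start of the head (or of each line) depends on the runner's regex flags, so that is worth confirming when making the change.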
@@ -1266,27 +1225,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.",
+ "name": "Does the RP contain a valid Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "UserInfo request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1296,8 +1248,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.",
+ "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
 "type": "passive",
 "sessions": [
 "s1"
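Review bot: The Authorization check in the first hunk, `Authorization:\s?Bearer\s?…`, is case-sensitive on both the header name and the scheme, whereas HTTP header names are case-insensitive and the `Bearer` scheme token is as well (RFC 7235 §2.1); a request sent over HTTP/2, where the header arrives as `authorization: Bearer …`, would fail this test although it is correct. Unless the runner normalises header names before matching, an inline flag such as `(?i)Authorization:\s?Bearer\s?` would avoid the false negative. The description also says the token must be "valid", but the regex only checks its three-segment shape, so the description should say that only the format is verified here.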
@@ -1308,13 +1260,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -1326,8 +1280,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'response_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1338,13 +1292,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1356,8 +1310,8 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct value of 'client_id' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
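Review bot: The first and third hunks here (`@@ -1308`, `@@ -1338`), and `@@ -1368` on the next line, leave a body decode keyed `"decode param"` whose value `[^\\r\\n]*` is a regular expression, while every earlier hunk of this file renames exactly that construct to `"decode regex"` and keeps `decode param` only for a named URL parameter (`"from": "url"`, `"decode param": "request"` in `@@ -1416`). Unless the runner accepts both keys for body decodes, these three tests will not locate the JWT to decode and will fail or be skipped regardless of the RP under test. This looks like old tests moved down the file without the rename being applied; the new lines should presumably read `"decode regex": "[^\\r\\n]*",`. The enclosing test objects start and end outside these hunks.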
@@ -1368,13 +1322,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.client_id",
- "is": "x_https_RP"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1386,8 +1340,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration RP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1403,8 +1357,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_RP"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1416,20 +1370,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + } + ] } ] } 
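Review bot: The pattern `^[\u0020-\u007E]{32,}$` on `state` accepts any printable ASCII, including spaces and punctuation, and accepts exactly 32 characters, while the test name says "greater than 32" and the description says "at least 32 alphanumeric characters". If the alphanumeric wording reflects the requirement being tested, the schema should be `\"pattern\": \"^[A-Za-z0-9]{32,}$\"`; otherwise the name and description should be aligned with what the pattern actually enforces. Note that a length check says nothing about unpredictability of `state`, which is the property that matters for CSRF protection; that cannot be checked passively and is worth stating in the description.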
@@ -1439,20 +1400,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_url_RP" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + } + ] } ] } 
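Review bot: Same mismatch as the `state` test: the `nonce` pattern `^[\u0020-\u007E]{32,}$` permits spaces and punctuation and accepts exactly 32 characters, while the name says "longer than 32" and the description says "alphanumeric". Use `\"pattern\": \"^[A-Za-z0-9]{32,}$\"` if alphanumeric is the requirement, or fix the wording to match the character class actually allowed.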
@@ -1462,20 +1430,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + } + ] } ] } 
@@ -1485,20 +1460,27 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + } + ] } ] } 
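Review bot: The schema in the added `json schema compliant` string uses `"requirement":["grant_type"]`, which is not a JSON Schema keyword and names the wrong property; validators ignore unknown keywords, so RP metadata with no `grant_types` at all passes a test whose name claims to check that claim. It should read `\"required\":[\"grant_types\"]`, matching the spelling used in the sibling `grant_types` value test in the next hunk. As written, only the array-type constraint is enforced and only when the property happens to be present.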
@@ -1508,20 +1490,27 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + } + ] } ] } @@ -1531,8 +1520,8 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" 
@@ -1540,11 +1529,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] } ] } @@ -1554,8 +1550,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1563,11 +1559,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + } + ] } ] } 
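Review bot: The `logo_uri` pattern `^(https?://).*\.svg$` (after unescaping) accepts plain `http://` URLs, whereas the `client_id` and `redirect_uris` tests in this file enforce `^https://`. Unless the targeted profile explicitly allows cleartext logo URLs, the pattern should be `\"pattern\":\"^https://.*\\\\.svg$\"` so the metadata tests are consistent and a mixed-content logo reference is reported. The test name also only says "is an URL" while the pattern additionally mandates an `.svg` suffix; the description should state that requirement.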
@@ -1577,8 +1580,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" 
@@ -1586,11 +1589,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + } + ] } ] } 
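Review bot: The added schema lists all six metadata types under `required`, so a typical RP Entity Configuration that carries only `openid_relying_party` and `federation_entity` fails this test, contradicting the description, which says each key "must be a value among" the allowed set. Drop the `required` array entirely; `additionalProperties: false` already enforces the allowed-set part. The "only once for each" part of the description cannot be verified by a JSON-path check at all, because duplicate keys are collapsed when the payload is parsed before the check runs; either remove that wording or note that repetition is not detected.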
@@ -1600,20 +1610,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + } + ] } ] } 
@@ -1623,20 +1640,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } 
@@ -1646,20 +1670,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + } + ] } ] } 
@@ -1669,20 +1700,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } @@ -1692,8 +1730,8 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" 
@@ -1701,11 +1739,18 @@ "operations": [ { "message type": "Token request", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } @@ -1715,20 +1760,27 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does entity configuration RP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is": "X_url_RP" + } + ] } ] } 
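Review bot: In the second hunk the `sub` test compares against the literal placeholder `"X_url_RP"`, although the description says the value "must be equal to the one in the iss parameter"; the check therefore does not test what is described, and will only be meaningful if the harness substitutes that placeholder with the entity's own identifier. If the check language supports comparing two payload fields, `sub` should be compared with `$.iss` directly; otherwise the description should say the value is compared to the configured RP entity identifier.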
@@ -1738,20 +1790,27 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" + } + ] } ] } 
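Review bot: The `client_id` check compares against `"x_https_RP"`, while the `sub` test earlier in this file compares against `"X_url_RP"`; in a Federation Entity Configuration the RP's `client_id`, `sub` and `iss` are all the same entity identifier, so both should reference one placeholder. With two different spellings, whichever one the harness does not recognise will be compared literally and the test will fail (or pass) for the wrong reason. Pick one placeholder name and use it in both tests.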
@@ -1761,20 +1820,23 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "checks": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
@@ -1784,20 +1846,27 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } @@ -1807,20 +1876,27 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
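Review bot: The added checks use `"is present": "true"` (a string) where the removed lines in the same hunks used the boolean `true`; if the harness compares this value strictly, one of the two forms is silently ignored, and the file now mixes both. Use a single representation, preferably the boolean, throughout. These two tests are also fully subsumed by the `exp`/`iat` schema tests earlier in the file, whose `required` arrays already assert presence, so they add run time without adding coverage.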
@@ -1830,20 +1906,27 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -1853,20 +1936,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
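Review bot: The `jwks` test in the second hunk only asserts that the claim exists, so `"jwks": {}` or a key set with no `keys` passes, and a published Entity Configuration that accidentally includes private key material would not be flagged. A schema check such as `\"json schema compliant\": \"{\\\"type\\\": \\\"object\\\", \\\"properties\\\": {\\\"keys\\\": {\\\"type\\\": \\\"array\\\", \\\"minItems\\\": 1, \\\"items\\\": {\\\"type\\\": \\\"object\\\", \\\"not\\\": {\\\"required\\\": [\\\"d\\\"]}}}}, \\\"required\\\": [\\\"keys\\\"]}\"` on `$.jwks` would catch both cases; the `d` member is the private exponent/scalar for RSA and EC JWKs per RFC 7518.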
@@ -1876,20 +1966,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } @@ -1899,20 +1996,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -1922,20 +2026,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr_values", + "is present": "true" + } + ] } ] } @@ -1945,20 +2056,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -1968,20 +2086,27 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } @@ -1991,20 +2116,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } 
@@ -2014,20 +2146,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } @@ -2037,20 +2176,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
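Review bot: The header check in the first hunk verifies only that `kid` is present; nothing in the visible tests constrains the request object's `alg`, so a request JWT signed with `none` or an HMAC algorithm would pass the header tests. Consider adding a sibling check like `{"in": "header", "check": "$.alg", "not contains": ["none", "HS256", "HS384", "HS512"]}` next to the `kid` check, using the same `not contains` operator already applied to metadata values earlier in this file; confirm that operator matches against a scalar claim and not only arrays.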
@@ -2060,20 +2206,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -2083,20 +2236,27 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } 
@@ -2106,20 +2266,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion_type",
- "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
+ "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.prompt",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2129,20 +2296,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_id",
- "description": "The token request sent by the RP must contain client_id parameter in the URL",
+ "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.redirect_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2152,20 +2326,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the code parameter",
- "description": "The token request sent by the RP must contain code parameter in the URL",
+ "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "code"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.response_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2175,20 +2356,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the code_verifier parameter",
- "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
+ "name": "Does the RP Authentication Request contain the 'scope' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "code_verifier"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.scope",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2198,20 +2386,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the grant_type parameter",
- "description": "The token request sent by the RP must contain grant_type parameter in the URL",
+ "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "grant_type"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.state",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2221,20 +2416,27 @@
 },
 {
 "test": {
- "name": "Does the RP revoke the Token when the User logs out",
- "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",
+ "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.ui_locales",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2244,20 +2446,27 @@
 },
 {
 "test": {
- "name": "Does the RP contain the Access Token in the UserInfo request",
- "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
+ "name": "Does the RP's entity configuration contain the trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo request",
- "checks": [
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
 {
- "in": "head",
- "is present": true,
- "check param": "Authorization"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2267,24 +2476,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the signed JWT assertion contain the aud claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr_values",
+ "check": "$.aud",
 "is present": "true"
 }
 ]
@@ -2297,24 +2506,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications",
+ "name": "Does the signed JWT assertion contain the exp claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -2327,24 +2536,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the signed JWT assertion contain the iat claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -2357,24 +2566,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter",
- "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.",
+ "name": "Does the JWT payload contain 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.client_id",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -2387,24 +2596,24 @@
 },
 {
 "test": {
- "name": "Does the JWT header of the Authentication Request contain the kid parameter",
- "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.",
+ "name": "Does the signed JWT assertion contain the jti claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
+ "in": "payload",
+ "check": "$.jti",
 "is present": "true"
 }
 ]
@@ -2417,24 +2626,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the signed JWT assertion contain the sub claim",
+ "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Token request",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=client_assertion=)([^&]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -2447,8 +2656,8 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2456,18 +2665,11 @@
 "operations": [
 {
 "message type": "Authentication request",
- "decode operations": [
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.nonce",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
@@ -2477,8 +2679,8 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2486,18 +2688,11 @@
 "operations": [
 {
 "message type": "Authentication request",
- "decode operations": [
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.prompt",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
@@ -2507,8 +2702,8 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",
+ "name": "Does the RP insert the client ID in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2516,18 +2711,11 @@
 "operations": [
 {
 "message type": "Authentication request",
- "decode operations": [
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.redirect_uri",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "client_id"
 }
 ]
 }
@@ -2537,8 +2725,8 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",
+ "name": "Does the RP insert the response type in the url of the request",
+ "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2546,18 +2734,11 @@
 "operations": [
 {
 "message type": "Authentication request",
- "decode operations": [
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.response_type",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "response_type"
 }
 ]
 }
@@ -2567,27 +2748,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain the 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
+ "name": "Does the Introspection Request contain the client_assertion",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.scope",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
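Review bot: `"check regex": "client_assertion"` in the new introspection test is an unanchored substring match, so a body that carries only `client_assertion_type` still satisfies it and the presence test cannot fail on its own; in the same way `token` matches `token_type_hint` and `code` matches `code_verifier`. Anchoring the name to a parameter boundary, e.g. `"check regex": "(^|&)client_assertion="`, makes each test check the parameter it names, assuming the field is evaluated as a regular expression as its name suggests. The same applies to the client_assertion, client_id, token, code and code_verifier regexes re-added in the introspection, revocation and token-request hunks that follow.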
@@ -2597,27 +2771,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
+ "name": "Does the Introspection Request contain the client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.state",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -2627,27 +2794,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications",
+ "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.ui_locales",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
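Review bot: The test named 'Does the Introspection Request contain the client_assertion as a valid JWT' (second hunk on this line) only checks that the substring `client_assertion` occurs in the body, which is exactly what the preceding client_assertion presence test already does, so nothing verifies that the value is a signed JWT as the name and description claim. A minimal structural check would match three base64url segments separated by dots, e.g. `"check regex": "client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+"` (regex constructed for this note). A faithful version would mirror the token-request tests later in this file and use a `decode operations` entry with `"from": "body"`, `"decode param": "(?<=client_assertion=)([^&]+)"`, `"type": "jwt"` and a `"jwt check sig"` against the key configured for the introspection session (placeholder: <INTROSPECTION_KEY_ID>).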
@@ -2657,27 +2817,20 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.",
+ "name": "Does the Introspection Request contain the client id of the RP making the request",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "url",
- "decode param": "request",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -2687,27 +2840,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Introspection Request use HTTP POST",
+ "description": "The Introspection request made by the RP use HTTP POST",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
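Review bot: The 'Does the Introspection Request use HTTP POST' test (second hunk on this line) looks for the literal `POST` with `"in": "url"`; if `url` denotes the request target rather than the request line, the HTTP method is not visible there at all, and if it does cover the request line, a path or query containing that text would also satisfy the check. The other tests in this file only ever inspect `url`, `body` and `head`, so unless the tool exposes the method through one of those, this test does not verify what its name says; either check the method where the tool exposes it or note in the description that only the presence of the text is checked. The exact matching semantics of `"check"` with `"in": "url"` (substring versus parameter name) also matter for the code_challenge and client_id tests in the preceding hunks and are worth confirming once.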
@@ -2717,27 +2863,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Introspection Request contain the token",
+ "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -2747,27 +2886,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the Revocation Request contain the client assertion",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
@@ -2777,27 +2909,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the Revocation Request contain the client_assertion_type",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -2807,27 +2932,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the Revocation Request contain the client_id of the RP making the request",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -2837,27 +2955,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the Revocation Request contain the token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
- }
- ]
+ "message type": "Revocation request",
+ "checks": [
+ {
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -2867,27 +2978,20 @@
 },
 {
 "test": {
- "name": "Does the RP's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does the token request contain the client_assertion",
+ "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
@@ -2897,8 +3001,8 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the aud claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
+ "name": "Does the token request contain the client_assertion_type",
+ "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2906,18 +3010,11 @@
 "operations": [
 {
 "message type": "Token request",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.aud",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -2927,8 +3024,8 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the exp claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
+ "name": "Does the token request contain the client_id",
+ "description": "The token request sent by the RP must contain client_id parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2936,18 +3033,11 @@
 "operations": [
 {
 "message type": "Token request",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -2957,8 +3047,8 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the iat claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
+ "name": "Does the token request contain the code parameter",
+ "description": "The token request sent by the RP must contain code parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2966,18 +3056,11 @@
 "operations": [
 {
 "message type": "Token request",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code"
 }
 ]
 }
@@ -2987,8 +3070,8 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the jti claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
+ "name": "Does the token request contain the code_verifier parameter",
+ "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2996,18 +3079,11 @@
 "operations": [
 {
 "message type": "Token request",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jti",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code_verifier"
 }
 ]
 }
@@ -3017,8 +3093,8 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the sub claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
+ "name": "Does the token request contain the grant_type parameter",
+ "description": "The token request sent by the RP must contain grant_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3026,18 +3102,11 @@
 "operations": [
 {
 "message type": "Token request",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "grant_type"
 }
 ]
 }
@@ -3047,27 +3116,20 @@
 },
 {
 "test": {
- "name": "Does the JWT payload contain 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
+ "name": "Does the RP revoke the Token when the User logs out",
+ "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -3077,23 +3139,20 @@ }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "UserInfo request", "checks": [ { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } @@ -3103,8 +3162,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" 
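Review bot: The UserInfo check in the first hunk (`"check param": "Authorization"`, `"is present": true`) only proves that an Authorization header exists, while the description says "there must be an Access Token"; a header with any scheme or an empty value passes. Pinning the bearer form, `"in": "head"` with `"check regex": "Authorization:\\s*Bearer\\s+\\S+"` (the same head-regex form the SA file uses for status lines in L7669), asserts what the test states. The second hunk only renames a test whose body continues in L7655.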
@@ -3115,20 +3174,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "jwt check sig": "X_key_RP" } ] } @@ -3138,29 +3186,21 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" - ] - } - ] + "jwt check sig": "X_key_core_RP" } ] } 
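Review bot: The first hunk replaces `"decode regex": "[^\\r\\n]*"` with `"decode param": "[^\\r\\n]*"` to extract the Entity Configuration JWT from the body, while the SA hunks in L7671–L7676 make the opposite change (`"decode param"` → `"decode regex"`) for the very same extraction; if the tool distinguishes a parameter name from a regex between these two keys, one side of the patch is broken, and this test should use whichever key the SA file settles on (the enclosing test object begins outside this hunk). Separately, the description says the verification key must be taken from the Entity Statement of a superior, but the check verifies against the configured alias `"jwt check sig": "X_key_RP"`; if that alias is populated from the RP's own Entity Configuration jwks rather than from the superior's statement, the test only shows the EC is self-consistent, which is precisely what federation trust is meant to exclude. The second hunk uses a different alias, `X_key_core_RP`, for the client_assertion; each description should name which key material its alias resolves to.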
@@ -3170,32 +3210,20 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
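Review bot: The schema in `"json schema compliant"` leans on `"format":"uri"`, which JSON Schema validators treat as an annotation unless format assertion is enabled, so only `"pattern":"^https://"` constrains the value; that is enough for a "correct type" test, but the description should not suggest more than scheme-prefix checking. The check is applied with `"in": "body"` and `"check": "$"` to an Introspection request whose body is form-encoded rather than JSON; it presumably relies on the tool parsing the form into an object before schema validation, which is worth stating in the description since the other body checks on this page address parameters by name (`"check": "client_id"` in L7659).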
@@ -3205,21 +3233,43 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_RP" + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "checks": [ + { + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", 
\"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } @@ -3229,21 +3279,20 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "jwt check sig": "X_key_core_RP" + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
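Review bot: The embedded schema for "Does the client_id in the token request contain an HTTPS URL" ends with `\"required\":[\"client_id\"]})"` — the `)` after the closing brace is a stray character that makes the schema string invalid JSON, so the check will fail to parse regardless of the request; it should end `\"required\":[\"client_id\"]}"` exactly as the two identical schemas in L7656 and in the first test of this hunk do. The descriptions in the second hunk and in L7660 spell the URN `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` and L7661 writes `jwtbearer`, while the checked value is correctly `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the descriptions should use the hyphenated form so that a reader comparing them to the check is not misled.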
@@ -3253,29 +3302,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_url_RP" } ] } 
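Review bot: The Introspection check pins `"check": "client_id"` to `"is": "X_url_RP"`, while the parallel token-request check in L7662 pins the same claim to `"is": "X_https_RP"`; both tests assert the same property (the client_id identifies the RP), so unless the two aliases resolve to the same value one of them cannot pass against a compliant RP. A single alias should be used in both, or the descriptions should explain why the expected identifiers differ.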
@@ -3285,30 +3325,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
@@ -3318,30 +3348,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
@@ -3351,30 +3371,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } @@ -3384,8 +3394,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3402,9 +3412,11 @@ { "in": "payload", "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
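Review bot: The metadata check in the third hunk becomes a deny-list, `"is not in": ["none", "HS256", "HS384", "HS512"]`, replacing the allow-list `"is in": ["RS256", "RS512"]`; a deny-list passes for any value outside those four, including algorithms the profile does not permit, and, depending on how the checker treats a missing claim, possibly when `id_token_signed_response_alg` is absent altogether (the enclosing test object begins outside this hunk). No re-added copy of the allow-list tests is visible in this patch; unless they were moved elsewhere in the file, the removed `"is in"` assertions should be kept as separate tests alongside the new "incorrect" ones. The same applies to the two metadata checks in L7663 and to the `$.alg` header check in L7664.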
@@ -3417,8 +3429,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" @@ -3434,9 +3446,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" ] } ] @@ -3449,8 +3461,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -3466,10 +3478,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -3482,27 +3496,29 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
@@ -3515,27 +3531,32 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "check": "$.acr_values", "is in": [ - "RS256", - "RS512" + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" ] } ] 
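Review bot: The `acr_values` check enumerates seven exact strings, so the ordering `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` — permitted by the description, which only requires the values to be "separated by a single space" — fails the test. If the check grammar supports a regex on a decoded claim, a pattern such as `^https://www\\.spid\\.gov\\.it/SpidL[123]( https://www\\.spid\\.gov\\.it/SpidL[123])*$` expresses the rule directly; otherwise the description should state that only the listed orderings are accepted. The `prompt` check in L7666 has the same enumerated shape (`login consent` is rejected), so whether ordering is meant to be significant there should be confirmed too. The description also reads "than the RP is not compliant" where "then" is meant.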
@@ -3548,26 +3569,27 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", + "check": "$.prompt", "is in": [ - "code" + "consent", + "consent login" ] } ] 
@@ -3580,32 +3602,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" @@ -3620,13 +3618,15 @@ "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "payload", + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" ] } ] 
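Review bot: The `scope` allow-list in the second hunk omits combinations the description explicitly permits — "'offline_access', 'profile' or 'email' appended" covers `openid profile email` and `openid offline_access profile email`, yet only six strings are listed, so a conformant RP requesting `openid profile email` fails the test (the enclosing test object begins in the first hunk). Either complete the list, or replace it with a pattern if a regex check is available on decoded claims, or make the description name the exact strings accepted. The first hunk also deletes the RP test "Does the entity return a correct Content-Type in the EC response"; the same test is added for the SA in L7670, but unless the RP variant was re-added outside this view, the Content-Type of the RP's Entity Configuration is no longer checked.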
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response RP-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-signature.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response RP-signature.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-signature.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response RP-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-sub-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response RP-sub-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-sub-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json index 76fc8af..8120cab 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" @@ -16,18 +16,11 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -37,8 +30,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" 
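Review bot: The three tests removed in this line's hunks and in L7670 — schema checks that `exp` and `iat` are non-negative integers and that `metadata` is an object in the SA Entity Configuration — are replaced by HTTP-level checks, and no re-added copy is visible in this patch; unless they were moved elsewhere, the SA's Entity Configuration payload is no longer structurally validated at all, and the removed `"json schema compliant"` checks should be retained as separate tests. The new check also writes `"is present": "true"` as a string where the RP checks added in L7652–L7654 use the boolean `true`; one spelling should be used throughout unless the checker is documented to accept both.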
@@ -46,18 +39,11 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -67,8 +53,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -76,18 +62,12 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
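Review bot: The check added in the first hunk for "Does the Entity expose the /.well-known/openid-federation endpoint" is byte-for-byte the same status-line regex as the previous test ("correct HTTP code in the EC response"), so the two tests can never disagree and the second adds no coverage (the enclosing test object begins outside this hunk). Its description says "its entity configuration is expected as response", which a status check does not establish; the test should decode the body as a JWT (the `"decode regex": "[^\\r\\n]*", "type": "jwt"` form used in L7671) or be dropped as a duplicate. The Content-Type check in the third hunk uses `"is": "application/entity-statement+jwt"`, an exact comparison that rejects a header carrying a media-type parameter; if only the media type matters, a head regex anchored on the type is the safer form.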
@@ -97,85 +77,116 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": 
"correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the 
claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } @@ -187,8 +198,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
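Review bot: The two `organization_type` tests in the first hunk switch `"result"` from the string `"correct flow s1"` to the array `["s1"]`, while every other test visible in this patch keeps the string (e.g. `"result": "correct flow s1"` in L7657); a field whose type varies per test is a likely source of runner errors or silently ignored results, and the string form should be restored unless the array is a documented alternative. The two tests also share the identical name "Does the Trust Mark contain correct value for organization_type claim" although they inspect different message types (`Entity Statement response SA OP` and `Entity Statement response SA RP`), which makes reports ambiguous; appending the message type to each name fixes that. All trust-mark checks here read `"decode param": "$.trust_marks[0].trust_mark"`, so only the first trust mark in the statement is examined; the descriptions should say so, or the path should cover every element if the tool supports it. The descriptions say the Trust Mark is "decrypted", but the operation is a base64url decode of a signed JWT; "decoded" is the accurate term.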
@@ -199,13 +210,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } @@ -217,8 +235,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -229,13 +247,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
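Review bot: The new trust-mark `exp` check in the third hunk (`"check": "exp"`, `"is present": "true"`) asserts only presence, whereas the test it replaces validated the claim as a non-negative integer with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`; a trust mark carrying a non-numeric `exp` now passes (the enclosing test objects begin outside the first and third hunks). The `iat` check in L7675 has the same regression, and the new `email` and `id` presence checks in the first hunk and L7676 would be equally cheap to type-constrain; reusing the schema form with `"check": "$"` inside the inner `checks` keeps the type constraint that the removed lines had.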
@@ -247,25 +272,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
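Review bot: `"decode param": "$.trust_marks[0].trust_mark"` inspects only the first entry of `trust_marks`, so an Entity Statement carrying several Trust Marks has all but the first left unchecked, and the result when `trust_marks` is absent or empty depends on how mig-t reports a failed decode rather than on an explicit check. Consider adding a sibling check on the outer payload, `{"in": "payload", "check": "$.trust_marks", "is present": "true"}`, so a missing or empty array is reported as its own failure, and stating in the description that only the first Trust Mark is examined. The same limitation applies to every trust-mark test introduced by this commit.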
@@ -277,25 +309,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
@@ -307,25 +346,32 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -337,25 +383,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -367,25 +420,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -397,25 +457,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -427,25 +494,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -457,25 +531,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
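Review bot: The test name and description say the Trust Mark was issued for an AA (oauth_resource profile), but `"message type": "Entity Statement response SA OP"` selects the Entity Statement issued for an OP, whose Trust Mark presumably does not carry `policy_uri`, so this test either fails against a conformant OP or never exercises the AA case it describes. The same mismatch appears in the `sa_profile` test two hunks below (description: a Trust Mark issued by a TA for an SA; message type: SA OP), in the `service_documentation`, `tos_uri` and `claims` tests, and in their `Entity Statement response SA RP` counterparts further down. Either point these tests at the AA and SA message types or reword name and description to the OP/RP Trust Mark actually decoded, e.g. `"name": "Does the Trust Mark issued to the OP contain the policy_uri claim"`.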
@@ -487,25 +568,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -517,25 +605,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
@@ -547,25 +642,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -577,25 +679,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -607,25 +716,32 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -637,20 +753,34 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] } ] } 
@@ -660,20 +790,34 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } 
@@ -683,20 +827,34 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
@@ -706,20 +864,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -729,20 +901,34 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -752,8 +938,8 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -761,11 +947,25 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } 
@@ -775,20 +975,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response SA RP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] + } + ] } ] } 
@@ -798,20 +1012,34 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] + } + ] } ] } 
@@ -821,26 +1049,32 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
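Review bot: This hunk and the next replace the only two tests visible here that verified the Trust Mark signature (`"jwt check sig": "X_key_SA"`) with presence checks on `organization_name` and `organization_type`, so after this commit nothing in this part of the file confirms that the Trust Marks embedded in the SA's Entity Statements are signed with the SA's key. Presence checks are not a substitute: an unsigned or forged Trust Mark that carries the expected claims passes every one of them. Unless the signature tests were moved elsewhere in this patch series, keep one `"jwt check sig": "X_key_SA"` operation alongside the new checks, either as a separate test or as a sibling entry in the inner `decode operations`.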
@@ -852,8 +1086,8 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -864,14 +1098,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -883,53 +1123,32 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA OP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
@@ -941,53 +1160,32 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA RP", - "decode operations": [ - { - "from": "url", - "decode param": "client_assertion", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -999,25 +1197,32 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
@@ -1029,25 +1234,32 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -1059,25 +1271,32 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -1089,25 +1308,32 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.jwks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -1119,14 +1345,41 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response SA", "decode operations": [ { @@ -1135,9 +1388,10 @@ "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } 
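Review bot: The comparison is a substring match — `"contains": "conf_iss"` — so an Entity Configuration whose `iss` merely contains the Entity Statement's `iss` as a prefix or fragment (a different path under the same host, for instance) also passes, although the test name promises a "correct" iss; an equality operator, if the tool has one, is what this check needs. The value is captured with `"from": "url", "decode param": "client_assertion"` on an Entity Statement *response*, yet a fetch response carries no query string and `client_assertion` is a token/PAR request parameter, so I suspect `conf_iss` is never populated and the later check runs against an empty variable. The next hunk (SA RP) is the same test with only the message type changed and reuses the same `name`, which makes the two results indistinguishable in a report. Both test objects continue outside their hunks.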
@@ -1149,14 +1403,41 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response SA", "decode operations": [ { @@ -1165,9 +1446,10 @@ "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } @@ -1179,8 +1461,8 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain the trust marks", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -1191,12 +1473,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] @@ -1209,24 +1491,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", "is present": "true" } ] 
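Review bot: These hunks rename `"decode param": "[^\\r\\n]*"` to `"decode regex"` (here and in the next seven hunks), but later hunks in this file keep or reintroduce `"decode param"` with the same regex value (the two exp/iat schema tests, the metadata, logo_uri and trust_marks schema tests, and the final exp hunk). If the tool distinguishes the two keys, one of the two groups will fail to extract the JWT from the body and every check beneath it becomes vacuous; whichever key is the supported one should be used throughout the file. The enclosing test object starts outside the hunk.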
@@ -1239,24 +1521,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.federation_list_endpoint", "is present": "true" } ] 
@@ -1269,24 +1551,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -1299,24 +1581,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", "is present": "true" } ] 
@@ -1329,24 +1611,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] 
@@ -1359,24 +1641,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -1389,24 +1671,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -1419,24 +1701,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -1449,27 +1731,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.constraints", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
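Review bot: The JOSE-format regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` does not describe the base64url alphabet: `\\w` covers `_` but not `-`, so a header or payload segment containing `-` fails the test, while `=` padding and the `+`/`/` characters in the signature group, which JWS compact serialization forbids, are accepted. A pattern closer to the spec is `^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$`; the same body regex is reused in the three entity-statement hunks further down. The description also promises `Content-Type: application/entity-statement+jwt`, but nothing in the operation checks the response header, so a plain-text body matching the pattern would pass.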
@@ -1479,27 +1754,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
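Review bot: The check regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens with an unescaped `[`, so the engine reads most of it as a single character class rather than as "a JSON array of strings"; it should begin with `\\[`. The pattern as intended describes a JSON string array, which is the shape of an entity listing, whereas the next hunk's "entity listing" test looks for a JSON object — the two bodies appear to be swapped. The name says the resolve response carries the resolved metadata; if that is returned as a signed JWT, as the Entity Statement tests in this file assume, a JOSE-compact regex would be the appropriate check here.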
@@ -1509,27 +1777,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", + "is present": "true" } ] } 
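Review bot: The regex `[^\\r\\n]*.^\\{…\\}$` cannot match under default regex flags: `[^\\r\\n]*.` consumes at least one non-newline character and `^` then demands a line start, which only exists after a newline (and only with MULTILINE enabled), so `"is present": "true"` fails on every body and the test reports a failure regardless of what the entity returns. The same `[^\\r\\n]*.^` prefix is used in the three entity-statement hunks that follow (SA OP, SA RP, Fetch SA RP); dropping the prefix so the patterns start at `^\\{` here and `^([\\w=]+)` there would make them meaningful, or confirm how the tool applies the regex before relying on these results. The description also still refers to the resolve endpoint while the name is about the listing endpoint.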
@@ -1539,27 +1800,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Statement response SA OP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
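Review bot: This test and the one in the next hunk share the name `Does the SA correctly release the Entity statements` and differ only in message type (SA OP versus SA RP), so a report cannot tell their results apart. Appending the subject to each name, e.g. `... for the OP` and `... for the RP`, would disambiguate them. The test object continues outside the hunk.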
@@ -1569,8 +1823,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" @@ -1578,18 +1832,11 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -1599,27 +1846,20 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response SA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -1629,15 +1869,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -1646,8 +1886,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
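Review bot: The schema `{\"exp\": {\"type\": \"integer\", \"minimum\": 0}}` only proves that exp is a non-negative integer, so an already-expired configuration, or one whose exp precedes iat, passes a test named "correct exp parameter"; the description also still says only presence is checked. If the tool cannot compare a claim against the current time, the name should say "well-formed" rather than "correct", and the same applies to the iat test in the next hunk and to the Entity Statement exp test at the end of this chunk. The enclosing test object is split across two hunks on this line and continues outside them.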
@@ -1659,15 +1899,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -1676,8 +1916,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1689,32 +1929,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -1726,32 +1959,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
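Review bot: The name and description disagree with the operation: the name says "TA metadata", the description "SA metadata in the TA Entity Configuration", but the message type is `Entity Configuration response SA`, i.e. the SA's own configuration. The pattern `^https://.*\\\\.svg$` rejects an otherwise valid logo URL with an uppercase `.SVG` suffix or a query string, so decide whether that strictness is intended and say so in the description. The test object continues outside the hunk.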
@@ -1763,32 +1989,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] } 
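Review bot: The schema lists all six metadata types under `\"required\"`, so any entity that publishes only `federation_entity` plus its own type — the normal case for an SA, and what the description itself calls "a value among the following" — fails this test. `\"additionalProperties\": false` already enforces the closed set of type names, so the `required` array should be dropped or reduced to `[\"federation_entity\"]`. Note also that "only once for each" is not verifiable at this layer: a duplicated key is collapsed by the JSON parser before the schema ever sees it.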
@@ -1800,32 +2019,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
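Review bot: The schema types `trust_marks` as an object whose values are arrays, but the description says it must be a JSON array containing the Trust Marks, and the signature tests later in this file address it as `$.trust_marks[0].trust_mark`, which only works on an array of objects. As written, a configuration with the correct array shape fails this test while one with the object shape passes. Change the property schema to `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}` so the check agrees with the description and with the sibling tests.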
@@ -1837,8 +2049,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1849,20 +2061,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
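Review bot: The new description here, and in the iat test and the two SA RP variants that follow, reads "once obtained the decrypted Payload, the the exp parameter is checked"; the payload of a signed JWT is base64url-decoded, not decrypted, and "the the" is a typo. Suggest `... once the Payload is decoded, the exp parameter is checked. It must be a timestamp`. The schema `{\"type\": \"integer\", \"minimum\": 0}` only proves `exp` is a non-negative integer; whether the statement is still valid (exp in the future, not before iat) is not checked here, so if the DSL offers a time comparison that would be the stronger check. The `"message type"` line for this test sits between the two hunks and is outside the diff.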
@@ -1874,8 +2079,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1886,20 +2091,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1911,32 +2109,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1948,32 +2139,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1985,32 +2169,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
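Review bot: `\"value\" :{}` is the empty schema, which accepts any JSON value — `null`, `[]`, a string — so the test passes as soon as the key `value` exists, and the description's requirement that it carry the RP JWKS is not enforced. Constrain it to the JWK Set shape, e.g. `\"properties\": {\"value\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}}`. The `decode param` here is `[^\\n\\r]*` while the other hunks use `[^\\r\\n]*`; equivalent, but worth aligning for grep-ability.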
@@ -2022,8 +2199,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2034,20 +2211,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
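Review bot: The unchanged `"decode param": "$.trust_marks[0].trust_mark"` means only the first Trust Mark in the statement has its signature verified with `"jwt check sig": "X_key_SA"`; a tampered or unsigned mark anywhere else in the array goes unnoticed, and the same holds for the SA RP variant in the next hunk. If the DSL can iterate an array, verify every element; otherwise add one operation per expected mark, or at least state in the description that only the first mark is verified. Verifying against `X_key_SA` also presumes the first mark was issued by the SA — if a TA-issued mark comes first the test fails for the wrong reason — so a check on that mark's `iss` would make the outcome diagnosable. The test's `"message type"` line sits between the two hunks and is outside the diff.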
@@ -2059,32 +2230,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -2095,33 +2260,26 @@
 }
 },
 {
- "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "test": {
+ "name": "Does entity configuration SA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_SA"
 }
 ]
 }
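Review bot: The description says `sub` "must be equal to the one in the iss parameter", but the check compares `sub` with the fixed value `X_url_SA` and nothing in this hunk looks at `iss`, so a configuration with the right `sub` and a wrong `iss` still passes. Add a sibling check `{ "in": "payload", "check": "$.iss", "is": "X_url_SA" }` (or, if the DSL can compare two JSONPath values, compare them directly) so the stated property is actually enforced.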
@@ -2133,32 +2291,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -2170,32 +2321,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -2207,32 +2351,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -2244,32 +2381,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -2281,32 +2411,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -2318,32 +2441,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -2355,32 +2471,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -2392,32 +2501,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -2429,32 +2531,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
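Review bot: The description says the Entity Statement is obtained by an "HTTP GET request in the TA's fetch endpoint", but the test name says the statement is issued by the SA, the message type is `Entity Statement response SA OP`, and the sibling constraints, metadata_policy and trust_marks tests in the same group say "the SA's fetch endpoint"; unless the TA really serves these statements, the text should read `(HTTP GET request in the SA's fetch endpoint)`. The same wording appears in the iat, iss, jwks and sub tests that follow and in their repeats at the end of this chunk. "the presence if the exp parameter" should read "the presence of the exp parameter" throughout this group.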
@@ -2466,32 +2561,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -2503,32 +2591,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -2540,32 +2621,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -2577,32 +2651,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
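Review bot: The description ends "It must be a JSON Object", but the check is `"is present": "true"`, which is also satisfied by `"metadata_policy": null`, a string or an array, so the stated type requirement is not tested. Use the schema form the other tests in this commit already rely on: replace the `is present` line with `"json schema compliant": "{\"type\": \"object\"}"`. If the presence-only check is intended, drop the last sentence of the description instead.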
@@ -2614,32 +2681,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -2651,32 +2711,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -2688,8 +2741,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2700,20 +2753,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -2725,8 +2771,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2737,20 +2783,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -2762,8 +2801,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2774,20 +2813,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -2799,8 +2831,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the iss parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2811,20 +2843,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } @@ -2836,8 +2861,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -2848,20 +2873,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
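Review bot: The jwks check only asserts that the claim is present, so an Entity Statement carrying `"jwks": {}` or `"jwks": {"keys": []}` passes even though the subordinate's keys are exactly what this statement exists to convey. The suite already supports `json schema compliant` on `"check": "$"` (see the Trust Mark tests below), so this can be tightened without new tooling: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"jwks\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}}, \"required\": [\"jwks\"]}"`. The `message type` this operation targets is outside the hunk.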
@@ -2873,21 +2891,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" + } + ] } ] } 
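Review bot: The metadata_policy description ends with "It must be a JSON Object", but the check added is `"is present": "true"` on `$.metadata_policy`, which accepts a string, array or null just as well. Since sibling tests already use `json schema compliant`, the type claim in the description can be enforced with `"check": "$"` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`. Separately, this hunk replaces the SA Entity Configuration signature test with the metadata_policy test; the signature test reappears in the hunk at `-2945,105 +2981,69` below, so it is not lost, but the `message type` of the new test is `Entity Statement response SA RP` while the neighbouring presence tests do not show theirs in this patch — worth confirming they all target the same message.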
@@ -2897,21 +2921,27 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does Entity Statements issued by the SA contain the sub parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -2921,8 +2951,8 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2935,7 +2965,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } 
@@ -2945,105 +2981,69 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken 
and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" } ] } @@ -3053,8 +3053,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" @@ -3076,7 +3076,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } 
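Review bot: This hunk deletes the two organization_type tests and the "correct Content-Type in the EC response" test (the `application/entity-statement+jwt` header check) while re-inserting the three signature tests; nothing in the patch re-adds the Content-Type or organization_type checks, so unless they exist elsewhere in the file the passive suite loses the only check that the EC endpoint serves the media type the spec requires. If the removal is intentional, the commit message should say so; otherwise the header check should be kept: `{"in": "head", "url decode": false, "is": "application/entity-statement+jwt", "check param": "Content-Type"}`. The signature tests also change `"result": ["s1"]` to `"result": "correct flow s1"` — the other tests in this patch keep the array form, so one of the two formats is presumably what the runner expects; confirm both are accepted.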
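Review bot: The renamed "correct claims claim" test describes the value as "checked to be a list", but the schema it now carries is `{"claims": {"type": "object", "additionalProperties": {"type": "object"}}}`, which requires a JSON object whose members are objects and would reject an array. Either the description or the schema is wrong; if the claims value is an object keyed by claim name, as the schema implies, change the description to `"... the value of the claims claim is checked to be a JSON object whose members are objects"`, otherwise use `{"type": "array"}`. The `additionalProperties: object` constraint is also worth double-checking against real trust marks, since a member like `"given_name": "..."` (a string) would fail it.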
@@ -3090,8 +3090,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3108,12 +3108,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -3127,8 +3127,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
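Review bot: Two problems in the email test added here. First, `"decode param": "$.trust_marks.trust_mark"` replaces the `[0]` index used by every other trust-mark test in this patch; `trust_marks` is an array of `{id, trust_mark}` objects, so that JSONPath selects nothing on a conforming statement and the nested check never runs — restore `"decode param": "$.trust_marks[0].trust_mark"`. Second, every keyword in the schema string carries a trailing space (`"type "`, `"properties "`, `"required "`, `"format "`); JSON Schema validators ignore unknown keywords, so this schema accepts any payload and the test cannot fail. Use `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`, and note that `format` is only enforced if the validator has format assertion enabled.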
@@ -3145,12 +3145,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -3164,8 +3164,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -3187,7 +3187,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } 
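Review bot: The exp test switches `"decode param"` from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark`, but `trust_marks` is an array, so the path no longer resolves on a conforming Entity Statement and the exp type check is silently skipped. The ipa_code tests in the same hunk keep the indexed form, which is the one to use: `"decode param": "$.trust_marks[0].trust_mark"`. The exp schema itself (`integer`, `minimum 0`) is fine as a type check, though it does not catch an already-expired trust mark.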
@@ -3201,8 +3201,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3219,12 +3219,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -3238,8 +3238,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" 
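Review bot: Same JSONPath regression for the iat test: `"decode param": "$.trust_marks.trust_mark"` will not select the trust mark inside the `trust_marks` array, so the iat type check never executes. Keep it consistent with the neighbouring tests: `"decode param": "$.trust_marks[0].trust_mark"`. Also `correcty` in the id_code test name (`"Does the Trust Mark contain correcty type of id_code claim"`) is a typo for `correct`.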
@@ -3256,12 +3256,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -3275,8 +3275,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -3293,12 +3293,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } 
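Review bot: The id_code schema introduced here, `{"id_code": {"type": "object", "additionalProperties": {"type": "object"}}}`, requires every member of id_code to itself be an object, but the sibling test in the next hunk requires `id_code.ipa_code` to be a string (and fiscal_number/vat_number are string-valued identifiers too), so no real trust mark can satisfy both. Drop the `additionalProperties` constraint or make it `{"type": "string"}`: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"string\"}}}, \"required\": [\"id_code\"]}"`. The same contradictory schema is added again further down in this file.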
@@ -3312,8 +3312,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -3330,12 +3330,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -3349,8 +3349,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -3372,7 +3372,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -3534,8 +3534,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -3557,7 +3557,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } 
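Review bot: The sa_profile schema re-added in the second hunk is non-functional: its keywords have trailing spaces (`"type "`, `"properties "`, `"enum "`, `"required "`) and U+00A0 non-breaking spaces before some values, so a JSON Schema validator treats them as unknown annotations and accepts any payload; even if the keywords were fixed, the enum values `"full "` and `"light "` would never equal the real `full`/`light` strings. Replace it with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}"`. The iss check in the first hunk (`uri-reference` plus `^https://`) is sound.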
@@ -3571,8 +3571,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -3594,7 +3594,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } @@ -3608,8 +3608,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -3631,7 +3631,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } 
@@ -3645,8 +3645,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -3668,7 +3668,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } @@ -3682,8 +3682,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" @@ -3705,7 +3705,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } 
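Review bot: The "correct claims claim" test description says the value "is checked to be a list", but the schema added in the last hunk requires an object whose members are objects (`"additionalProperties": {"type": "object"}`), which rejects any array. Align the two: either `"... the value of the claims claim is checked to be a JSON object"` in the description, or `{"type": "array"}` in the schema if the spec really expects a list. Confirm the member type too — string-valued entries under claims would fail the current schema.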
@@ -3719,8 +3719,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3737,12 +3737,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -3756,8 +3756,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
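Review bot: The email test here repeats both defects seen earlier in the patch: `"decode param": "$.trust_marks.trust_mark"` does not resolve against the `trust_marks` array, and the schema's keywords all carry a trailing space (`"type "`, `"properties "`, `"required "`), which makes the schema vacuously true. Use `"decode param": "$.trust_marks[0].trust_mark"` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`.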
@@ -3774,12 +3774,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -3793,8 +3793,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -3816,7 +3816,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } 
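Review bot: The exp test's `"decode param"` is changed to `$.trust_marks.trust_mark`, which selects nothing on a conforming statement because `trust_marks` is an array; the ipa_code hunk right below keeps the indexed form. Restore `"decode param": "$.trust_marks[0].trust_mark"` so the exp type check actually runs.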
@@ -3830,8 +3830,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -3848,12 +3848,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -3867,8 +3867,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" 
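Review bot: The iat test is given `"decode param": "$.trust_marks.trust_mark"`, the unindexed path that does not resolve against the `trust_marks` array, so the iat type check is skipped. Use `"decode param": "$.trust_marks[0].trust_mark"` as in the other trust-mark tests. The name in the last hunk, `"Does the Trust Mark contain correcty type of id_code claim"`, has a typo (`correct`).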
@@ -3885,12 +3885,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -3904,8 +3904,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -3922,12 +3922,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } 
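Review bot: The id_code schema `{"id_code": {"type": "object", "additionalProperties": {"type": "object"}}}` added in the first hunk conflicts with the ipa_code test below it, which requires `id_code.ipa_code` to be a string; with both in the suite one of them always fails on a valid trust mark. Either remove `additionalProperties` or make it `{"type": "string"}`: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"string\"}}}, \"required\": [\"id_code\"]}"`.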
@@ -3941,8 +3941,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -3959,12 +3959,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", + "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -3978,8 +3978,8 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -4001,7 +4001,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -4163,8 +4163,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -4186,7 +4186,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } 
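Review bot: The sa_profile schema is defeated by whitespace inside its keys and values: `"type "`, `"properties "`, `"enum "` and `"required "` carry a trailing space and several are preceded by a U+00A0 non-breaking space, so a JSON Schema validator sees no recognised keyword and accepts any payload, and even if it did, the enum members `"full "`/`"light "` would never equal `full`/`light`. As written the check passes vacuously for every Trust Mark. Replace it with `{"type": "object", "properties": {"sa_profile": {"type": "string", "enum": ["full", "light"]}}, "required": ["sa_profile"]}`. The removed email schema earlier on this page had the same trailing-space defect, so the rest of the corpus is worth grepping for `"type "`.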
@@ -4200,8 +4200,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -4223,7 +4223,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } @@ -4237,8 +4237,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -4260,7 +4260,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } 
@@ -4274,8 +4274,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -4297,7 +4297,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json index 76fc8af..8120cab 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json 
@@ -7,8 +7,8 @@ "tests": [ { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" @@ -16,18 +16,11 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -37,8 +30,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" 
@@ -46,18 +39,11 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -67,8 +53,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -76,18 +62,12 @@ "operations": [ { "message type": "Entity Configuration response SA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
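Review bot: The test named "Does the Entity expose the /.well-known/openid-federation endpoint" now carries exactly the same check as the preceding HTTP-200 test (`"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`), so it adds no coverage, and its description says the entity configuration is expected as the response while nothing inspects the body. An HTML error page returned with status 200 passes both tests. Replace the head check with a body decode in the shape the Trust Mark tests use (`"from": "body", "type": "jwt", "decode regex": "[^\\r\\n]*"`) and assert that a payload claim such as `iss` is present, so the test establishes that a JWT actually came back.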
@@ -97,85 +77,116 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": 
"correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the 
claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } @@ -187,8 +198,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
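Review bot: The two organization_type tests in this hunk are the only ones whose `result` changes from `"correct flow s1"` to `["s1"]`; unless the rest of All_SA_Passive.json was migrated the same way (not visible in this chunk), the runner will meet two result formats in one file. They also share the identical name "Does the Trust Mark contain correct value for organization_type claim" although one decodes the SA→OP and the other the SA→RP Entity Statement, so a failure report cannot tell them apart; suffix each name with the statement type. Finally, `"check": "organization_type"` is a bare claim name while the schema checks on this page use JSONPath (`"check": "$"`); confirm that `is in` accepts a bare key, otherwise write `$.organization_type`.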
@@ -199,13 +210,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } @@ -217,8 +235,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -229,13 +247,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
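Review bot: The exp check on the Trust Mark is presence-only (`"is present": "true"`), whereas the same claim in the OP plan earlier in this patch is validated with `{"type": "integer", "minimum": 0}`; a Trust Mark carrying `"exp": "never"` or a negative value passes here. Reuse the `"check": "$"` plus `json schema compliant` form with that integer schema for `exp` (and for `iat`), unless a separate type test for the SA file lives outside this chunk. The integer checks that previously ran on the SA-issued Entity Statement's own exp/iat do not reappear in these hunks; worth confirming they were moved rather than dropped.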
@@ -247,25 +272,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
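Review bot: The description says the Trust Mark is "taken, decrypted and the presence of the iat claim in it is checked", but the operation is a plain decode of a signed JWS (`"type": "jwt"`): nothing is encrypted, and "decrypted" can be read as implying the signature was verified, which a passive decode does not do. Suggest `"description": "In this test, an issued Trust Mark is taken from the Entity Statement, its JWS payload is decoded (no signature verification) and the presence of the iat claim is checked."`. The same wording is repeated in every Trust Mark test in this file.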
@@ -277,25 +309,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
@@ -307,25 +346,32 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -337,25 +383,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
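Review bot: `iss` on the Trust Mark is only checked for presence; from a trust standpoint the value is what matters, since a Trust Mark whose `iss` is not the issuer the federation trusts for that mark must be rejected, and presence alone does not catch a self-issued one. If no companion test pins the value, add one in the same shape with `"check": "iss"` and `"is": "<issuer URL placeholder>"`, mirroring the `"is": "X_url_SA"` pattern the removed sub test used. A passive plan cannot verify the signature, so binding `iss` is the strongest check available here.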
@@ -367,25 +420,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -397,25 +457,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -427,25 +494,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -457,25 +531,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
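Review bot: The test is described as checking a Trust Mark "issued for an AA (oauth_resource profile)", yet the message decoded is `"message type": "Entity Statement response SA OP"`, the statement the SA issues about an OP, so `$.trust_marks[0].trust_mark` is that OP's first Trust Mark, which has no reason to carry `policy_uri`. Either point the test at an SA→AA statement if the plan defines such a message type, or drop the AA wording from the name and description. As written the presence check can only pass if the OP's Trust Mark happens to include policy_uri; the claims, service_documentation and tos_uri tests in this file have the same mismatch.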
@@ -487,25 +568,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -517,25 +605,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
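Review bot: The description says this Trust Mark is "issued by a TA for an SA", but the message decoded is `"Entity Statement response SA OP"`, an Entity Statement the SA issues about an OP, whose `trust_marks[0]` is an OP Trust Mark rather than the SA's own. The SA's own Trust Marks are carried in its Entity Configuration (the removed trust_marks test read them from `Entity Configuration response SA`, which the head checks at the top of this file still use); point this test there, or rename it to say what it inspects. As written, `sa_profile` will only be found if the OP's mark happens to carry it.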
@@ -547,25 +642,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -577,25 +679,32 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -607,25 +716,32 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -637,20 +753,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -660,20 +790,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -683,20 +827,34 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -706,20 +864,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -729,20 +901,34 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -752,8 +938,8 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -761,11 +947,25 @@
 "operations": [
 {
 "message type": "Entity Statement response SA RP",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -775,20 +975,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -798,20 +1012,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -821,26 +1049,32 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
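Review bot: The `"jwt check sig": "X_key_SA"` step on the nested Trust Mark decode is replaced here by a claim-presence check, and the organization_type hunk that follows does the same, so as far as this file shows no test verifying the Trust Mark signature against the SA key remains. A presence check on an unverified Trust Mark payload says nothing about whether the SA actually issued it, and the signature test is the one with security value. Unless the signature test has been moved elsewhere in the suite, keep the previous entry (`"name": "Does the SA correctly sign the Trust marks"` with its `"jwt check sig": "X_key_SA"` decode step) as its own test and add the organization_name check as a new entry rather than overwriting it.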
@@ -852,8 +1086,8 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -864,14 +1098,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -883,53 +1123,32 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
- "type": "active",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA OP",
- "decode operations": [
- {
- "from": "url",
- "decode param": "client_assertion",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "use variable": "true",
- "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -941,53 +1160,32 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
- "type": "active",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
 "message type": "Entity Statement response SA RP",
- "decode operations": [
- {
- "from": "url",
- "decode param": "client_assertion",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "use variable": "true",
- "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -999,25 +1197,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
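Review bot: The description says the Trust Mark was issued by a TA for an SA, but the operation intercepts `"message type": "Entity Statement response SA RP"`, whose `trust_marks[0]` is the mark attached to the RP's statement, not the intermediary mark the TA issued to the SA. A `sa_profile` claim is therefore being looked for in a Trust Mark that, going by the description, is not the one meant. Either point the test at the TA's statement about the SA (or the SA's own Entity Configuration, where the SA's Trust Marks are published) or reword the name and description to say which mark is actually inspected.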
@@ -1029,25 +1234,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1059,25 +1271,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1089,25 +1308,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1119,14 +1345,41 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "client_assertion",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
 "message type": "Entity Configuration response SA",
 "decode operations": [
 {
@@ -1135,9 +1388,10 @@
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
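Review bot: The first intercept reads the JWT with `"from": "url", "decode param": "client_assertion"` while its `"message type"` is `Entity Statement response SA OP`; every other test in this file takes an Entity Statement from the response body (`"from": "body", "decode regex": "[^\\r\\n]*"`), so unless the tool resolves `url` against the matching request, `conf_iss` is never populated and the final `"contains": "conf_iss"` check on the Entity Configuration cannot mean what the description says. The same block is added for the SA RP variant in the next hunk. The description also promises that `iss` "must be an URL identifying the SA", but the only check is that the Entity Configuration's `iss` contains the value saved from the statement, with no URL-shape check on either side; the description should say that, or a regex check should be added. The `checks` array this test ends with is in the second hunk on this line.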
@@ -1149,14 +1403,41 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "client_assertion",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
 "message type": "Entity Configuration response SA",
 "decode operations": [
 {
@@ -1165,9 +1446,10 @@
 "type": "jwt",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
@@ -1179,8 +1461,8 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain the trust marks",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
+ "name": "Does the SA's metadata contain the contacts parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1191,12 +1473,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -1209,24 +1491,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
 "is present": "true"
 }
 ]
@@ -1239,24 +1521,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
 "is present": "true"
 }
 ]
@@ -1269,24 +1551,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -1299,24 +1581,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
 "is present": "true"
 }
 ]
@@ -1329,24 +1611,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the SA's metadata contain the homepage_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -1359,24 +1641,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the SA's metadata contain the logo_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata.federation_entity.logo_uri",
 "is present": "true"
 }
 ]
@@ -1389,24 +1671,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the SA's metadata contain the organization_name parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata.federation_entity.organization_name",
 "is present": "true"
 }
 ]
@@ -1419,24 +1701,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the SA's metadata contain the policy_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata.federation_entity.policy_uri",
 "is present": "true"
 }
 ]
@@ -1449,27 +1731,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
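Review bot: The JWT-shape pattern on the `check regex` line rejects valid tokens: compact JWS segments are base64url, whose alphabet includes `-` and `_`, but `[\\w=]+` admits `_` only, while the signature group admits `+` and `/`, which base64url never uses (and `=` padding is absent from compact JWS). A pattern such as `"^[\\w-]+\\.[\\w-]+\\.[\\w-]*$"` matches the format the description asks for; the same pattern recurs at @@ -1539, @@ -1578 and @@ -1599 and should be corrected there too. The description additionally requires `Content-Type: application/entity-statement+jwt`, but only the body is inspected; if mig-t supports a header check, one for that media type belongs here.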
@@ -1479,27 +1754,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
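Review bot: The `check regex` value opens with an unescaped `[`, so the leading `[\\s*\"[^\"]` is parsed as a character class rather than a literal bracket and the pattern does not test for the bracketed list the author apparently intended (`\\[` was presumably meant). Even with the escaping fixed, the pattern accepts a JSON array of strings, whereas the description says the body carries the resolved metadata for the entity named in `sub`; this looks copied from the entity-listing test in the next hunk. The description also expects an HTTP 200 OK, and no check in this hunk verifies the status.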
@@ -1509,27 +1777,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
+ "is present": "true"
 }
 ]
 }
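Review bot: The description is carried over from the resolve test and is not a sentence (`an HTTP GET request entity's endpoint.`), and it names the wrong endpoint. The `check regex` also asserts a JSON object (`^\\{ ... \\}$`) while the description says a JSON list of Entity Identifiers is expected, so either the pattern or the description is wrong; the string-array pattern used in the previous hunk is closer to what is described here. Suggested description: `In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request is made to the entity's listing endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected`.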
@@ -1539,27 +1800,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Statement response SA OP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
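Review bot: The test name `Does the SA correctly release the Entity statements` is used here for message type `Entity Statement response SA OP` and again at @@ -1569 for `Entity Statement response SA RP`; the same duplication occurs for the exp/iat pairs at @@ -1837/@@ -1911 and @@ -1874/@@ -1948 and for the signature pair at @@ -2022/@@ -2059. If mig-t reports results by test name, the OP and RP outcomes become indistinguishable. Suffixing the subordinate type, e.g. `Does the SA correctly release the Entity statements for the OP`, keeps each report unambiguous.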
@@ -1569,8 +1823,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1578,18 +1832,11 @@
 "operations": [
 {
 "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1599,27 +1846,20 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -1629,15 +1869,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1646,8 +1886,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
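Review bot: The name promises a correct exp, the description still says only that presence is checked, and the schema in the second hunk actually requires a non-negative integer; the description should state what is enforced, e.g. `... the payload is base64url decoded and the exp parameter is checked. It must be present and be a non-negative integer (NumericDate)`. The same gap exists in the iat test at @@ -1659. Note that `minimum: 0` does not establish that exp lies in the future or after iat; if mig-t cannot compare against the current time, saying so in the description avoids overstating the test.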
@@ -1659,15 +1899,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
@@ -1676,8 +1916,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1689,32 +1929,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1726,32 +1959,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
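Review bot: The name says `TA metadata` and the description says `SA metadata in the TA Entity Configuration`, but the message type is `Entity Configuration response SA`, so the test inspects the SA's own configuration; name and description should say so, e.g. `Does the SA metadata contain a correct type logo_uri claim`. Also, `\"format\":\"uri\"` is an annotation under JSON Schema unless the validator has format assertion enabled, so `\"pattern\":\"^https://.*\\\\.svg$\"` is the only constraint that is certain to be applied; that is enough for the `.svg` requirement, but the description should not rely on the URI format check being enforced.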
@@ -1763,32 +1989,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
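Review bot: The `required` list in the schema demands that all six metadata types be present at once, but the description says each key must be a value *among* those types, not that every type must exist; an SA whose `metadata` holds only `federation_entity` would fail this check. Dropping the `\"required\": [...]` member and keeping `\"additionalProperties\": false` expresses the stated rule. Separately, "only once for each" cannot be verified at this point: the payload is parsed into a JSON object before the schema runs, and duplicate keys collapse at parse time (typically last-wins), so the description overstates what the test detects.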
@@ -1800,32 +2019,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
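Review bot: The schema types `trust_marks` as an object whose values are arrays, but the description says it must be a JSON array containing the Trust Marks, and the signature tests at @@ -2022 and @@ -2059 address it as `$.trust_marks[0].trust_mark`, i.e. an array of objects; a conforming entity configuration will therefore fail this check. Aligning the schema with that shape, `{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}}, \"required\": [\"trust_marks\"]}`, makes the test agree with both the description and the sibling tests.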
@@ -1837,8 +2049,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1849,20 +2061,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
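Review bot: The description contains a doubled word (`the the exp parameter is checked`) and says `It must be a timestamp`, whereas the schema in the second hunk enforces only a non-negative integer; the identical text recurs at @@ -1874, @@ -1911 and @@ -1948. Suggested wording for the tail of the sentence: `once the decoded Payload is obtained, the exp parameter is checked. It must be a non-negative integer (NumericDate timestamp)`. The description also says the statement is fetched from the TA's fetch endpoint, while the test is named for statements issued by the SA; whichever endpoint is actually exercised should be the one named.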
@@ -1874,8 +2079,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1886,20 +2091,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1911,32 +2109,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1948,32 +2139,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1985,32 +2169,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
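Review bot: `\"value\" :{}` is the empty schema, so this test passes whenever a `value` key exists under the policy entry, even if it holds a string or null, while the description says it must contain the RP JWKS. Constraining it to a JWK Set shape, `\"value\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\"}}, \"required\": [\"keys\"]}`, checks what the description states. The stray space before the colon in `\"value\" :{}` is valid JSON but inconsistent with the other schema strings in this file.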
@@ -2022,8 +2199,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2034,20 +2211,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
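Review bot: Only `$.trust_marks[0].trust_mark` is signature-checked, so any further entries in the `trust_marks` array are accepted unverified; the RP variant at @@ -2059 has the same limitation. The description says the public key is taken from the `jwks` parameter, whereas the check uses the configured `X_key_SA`; verifying against a key the tester controls is the right choice (a key carried in the statement under test must not be trusted to validate that statement), but the description should say so, e.g. `the signature is validated with the SA's configured public key (X_key_SA)`. Whether `jwt check sig` also pins the expected `alg` cannot be seen from this hunk.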
@@ -2059,32 +2230,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_SA"
 }
 ]
 }
@@ -2095,33 +2260,26 @@
 }
 },
 {
- "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "test": {
+ "name": "Does entity configuration SA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_SA"
 }
 ]
 }
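Review bot: The description says the `sub` value must equal the `iss` parameter, but the check compares `$.sub` only with the constant `X_url_SA`, so a configuration whose `iss` differs from `sub` still passes as long as `sub` is the expected URL. Either add a parallel entry `{"in": "payload", "check": "$.iss", "is": "X_url_SA"}` to the same `checks` array, which pins both claims to the SA identifier, or reword the description to say that `sub` is compared with the configured SA URL. The `- "test": {` / `+ "test": {` pair at the top of the hunk is a whitespace-only change and can be dropped to keep the diff focused.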
@@ -2133,32 +2291,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -2170,32 +2321,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -2207,32 +2351,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -2244,32 +2381,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -2281,32 +2411,25 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -2318,32 +2441,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -2355,32 +2471,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
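Review bot: The description of the new trust_marks test says the parameter is looked for among "the metadata in the response", but the check reads it from the top level of the decoded payload (`"check": "$.trust_marks"`), not from `$.metadata`. Rewording to `"... and the claims of the decoded payload are analyzed. Among them, the 'trust_marks' parameter must be present."` keeps the description in line with what the check does. The other Entity Configuration tests in this run (L7842–L7845) describe the payload decode correctly and need no change.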
@@ -2392,32 +2501,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
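Review bot: The new descriptions in this hunk and in L7848–L7861 read "the presence if the X parameter is checked" and "once obtained the decrypted Payload", while the operation only base64url-decodes a JWS payload and checks for a key; suggest `"... the Entity Statement payload contained in the response is base64url decoded and the presence of the constraints parameter is checked"` with the parameter name substituted per test. In L7848–L7851, L7853, the exp test of L7855, L7856, L7857 and L7860 the same description says the request goes to "the TA's fetch endpoint", although the test name says the statement is issued by the SA and the sibling tests at L7847, L7852, L7854 and L7859 say "the SA's fetch endpoint"; the message type is the same `Entity Statement response SA OP` / `SA RP` in both groups, so one wording is presumably a copy-paste leftover — confirm which endpoint the session fetches from and use it throughout. The test names `Does Entity Statements issued by the SA ...` would read better as `Does the Entity Statement issued by the SA ...`.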
@@ -2429,32 +2531,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
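Review bot: The exp check in this hunk (and iat at L7849, exp/iat for the SA RP statement at L7856) only asserts presence, whereas the trust-mark tests at L7866 and L7867 also pin the type with `"json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"`; a non-numeric `exp` in an Entity Statement passes this test as written, so the same schema check would be worth adding here. The metadata_policy tests at L7852 and L7859 are in the same position: their description ends with "It must be a JSON Object" but the check is `"is present": "true"` only, so `{"in": "payload", "check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"}` would make the check match the description. Whether the runner supports a presence check and a schema check side by side in one `checks` array I cannot tell from here; the trust-mark tests use a single schema check per test.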
@@ -2466,32 +2561,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -2503,32 +2591,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -2540,32 +2621,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -2577,32 +2651,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -2614,32 +2681,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -2651,32 +2711,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -2688,8 +2741,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2700,20 +2753,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -2725,8 +2771,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2737,20 +2783,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -2762,8 +2801,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2774,20 +2813,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -2799,8 +2831,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2811,20 +2843,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -2836,8 +2861,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2848,20 +2873,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -2873,21 +2891,27 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2897,21 +2921,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2921,8 +2951,8 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2935,7 +2965,13 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2945,105 +2981,69 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken 
and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_SA" } ] } @@ -3053,8 +3053,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" @@ -3076,7 +3076,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } 
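Review bot: The Entity Configuration signature test on the new side verifies with the fixed `"jwt check sig": "X_key_SA"` reference, while its description says the public key "must be taken from the Entity Statement of a superior"; if `X_key_SA` resolves to a statically configured key rather than to the `jwks` of that superior's statement, the test does not exercise the trust-chain step the description claims, which is worth confirming or reflecting in the description. The same applies to the two "Does the SA correctly signs the Entity Statement" tests that follow in this hunk, whose descriptions say the key comes from the Entity Statement of the SA issued by the TA. Separately, `result` changes from the array `["s1"]` to the string `"correct flow s1"` for these three tests; if other tests in this file keep the array form, the runner must accept both shapes for the same key. The removed Content-Type test for the EC response (`application/entity-statement+jwt`) is not re-added inside this hunk; if it was dropped rather than moved, that coverage is lost.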
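Review bot: The description of the oauth_resource `claims` test (hunk @@ -3053) says the value "is checked to be a list", but the schema in hunk @@ -3076 requires `claims` to be an object whose members are objects (`\"additionalProperties\": {\"type\": \"object\"}`), so an array value fails the check and the two disagree. One of them has to change; from the visible lines I cannot tell which shape the profile expects. If the object form is intended, `"... the value of the claims claim is checked to be a JSON object whose members are objects"` describes the schema as written.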
@@ -3090,8 +3090,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the Trust Mark contain the correct type of email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3108,12 +3108,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
 }
 ]
 }
@@ -3127,8 +3127,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
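Review bot: The email schema written into `json schema compliant` in hunk @@ -3108 has a trailing space inside every key and value (`\"type \"`, `\"object \"`, `\"properties \"`, `\"required \"`, `\"email \"`); JSON Schema validators ignore keywords they do not recognise, so this schema constrains nothing and the test passes for any payload, including one with no `email` at all. Replace it with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`, and note that `format` is only enforced when the validator opts in, so confirm the library behind the runner does. The same hunk sets `"decode param": "$.trust_marks.trust_mark"`, as do L7866 and L7867, while every other trust-mark test on this page indexes the array (`$.trust_marks[0].trust_mark`, e.g. the values restored at L7868); with `trust_marks` being an array of objects the un-indexed path presumably resolves to nothing and the schema is never applied — confirm and align the three paths with the `[0]` form. From the line numbers this looks like a reorder of existing tests rather than new text, but the new side is what runs.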
@@ -3145,12 +3145,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -3164,8 +3164,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3187,7 +3187,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -3201,8 +3201,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3219,12 +3219,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -3238,8 +3238,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
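Review bot: The test name on the new side of @@ -3238 misspells its key word: `"name": "Does the Trust Mark contain correcty type of id_code claim"` should read `"name": "Does the Trust Mark contain the correct type of id_code claim"`. The same name is written at @@ -3867. These names presumably surface in the tool's report, so the typo is worth fixing while the entry is being moved.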
@@ -3256,12 +3256,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
+ "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
 }
 ]
 }
@@ -3275,8 +3275,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3293,12 +3293,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
+ "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
 }
 ]
 }
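Review bot: The id_code schema on the new side of @@ -3256 asserts more than its description at @@ -3238 promises: `\"additionalProperties\": {\"type\": \"object\"}` requires every member of id_code to itself be an object, while the sibling test at @@ -3330 requires `ipa_code` inside id_code to be a string, so a Trust Mark that passes one of these tests necessarily fails the other. If the intent is only that id_code is a JSON object, drop the inner constraint: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}},\"required\": [\"id_code\"]}"`. The same schema is written at @@ -3885, and the enclosing test object starts and ends outside the hunk.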
@@ -3312,8 +3312,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3330,12 +3330,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
+ "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -3349,8 +3349,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3372,7 +3372,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -3534,8 +3534,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3557,7 +3557,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
 }
 ]
 }
@@ -3571,8 +3571,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3594,7 +3594,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
 }
 ]
 }
@@ -3608,8 +3608,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3631,7 +3631,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
@@ -3645,8 +3645,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3668,7 +3668,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
 }
 ]
 }
@@ -3682,8 +3682,8 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3705,7 +3705,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
 }
 ]
 }
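Review bot: The description restored at @@ -3682 says the claims claim `is checked to be a list`, but the schema at @@ -3705 asserts `\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, which rejects an array outright. One of the two is wrong: if the oauth_resource Trust Mark profile defines claims as an object whose members are objects, the description should say so; otherwise the schema should use `\"type\": \"array\"` with an `\"items\"` constraint. The enclosing test object spans both hunks and ends outside them.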
@@ -3719,8 +3719,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3737,12 +3737,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
 }
 ]
 }
@@ -3756,8 +3756,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3774,12 +3774,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -3793,8 +3793,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3816,7 +3816,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -3830,8 +3830,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3848,12 +3848,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
+ "decode param": "$.trust_marks.trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -3867,8 +3867,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3885,12 +3885,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
+ "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
 }
 ]
 }
@@ -3904,8 +3904,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3922,12 +3922,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
+ "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
 }
 ]
 }
@@ -3941,8 +3941,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3959,12 +3959,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
+ "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
 }
 ]
 }
@@ -3978,8 +3978,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4001,7 +4001,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
 }
 ]
 }
@@ -4163,8 +4163,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4186,7 +4186,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
 }
 ]
 }
@@ -4200,8 +4200,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4223,7 +4223,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
 }
 ]
 }
@@ -4237,8 +4237,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4260,7 +4260,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
@@ -4274,8 +4274,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4297,7 +4297,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-metadata-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-metadata-logo_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-metadata-logo_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-metadata-logo_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-sub-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response SA-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-sub-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-constraints.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-constraints.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-constraints.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-constraints.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-exp-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-exp-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-exp-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-exp.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-exp.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-exp.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-iat-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-iat-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-iat-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-iat.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-iat.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-iat.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-iss-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-iss-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-iss-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-iss-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-iss.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-iss.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-iss.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-jwks.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-jwks.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-jwks.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-metadata_policy.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-metadata_policy.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-metadata_policy.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-metadata_policy.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-release.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-release.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-release.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-release.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-sub.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-sub.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-sub.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-claims-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-claims-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-claims-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-claims-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-claims.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-claims.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-claims.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-claims.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-email-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-email-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-email-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-email-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-email.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-email.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-email.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-email.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-exp-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-exp-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-exp-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-exp.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-exp.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-exp.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-fiscal_number-or-vat_number.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-fiscal_number-or-vat_number.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-fiscal_number-or-vat_number.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-fiscal_number-or-vat_number.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-iat-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iat-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-iat-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-iat.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iat.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-iat.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-id.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-id.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-id.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-id.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-id_code-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-id_code-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-id_code-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-id_code-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-id_code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-id_code.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-id_code.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-id_code.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ipa_code-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-ipa_code-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ipa_code-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-ipa_code-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ipa_code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-ipa_code.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ipa_code.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-ipa_code.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iss-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-iss-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iss-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-iss-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-iss.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-iss.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-iss.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-logo_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-logo_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-logo_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-logo_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-logo_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-logo_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-logo_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_name-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-organization_name-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_name-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-organization_name-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_name.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-organization_name.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_name.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-organization_name.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_type-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-organization_type-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_type-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-organization_type-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-organization_type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-organization_type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-organization_type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-policy_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-policy_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-policy_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-policy_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-policy_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-policy_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-policy_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-policy_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ref-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-ref-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ref-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-ref-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ref.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-ref.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-ref.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-ref.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-sa_profile-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-sa_profile-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-sa_profile.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sa_profile.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-sa_profile.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-service_documentation-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-service_documentation-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-service_documentation-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-service_documentation-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-service_documentation.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-service_documentation.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-service_documentation.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-service_documentation.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sub-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-sub-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sub-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-sub-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-sub.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-sub.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-sub.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-tos_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-tos_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-tos_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-tos_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-tos_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-tos_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_mark-tos_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_mark-tos_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_marks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_marks.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA OP-trust_marks.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response OP-trust_marks.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-constraints.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-constraints.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-constraints.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-constraints.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-exp-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-exp-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-exp-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-exp.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-exp.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-exp.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-iat-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-iat-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-iat-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-iat.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-iat.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-iat.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-iss-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-iss-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-iss-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-iss-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-iss.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-iss.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-iss.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-jwks.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-jwks.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-jwks.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-metadata_policy-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-metadata_policy-jwks.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-metadata_policy-jwks.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-metadata_policy-jwks.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-metadata_policy.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-metadata_policy.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-metadata_policy.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-metadata_policy.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-release.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-release.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-release.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-release.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-sub.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-sub.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-sub.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-claims-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-claims-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-claims-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-claims-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-claims.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-claims.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-claims.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-claims.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-email-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-email-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-email-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-email-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-email.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-email.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-email.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-email.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-exp-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-exp-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-exp-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-exp.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-exp.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-exp.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-fiscal_number-or-vat_number.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-fiscal_number-or-vat_number.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-fiscal_number-or-vat_number.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-fiscal_number-or-vat_number.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iat.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iat.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iat.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-id.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-id.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-id.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-id.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-id_code-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-id_code-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-id_code-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-id_code-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-id_code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-id_code.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-id_code.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-id_code.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ipa_code-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-ipa_code-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ipa_code-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-ipa_code-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ipa_code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-ipa_code.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ipa_code.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-ipa_code.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iss-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iss-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iss-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iss-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iss.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-iss.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iss.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-logo_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-logo_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-logo_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-logo_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-logo_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-logo_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-logo_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_name-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-organization_name-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_name-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-organization_name-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_name.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-organization_name.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_name.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-organization_name.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_type-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-organization_type-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_type-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-organization_type-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-organization_type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-organization_type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-organization_type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-policy_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-policy_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-policy_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-policy_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-policy_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-policy_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-policy_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-policy_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ref-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-ref-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ref-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-ref-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ref.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-ref.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-ref.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-ref.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-sa_profile-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-sa_profile-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-sa_profile.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sa_profile.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-sa_profile.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-service_documentation-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-service_documentation-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-service_documentation-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-service_documentation-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-service_documentation.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-service_documentation.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-service_documentation.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-service_documentation.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sub-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-sub-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sub-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-sub-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-sub.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-sub.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-sub.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-tos_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-tos_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-tos_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-tos_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-tos_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-tos_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_mark-tos_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-tos_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_marks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_marks.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response SA RP-trust_marks.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_marks.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Fetch Entity Statement response SA RP-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Fetch Entity Statement response RP-exposed.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Fetch Entity Statement response SA RP-exposed.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Fetch Entity Statement response RP-exposed.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json
index db33e32..37a1d16 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json
@@ -5,6 +5,52 @@
 "filter messages": true
 },
 "tests": [
+ {
+ "test": {
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
 {
 "test": {
 "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
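Review bot: The second added test, "Does the Entity expose the /.well-known/openid-federation endpoint", claims to verify the presence and correctness of the entity configuration, but its only check is the same status-line regex as the first added test, so any 200 response (an HTML page, an error body) satisfies both and the two tests are effectively duplicates. A test about the entity configuration should also inspect the body; if the check grammar allows a path check with a presence assertion, something like `"in": "payload", "check": "$.iss", "is present": "true"` (and the same for `$.sub`) would at least confirm an entity statement was decoded, otherwise a `"check regex"` on the Content-Type header in `head` for the entity-statement JWT media type. Minor: `"is present": "true"` is a string while the context line `"filter messages": true` uses a boolean; if the runner accepts both, a consistent form is preferable.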
@@ -598,8 +644,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -615,9 +661,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
 "is subset of": [
- "code"
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
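Review bot: The new description of the RP id_token_encrypted_response_alg test says the policy "must contain the key 'subset_of'", while the new `"check"` path in the second hunk reads `$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of`, so the text and the assertion disagree. For a single-valued metadata parameter the federation policy operator is `one_of`, so the path looks right and the description is the part to fix, e.g. `"... It must contain the key 'one_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']"`. The same description/check mismatch recurs in the hunks at @@ -630 and @@ -663 (RP enc and signed alg) and at @@ -921, @@ -954 and @@ -987 (the SA equivalents). The enclosing test object starts before the first hunk and continues past the second.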
@@ -630,8 +677,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -647,10 +694,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
 "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "A128CBC-HS256\" , \"A256CBC-HS512"
 ]
 }
 ]
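Review bot: The new `"is subset of"` value in the second hunk (@@ -647) is one string, `"A128CBC-HS256\" , \"A256CBC-HS512"`, rather than two array elements, so a policy advertising either real algorithm is presumably not a subset of the allowed list and this test cannot pass against a compliant TA. It should be the two strings `"A128CBC-HS256",` and `"A256CBC-HS512"`, as the description states and as the SA variant of this test at @@ -971 already has them. The same malformed literal appears on the new side of the next hunk at @@ -680 as `"RS256\" , \"RS512"`, which should be `"RS256",` and `"RS512"`. Both literals already exist on the removed side, so this commit only shifts them, but they stay wrong in the new file.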
@@ -663,8 +709,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -680,9 +726,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
 "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
+ "RS256\" , \"RS512"
 ]
 }
 ]
@@ -695,8 +741,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -712,9 +758,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is subset of": [
- "RS256\" , \"RS512"
+ "code"
 ]
 }
 ]
@@ -889,8 +935,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -906,9 +952,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
 "is subset of": [
- "code"
+ "authorization_code",
+ "refresh_toke"
 ]
 }
 ]
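Review bot: The new `"is subset of"` list in the second hunk (@@ -906) ends with `"refresh_toke"`, a typo for `"refresh_token"`, which is the value the new description and the grant_types policy name; a TA whose policy correctly lists `refresh_token` would presumably fail this check. Change the element to `"refresh_token"`. The literal is carried over from the removed side of the following hunk (@@ -921), so the error predates this commit but survives it in the new file.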
@@ -921,8 +968,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -938,10 +985,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
 "is subset of": [
- "authorization_code",
- "refresh_toke"
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -954,8 +1001,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -971,10 +1018,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
 "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -987,8 +1034,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1004,10 +1051,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
 "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1020,8 +1067,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1037,10 +1084,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is subset of": [
- "RS256",
- "RS512"
+ "code"
 ]
 }
 ]
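Review bot: The new test is titled 'for an SA' and its description says `response_types` is looked up inside the intermediary type, but the check path on the new side of the second hunk is `$.metadata_policy.openid_relying_party.response_types.value`, so it inspects the RP policy rather than the SA one that the surrounding SA tests use (`$.metadata_policy.intermediary.…`). Either the path should become `"check": "$.metadata_policy.intermediary.response_types.value"` or the name/description should say RP/openid_relying_party; as written a TA that constrains the SA policy correctly but has no RP policy in this statement fails for the wrong reason. The enclosing test object's message type is outside the hunk, so I cannot tell which entity statement it is actually run against.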
@@ -1184,29 +1230,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
- ]
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
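Review bot: The new Content-Type assertion uses `"is"` against the bare media type, so a response that sends `application/entity-statement+jwt; charset=utf-8` (a parameter HTTP permits) fails unless mig-t strips parameters before comparing, which I cannot confirm from here; if a regex matcher exists, `^application/entity-statement\\+jwt(;.*)?$` would be more robust, otherwise the description should state that parameters are not tolerated. Separately, this hunk removes the check that the OP policy's `id_token_encryption_alg_values_supported` must not contain `RSA_1_5` — PKCS#1 v1.5 key transport is the classic padding-oracle target and the reason the profile forbids it — and nothing in this hunk replaces it. The diffstat lists new `*-not_supported.json` files that may carry it; if not, the suite no longer rejects a TA that permits RSA1_5 and the negative check should be re-added.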
@@ -1216,8 +1254,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1228,17 +1266,22 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
 ]
 }
 ]
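Review bot: The nested decode on the new side pins `$.trust_marks[0].trust_mark`, so only the first element of the `trust_marks` array is inspected and nothing ties that element to the intermediary Trust Mark the test is about; an entity publishing several marks (the array exists for exactly that) will have `sa_profile` looked up in whichever mark happens to be listed first. If mig-t's JSONPath allows it, select the mark by its `id` (or iterate with `$.trust_marks[*].trust_mark`); otherwise the description should state that the fixture is assumed to carry a single Trust Mark. The description also says the mark is "decrypted": a Trust Mark is a signed JWT that is merely decoded here, and no signature verification happens in this check, which a reader of a passive test should be told (`is taken, decoded (signature not verified) and …`). Also, `result` in the first hunk becomes `["s1"]` while other tests in this file still use `"correct flow s1"`; confirm the runner accepts both forms before mixing them.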
@@ -1246,34 +1289,41 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
 ]
 }
 ]
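Review bot: This test reuses the exact name of the preceding one ('Does the issued intermediary Trust Mark contain a correct sa_profile claim') but its message type is changed to `Entity Statement response TA RP`, so an SA-specific claim is now demanded of the Trust Mark found in an RP's entity statement. A compliant RP Trust Mark without `sa_profile` fails this test, and the duplicated name makes the two results indistinguishable in a report. Either keep this one on the SA statement (`"message type": "Entity Statement response TA SA"`, the type used elsewhere in this file) or give it an RP-specific name and claim set. The ordinary `[0]` caveat applies here too: only the first mark in `trust_marks` is examined.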
@@ -1281,13 +1331,15 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1298,14 +1350,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
 ]
 }
 ]
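Review bot: `"is present": "true"` on the new side is a JSON string, whereas the `"url decode": false` operator introduced in this same patch is a bare boolean; if mig-t compares the operand by value rather than truthiness a string `"true"` may be ignored or rejected, so one representation (`"is present": true`) should be used consistently across the file. The description also says the mark is 'issued for an TA' while the name says `oauth_resource`, which the later tests in this patch describe as the AA profile — suggest `a Trust Mark issued for an AA (oauth_resource profile) must be taken, decoded and …` (Trust Marks are signed JWTs, so 'decoded' rather than 'decrypted'). The message type this test runs against is outside the hunk, so I cannot confirm it targets the AA statement.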
@@ -1318,8 +1375,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1330,52 +1387,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
 ]
 }
 ]
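Review bot: This hunk deletes the test that forbade `none`, `HS256`, `HS384` and `HS512` in the TA policy's `token_endpoint_auth_signing_alg_values_supported` (and the `userinfo_signing_alg_values_supported` variant above it), replacing them with a presence check for the Trust Mark's `email` claim, so the rejection of unsigned and shared-secret client-authentication algorithms disappears from this file. In a federation where every key is published, `alg: none` and HMAC with a public key are precisely what an attacker probes for, so the negative check needs to survive somewhere. If it has moved to one of the new `*-not_supported.json` files in the diffstat this is fine; otherwise re-add it in the removed shape with `"not contains": ["none", "HS256", "HS384", "HS512"]` — and, while doing so, note the removed path used `intermediary` for an OP test, where `openid_provider` is presumably intended.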
@@ -1388,26 +1412,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
 ]
 }
 ]
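Review bot: `"is present": "true"` on `exp` only proves the claim exists; a Trust Mark with `"exp": "never"` or a negative number passes, and nothing here checks the mark is unexpired. The `json schema compliant` operator already used for lifetime claims in this file (in the Entity Configuration tests removed further down in this patch) expresses the minimum you want: `"check": "$", "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"` — the same applies to the `iat` test that follows. The message type also moves from `TA RP` to `TA OP`, so RP Trust Marks are no longer covered by this check.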
@@ -1420,29 +1449,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1455,26 +1486,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1487,29 +1523,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1522,26 +1560,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
 ]
 }
 ]
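Review bot: The check `$.id_code.ipa_code` is applied unconditionally to `Entity Statement response TA OP`, while the name and description restrict the requirement to Trust Marks issued to public organizations; a compliant private OP, whose `id_code` would carry a different identifier, fails this test for no reason. Either gate it on the mark's `organization_type` being `public` (if mig-t supports a precondition) or state in the description that the fixture OP is assumed to be a public body, e.g. `… (the OP under test is assumed to be a public organization)`. The SA statement this test used to run against is no longer exercised by it.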
@@ -1554,29 +1597,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
 ]
 }
 ]
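Review bot: Presence of `iss` says nothing about who issued the mark: in OpenID Federation a Trust Mark is only meaningful if its `iss` is an issuer the Trust Anchor lists under `trust_mark_issuers` for that mark's `id`, and that authorisation is what stops anyone from minting marks. If mig-t can reference values from another message, assert `iss` against the TA Entity Configuration's `trust_mark_issuers`; if it cannot, the description should say so explicitly, e.g. `… the presence of the iss claim is checked (issuer authorisation against the TA's trust_mark_issuers is not verified here)`.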
@@ -1589,26 +1634,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1621,29 +1671,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
 ]
 }
 ]
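Review bot: With this hunk every Trust Mark claim test in the run above it has been re-pointed from `Entity Statement response TA SA` or `TA RP` to `TA OP`, so in this file the SA and RP Trust Marks are no longer checked for `organization_name` (nor for `exp`, `iat`, `id`, `iss`, …), even though those claims are required of every profile. If the intent is that OP-only coverage lives here and the other profiles are covered by the new per-test files in the diffstat, a one-line note in the description (`… on the OP's Trust Mark; SA/RP marks are covered elsewhere`) would prevent the next maintainer from reading this as a regression; otherwise keep one operation per message type inside the same test.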
@@ -1656,8 +1708,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1668,15 +1720,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
 ]
 }
 ]
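Review bot: The `organization_type` test is weakened from an enum check (`"is in": ["public", "private"]`) to `"is present": "true"`, so a Trust Mark carrying any value — `"pubblico"`, an empty string, a number — now passes. The old check was broken for a different reason (it applied `organization_type` to the still-encoded `trust_mark` string instead of decoding it), and the new nested decode fixes exactly that, so there is no reason not to keep the enum on the decoded payload: `"check": "organization_type", "is in": ["public", "private"]`. If the value check was intentionally relocated to one of the new per-test files, a word in the description would make that clear.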
@@ -1689,27 +1745,31 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
 ]
 }
 ]
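Review bot: The name and description say this is the oauth_resource (AA) Trust Mark, but the message type is changed to `Entity Statement response TA OP`, so `policy_uri` is demanded of an OpenID Provider's Trust Mark and a compliant OP fixture without that AA-specific claim fails. Point the operation at the AA's entity statement (whatever message type this suite uses for it — none is visible in this hunk) or fix the name/description; `"message type": "Entity Statement response TA OP"` and `oauth_resource` cannot both be right.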
@@ -1722,205 +1782,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. 
This must be a JSON object.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. 
It must be a JSON Object", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -1932,8 +1819,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1944,13 +1831,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
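Review bot: The new name and description describe a Trust Mark issued for an AA (oauth_resource profile), but the test sits in the run whose `message type` is `Entity Statement response TA OP` (that line falls in the unchanged gap between the two hunks; the neighbouring tests in this run carry it on the new side), and the later hunks for the same oauth_resource claims at @@ -2022, @@ -2352, @@ -2412 and @@ -2472 switch the message type to `Entity Statement response TA RP`. An entity statement issued to an OP or an RP is not where a Trust Mark for an oauth_resource profile is expected, so these presence checks would either flag a compliant deployment or pass only by accident of which mark is listed first. If the suite has an entity-statement message type for the AA, the five oauth_resource tests (this one, the tos_uri test at @@ -1992, and the three above) should be anchored on it; otherwise their names and descriptions should drop the oauth_resource wording so the test says what it actually inspects. The same naming mismatch applies to the tos_uri hunk at @@ -1992 in this OP run.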
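Review bot: `"decode param": "$.trust_marks[0].trust_mark"` pins the check to whichever Trust Mark is listed first in the entity statement, so an entity that carries several marks is only ever inspected on index 0 and the claim under test may be absent from that mark while present in the relevant one; nothing in the OpenID Federation `trust_marks` array fixes an order. If the decode DSL can select an array element by a field, picking the mark by its `id` would make the test independent of ordering; if it cannot, the limitation should be stated in the description, e.g. `... is checked. Only the first entry of trust_marks is inspected.` The same selector is used in every Trust Mark hunk from here through @@ -2502, so one fix pattern covers them all. Separately, the descriptions say the mark is "decrypted", while the operation is a `jwt` decode of a signed token with no decryption step; "decoded" describes what the test does.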
@@ -1962,8 +1856,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -1974,13 +1868,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -1992,8 +1893,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -2004,13 +1905,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -2022,25 +1930,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
@@ -2052,25 +1967,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } 
@@ -2082,25 +2004,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
@@ -2112,25 +2041,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
@@ -2142,25 +2078,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
@@ -2172,25 +2115,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -2202,25 +2152,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
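Review bot: The `$.id_code.ipa_code` presence check is unconditional, although the test name itself limits it to a Trust Mark "issued by a TA for a public organization"; run against an RP that is a private entity, the test fails even though the deployment is compliant, and nothing in the hunk encodes that precondition. The `organization_type` claim checked at @@ -2322 is presumably the discriminator, so either make the check conditional on it if the DSL allows, or state the scope in the description, e.g. `This test applies only to Trust Marks issued to public organizations; private entities carry a different identifier inside id_code.` Note also that this check uses the JSONPath form `$.id_code.ipa_code` while the sibling presence checks in the same run use bare claim names (`ref`, `sub`, `id_code`); if the tool resolves the two forms differently, mixing them in one run is worth a second look.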
@@ -2232,25 +2189,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -2262,25 +2226,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -2292,25 +2263,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -2322,25 +2300,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -2352,25 +2337,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
@@ -2382,25 +2374,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -2412,25 +2411,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
@@ -2442,25 +2448,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -2472,25 +2485,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -2502,25 +2522,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
@@ -2532,25 +2559,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
 }
 ]
 }
@@ -2832,15 +2859,15 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2849,7 +2876,7 @@ "checks": [ { "in": "payload", - "check": "$.constraints.max_path_length", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", "is present": "true" } ] 
@@ -2862,8 +2889,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2879,7 +2906,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
 "is present": "true"
 }
 ]
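Review bot: The new description says the `authorization_response_iss_parameter_supported` policy "must contain the key 'one_of'", but the check in the second hunk reads `...authorization_response_iss_parameter_supported.value`. For a boolean metadata parameter a `value` operator is the sensible policy, so the path is probably the intended one and the text is what is wrong; change it to `It must contain the key 'value'` so that a failing run tells the operator which policy operator is actually expected.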
@@ -3042,38 +3069,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response TA OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" 
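Review bot: The description added here says the `jwks` parameter is looked for "inside the openid_provider type" of `metadata_policy` and "must contain the RP JWKS", while the check this test is paired with in the following hunk is the top-level `$.jwks` of the Entity Statement — as far as the spec goes, that claim holds the subordinate OP's federation keys, not a metadata-policy entry and not an RP key set. Either reword the description (`the presence of the top-level jwks claim, holding the OP's federation keys, is checked`) or, if the policy really is the target, use `$.metadata_policy.openid_provider.jwks`. Presence alone also accepts an empty key set; a `json schema compliant` check requiring a non-empty `keys` array would make the test meaningful.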
@@ -3089,7 +3086,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "check": "$.jwks", "is present": "true" } ] @@ -3102,8 +3099,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" @@ -3119,7 +3116,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", "is present": "true" } ] 
@@ -3132,8 +3129,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" @@ -3149,7 +3146,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", "is present": "true" } ] 
@@ -3161,9 +3158,9 @@ } }, { - "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "test": { + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" @@ -3179,7 +3176,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", "is present": "true" } ] 
@@ -3192,8 +3189,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -3209,7 +3206,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", "is present": "true" } ] 
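Review bot: Same mismatch as the other boolean policy tests: the description says `request_parameter_supported` "must contain the key 'one_of'" but the path checked in the second hunk is `request_parameter_supported.value`. Align the text with the path (`It must contain the key 'value'`), or fix the path if the profile really prescribes `one_of`; as written a failure report names an operator the test never looks at.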
@@ -3222,8 +3219,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3239,7 +3236,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
 "is present": "true"
 }
 ]
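Review bot: The path `$.metadata_policy.intermediary.response_types_supported.subset_of` cannot be right for this test: its name and description say it inspects the `openid_provider` policy in an Entity Statement issued for an OP, so a TA that publishes the policy where the spec puts it fails, and the test only passes for a statement that also carries an `intermediary` policy. Change it to `$.metadata_policy.openid_provider.response_types_supported.subset_of`. The description's "It must contain the key 'one_of'" disagrees with `subset_of` too; for an array-valued parameter `subset_of` is the natural operator, so fix the sentence rather than the operator. The same `intermediary` path is used for an OP in the next two hunks (`revocation_endpoint_auth_methods_supported`, `subject_types_supported`).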
@@ -3252,8 +3249,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -3269,7 +3266,7 @@ "checks": [ { "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", "is present": "true" } ] 
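Review bot: `$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of` looks under the `intermediary` policy in a test that, by name, description and the `Entity Statement response TA OP` it consumes, targets an OP; the check should be `$.metadata_policy.openid_provider.revocation_endpoint_auth_methods_supported.subset_of`. The description also states the key must be `one_of` while the path asserts `subset_of` — make the text follow the path.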
@@ -3282,8 +3279,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -3299,7 +3296,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", "is present": "true" } ] 
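Review bot: `$.metadata_policy.intermediary.subject_types_supported.subset_of` is the third OP policy test in a row that reads the `intermediary` policy instead of `openid_provider`; change it to `$.metadata_policy.openid_provider.subject_types_supported.subset_of`. As with the neighbouring tests, the description promises the key `one_of` while the check asserts `subset_of`; one of the two needs to change so that a failure is explained correctly.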
@@ -3312,8 +3309,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" @@ -3329,7 +3326,7 @@ "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", "is present": "true" } ] 
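Review bot: The check `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of` uses recursive descent (`$..`) while every other policy check in this file uses `$.`; the deep scan would also be satisfied by a `metadata_policy` object nested anywhere in the payload, which is not what the test is meant to prove. Use `$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`. The name says "parameter key" but the description never states which key is required; add `It must contain the key 'subset_of'` to match the path.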
@@ -3402,8 +3399,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -3419,7 +3416,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
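Review bot: The description for the RP `id_token_encrypted_response_enc` policy says "It must contain the key 'subset_of'", yet the check is `...id_token_encrypted_response_enc.one_of`. Since this client-metadata parameter is a single value, `one_of` is the operator that makes sense and the text is what should change (`It must contain the key 'one_of'`). The next hunk (`id_token_signed_response_alg`) has the identical mismatch.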
@@ -3432,8 +3429,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -3449,7 +3446,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", "is present": "true" } ] 
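Review bot: Description/check mismatch again: the text requires the key `subset_of` for `id_token_signed_response_alg`, while the path checked is `...id_token_signed_response_alg.one_of`. For a single-valued RP parameter `one_of` is correct; update the description to `It must contain the key 'one_of'`.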
@@ -3462,8 +3459,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" @@ -3479,7 +3476,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
@@ -3642,8 +3639,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -3659,7 +3656,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
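Review bot: For the SA `id_token_encrypted_response_alg` policy the description says the key `subset_of` is required, but the check reads `$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of`. Single-valued parameters take `one_of`, so the path is fine and the description should say `It must contain the key 'one_of'`; the two hunks that follow (`id_token_encrypted_response_enc`, `id_token_signed_response_alg`) carry the same wrong sentence.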
@@ -3672,8 +3669,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -3689,7 +3686,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
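Review bot: The description names `subset_of` as the required key while the check asserts `...intermediary.id_token_encrypted_response_enc.one_of`; change the sentence to `It must contain the key 'one_of'` so the reported expectation matches what is tested.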
@@ -3702,8 +3699,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -3719,7 +3716,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", "is present": "true" } ] 
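Review bot: Same inconsistency for `id_token_signed_response_alg`: the description requires `subset_of`, the check `...intermediary.id_token_signed_response_alg.one_of`. Update the text to `It must contain the key 'one_of'`.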
@@ -3732,8 +3729,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3749,7 +3746,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is present": "true"
 }
 ]
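Review bot: This SA test checks `$.metadata_policy.openid_relying_party.response_types.value`, but its name and description say the `response_types` policy "inside the intermediary type" is inspected, and every other SA policy check in this patch reads `$.metadata_policy.intermediary.…`. Against an Entity Statement issued for an SA the `openid_relying_party` branch will normally be absent, so the test fails for a compliant TA; change the path to `$.metadata_policy.intermediary.response_types.value`.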
@@ -3882,8 +3879,8 @@ }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -3891,18 +3888,11 @@ "operations": [ { "message type": "Entity Configuration response TA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is": "X_url_TA" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
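Review bot: The regex `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` rejects most real Entity Configurations: the first two groups allow only `\w` and `=`, but base64url (RFC 7515 compact serialization) uses `-` as well, and a `-` anywhere in the payload segment leaves no way to match `X.Y.Z`, so a valid JWS is reported as non-compliant — unless the tool's regex engine treats `\w` more broadly than ASCII word characters, which is worth confirming. The pattern is also unanchored and admits `+`, `/` and `=`, which base64url never emits, so any `a.b.c` fragment in an HTML error page would pass. A stricter and correct check is `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`. The description promises `Content-Type: application/entity-statement+jwt` but nothing inspects the headers; the tool supports `"in": "head"` with `check regex` (see the removed lines of the next hunk), so add a second check `{ "in": "head", "check regex": "(?i)content-type:\\s*application/entity-statement\\+jwt", "is present": "true" }`. The `sub == X_url_TA` test removed here should be confirmed to have been re-added elsewhere in the patch, otherwise the EC `sub`/`iss` equality requirement is no longer exercised.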
@@ -3912,19 +3902,19 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Resolve Entity Statement response",
 "checks": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
 "is present": "true"
 }
 ]
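Review bot: The new `check regex` for the resolve response, `[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$`, starts with an unescaped `[` (compare `\\[` in the Entity Listing test below), so the leading bracket opens a character class instead of matching a literal `[`; depending on the engine this is a pattern-syntax error or a class that never closes, and in neither case does it test what the listing regex tests. More fundamentally, the pattern was copied from a JSON-array check, while the resolve endpoint returns a signed JWT (`application/resolve-response+jwt`), not a list of identifiers, so even a repaired pattern would fail on a compliant entity. Use the compact-JWS regex used for Entity Configurations (preferably anchored, `^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$`) and, better, a `decode operations` block asserting `$.metadata` is present in the decoded payload. The description promises an HTTP 200, so keep a `"in": "head"` check for it as the removed test did.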
@@ -3935,19 +3925,19 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Listing response",
 "checks": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "in": "body",
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
 "is present": "true"
 }
 ]
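Review bot: The description says "the resolve entity statement endpoint" in a test named for the entity listing endpoint — a copy-paste leftover; it should read `In order to check the presence and correctness of the entity listing endpoint, …`. The regex `\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` requires at least one string, so a Trust Anchor with no subordinates yet, which legitimately answers `[]`, fails; `\\[\\s*(?:\"[^\"]*\"(?:,\\s*\"[^\"]*\")*)?\\s*\\]$` accepts both. Nothing checks that the entries are Entity Identifiers (https URLs), which is what the description promises — a `json schema compliant` check with `"items": {"type": "string", "format": "uri"}` would express that, if the tool applies schemas to raw JSON bodies.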
@@ -3958,15 +3948,15 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "checks": [ { "in": "body", 
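Review bot: This test and the one in the next hunk now share the name "Does the TA correctly release the Entity statements" while consuming different messages (`Entity Statement response TA OP` here, `… TA RP` there), so a report cannot say which subordinate failed; suffix the names with `for an OP` / `for an RP`. The hunk also leaves two message types describing the TA's fetch endpoint — `Entity Statement response TA OP` here and `Fetch Entity Statement response TA OP` introduced at -4004 — and if those are distinct message types in the tool rather than aliases, one of the two tests will never see a message. The actual `check` line for this test lies outside the hunk.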
@@ -3981,19 +3971,19 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", + "message type": "Entity Statement response TA RP", "checks": [ { "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", "is present": "true" } ] 
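Review bot: The body check switches to `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)`, which has the same flaw as the Entity Configuration test: `\w` does not cover the base64url `-` character, so a `-` in the payload segment of an otherwise valid Entity Statement prevents a match and a compliant TA fails. Use the anchored base64url form `^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$`. The test name duplicates the OP variant in the previous hunk; add `for an RP`.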
@@ -4004,15 +3994,15 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Fetch Entity Statement response TA OP", "checks": [ { "in": "body", 
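Review bot: The description says the fetch endpoint returns "the resolved metadata for the entity in the request's sub claim", which is the resolve endpoint's contract; the fetch endpoint returns the subordinate's Entity Statement as a signed JWT (`application/entity-statement+jwt`), so the sentence should say `a response containing the Entity Statement issued by the TA for the entity in the request's sub parameter is expected`. Whether `iss` is still a request parameter depends on the federation draft the profile targets (later drafts take only `sub`), so name the parameters the profile actually mandates. The test name is identical to the RP variant in the next hunk; add `for an OP` here and `for an RP` there.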
@@ -4027,15 +4017,15 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Fetch Entity Statement response TA RP", "checks": [ { "in": "body", 
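Review bot: Same wording problem as the OP variant: "resolved metadata" is what the resolve endpoint returns, while `Fetch Entity Statement response TA RP` carries the RP's Entity Statement issued by the TA, so say so in the description. The name "Does the Entity expose the fetch entity statement endpoint" is now used twice; make it `… for an RP` so failures are attributable.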
@@ -4050,20 +4040,154 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Public Keys History response", + "checks": [ + { + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } 
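Review bot: The four new metadata-policy tests check `$.metadata_policy.intermediary.<param>.one_of` (the request_authentication one `.subset_of`), while every description says the parameter is read from the `openid_provider` type under the key `subset_of`, so the JSONPath and the description disagree on both the entity type and the policy operator; the same mismatch recurs in the hunks at -4073 and -4096 and, for the operator only, in the RP and SA hunks from -4119 through -4341. A forbidden algorithm can also be admitted through `value`, `add`, `default` or `superset_of`, so a `not contains` on a single operator does not establish that the policy excludes it, and if the tool treats a missing path as a pass, a policy that omits the parameter entirely passes as well. Settle on one path per test and align the description with it, e.g. `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"`. The description of the id_token_encryption_alg_values_supported test also appears to contain a literal line break after "is checked."; if that is a raw newline inside the string rather than a rendering artifact, a strict JSON parser rejects the whole file.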
@@ -4073,20 +4197,32 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response TA OP",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4096,20 +4232,32 @@
 },
 {
 "test": {
- "name": "Does the TA publish the federation public key history",
- "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Public Keys History response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4119,20 +4267,29 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4142,26 +4299,30 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
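Review bot: The test entry this hunk overwrites (and its twin in the -4173/-4187 hunks) was the only visible check that the Trust Mark embedded in the TA's Entity Statement carries a valid signature (`"jwt check sig": "X_key_TA"` on `$.trust_marks[0].trust_mark`); the new metadata-policy test takes its slot and no signature verification is re-added anywhere in view. If it is not restored elsewhere in the file, a Trust Mark with a forged or stale signature would no longer be detected by this suite. Add the policy test as a new entry rather than replacing the signature test.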
@@ -4173,8 +4334,8 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" @@ -4187,12 +4348,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -4204,15 +4366,15 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -4221,8 +4383,13 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -4234,15 +4401,15 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -4251,8 +4418,10 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -4264,15 +4433,15 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -4281,8 +4450,13 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -4294,15 +4468,15 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -4311,8 +4485,10 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -4324,15 +4500,15 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -4341,8 +4517,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -4354,8 +4535,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -4371,8 +4552,8 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -4384,8 +4565,8 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -4401,8 +4582,8 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -4414,8 +4595,8 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
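Review bot: The schema in the exp check (and the iat one in the hunk at -4401) asserts only a non-negative integer, so an Entity Configuration whose `exp` already lies in the past, or whose `exp` precedes `iat`, passes a test now named "correct exp parameter". A static schema cannot express freshness; either keep the name to what is checked (present and a non-negative integer) or add a time comparison in the tool if it supports one. The descriptions still say only that the presence of the parameter is checked; suggested ending for the exp one: `... and the exp parameter is checked to be present and a non-negative integer (JSON schema)`.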
@@ -4431,8 +4612,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -4444,8 +4625,8 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -4461,8 +4642,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" } ] } 
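Review bot: In the constraints check the closing braces place `"required": ["constraints"]` inside `properties` rather than at the top level, so the schema never requires `constraints` and an Entity Configuration without it passes (a validator may also reject the array `["constraints"]` as a property schema). The intended schema is `{"type": "object", "properties": {"constraints": {"type": "object", "properties": {"max_path_length": {"type": "integer", "minimum": 0}}, "required": ["max_path_length"]}}, "required": ["constraints"]}` (escaped as in the surrounding entries), which also gives `max_path_length` the integer constraint the test name implies instead of the empty `{}`.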
@@ -4474,25 +4655,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
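Review bot: In the logo_uri schema `"format": "uri"` is only an annotation unless the validator is configured to assert formats, so the `pattern` is the only constraint actually enforced; the description should present the test as that pattern check. The `.*` in `^https://.*\.svg$` also accepts whitespace and control characters in the host and path; `^https://\S+\.svg$` (written in the file as `^https://\\\\S+\\\\.svg$`) is slightly tighter. The change of the decode param from `[^\\r\\n]*` to `[^\\n\\r]*` is the same character class and only adds diff noise.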
@@ -4504,25 +4685,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" } ] 
} @@ -4534,15 +4715,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -4551,8 +4732,8 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" } ] } 
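Review bot: The schema in the metadata-types check lists all six types under `required`, so a Trust Anchor whose Entity Configuration carries only `federation_entity` (possibly with `trust_mark_issuer`) fails a test whose description only asks that each key be one of the allowed types; this hunk begins on the previous line. Dropping `required` and keeping `additionalProperties: false` matches the stated intent: `{"type": "object", "properties": {"openid_relying_party": {"type": "object"}, "openid_provider": {"type": "object"}, "federation_entity": {"type": "object"}, "oauth_authorization_server": {"type": "object"}, "oauth_resource": {"type": "object"}, "trust_mark_issuer": {"type": "object"}}, "additionalProperties": false}` (escaped as in the file). The "only once for each" part cannot be verified by a schema, since a JSON parser collapses duplicate keys before validation runs; the description should not claim it.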
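Review bot: The test name and description say `trust_mark_issuers` must be a JSON Array, but the schema requires an object whose values are arrays; the object-of-arrays shape (trust mark identifier mapped to a list of issuer entity IDs) is the one the federation specification gives for this claim, so the schema is right and the wording is wrong. Suggested: `"name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Object mapping each trust mark identifier to a JSON Array of issuers"`. The array items could further be constrained with `{"type": "array", "items": {"type": "string", "format": "uri"}}` (escaped as in the file) so that non-string issuer entries are rejected.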
@@ -4564,8 +4745,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -4581,8 +4762,8 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.acr_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" } ] } 
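Review bot: The check path reads `$.metadata_policy.intermediary.acr_values_supported` while the description says the parameter is taken from the `openid_provider` type, and the schema requires both `subset_of` and `superset_of` while the description says only `subset_of` must be present; the grant_types_supported hunk at -4684 has the same two mismatches. Both operators are also left as the empty schema `{}`, so a non-array value passes. Suggested: `"check": "$.metadata_policy.openid_provider.acr_values_supported"` with `{"type": "object", "properties": {"subset_of": {"type": "array"}, "superset_of": {"type": "array"}}, "required": ["subset_of"]}` (escaped as in the file), or the description updated if `superset_of` really is mandatory.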
@@ -4594,8 +4775,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" @@ -4611,8 +4792,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
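Review bot: The description says the parameter must contain the key `one_of` valued `['true']`, but the schema requires a `value` key with the constant `true`; the claims_parameter_supported hunk at -4624 has the same wording/schema mismatch. `value` is the policy operator that fixes a single value, so the schema looks right and the descriptions should say so, e.g. `It must contain the key 'value' and it must be valued as true`. These two tests read the `openid_provider` policy entry while the neighbouring OP tests read `intermediary`; whichever is the correct entity type for the OP policy should be used consistently across the file.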
@@ -4624,8 +4805,8 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" @@ -4641,8 +4822,8 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -4654,8 +4835,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4671,8 +4852,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
 }
 ]
 }
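Review bot: The schema in the second hunk requires `subset_of` to be the bare string `"automatic"`, but `subset_of` is a list operator in a metadata policy (the other schemas in this file and the `['RS256', 'RS512']` wording a few hunks below treat it as one), so a policy carrying `"subset_of": ["automatic"]` fails this check. The description meanwhile says the key should be `one_of` valued `['automatic']`, which matches neither the operator nor the type the schema enforces. If `subset_of` is intended, constrain it as an array, e.g. `{\"subset_of\": {\"type\": \"array\", \"items\": {\"const\": \"automatic\"}}}`, and reword the description to name the same operator.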
@@ -4684,8 +4865,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4701,8 +4882,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
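Review bot: The JSONPath in the second hunk descends into `$.metadata_policy.intermediary.grant_types_supported` while the name and description say the parameter is checked inside the `openid_provider` type; on an OP entity statement the `intermediary` policy is the wrong object, so the OP parameter is never inspected and the test passes or fails for unrelated reasons. The same `intermediary` path under an `openid_provider` description recurs in the id_token_encryption_alg_values_supported, id_token_encryption_enc_values_supported, id_token_signing_alg_values_supported, request_authentication_signing_alg_values_supported, response_modes_supported, scopes_supported, token_endpoint_auth_signing_alg_values_supported, userinfo_encryption_alg_values_supported, userinfo_encryption_enc_values_supported and userinfo_signing_alg_values_supported tests below. The path should read `$.metadata_policy.openid_provider.grant_types_supported`. The description also says only `'subset_of'` is required while `required` lists both operators; either write `It must contain the keys 'subset_of' and 'superset_of'` or drop `superset_of` from `required`.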
@@ -4714,15 +4895,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4731,8 +4912,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4744,15 +4925,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4761,8 +4942,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4774,15 +4955,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4791,8 +4972,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4804,15 +4985,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4821,8 +5002,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -4834,15 +5015,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4851,8 +5032,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4864,15 +5045,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4881,8 +5062,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
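Review bot: The test is named and described as a check of `request_object_signing_alg_values_supported`, but the JSONPath in the second hunk reads `$.metadata_policy.openid_provider.request_parameter_supported`, so the signing-algorithm policy is never inspected and this check largely duplicates the request_parameter_supported test two hunks below. The path should be `$.metadata_policy.openid_provider.request_object_signing_alg_values_supported`. The next hunk, the `['RS256', 'RS512']` variant of the same test, carries the same wrong path.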
@@ -4894,15 +5075,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4911,8 +5092,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
 }
 ]
 }
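Review bot: The `json schema compliant` string in the second hunk is not valid JSON: the array `[\"RS256\", \"RS512\"]` is appended after the schema's closing brace, so the schema cannot be parsed and the `'RS256', 'RS512'` requirement stated in the description is never actually expressed; whether the tool reports a parse error or silently skips the check depends on its error handling, which is not visible here. The allowed values belong inside the schema, e.g. `\"subset_of\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}`, with the property then listed in `required`. The JSONPath also targets `request_parameter_supported` instead of `request_object_signing_alg_values_supported`, as in the preceding hunk.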
@@ -4924,15 +5105,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4941,8 +5122,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -4954,15 +5135,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4971,8 +5152,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.response_modes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4984,8 +5165,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4996,20 +5177,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.scopes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5021,8 +5195,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5033,20 +5207,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5058,8 +5225,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5070,20 +5237,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5095,8 +5255,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5107,20 +5267,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5132,8 +5285,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5143,21 +5296,14 @@
 "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5169,32 +5315,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5206,32 +5345,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
 }
 ]
 }
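Review bot: The `required` keyword in the new schema is malformed: `\"required\": [\"subset_of\"], [\"superset_of\"]}` leaves a bare array after the first list, which is not valid JSON, so the schema cannot be parsed and the check will error or be skipped regardless of what the SA policy contains. It should read `\"required\": [\"subset_of\", \"superset_of\"]`, exactly as the sibling RP hunk above writes it.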
@@ -5243,8 +5375,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5255,20 +5387,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -5280,32 +5406,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
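Review bot: This test carries exactly the same `name` and `description` as the Trust Mark signature test in the previous hunk; the only difference is the `message type` (`Entity Statement response TA RP` here versus TA OP there), which lives in the operations and not in the title, so the two results are indistinguishable in a report. Suffix the names with the entity the Trust Mark was issued to, e.g. `Does the TA correctly sign the Trust Mark issued to the RP`. The two `Does the Trust Mark contain a correct iss claim` tests further below have the same duplicate-name problem.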
@@ -5317,32 +5437,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does entity configuration TA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_TA"
 }
 ]
 }
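Review bot: The description says the `sub` value must equal the `iss` parameter, but the check compares `$.sub` to the configured `X_url_TA` placeholder and never reads `iss`, so the test verifies a different property than it documents; if no other test pins `iss`, an Entity Configuration whose `sub` matches the configured URL but whose `iss` does not would still pass. Either add a second check `{ "in": "payload", "check": "$.iss", "is": "X_url_TA" }` alongside this one, or reword the description to `Its value must be equal to the TA's configured entity identifier`.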
@@ -5354,20 +5467,47 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
- "type": "passive",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "iss",
+ "as": "valid_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
 "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
@@ -5375,9 +5515,10 @@
 "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "ref",
- "is present": "true"
+ "check": "iss",
+ "contains": "valid_iss"
 }
 ]
 }
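Review bot: The new `iss` check in the second hunk uses `"contains": "valid_iss"`, a substring match, although the first hunk goes to the trouble of saving the TA's exact `iss` from the Entity Configuration; containment also accepts any issuer string that merely embeds the TA identifier, so an equality operator (the `"is"` form used for `$.sub` above, if it honours `"use variable"`) is what makes this comparison meaningful. The description still says `the value of the iss claim has to be an URL`, which is not what is checked; `its value must be equal to the iss of the TA's Entity Configuration` would describe the implementation. The RP variant in the next hunk has the same two issues. The surrounding test object continues outside the hunk.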
@@ -5391,20 +5532,47 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", - "type": "passive", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response TA RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", @@ -5412,9 +5580,10 @@ "decode param": "$.trust_marks[0].trust_mark", "checks": [ { + "use variable": "true", "in": "payload", - "check": "service_documentation", - "is present": "true" + "check": "iss", + "contains": "valid_iss" } ] } 
@@ -5428,32 +5597,25 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -5465,32 +5627,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -5502,32 +5657,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -5539,32 +5687,25 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -5576,32 +5717,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "is present": "true" } ] } 
@@ -5613,32 +5747,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -5650,32 +5777,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
@@ -5687,32 +5807,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the Federation Configuration contain the TA public keys", + "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
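Review bot: This test repeats the check added in the hunk for "Does entity configuration contain the jwks parameter": same message type `Entity Configuration response TA`, same `$.jwks` presence check, so under a different name it adds no coverage. If the intent stated in the description — that the TA actually publishes its public keys — is to be verified, the check should look inside the key set, e.g. `"check": "$.jwks.keys"` with a non-empty assertion if the check DSL offers one; otherwise one of the two tests should be dropped.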
@@ -5724,32 +5837,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_mark_issuers", + "is present": "true" } ] } 
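Review bot: The test name says `trust_marks_issuers` but the check reads `$.trust_mark_issuers`; the two spellings differ and only one can be the claim name of the profile under test (the OpenID Federation draft names the claim `trust_mark_issuers`, while the Italian federation profile appears to use `trust_marks_issuers` — confirm against the profile). With `"is present": "true"` the wrong spelling fails against every conforming TA without pointing at the cause, so the name and the JSONPath should agree, e.g. `"check": "$.trust_marks_issuers"` if that is the profile's claim.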
@@ -5761,32 +5867,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
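Review bot: Every new description from this hunk down to the `trust_marks` tests reads "the presence if the … parameter is checked"; `if` should be `of` (`"... once obtained the decrypted Payload, the presence of the constraints parameter is checked"`), and the names beginning "Does Entity Statements issued by the TA" pair a singular verb with a plural subject ("Do Entity Statements …" or "Does the Entity Statement …"). These strings are what the tool reports for each test, so fixing the template once before it is copied into the TA OP and TA RP variants avoids repeating the typo in every entry.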
@@ -5798,32 +5897,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -5835,32 +5927,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -5872,32 +5957,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -5909,32 +5987,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -5946,32 +6017,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
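Review bot: The description ends "It must be a JSON Object", but the only check is `"is present": "true"` on `$.metadata_policy`, so a string or array value would pass this test. If the check DSL has a type assertion (the commit adds files named "...-type.json", which suggests it does), add it here; otherwise drop that sentence so the description matches what is verified. The TA RP copy of this test later in the diff carries the same mismatch.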
@@ -5983,32 +6047,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -6020,32 +6077,25 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -6057,8 +6107,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6069,20 +6119,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } @@ -6094,8 +6137,8 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -6106,20 +6149,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } @@ -6131,8 +6167,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6143,20 +6179,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -6168,32 +6197,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -6205,21 +6227,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
@@ -6229,21 +6257,27 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" + } + ] } ] } 
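Review bot: This hunk and the next one overwrite the two "Does the TA correctly sign the Entity statements" tests — the only operations in view that run `"jwt check sig": "X_key_TA"` against `Entity Statement response TA OP` / `TA RP` — with plain presence checks, so unless they are re-added further down (the tail of the file is outside this view; only the Entity Configuration signature test is visibly re-added), the suite no longer verifies the TA's signature on Entity Statements. Presence checks on an unverified JWT payload say nothing about who issued it; the signature test is what ties a statement to the TA key, and it is the check a federation participant relies on. Keep the signature tests as their own entries and add the new presence tests alongside them rather than in their place.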
@@ -6253,8 +6287,8 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" @@ -6267,7 +6301,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
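Review bot: The new description says the jwks parameter is checked "inside the openid_relying_party type" of `metadata_policy`, but the check added in the second hunk on this line is `"check": "$.jwks"`, i.e. the top-level `jwks` of the Entity Statement (the subject's own keys), so the test passes without inspecting the policy at all. The path should be `"check": "$.metadata_policy.openid_relying_party.jwks",`. The enclosing test object starts and ends outside the second hunk, and the hunk also removes a `"jwt check sig": "X_key_TA"` operation, so the signature verification of that Entity Statement is lost unless it exists elsewhere.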
@@ -6277,50 +6317,38 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6331,38 +6359,26 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } ] } - ], - "result": [ - "s1" - ] + ], + "result": "correct flow s1" } }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" 
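Review bot: The new description of the Entity Configuration signature test (hunk `@@ -6331`) says the public key "must be taken from the Entity Statement of a superior", but the message under test is `Entity Configuration response TA` and a Trust Anchor has no superior: its Entity Configuration is self-signed and is verified against the TA key that the verifier trusts out of band, which is what the `X_key_TA` reference in the following hunk (`@@ -6370`) appears to do. The description should say that, e.g. "the signature is validated with the TA's federation public key (n, e) preconfigured in the test as X_key_TA, since the TA's Entity Configuration is self-signed". Stating the trust root explicitly matters here, because a test that accepted a key taken from the statement under test would verify nothing.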
@@ -6370,12 +6386,12 @@ "operations": [ { "message type": "Entity Configuration response TA", - "checks": [ + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_TA" } ] } 
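Review bot: Replacing the `checks` block with a `decode operations` signature check drops the only assertion in this file that the Entity Configuration response carries `Content-Type: application/entity-statement+jwt`; the commit renames the test rather than adding a new one, so that coverage is gone unless it was re-added in a file outside this view. The media type is what a federation client relies on before it parses the body, so the old check is worth keeping as its own test object next to the signature test, with `"in": "head"`, `"check param": "Content-Type"` and `"is": "application/entity-statement+jwt"` as before.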
@@ -6385,62 +6401,21 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "iss", - "contains": "valid_iss" - } - ] - } - ] + "jwt check sig": "X_key_TA" } ] } 
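Review bot: The two "Does the TA correctly sign the Entity statements" tests added here and in the next hunk (`@@ -6450`) have identical name and description although one inspects `Entity Statement response TA OP` and the other `Entity Statement response TA RP`; a report listing them cannot tell which statement failed. Suffix the names with the subordinate, e.g. `"name": "Does the TA correctly sign the Entity Statement issued for the OP"`. Separately, this hunk removes the only active test that saved `iss` from the TA Entity Configuration and compared it with the `iss` of the issued Trust Mark; no replacement appears in this view, so a Trust Mark carrying an unexpected issuer would no longer be detected.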
@@ -6450,47 +6425,44 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] + "jwt check sig": "X_key_TA" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": 
"[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", @@ -6498,10 +6470,9 @@ "decode param": "$.trust_marks[0].trust_mark", "checks": [ { - "use variable": "true", "in": "payload", - "check": "iss", - "contains": "valid_iss" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -6515,8 +6486,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" @@ -6538,7 +6509,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } 
@@ -6552,8 +6523,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6575,7 +6546,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" } ] } @@ -6589,8 +6560,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6612,7 +6583,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } 
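Review bot: In `@@ -6575` the email schema spells the keyword as `\"required \"` (trailing space), which a JSON Schema validator treats as an unknown keyword and ignores, so a Trust Mark without an email claim passes this test; the line should read `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required\":[\"email\"]}"`. The copy moved in `@@ -7130` is worse: every key and value there carries a trailing space (`\"type \"`, `\"object \"`, `\"email \"`), so that schema constrains nothing and should be replaced by the same corrected line. Both strings are moved rather than fixed by this commit. Note also that `format` is an annotation by default in JSON Schema and is only enforced when the validator opts in, so whether non-email strings are rejected depends on the library the tool uses, which is not visible here.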
@@ -6626,8 +6597,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -6649,7 +6620,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -6663,8 +6634,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -6686,7 +6657,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -6700,8 +6671,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -6723,7 +6694,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -6737,8 +6708,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" 
@@ -6760,7 +6731,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -7041,7 +7012,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -7070,8 +7041,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" @@ -7093,7 +7064,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } 
@@ -7107,8 +7078,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -7130,7 +7101,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -7144,8 +7115,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -7167,7 +7138,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -7181,8 +7152,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -7204,7 +7175,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } 
@@ -7218,8 +7189,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -7241,7 +7212,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -7255,8 +7226,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -7278,7 +7249,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } 
@@ -7292,8 +7263,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -7315,7 +7286,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } 
@@ -7588,8 +7559,41 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" @@ -7600,19 +7604,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.organization_type", + "is in": [ + "public", + "private" ] } ] 
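Review bot: Both organization_type tests look for the claim in the wrong JWT: in `@@ -7588` the path `$.trust_marks[0].trust_mark.organization_type` is evaluated on the entity statement payload, where `trust_mark` is a compact JWT string rather than an object, and in `@@ -7600` the commit removes the nested decode so that `$.organization_type` is looked up in the entity statement payload itself, which does not carry a Trust Mark claim. Either way the value is never found and the test reports on the wrong token. The other Trust Mark tests in this file keep the nested `decode operations` step (`"from": "jwt payload"`, `"decode param": "$.trust_marks[0].trust_mark"`) and run the check on the inner payload; both tests need that structure, shown below for the decode block of either test.
```json
"decode operations": [
  {
    "from": "body",
    "type": "jwt",
    "decode regex": "[^\\r\\n]*",
    "decode operations": [
      {
        "from": "jwt payload",
        "type": "jwt",
        "decode param": "$.trust_marks[0].trust_mark",
        "checks": [
          {
            "in": "payload",
            "check": "$.organization_type",
            "is in": [
              "public",
              "private"
            ]
          }
        ]
      }
    ]
  }
]
```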
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json index 6068191..edce186 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json @@ -5,6 +5,52 @@ "filter messages": true }, "tests": [ + { + "test": { + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, { "test": { "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", 
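Review bot: The two tests added at the top of All_TA_Passive.json run the same assertion — the `HTTP/?\d?\.?\d?\s200` regex on the response head — under different names, so "Does the Entity expose the /.well-known/openid-federation endpoint" adds no coverage over the test before it. Its description expects the entity configuration as the response, which elsewhere in this commit is expressed as a media-type check; replacing the second test's check with `"check param": "Content-Type"`, `"is": "application/entity-statement+jwt"` and `"url decode": false` (still under `"in": "head"`) would make the two tests distinct and match the description. If the duplication is deliberate, a sentence in the second description saying that it only asserts reachability would avoid the misleading name.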
@@ -598,8 +644,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -615,9 +661,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", "is subset of": [ - "code" + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
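Review bot: The new name and description say the id_token_encrypted_response_alg policy entry "must contain the key 'subset_of'", but the check path in `@@ -615` reads `.one_of`; one of the two is wrong, and the test will only ever pass against the operator that is actually present in the policy. The check and the description should name the same operator, and the same mismatch appears in the following hunks for id_token_encrypted_response_enc (`@@ -647`), id_token_signed_response_alg (`@@ -680`) and the SA variant (`@@ -938`). Since `one_of` constrains a single-valued parameter and `subset_of` an array-valued one, the operator to check should be taken from the specification's policy for this parameter rather than from whichever key the implementation happens to emit.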
@@ -630,8 +677,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -647,10 +694,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "A128CBC-HS256\" , \"A256CBC-HS512" ] } ] 
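Review bot: The `is subset of` list in `@@ -647` holds a single element `"A128CBC-HS256\" , \"A256CBC-HS512"`, i.e. one string with embedded quotes and a comma, not two algorithm names; neither `A128CBC-HS256` nor `A256CBC-HS512` matches it, so the test cannot succeed against a policy that lists the real values. Split it into two elements, `"A128CBC-HS256",` / `"A256CBC-HS512"`. The next hunk (`@@ -680`) carries the same defect as `"RS256\" , \"RS512"`, which should likewise become `"RS256",` / `"RS512"`; both strings are moved rather than fixed by this commit.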
@@ -663,8 +709,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -680,9 +726,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "RS256\" , \"RS512" ] } ] 
@@ -695,8 +741,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" @@ -712,9 +758,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is subset of": [ - "RS256\" , \"RS512" + "code" ] } ] 
@@ -889,8 +935,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -906,9 +952,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
 "is subset of": [
- "code"
+ "authorization_code",
+ "refresh_toke"
 ]
 }
 ]
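Review bot: `"refresh_toke"` in the second hunk's `is subset of` list is missing its last letter; the description on the same test names the expected value as 'refresh_token', and whichever direction the subset comparison runs, a TA policy that correctly lists refresh_token cannot match this string, so the grant_types test will misreport. Change the line to `"refresh_token"`. The typo already existed on the old side further down (hunk `@@ -938,10 +985,10 @@` removes it), so the commit moves it rather than fixing it; the enclosing test object starts before this hunk and its result field lies after it.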
@@ -921,8 +968,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -938,10 +985,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
 "is subset of": [
- "authorization_code",
- "refresh_toke"
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -954,8 +1001,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -971,10 +1018,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
 "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -987,8 +1034,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1004,10 +1051,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
 "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1020,8 +1067,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1037,10 +1084,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is subset of": [
- "RS256",
- "RS512"
+ "code"
 ]
 }
 ]
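Review bot: The second hunk's new check path `$.metadata_policy.openid_relying_party.response_types.value` contradicts the test it now belongs to: the new name and description say the SA (intermediary) policy is under test, and every other SA check in these hunks reads `$.metadata_policy.intermediary.…`. Unless the checker treats a missing path as a failure, a TA that publishes no response_types policy for intermediaries at all would still pass here, and a TA whose RP policy happens to be correct would mask a wrong SA policy. Change the line to `"check": "$.metadata_policy.intermediary.response_types.value",`. The enclosing test object starts before the first hunk and ends after the second.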
@@ -1184,29 +1230,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
- ]
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 ]
 }
 ]
 }
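Review bot: The new header check compares Content-Type with `"is": "application/entity-statement+jwt"`; if `is` is an exact string comparison (the checker is not visible from here), an otherwise conformant response that appends a media-type parameter such as a charset would be reported as failing, so a substring-style operator, which the DSL's `not contains` suggests exists, may be the safer form. Separately, this hunk and the ones through `@@ -1621,29 +1708,31 @@` remove every passive check that the TA's OP, RP and SA metadata policies exclude RSA1_5, none and the HS256/HS384/HS512 algorithms; if those tests were not relocated elsewhere in this PR (the large diffstat makes that plausible but I cannot confirm it), the suite loses its only negative checks on weak JWE/JWS algorithms, which are the ones most worth keeping. The `result` field of this test lies outside the hunk.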
@@ -1216,8 +1254,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1228,17 +1266,22 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
 ]
 }
 ]
@@ -1246,34 +1289,41 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
 ]
 }
 ]
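Review bot: This hunk introduces a second test with exactly the same name and description as the one in `@@ -1216,8 +1254,8 @@` ('Does the issued intermediary Trust Mark contain a correct sa_profile claim'), differing only in its message type, which here is `Entity Statement response TA RP`. An RP's Trust Mark is not where an SA profile is expected, and two identically named tests cannot be told apart in a report, so either rename this one to say it targets the RP's Trust Mark or, if the RP case is unintended, drop it. Both descriptions also say the Trust Mark is 'decrypted' while the operation is a `"type": "jwt"` decode of a signed token; 'decoded' is the accurate word. The trailing `result` of this second test lies outside the hunk.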
@@ -1281,13 +1331,15 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1298,14 +1350,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
 ]
 }
 ]
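Review bot: `"is present": "true"` in the second hunk is a string where a JSON boolean is meant; the same file already uses a real boolean for `"url decode": false`, so the consistent form is `"is present": true`, and the same applies to every Trust-Mark presence check from here through `@@ -1812,25 +1930,32 @@` (unless the checker only accepts the quoted spelling, which would itself be worth documenting). The new description's 'a Trust Mark issued for an TA' also disagrees with the name, which says oauth_resource, and the message type that decides whose entity statement is decoded lies outside this hunk. Finally, `"decode param": "$.trust_marks[0].trust_mark"` inspects only the first Trust Mark; if an entity presents several, the others are never checked, which is worth stating in the description if it is the intended scope.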
@@ -1318,8 +1375,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1330,21 +1387,23 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
- }
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
 ]
 }
 ],
@@ -1353,8 +1412,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1365,17 +1424,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1388,26 +1449,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
 ]
 }
 ]
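Review bot: From this hunk through `@@ -1621,29 +1708,31 @@`, and again at `@@ -1689,27 +1782,31 @@`, the message type on the new side is `Entity Statement response TA OP`, so the presence checks for iat, id, id_code, ipa_code, iss, logo_uri, organization_name, organization_type and ref now run only against the OP's Trust Mark; the RP and SA entity statements the old tests selected are no longer exercised by any of these claims. If that narrowing is intended it deserves a sentence in the PR description; otherwise the RP and SA variants need entries of their own. The test name here also stays generic ('Does the Trust Mark contain the iat claim') although the operation is now OP-specific; `"name": "Does the OP's Trust Mark contain the iat claim",` would say what is actually tested. The `result` field of this test lies outside the hunk.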
@@ -1420,29 +1486,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1455,26 +1523,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1487,29 +1560,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1522,26 +1597,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1554,29 +1634,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1589,26 +1671,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1621,29 +1708,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1656,8 +1745,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1668,15 +1757,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1689,27 +1782,31 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -1722,25 +1819,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
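Review bot: The new description says the Trust Mark was 'issued for an AA (oauth_resource profile)', but the message type on the new side is `Entity Statement response TA OP`, so this test decodes the OP's Trust Mark and the service_documentation check never looks at an AA; the same mismatch appears for tos_uri in `@@ -1782,25 +1893,32 @@` and, with `Entity Statement response TA RP`, for the claims claim in `@@ -1812,25 +1930,32 @@` (the policy_uri test in `@@ -1656,8 +1745,8 @@` carries the same description, but its message type is outside that hunk). Either the message type should select the AA's entity statement — the diffstat lists an `All_AA.json`, so such messages appear to exist, to be confirmed — or the description should say what is actually decoded. The `result` field of this test lies outside the hunk.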
@@ -1752,25 +1856,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1782,25 +1893,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1812,25 +1930,32 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1842,25 +1967,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1872,25 +2004,32 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
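Review bot: The new `exp` check only asserts presence, whereas the entity-configuration test this file previously held for the same claim (visible on the removed side of the first hunk in this range) validated it as `"type": "integer", "minimum": 0`; a Trust Mark whose `exp` is a string, negative, or otherwise unusable would now pass, and the same regression applies to the `iat` hunk that follows. Since the tool already supports `json schema compliant` on a decoded payload, keep the typed check alongside the presence check, e.g. `"check": "$",` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. Whether the tool also compares `exp` against the current time is not visible here; if it does not, an expired mark is still accepted by this test and that limitation belongs in the `description`.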
@@ -1902,25 +2041,32 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1932,25 +2078,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1962,25 +2115,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1992,25 +2152,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
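Review bot: The check `"$.id_code.ipa_code"` is asserted on every `Entity Statement response TA RP`, but the `name` and `description` scope it to a Trust Mark "issued for a public organization", and nothing in the operation selects on the organization type first; an RP that is not a public organization would legitimately lack `ipa_code` and this test would report a failure that is not a defect. If the tool has no conditional on another claim, say so in the description so the result is read correctly, e.g. `"description": "In this test the Trust Mark in the RP's Entity Statement is decoded and the presence of 'ipa_code' inside the id_code claim is checked; this test is only meaningful for RPs that are public organizations."`. Also note that this hunk uses the `$.`-prefixed path form for `check` while the neighbouring Trust Mark hunks use bare claim names (`"check": "id_code"`); if the tool treats both forms the same, picking one form for the whole file would make the checks easier to audit.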
@@ -2022,25 +2189,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2052,25 +2226,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2082,25 +2263,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2112,25 +2300,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2142,25 +2337,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2172,25 +2374,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2202,25 +2411,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2232,25 +2448,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2262,25 +2485,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2292,25 +2522,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2322,25 +2559,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
 }
 ]
 }
@@ -2352,25 +2589,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
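Review bot: The new `name` and `description` speak of "the Entity's metadata", but the only message this test reads is `Entity Configuration response TA`, so the wording hides which entity is actually being checked; the same applies to the four following hunks for `federation_fetch_endpoint`, `federation_list_endpoint`, `federation_resolve_endpoint` and `federation_trust_mark_status_endpoint`. Naming the TA explicitly, e.g. `"name": "Does the TA's metadata contain the contacts parameter",` and `"description": "In this test the TA's Entity Configuration is decoded and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked."`, keeps the report consistent with the earlier TA-specific tests in this file. If the intent is to reuse these checks for other entity types later, a note to that effect in the description would explain the generic wording.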
@@ -2382,25 +2619,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
- "type": "passive",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -2412,25 +2649,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -2442,25 +2679,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -2472,25 +2709,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -2502,25 +2739,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -2532,25 +2769,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the Entity's metadata contain the logo_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } @@ -2562,8 +2799,8 @@ }, { "test": { - "name": "Does the Entity's metadata contain the contacts parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the organization_name parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2579,7 +2816,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] @@ -2592,8 +2829,8 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the policy_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" @@ -2609,7 +2846,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] @@ -2622,15 +2859,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", 
@@ -2639,7 +2876,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", "is present": "true" } ] @@ -2652,15 +2889,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2669,7 +2906,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", "is present": "true" } ] 
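Review bot: In the `-2652,15` hunk the new description says the policy entry "must contain the key 'one_of'", but the new check in the following hunk asserts `$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value`, so the test documents one policy operator and verifies another. The test removed at the top of this section expected a `value` operator constrained to true, and the new `-value` test files listed in the patch point the same way, so the path looks intended and the text is stale: `"... It must contain the key 'value'"`. The same description/path mismatch recurs in the "correct ... key" tests for `claims_parameter_supported` and `request_parameter_supported` later in this section. Note also that `is present` on `.value` no longer verifies that the value is `true`; if that is covered by the separate `-value` files this is fine, otherwise the constraint has been silently dropped.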
@@ -2682,15 +2919,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2699,7 +2936,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", "is present": "true" } ] 
@@ -2712,15 +2949,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the homepage_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2729,7 +2966,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", "is present": "true" } ] 
@@ -2742,15 +2979,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the logo_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2759,7 +2996,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", "is present": "true" } ] 
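Review bot: The new `client_registration_types_supported` presence test checks `$.metadata_policy.openid_provider.client_registration_types_supported.subset_of`, which is byte-identical to the check of the "correct ... key" test in the next hunk, so the two tests can never report differently and the presence of the parameter itself is never verified. Every other presence test in this section checks the bare parameter path; this one should read `"check": "$.metadata_policy.openid_provider.client_registration_types_supported"`.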
@@ -2772,15 +3009,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the organization_name parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2789,7 +3026,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", "is present": "true" } ] 
@@ -2802,15 +3039,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the policy_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2819,7 +3056,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", "is present": "true" } ] 
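Review bot: The `code_challenge_methods_supported` test is named and described as an `openid_provider` policy check, but its new path is `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`; in this file `intermediary` is the type the SA tests use, so against an OP entity statement this check will report the key as absent regardless of the policy. The path should be `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of"`. The same `intermediary` path appears in the OP tests for `response_types_supported`, `revocation_endpoint_auth_methods_supported` and `subject_types_supported` further down, where the description additionally says 'one_of' while the path ends in `.subset_of`; text and path should name the same operator.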
@@ -2832,15 +3069,15 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -2849,7 +3086,7 @@ "checks": [ { "in": "payload", - "check": "$.constraints.max_path_length", + "check": "$.jwks", "is present": "true" } ] 
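Review bot: The new jwks test description says the parameter is checked "inside the openid_provider type" and must hold "the RP JWKS related to the OIDC Core operations", but the check is `$.jwks`, the top-level key of the entity statement, and the statement being read is the one issued for an OP. As far as I read the federation model, a top-level `jwks` in a subordinate statement is the subject's federation signing key set, not the OIDC Core keys published under its metadata, so either the path should point at the metadata (presumably `$.metadata.openid_provider.jwks`) or the description should say which key set is meant. Please align the two and drop the 'RP' wording from an OP test.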
@@ -2862,8 +3099,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" @@ -2879,7 +3116,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", "is present": "true" } ] 
@@ -2892,8 +3129,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" @@ -2909,7 +3146,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", "is present": "true" } ] 
@@ -2922,8 +3159,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" @@ -2939,7 +3176,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", "is present": "true" } ] 
@@ -2952,8 +3189,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -2969,7 +3206,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", "is present": "true" } ] 
@@ -2982,8 +3219,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -2999,7 +3236,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", "is present": "true" } ] 
@@ -3012,8 +3249,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -3029,7 +3266,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", "is present": "true" } ] 
@@ -3042,8 +3279,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" @@ -3059,7 +3296,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", "is present": "true" } ] 
@@ -3072,8 +3309,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" @@ -3089,7 +3326,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", "is present": "true" } ] 
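Review bot: The new `token_endpoint_auth_methods_supported` check uses `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`; the `..` recursive descent is used by no other check in this section and would accept a matching key nested anywhere in the payload rather than at the policy root. It should be `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of"`. The test name also says it checks the "parameter key" while the description never states which operator is required; adding "It must contain the key 'subset_of'" would make the text match the path.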
@@ -3102,15 +3339,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -3119,7 +3356,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", "is present": "true" } ] 
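Review bot: The RP `client_registration_types` description says the policy entry "must contain the key 'one_of'", but the new check path in the second hunk ends in `.subset_of`, so the test verifies a different operator than it documents. The next three RP tests (`id_token_encrypted_response_alg`, `id_token_encrypted_response_enc`, `id_token_signed_response_alg`) have the inverse mismatch: descriptions say 'subset_of' while the paths end in `.one_of`. I cannot tell from the hunks which operator the TA policy is meant to carry, so either the descriptions or the paths need correcting, e.g. `"check": "$.metadata_policy.openid_relying_party.client_registration_types.one_of"` if the description is authoritative.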
@@ -3132,15 +3369,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -3149,7 +3386,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -3162,15 +3399,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -3179,7 +3416,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -3192,15 +3429,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -3209,7 +3446,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -3222,15 +3459,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -3239,7 +3476,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
@@ -3252,15 +3489,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -3269,7 +3506,7 @@ "checks": [ { "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -3282,15 +3519,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -3299,7 +3536,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -3312,15 +3549,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -3329,7 +3566,7 @@ "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -3342,8 +3579,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -3359,7 +3596,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
@@ -3372,15 +3609,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -3389,7 +3626,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", "is present": "true" } ] 
@@ -3402,15 +3639,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -3419,7 +3656,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -3432,15 +3669,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -3449,7 +3686,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -3462,15 +3699,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -3479,7 +3716,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -3492,15 +3729,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -3509,7 +3746,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
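Review bot: The SA test's check path still points at the RP policy: `$.metadata_policy.openid_relying_party.response_types.value`, while the name, description and message type all refer to the SA entity statement and every other SA check in this file uses the `intermediary` type. As written the test passes or fails on the RP policy block and never inspects the SA one. The line should read `"check": "$.metadata_policy.intermediary.response_types.value"`.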
@@ -3522,15 +3759,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -3539,7 +3776,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -3552,15 +3789,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -3569,7 +3806,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -3582,15 +3819,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -3599,7 +3836,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -3612,8 +3849,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -3629,7 +3866,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
@@ -3642,27 +3879,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
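Review bot: The new body check `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is an unanchored "three dot-separated segments" pattern, so almost any response containing `a.b.c` satisfies it, and it does not verify the Content-Type the description names as the requirement. The first two classes also omit `-`, which base64url (used for the JOSE header and payload) can contain, so the match may land on an arbitrary substring rather than on the whole token. Consider adding a head check alongside it, using the same DSL the removed HTTP 200 test used: `{ "in": "head", "check regex": "application/entity-statement\\+jwt", "is present": "true" }`. The same regex is reused in the hunks at -3732, -3762, -3792 and -3822.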
@@ -3672,27 +3902,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
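Review bot: The added resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` lost the `\\[` escape that the otherwise identical patterns at -3702 and -3852 have, so its leading `[` opens a character class and the expression no longer matches a JSON string array at all. Beyond the escape, the description says the response carries the resolved metadata for the `sub` entity, while the pattern (copied from the listing test) only accepts a bare array of strings; please confirm the expected body shape and either restore `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` or replace it with a check that matches what the resolve endpoint actually returns.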
@@ -3702,27 +3925,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
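Review bot: The description of the entity listing test still talks about "the resolve entity statement endpoint", a leftover from the test it was copied from, and it contradicts the name directly above it. Suggested wording: `In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request is made to the entity's endpoint. A response containing a JSON list with the known Entity Identifiers is expected`.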
@@ -3732,27 +3948,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
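Review bot: This test and the one in the next hunk (-3762) carry the identical name "Does the TA correctly release the Entity statements" and an identical description; only the message type (TA OP vs TA RP) differs. If names are what the report or the test runner keys on, the two results become indistinguishable. Suffixing the subordinate type, e.g. `"name": "Does the TA correctly release the Entity statements (OP)"`, would keep them apart; the fetch-endpoint pair at -3792 and -3822 has the same issue.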
@@ -3762,27 +3971,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -3792,27 +3994,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -3822,27 +4017,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Fetch Entity Statement response TA RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -3852,27 +4040,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Public Keys History response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
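Review bot: The added public-key-history check reuses the listing-endpoint regex `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`, which accepts only a bare array of strings, while the description does not state what shape the history endpoint returns. If the endpoint answers with a JWK Set object (a `keys` member holding key objects) rather than a string array, this check can never pass; worth confirming the expected body and adjusting the pattern. Minor: `HTTP Get` in the description should be `HTTP GET`, as elsewhere in the file.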
@@ -3882,15 +4063,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration TA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -3899,8 +4080,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_TA"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
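Review bot: The JSONPath in the second hunk walks `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of`, while the name and description say the OP policy is checked under the `openid_provider` type and the `subset_of` key; a TA policy for an OP is published under `metadata_policy.openid_provider`, so the check inspects a key a real policy would not carry. The same `intermediary`-for-OP path is used in the next five hunks (id_token_signing…, request_authentication_signing…, userinfo_encryption…, userinfo_signing…, token_endpoint_auth_signing…) and in the acr_values_supported test further down, and the `one_of`-versus-`subset_of` drift runs through the RP and SA hunks too, with only request_authentication_signing_alg_values_supported using `subset_of`. Since `subset_of` is the operator for array-valued claims such as `*_values_supported` and `one_of` for single-valued ones such as `id_token_signed_response_alg`, pick per parameter and update both the path and the description, e.g. here `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"`. It is also worth confirming how `not contains` behaves when the path is absent, since a missing policy key should not count as a pass.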
@@ -3912,20 +4095,32 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -3935,20 +4130,32 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -3958,20 +4165,29 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -3981,20 +4197,32 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4004,8 +4232,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4013,11 +4241,23 @@
 "operations": [
 {
 "message type": "Entity Statement response TA OP",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4027,8 +4267,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4036,57 +4276,20 @@
 "operations": [
 {
 "message type": "Entity Statement response TA RP",
- "checks": [
- {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Fetch Entity Statement response TA OP",
- "checks": [
- {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Fetch Entity Statement response TA RP",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
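Review bot: The removed lines include both "Does the Entity expose the fetch entity statement endpoint" tests (the `Fetch Entity Statement response TA OP` and `TA RP` variants), and only the TA RP variant reappears earlier in this file; unless the TA OP fetch check was re-added outside the hunks shown, the fetch endpoint is no longer exercised for an OP subordinate. If the drop is intentional, the commit message should say so, since a missing endpoint test is easy to overlook in a reorder of this size. The new test's JSONPath ends in `.one_of`, which for the single-valued `id_token_encrypted_response_alg` is the right operator, so here it is the description's `'subset_of'` that should change.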
@@ -4096,20 +4299,32 @@
 },
 {
 "test": {
- "name": "Does the TA publish the federation public key history",
- "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Public Keys History response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4119,20 +4334,29 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4142,26 +4366,30 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
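Review bot: This hunk and the next one replace the only two tests that verified the TA's signature on an issued Trust Mark (`"jwt check sig": "X_key_TA"` on `$.trust_marks[0].trust_mark`, for the OP and RP statements) with metadata-policy checks, and no signature verification appears anywhere on the new side of the hunks shown. A Trust Mark whose signature is never checked is accepted on its claims alone, so unless these tests were moved elsewhere in the file the suite loses its strongest check on Trust Mark authenticity; if they were moved, a line in the commit message pointing to the new location would help reviewers.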
@@ -4173,26 +4401,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -4204,15 +4433,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -4221,8 +4450,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -4234,15 +4468,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -4251,8 +4485,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -4264,15 +4500,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -4281,8 +4517,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -4294,8 +4535,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
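Review bot: In the third hunk the test is renamed to "Does entity configuration contain a correct exp parameter", but its description still says only that the presence of `exp` is checked, while the schema that the next hunk installs also requires a non-negative integer; the `iat` test that follows has the same gap. State what "correct" means, e.g. `"description": "... the exp parameter is checked: it must be present and be a non-negative integer (seconds since the epoch)"`. Note that `minimum: 0` says nothing about whether the configuration is still valid; if freshness is in scope and the tool can compare against the current time, that would be the check worth adding.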
@@ -4311,8 +4552,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -4324,8 +4565,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4341,8 +4582,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -4354,8 +4595,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4371,8 +4612,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -4384,8 +4625,8 @@
 },
 {
 "test": {
- "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
+ "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4401,8 +4642,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
 }
 ]
 }
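Review bot: In the third hunk the `json schema compliant` string closes the `properties` object one brace too late, so `"required": ["constraints"]` lands inside `properties` (as a property named "required" with a non-schema value) instead of next to it; a strict validator either rejects the schema or, if it tolerates it, treats `constraints` as optional and passes a TA configuration that has none. `max_path_length` is also given the empty subschema `{}`, so any type satisfies it. Proposed (escaped the way the file does): `{"type": "object", "properties": {"constraints": {"type": "object", "properties": {"max_path_length": {"type": "integer", "minimum": 0}}, "required": ["max_path_length"]}}, "required": ["constraints"]}`.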
@@ -4414,8 +4655,8 @@
 },
 {
 "test": {
- "name": "Does the Federation Configuration contain the TA public keys",
- "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4426,13 +4667,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
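Review bot: The `"format": "uri"` keyword in the second hunk's schema is an annotation that most validators ignore unless format assertion is switched on, so the `pattern` is the only part of this check that actually constrains `logo_uri`; either confirm the tool's validator enforces formats or do not describe the test as checking URL validity. This hunk also replaces the only test in the shown range that required the `jwks` claim in the TA's Entity Configuration (the TA public keys); if that check has not been moved elsewhere it should be restored, since everything downstream verifies signatures against those keys. The name reads better as `"Does the TA metadata contain a logo_uri claim of the correct type"`.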
@@ -4444,8 +4685,8 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4456,13 +4697,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_mark_issuers",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
 }
 ]
 }
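Review bot: The `required` array in the second hunk's schema demands that `metadata` carry all six entity types at once, whereas the description only says each key must be one of those types; a TA Entity Configuration that publishes `federation_entity` alone would fail this test. Drop `required` and keep `additionalProperties: false`, which already rejects unknown types, i.e. `"json schema compliant": "{\"type\": \"object\", \"properties\": { ...same six... }, \"additionalProperties\": false}"`. The "only once for each" part of the name cannot be established by a JSON Schema applied to the decoded payload, because the JSON parser has presumably already collapsed duplicate keys by then; either check the raw payload for repeated keys or drop that wording.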
@@ -4474,15 +4715,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -4491,8 +4732,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
 }
 ]
 }
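Review bot: The name and description say `trust_mark_issuers` must be a JSON Array, but the schema in the second hunk requires an object whose values are arrays; the schema matches the claim's shape (Trust Mark identifier mapped to a list of issuer identifiers), so the wording should follow it, e.g. `"description": "... the trust_mark_issuers parameter must be a JSON Object whose values are JSON Arrays of issuer Entity Identifiers."` and `{"type": "array", "items": {"type": "string"}}` for the values. The removed test called the claim `trust_marks_issuers` in its name and `$.trust_mark_issuers` in its check; settle on the spelling the target federation profile uses, because with `required` a mismatched name fails every run. This hunk also removes the check that TA-issued Entity Statements carry `constraints`, so that check should survive elsewhere if subordinate statements are expected to carry it.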
@@ -4504,8 +4745,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4521,8 +4762,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.acr_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
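Review bot: The schema in the second hunk requires both `subset_of` and `superset_of` on `acr_values_supported`, while the description says only `subset_of` must be present, and the JSONPath walks `intermediary` although the test is about an OP policy (`$.metadata_policy.openid_provider.acr_values_supported` matches the description). Both operators also get the empty subschema `{}`, so any value passes; constrain them as string arrays, e.g. `\"subset_of\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}`. This hunk drops the test that Entity Statements issued by the TA carry `exp`, and the next two drop the `iat` and `jwks` tests for those statements; unless moved, lifetime and key checks on subordinate statements are no longer covered.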
@@ -4534,8 +4775,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4551,8 +4792,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
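Review bot: The description says the parameter must carry `one_of` valued `['true']`, but the schema in the second hunk checks a `value` operator pinned to the boolean `true`; for a boolean metadata parameter `value` is the fitting operator, so it is the wording that should change, e.g. `It must contain the key 'value' set to the boolean true`. The claims_parameter_supported hunk right after has the same mismatch.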
@@ -4564,8 +4805,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4581,8 +4822,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -4594,8 +4835,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4611,8 +4852,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
 }
 ]
 }
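Review bot: The schema requires `subset_of` to be the string constant "automatic", but `subset_of` is a set operator whose operand is an array of allowed values, and the description talks about `one_of` with ['automatic']; a policy written as `"subset_of": ["automatic"]` would fail this check even though it is what the description asks for. Align the three: if the array form is intended, use `\"subset_of\": {\"const\": [\"automatic\"]}` in the schema and name `subset_of` in the description; if `one_of` is intended, change both the schema property and the description accordingly.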
@@ -4624,8 +4865,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4641,8 +4882,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4654,8 +4895,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4671,8 +4912,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4684,8 +4925,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4701,8 +4942,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4714,15 +4955,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4731,8 +4972,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4744,15 +4985,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4761,8 +5002,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -4773,16 +5014,16 @@
 }
 },
 {
- "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "test": {
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4791,8 +5032,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4804,15 +5045,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4821,8 +5062,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
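Review bot: The name and description are about request_object_signing_alg_values_supported, but the check in the second hunk reads `$.metadata_policy.openid_provider.request_parameter_supported`, so the signing-algorithm policy is never inspected and the test instead asserts that a boolean parameter's policy carries `subset_of`/`superset_of`, which it has no reason to. The next test (`@@ -4834`) has the identical name and the same path, and the one after it is the real request_parameter_supported check, so three tests hit one parameter and none the one named. The path here should be `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`, and the two names need to differ (this one is a "key" test, the next a "value" test, as the descriptions already say).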
@@ -4834,15 +5075,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4851,8 +5092,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
 }
 ]
 }
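Review bot: The `json schema compliant` string ends with ` ["RS256", "RS512"]` after the schema's closing brace, which makes it two JSON values in one document; a JSON parser rejects it, so this check can only error out and the allowed-algorithm constraint the description promises is never enforced. The SA grant_types test (`@@ -5132`) has the same class of defect: `"required": ["subset_of"], ["superset_of"]` puts a bare array inside an object. If the intent here is to pin the algorithm list, fold it into the schema, e.g. `\"subset_of\": {\"const\": [\"RS256\", \"RS512\"]}`, and the SA test should read `\"required\": [\"subset_of\", \"superset_of\"]`. The check path on this line also still points at request_parameter_supported rather than request_object_signing_alg_values_supported.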
@@ -4864,15 +5105,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4881,8 +5122,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -4894,15 +5135,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4911,8 +5152,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.response_modes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4924,15 +5165,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4941,8 +5182,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.scopes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4954,15 +5195,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -4971,8 +5212,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -4984,8 +5225,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4996,20 +5237,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5021,8 +5255,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5033,20 +5267,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5058,8 +5285,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5070,20 +5297,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5095,32 +5315,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -5132,32 +5345,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
 }
 ]
 }
@@ -5169,8 +5375,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5181,20 +5387,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
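Review bot: This test and the next one (`@@ -5206`) now carry the identical name "Does the TA correctly sign the issued Trust Mark" although one runs on the TA→OP entity statement and the other on the TA→RP one, so a failure in a report cannot be attributed to either; give each its subject, e.g. `"name": "Does the TA correctly sign the Trust Mark in the OP's Entity Statement"`. The signature check is applied only to `$.trust_marks[0].trust_mark`, so a statement carrying several trust marks has the others' signatures unverified; the description should say that only the first trust mark is checked. The description also speaks of the RSA components `n, e`, which presumably does not hold if `X_key_TA` resolves to an EC key — worth confirming against the verifier.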
@@ -5206,32 +5406,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the TA correctly sign the issued Trust Mark",
+ "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -5243,32 +5437,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does entity configuration TA contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is": "X_url_TA"
 }
 ]
 }
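Review bot: The description says the sub value "must be equal to the one in the iss parameter", but the check compares `$.sub` against the fixed `X_url_TA`, so the iss/sub equality the description promises is never tested and a configuration whose iss differs from its sub still passes as long as sub matches the configured URL. Either add a sibling check `{ "in": "payload", "check": "$.iss", "is": "X_url_TA" }` so both claims are pinned to the same value, or reword the description to say that sub must equal the TA's entity identifier.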
@@ -5280,32 +5467,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
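Review bot: The new checks assert only presence, so an `exp` that is a string, or an `iat` later than `exp`, still passes; since the file already uses `json schema compliant`, `"json schema compliant": "{\"type\": \"integer\"}"` would at least pin the numeric type here and in the iat (`@@ -5317`) and iss (`@@ -5354`) tests, and the description should then mention the type check. The names of these three tests also drop the entity qualifier the preceding sub test carries ("Does entity configuration TA contain…"), so in a report it is not visible that they run on `Entity Configuration response TA`.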
@@ -5317,32 +5497,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -5354,32 +5527,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -5391,32 +5557,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -5428,32 +5587,25 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "is present": "true" } ] } 
@@ -5465,32 +5617,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -5502,32 +5647,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
@@ -5539,32 +5677,25 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the Federation Configuration contain the TA public keys", + "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
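Review bot: This test is functionally identical to the jwks-presence test on `Entity Configuration response TA` introduced earlier in this diff (hunk -5391): same message type, same `$.jwks` presence check, so it can never fail independently of that one. Since the name promises that the TA public keys are present, it would carry its own weight if it looked one level deeper, e.g. `"check": "$.jwks.keys"`, because a JWK Set carries its keys in the `keys` array (RFC 7517); this assumes the dotted JSONPath form already used elsewhere in the file (`$.id_code.ipa_code`) resolves into `jwks`.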
@@ -5576,32 +5707,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_mark_issuers", + "is present": "true" } ] } 
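Review bot: The test name and description say `trust_marks_issuers`, but the check reads `$.trust_mark_issuers`, so one of the two spellings is wrong and the test will pass or fail for the wrong reason. Current OpenID Federation 1.0 drafts name the Trust Anchor claim `trust_mark_issuers`, while the name and description use the older `trust_marks_issuers` spelling; whichever the federation under test actually emits, the name, description and check path should agree, e.g. `"check": "$.trust_marks_issuers"` if the older spelling is the one in use.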
@@ -5613,32 +5737,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
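Review bot: The description in this hunk calls the result of a base64url decode a "decrypted Payload", and the same wording plus the typo "the presence if the ... parameter" recurs in hunks -5650 through -6205 (L8226–L8239). Base64url is an encoding, not encryption, and a test catalogue that calls it decryption gives the reader the wrong idea about what the check proves about the issuer. Suggested wording for this one, to be mirrored in the others: `"description": "In order to check that the TA issues correct Entity Statements, an entity statement is requested (HTTP GET on the TA's fetch endpoint) and the response is analyzed: the Entity Statement payload is base64url decoded and the presence of the constraints parameter in the decoded payload is checked"`.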
@@ -5650,32 +5767,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -5687,32 +5797,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -5724,32 +5827,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -5761,32 +5857,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -5798,32 +5887,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -5835,32 +5917,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -5872,32 +5947,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -5909,8 +5977,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" @@ -5921,20 +5989,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } @@ -5946,8 +6007,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" 
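Review bot: The test names introduced in this hunk (`Does Entity Statements issued by the TA contain the constraints parameter`, `... the exp parameter`) are byte-identical to the names already given to the `Entity Statement response TA OP` series in hunks -5613 and -5650, and the same repeats for iat, iss, jwks, metadata_policy, sub and trust_marks in L8234–L8239, so a report line cannot tell which entity statement failed. The message-type line of the tests in this hunk lies between the hunks, outside the visible diff, so I cannot tell which subordinate they target. Either way, putting the subject in the name, e.g. `"name": "Does the Entity Statement issued by the TA for the RP contain the constraints parameter"`, keeps every name unique.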
@@ -5958,20 +6019,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } @@ -5983,8 +6037,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -5995,20 +6049,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -6020,8 +6067,8 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6032,20 +6079,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } @@ -6057,8 +6097,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -6069,20 +6109,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } @@ -6094,8 +6127,8 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -6106,20 +6139,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -6131,8 +6157,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" @@ -6143,20 +6169,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
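Review bot: The check in the second hunk on this line reads `$.jwks`, the top-level claim of the entity statement payload, while the new name and description say that the `jwks` inside the `openid_relying_party` section of `metadata_policy` is what must be present. As written the test passes whenever the statement carries its own keys, regardless of what the metadata policy says. Following the description, the path should be `"check": "$.metadata_policy.openid_relying_party.jwks"`. The enclosing test object starts in the first hunk on this line and its message-type line sits between the two hunks, outside the visible diff.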
@@ -6168,32 +6187,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -6205,21 +6217,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } 
@@ -6229,15 +6247,15 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -6261,7 +6279,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", 
@@ -6277,57 +6295,39 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the TA correctly sign the Entity statements", + "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] - } - ] + "jwt check sig": "X_key_TA" } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], 
"operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -6341,11 +6341,8 @@ "checks": [ { "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -6354,39 +6351,13 @@ ] } ], - "result": [ - "s1" - ] - } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], "result": "correct flow s1" } }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" 
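Review bot: The test "Does the entity return a correct Content-Type in the EC response" is removed in hunk `@@ -6354,39 +6351,13 @@` and does not reappear in any visible hunk, so the check that the Entity Configuration is served as `application/entity-statement+jwt` appears to be dropped rather than moved. The same applies to both "sa_profile" tests removed in hunk `@@ -6277,57 +6295,39 @@` (continuing into this line), which were the only tests here that reached the inner Trust Mark JWT through a nested decode operation on `$.trust_marks[0].trust_mark`. If these were intentionally relocated to another file, a line in the commit description saying so would prevent them being read as lost coverage; if not, they should be re-added in the new `"result": "correct flow s1"` form used by the surrounding tests.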
@@ -6408,7 +6379,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -6422,8 +6393,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6445,7 +6416,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" } ] } 
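Review bot: The email schema added in hunk `@@ -6445,7 +6416,7 @@` spells the keyword as `"required "` with a trailing space, so a JSON Schema validator treats it as an unknown keyword and the `email` property is never required; the string should be `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required\":[\"email\"]}"`. The same defect, in a worse form, is in hunk `@@ -7000,7 +6971,7 @@` on L8248, where every key and value carries a trailing space (`"type "`, `"object "`, `"properties "`, `"email "`), which makes that schema validate nothing; it should be replaced with the corrected string above. Note also that `format` is an annotation by default in JSON Schema, so the email syntax is only checked if the validator used by mig-t enables format assertion.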
@@ -6459,8 +6430,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6482,7 +6453,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -6496,8 +6467,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" 
@@ -6519,7 +6490,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -6533,8 +6504,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -6556,7 +6527,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -6570,8 +6541,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" 
@@ -6593,7 +6564,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -6607,8 +6578,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -6630,7 +6601,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -6911,7 +6882,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", 
@@ -6940,8 +6911,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" @@ -6963,7 +6934,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -6977,8 +6948,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -7000,7 +6971,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -7014,8 +6985,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -7037,7 +7008,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } 
@@ -7051,8 +7022,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -7074,7 +7045,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -7088,8 +7059,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -7111,7 +7082,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -7125,8 +7096,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -7148,7 +7119,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -7162,8 +7133,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" 
@@ -7185,7 +7156,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -7458,8 +7429,41 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" 
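Review bot: The new organization_type test added in hunk `@@ -7458,8 +7429,41 @@` checks `$.trust_marks[0].trust_mark.organization_type` on the Entity Statement payload, but the `trust_mark` member is a compact-serialized JWT string, so a JSONPath cannot descend into it and the claim will not be found unless the DSL decodes it implicitly. The second copy of the test (hunk `@@ -7470,19 +7474,15 @@` on L8252) has the same problem from the other side: it checks `$.organization_type` at the top level of the Entity Statement payload, and that hunk removes the nested decode operation (`"from": "jwt payload"`, `"decode param": "$.trust_marks[0].trust_mark"`) that previously extracted the inner Trust Mark before checking its claims. Unless mig-t is known to auto-decode nested JWTs, both tests should keep the nested decode step and run the `is in` check with `"check": "$.organization_type"` on the inner Trust Mark payload, otherwise a Trust Mark with a wrong or missing organization_type would not be caught.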
@@ -7470,19 +7474,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.organization_type", + "is in": [ + "public", + "private" ] } ] diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-constraints-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-constraints-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-constraints-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-constraints-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-constraints-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-constraints-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-constraints-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-constraints-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-constraints.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-constraints.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-constraints.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-constraints.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-jwks.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-jwks.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-jwks.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-contacts.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-contacts.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-contacts.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-contacts.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-federation_fetch_endpoint.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-federation_fetch_endpoint.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-federation_fetch_endpoint.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-federation_fetch_endpoint.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-federation_list_endpoint.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-federation_list_endpoint.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-federation_list_endpoint.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-federation_list_endpoint.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-federation_resolve_endpoint.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-federation_resolve_endpoint.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-federation_resolve_endpoint.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-federation_resolve_endpoint.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-federation_trust_mark_status_endpoint.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-federation_trust_mark_status_endpoint.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-homepage_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-homepage_uri.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-homepage_uri.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-homepage_uri.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-logo_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-logo_uri-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-logo_uri-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-logo_uri-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-logo_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-logo_uri.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-logo_uri.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-logo_uri.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-organization_name.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-organization_name.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-organization_name.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-organization_name.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-policy_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-policy_uri.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-policy_uri.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-policy_uri.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-metadata-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-signature.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-signature.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-signature.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-sub-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-sub-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-sub-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-trust_marks_issuers-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-trust_mark_issuers-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-trust_marks_issuers-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-trust_mark_issuers-type.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-trust_marks_issuers.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-trust_marks_issuers.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response TA-trust_marks_issuers.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-trust_marks_issuers.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-constraints.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-constraints.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-constraints.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-constraints.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-exp.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-exp.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-exp.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-iat.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-iat.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-iat.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-id_code-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-id_code-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-id_code-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-id_code-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-iss.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-iss.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-iss.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-jwks.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-jwks.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-jwks.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-acr_values_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-acr_values_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-acr_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-acr_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-claims_parameter_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-claims_parameter_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-claims_parameter_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-claims_parameter_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-claims_parameter_supported.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-claims_parameter_supported.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-client_registration_types_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-client_registration_types_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-client_registration_types_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-client_registration_types_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-client_registration_types_supported.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-client_registration_types_supported.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-code_challenge_methods_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-code_challenge_methods_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-code_challenge_methods_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-code_challenge_methods_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-grant_types_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-grant_types_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-grant_types_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-grant_types_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_alg_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_encryption_alg_values_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_alg_values_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_encryption_alg_values_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_encryption_enc_values_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_encryption_enc_values_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_encryption_enc_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_encryption_enc_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_signing_alg_values_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_signing_alg_values_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_signing_alg_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-id_token_signing_alg_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-userinfo_encryption_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-userinfo_encryption_alg_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-userinfo_encryption_alg_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-userinfo_encryption_alg_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-userinfo_signing_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-userinfo_signing_alg_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-incorrect-userinfo_signing_alg_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-incorrect-userinfo_signing_alg_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-jwks.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-jwks.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-jwks.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_signing_alg_values_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_signing_alg_values_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_signing_alg_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_authentication_signing_alg_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_object_signing_alg_values_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_object_signing_alg_values_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_object_signing_alg_values_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_object_signing_alg_values_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_parameter_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_parameter_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_parameter_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_parameter_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_parameter_supported.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-request_parameter_supported.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-response_modes_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-response_modes_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-response_modes_supported-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-response_modes_supported-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-response_types_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-response_types_supported-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-response_types_supported-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-response_types_supported-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-response_types_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-response_types_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-response_types_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-response_types_supported-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-revocation_endpoint_auth_methods_supported-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-revocation_endpoint_auth_methods_supported-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-revocation_endpoint_auth_methods_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-revocation_endpoint_auth_methods_supported-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-scopes_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-scopes_supported-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-scopes_supported-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-scopes_supported-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-scopes_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-scopes_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-scopes_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-scopes_supported-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-subject_types_supported-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-subject_types_supported-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-subject_types_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-subject_types_supported-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_methods_supported-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_methods_supported-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_methods_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_methods_supported-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_encryption_alg_values_supported-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_encryption_alg_values_supported-key.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_encryption_alg_values_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_encryption_alg_values_supported-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_encryption_enc_values_supported-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_encryption_enc_values_supported-key.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_encryption_enc_values_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_encryption_enc_values_supported-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_signing_alg_values_supported-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_signing_alg_values_supported-key.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_signing_alg_values_supported-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy-userinfo_signing_alg_values_supported-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-metadata_policy.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-metadata_policy.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-release.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-release.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-release.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-release.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-signature.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-signature.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-signature.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-sub.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-sub.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-sub.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-claims-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-claims-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-claims-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-claims-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-claims.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-claims.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-claims.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-claims.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-email-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-email-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-email-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-email-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-email.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-email.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-email.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-email.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-exp-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-exp-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-exp-type.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-exp.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-exp.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-exp.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-fiscal_number-or-vat_number.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-fiscal_number-or-vat_number.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-fiscal_number-or-vat_number.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-fiscal_number-or-vat_number.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-iat-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iat-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-iat-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-iat.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iat.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-iat.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-id.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-id.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-id.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-id.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-id_code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-id_code.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-id_code.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-id_code.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ipa_code-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ipa_code-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ipa_code-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ipa_code-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ipa_code-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ipa_code-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ipa_code-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ipa_code-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ipa_code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ipa_code.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ipa_code.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ipa_code.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iss-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-iss-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iss-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-iss-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-iss.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-iss.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-iss.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-logo_uri-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-logo_uri-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-logo_uri-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-logo_uri-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-logo_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-logo_uri.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-logo_uri.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-logo_uri.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_name-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-organization_name-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_name-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-organization_name-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_name.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-organization_name.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_name.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-organization_name.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_type-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-organization_type-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_type-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-organization_type-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-organization_type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-organization_type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-organization_type.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-policy_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-policy_uri-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-policy_uri-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-policy_uri-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-policy_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-policy_uri.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-policy_uri.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-policy_uri.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ref-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ref-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ref-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ref-type.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ref.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ref.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-ref.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-ref.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sa_profile-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-sa_profile-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sa_profile-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-sa_profile-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-service_documentation-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-service_documentation-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-service_documentation-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-service_documentation-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-service_documentation.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-service_documentation.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-service_documentation.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-service_documentation.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-signature.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-signature.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-signature.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-sub-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sub-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-sub-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-sub.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-sub.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-sub.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-tos_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-tos_uri-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-tos_uri-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-tos_uri-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-tos_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-tos_uri.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_mark-tos_uri.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_mark-tos_uri.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_marks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_marks.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA OP-trust_marks.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response OP-trust_marks.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-constraints.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-constraints.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-constraints.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-constraints.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-exp.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-exp.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-exp.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-iat.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-iat.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-iat.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-id_code-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-id_code-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-id_code-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-id_code-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-iss.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-iss.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-iss.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-jwks.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-jwks.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-jwks.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-client_registration_types-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-client_registration_types-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-client_registration_types-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-client_registration_types-key.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-client_registration_types-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-client_registration_types-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-client_registration_types-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-client_registration_types-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-grant_types-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-grant_types-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-grant_types-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-grant_types-key.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-grant_types-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-grant_types-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-grant_types-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-grant_types-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_alg-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_alg-key.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_alg-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_alg-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_enc-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_enc-key.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_enc-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_enc-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_signed_response_alg-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_signed_response_alg-key.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_signed_response_alg-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-id_token_signed_response_alg-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_signed_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-incorrect-id_token_signed_response_alg-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_signed_response_alg-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-incorrect-id_token_signed_response_alg-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_signed_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-incorrect-userinfo_signed_response_alg-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_signed_response_alg-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-incorrect-userinfo_signed_response_alg-value.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-jwks.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-jwks.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-jwks.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-response_types-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-response_types-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-response_types-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-response_types-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-response_types-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-response_types-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-response_types-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-response_types-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-token_endpoint_auth_method-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-token_endpoint_auth_method-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-token_endpoint_auth_method-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-token_endpoint_auth_method-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_alg-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_alg-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_alg-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_alg-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_enc-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_enc-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_enc-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_enc-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_signed_response_alg-key.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-key.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_signed_response_alg-key.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_signed_response_alg-value.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy-userinfo_signed_response_alg-value.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-metadata_policy.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-metadata_policy.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-release.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-release.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-release.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-release.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-signature.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-signature.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-signature.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-sub.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-sub.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-sub.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-claims-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-claims-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-claims-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-claims-type.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-claims.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-claims.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-claims.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-claims.json diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-email-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-email-type.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-email-type.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-email-type.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-email.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-email.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-email.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-email.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-exp-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-exp-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-exp-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-exp.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-exp.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-exp.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-fiscal_number-or-vat_number.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-fiscal_number-or-vat_number.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-fiscal_number-or-vat_number.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-fiscal_number-or-vat_number.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-iat-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iat-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-iat-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-iat.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iat.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-iat.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-id.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-id.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-id.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-id.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-id_code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-id_code.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-id_code.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-id_code.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ipa_code-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ipa_code-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ipa_code-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ipa_code-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ipa_code-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ipa_code-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ipa_code-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ipa_code-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ipa_code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ipa_code.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ipa_code.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ipa_code.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iss-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-iss-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iss-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-iss-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-iss.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-iss.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-iss.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-logo_uri-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-logo_uri-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-logo_uri-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-logo_uri-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-logo_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-logo_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-logo_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-logo_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_name-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-organization_name-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_name-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-organization_name-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_name.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-organization_name.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_name.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-organization_name.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_type-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-organization_type-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_type-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-organization_type-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-organization_type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-organization_type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-organization_type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-policy_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-policy_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-policy_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-policy_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-policy_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-policy_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-policy_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-policy_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ref-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ref-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ref-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ref-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ref.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ref.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-ref.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-ref.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sa_profile-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-sa_profile-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sa_profile-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-sa_profile-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-service_documentation-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-service_documentation-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-service_documentation-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-service_documentation-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-service_documentation.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-service_documentation.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-service_documentation.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-service_documentation.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-sub-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-sub-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-sub.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-sub.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-sub.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-tos_uri-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-tos_uri-type.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-tos_uri-type.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-tos_uri-type.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-tos_uri.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-tos_uri.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_mark-tos_uri.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_mark-tos_uri.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_marks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_marks.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA RP-trust_marks.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response RP-trust_marks.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-client_registration_types-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-client_registration_types-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-client_registration_types-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-client_registration_types-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-client_registration_types-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-client_registration_types-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-client_registration_types-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-client_registration_types-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-grant_types-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-grant_types-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-grant_types-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-grant_types-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-grant_types-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-grant_types-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-grant_types-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-grant_types-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_alg-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_alg-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_alg-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_alg-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_alg-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_alg-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_alg-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_enc-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_enc-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_enc-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_enc-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_enc-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_enc-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_enc-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_enc-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_signed_response_alg-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_signed_response_alg-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_signed_response_alg-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_signed_response_alg-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_signed_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_signed_response_alg-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-id_token_signed_response_alg-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-id_token_signed_response_alg-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-incorrect-id_token_encrypted_response_alg-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-incorrect-id_token_signed_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-incorrect-id_token_signed_response_alg-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-incorrect-id_token_signed_response_alg-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-incorrect-id_token_signed_response_alg-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-incorrect-userinfo_encrypted_response_alg-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-incorrect-userinfo_signed_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-incorrect-userinfo_signed_response_alg-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-incorrect-userinfo_signed_response_alg-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-incorrect-userinfo_signed_response_alg-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-response_types-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-response_types-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-response_types-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-response_types-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-response_types-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-response_types-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-response_types-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-response_types-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-token_endpoint_auth_method-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-token_endpoint_auth_method-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-token_endpoint_auth_method-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-token_endpoint_auth_method-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-token_endpoint_auth_method-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-token_endpoint_auth_method-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-token_endpoint_auth_method-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-token_endpoint_auth_method-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_alg-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_alg-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_alg-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_alg-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_alg-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_alg-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_alg-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_enc-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_enc-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_enc-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_enc-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_enc-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_enc-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_enc-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_enc-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-key.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_signed_response_alg-key.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-key.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_signed_response_alg-key.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_signed_response_alg-value.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-metadata_policy-userinfo_signed_response_alg-value.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-trust_mark-sa_profile.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-trust_mark-sa_profile.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response TA SA-trust_mark-sa_profile.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Statement response SA-trust_mark-sa_profile.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Fetch Entity Statement response TA OP-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Fetch Entity Statement response OP-exposed.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Fetch Entity Statement response TA OP-exposed.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Fetch Entity Statement response OP-exposed.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Fetch Entity Statement response TA RP-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Fetch Entity Statement response RP-exposed.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Fetch Entity Statement response TA RP-exposed.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Fetch Entity Statement response RP-exposed.json
diff --git a/testplans/spid-cie-oidc/testplan.csv b/testplans/spid-cie-oidc/testplan.csv
index f43054a..e9438de 100644
--- a/testplans/spid-cie-oidc/testplan.csv
+++ b/testplans/spid-cie-oidc/testplan.csv
@@ -1,43 +1,63 @@ V2.3,UID,Old Input tester,Input to test,Input to Entity Under Test,Output,Pattern name,Type,Message Under test,Test Name,Description,Entity under test,Input for generated MR: message to handle,Input for generated MR: Oracle,Requirement,Requirement Source,Profile,Type MIG,Severity,Reasons for chosen Severity,Reference OAuch,Reference OpenID Connect Conformance Profiles v3.0,Reference spid-cie-oidc-django unit test,Reference Test MIG for CIE Core Web,Reference IPZS Test plan document,Reference spid-oidc-check-op,Note,Has Reference,Checked,Divider,Implementation dependent,Session in spid-oidc-cie-django,"Stato del test [E= Eseguito, N= Non eseguito, ND= Non definito, ToDo= Da Eseguire]",Motivazione,Spid-cie-oidc-django result,"Versione Django Feb,21 2024 - 87467470e7c491e91d0e6bb95ada85ec6f71ca77",Test,Django v2.2 -x,RP-Authentication request-JWT-header-kid-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'kid' parameter in the header and its value corresponds to the one that can be found in the jwks parameter of the RP metadata where use is sig, not Compliant otherwise",/ manual: check parameter,Correct Input,Authentication request,Does the JWT header of the Authentication Request contain the kid parameter correspond to the jwks parameter in RP metadata,"In this test the request parameter of the Authentication Request is taken, and the value of the 'kid' parameter must correspond with jwks parameter of the RP metadata where ""use"" is ""sig"", not Compliant otherwise",RP,,,The JWT Header of the request parameter in the Authentication Request must contain the 'kid' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema 
implementazione,F,F,failed,[SAME] I parametri kid sono diversi -x,RP-Authentication request-code_challenge_method-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the code_challenge_method parameter is present and set to a correct value, not Compliant otherwise",/ manual: wrong parameter,Correct Input,Authentication request,Does the RP's Authentication Request contain a correct 'code_challenge_method' parameter,"The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is present, than it has to be set to one of the value of the code_challenge_methods_supported parameter in the OP's metadata. If it is not present or contains any other value, then the RP is not compliant with the specifications",RP,,,The HTTP Authentication Request must contain the 'code_challenge_method' parameter and it must be set to on of the value of the code_challenge_methods_supported parameter in the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,Create OP test on code_challenge,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-code_challenge,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if code_challenge is present, not Compliant if it is not",HTTP parameter presence,Correct Input,Authentication request,Does the RP's Authentication Request contain the 'code_challenge' parameter,"The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. 
If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",RP,,Authentication request | url | code_challenge,The HTTP Authentication Request must contain the 'code_challenge' parameter.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,Correctness in the OP is checked with the code_verifier,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-code_challenge_method,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the code_challenge_method parameter is present, not Compliant otherwise",HTTP parameter presence,Correct Input,Authentication request,Does the RP's Authentication Request contain the 'code_challenge_method' parameter,"The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. 
If it is not present, then the RP is not compliant with the specifications",RP,,Authentication request | url | code_challenge_method,The HTTP Authentication Request must contain the 'code_challenge_method' parameter and it must be set to on of the value of the code_challenge_methods_supported parameter in the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,Create OP test on code_challenge,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-acr_values,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the acr_values parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'acr_values' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | acr_values,"The JWT payload of the request parameter in the Authentication Request must contain the 'acr_values' parameter and It MUST be a string with the requested 'acr' values, each of them separated by a single space, appearing in order of preference. 
The supported values 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -o,RP-Authentication request-JWT-acr_values-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the acr_values parameter is present, it is a string with the requested 'acr' values separated by a single space and the values are among 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. Not compliant otherwise",JWT list values,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. 
If it contains other values or it is missing, than the RP is not compliant with the specifications",RP,,"Authentication request | url | request | payload | acr_values | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3""]","The JWT payload of the request parameter in the Authentication Request must contain the 'acr_values' parameter and It MUST be a string with the requested 'acr' values, each of them separated by a single space, appearing in order of preference. The supported values 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-aud,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the aud parameter is present, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'aud' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. 
If it missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | aud,The JWT content of the request parameter in the Authentication Request must contain the 'aud' parameter and it must be the OP identifier,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-header-client_id-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT in the request parameter contains the 'client_id' parameter identifying the RP, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP,"In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,Authentication request | url | request | payload | client_id | client_id,The JWT content of the request parameter in the Authentication Request must contain the 'client_id' parameter. 
It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-exp,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if present and before the current time, not compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'exp' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | exp,The JWT content of the request parameter in the Authentication Request must contain the 'exp' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-header-alg-not_in_value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT Header of the request parameter contains the alg parameter and its value does not corresponds to one among ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT parameter not in value,Correct Input,Authentication request,Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request,"In this test the Authentication Request is taken and the alg parameter in the JWT 
Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.",RP,,"Authentication request | url | request | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]","The JWT Header of the request parameter in the Authentication Request must contain the 'alg' parameter, it must be set to one of the supported values for the OP metadata and must not be 'none' or a symmetric algorithm (MAC).",SPID_CIE_OIDC; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,"If it is not an alg supported by the OP, than it cannot verify the signature and there are 3 cases: 1. It is a algorithm not supported and the OP even trying to use the correct RP's public key cannot decrypt it, or -2. It is a symmetric algorithm and the public key of the RP won't decrypt the signature -3. It is a symmetric algorithm and the public key of the RP is the correct key used to encrypt it -In the first 2 cases the parameter is meaningless because the OP won't be able to decrypt the signature, in the latter we cannot rely on the secrecy of the process. 
The only interesting case is the third one",FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-header-client_id,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'client_id' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'client_id' parameter,"In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.",RP,,Authentication request | url | request | payload | client_id,The JWT content of the request parameter in the Authentication Request must contain the 'client_id' parameter. It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-header-kid,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'kid' parameter in the header, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the JWT header of the Authentication Request contain the kid parameter,"In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.",RP,,Authentication request | url | request | header | kid,The JWT Header of the request parameter in the Authentication Request must contain the 'kid' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-iat,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'iat' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'iat' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | iat,The JWT content of the request parameter in the Authentication Request must contain the 'iat' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-jwt-nonce,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'nonce' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'nonce' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.",RP,,Authentication request | url | request | payload | nonce,The JWT payload of the request parameter in the Authentication Request must contain the 'nonce' parameter and it must be of at least 32 alphanumeric characters length,SPID_CIE_OIDC#Authorization-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-jwt-prompt,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'prompt' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'prompt' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | prompt,The JWT payload of the request parameter in the Authentication Request must contain the 'prompt' parameter. It can contain the 'consent' or the 'consent login' value,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-jwt-redirect_uri,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the redirect_uri parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",RP,,Authentication request | url | request | payload | redirect_uri,The JWT payload of the request parameter in the Authentication Request must contain the 'redirect_uri' parameter. 
It must match one of the URLs given in the RP metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-jwt-response_type,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the response_type parameter is present, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'response_type' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",RP,,Authentication request | url | request | payload | response_type,The JWT payload of the request parameter in the Authentication Request must contain the 'response_type' parameter and it must contain the value in 'response_types_supported' parameter of the OP metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-jwt-scope,Authentication Request,Authentication request,Trigger Authentication request,Compliant if the scope parameter is present in the JWT payload. 
Not compliant otherwise,JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request contain the 'scope' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",RP,,Authentication request | url | request | payload | scope,"The JWT payload of the request parameter in the Authentication Request must contain the 'scope' parameter and the supported values are 'profile' and 'email'. The parameter scope MUST be sent both as a parameter in the HTTP call, and inside the request object. The two values MUST be the same",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,"Not clear in the new specification, check if the offline access can be used this way",FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-state,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'state parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'state' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",RP,,Authentication request | url | request | payload | state,The JWT payload of the request parameter in the Authentication Request must contain the 'state' parameter and it must be of at least 32 alphanumeric characters length,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication 
request-JWT-state-type,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the state parameter is present and longer than 32 characters, not Compliant otherwise",JWT parameter type,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications",RP,,"Authentication request | url | request | payload | | {""type"": ""object"", ""properties"": {""state"": {""type"": ""string"", ""pattern"": ""^[\u0020-\u007E]{32,}$""}}, ""required"": [""state""]}",The JWT payload of the request parameter in the Authentication Request must contain the 'state' parameter and it must be of at least 32 alphanumeric characters length,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-jwt-ui_locales,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'ui_locales' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'ui_locales' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. 
If it is missing, the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | ui_locales,The JWT content of the request parameter in the Authentication Request must contain the 'ui_locales' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro ui_locales -x,RP-Authentication request-nonce-type,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the nonce parameter is longer than 32 characters, not Compliant otherwise",JWT parameter type,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.",RP,,"Authentication request | url | request | payload | | {""type"": ""object"", ""properties"": {""nonce"": {""type"": ""string"", ""pattern"": ""^[\u0020-\u007E]{32,}$""}}, ""required"": [""nonce""]}",The JWT payload of the request parameter in the Authentication Request must contain the 'nonce' parameter and it must be of at least 32 alphanumeric characters length,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -o,RP-Authentication request-prompt-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the prompt parameter is present and is set to 'consent' or to 'consent login', not Compliant otherwise",JWT list values,Correct 
Input,Authentication request,Does the RP Authentication Request's JWT contain the 'prompt' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications",RP,,"Authentication request | url | request | payload | prompt | [""consent"", ""consent login""]",The JWT payload of the request parameter in the Authentication Request must contain the 'prompt' parameter. It can contain the 'consent' or the 'consent login' value,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-redirect_uri-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the redirect_uri parameter value matches one of the URLs given in the RP metadata, not compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.redirect_uris,Authentication request | url | request | payload | redirect_uri | redirect_uris,The JWT payload of the request parameter in the Authentication Request must contain the 'redirect_uri' parameter. 
It must match one of the URLs given in the RP metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-response_type-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the response_type parameter is present and equal to the 'response_types_supported' parameter in the OP metadata, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain a correct 'response_type' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types[0],Authentication request | url | request | payload | response_type | response_types_supported,The JWT payload of the request parameter in the Authentication Request must contain the 'response_type' parameter and it must contain the value in 'response_types_supported' parameter of the OP metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-scope-value,Authentication Request,Authentication request,Trigger Authentication request,"Compliant if the value of the scope parameter in the JWT payload is set to 'openid'. Optionally to 'openid profile', 'openid email', 'openid offline_access', 'openid offline_access profile' and 'openid offline_access email'. 
Not compliant otherwise",JWT list values,Correct Input,Authentication request,Does the RP Authentication Request contain a correct value in 'scope' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.",RP,,"Authentication request | url | request | payload | scope | [""openid"", ""openid profile"", ""openid email"", ""openid offline_access"", ""openid offline_access profile"", ""openid offline_access email""]","The JWT payload of the request parameter in the Authentication Request must contain the 'scope' parameter and the supported values are 'profile' and 'email'. The parameter scope MUST be sent both as a parameter in the HTTP call, and inside the request object. The two values MUST be the same",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,"Not clear in the new specification, check if the offline access can be used this way",FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-url-client_id,Authentication Request,Authentication request,Trigger Authentication request,Compliant if the url contains the client_id parameter,HTTP parameter presence,Correct Input,Authentication request,Does the RP insert the client ID in the url of the request,In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked,RP,,Authentication request | url | client_id,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC 
Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-url-response_type,Authentication Request,Authentication request,Trigger Authentication request,Compliant if the url contains the response_type parameter,HTTP parameter presence,Correct Input,Authentication request,Does the RP insert the response type in the url of the request,In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked,RP,,Authentication request | url | response_type,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-iss,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'iss' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'iss' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.",RP,,Authentication request | url | request | payload | iss,The JWT content of the request parameter in the Authentication Request must contain the 'iss' parameter and it must be the client_id of the RP creating the request,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Authentication request-JWT-iss-value,Authentication Request's request parameter,Authentication 
request,Trigger Authentication request,"Compliant if the iss parameter corresponds to the RP's client_id, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,Authentication request | url | request | payload | iss | iss,The JWT content of the request parameter in the Authentication Request must contain the 'iss' parameter and it must be the client_id of the RP creating the request,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,AA-Entity Configuration response-metadata-authorization_endpoint-value,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_endpoint claim contains ""private"", not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain correct type authorization_endpoint claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is ""private""",AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"": ""object"",""properties"": {""authorization_endpoint"": {""type"": ""string"",""const"": ""private""}},""required"": [""authorization_endpoint""]}",The AA Metadata of type 'federation_entity' MUST contain 
authorization_endpoint,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-logo_uri-type,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain correct type logo_uri claim,In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The AA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-op_policy_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the op_policy_uri claim is in the AA metadata, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the AA metadata contain op_policy_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked,AA,,Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_provider.op_policy_uri,The AA Metadata of type 
'openid_provider' MUST contain op_policy_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-op_policy_uri-type,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the op_policy_uri claim contains an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain correct type op_policy_uri claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is ""private""",AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_provider | {""type"": ""object"",""properties"": {""op_policy_uri"": {""type"": ""string"",""format"": ""uri""}},""required"": [""op_policy_uri""]}",The AA Metadata of type 'openid_provider' MUST contain op_policy_uri as URL,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-resource-type,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the resource claim contains one or more https URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain correct type resource claim,In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL,AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"": 
""object"",""properties"": {""resource"": {""oneOf"": [{""type"": ""string"", ""format"": ""uri"", ""pattern"": ""^https://""},{""type"": ""array"",""items"": {""type"": ""string"", ""format"": ""uri"", ""pattern"": ""^https://""},""minItems"": 1}]}},""required"": [""resource""]}",The AA Metadata of type 'federation_entity' MUST contain resource,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",AA,,Entity Configuration response | body | [^\r\n]* | X_key_AA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration AA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",AA,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_key_AA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-authorization_endpoint,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the authorization_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.authorization_endpoint,The AA Metadata of type 'oauth_authorization_server' MUST contain authorization_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-contacts,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the contacts claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the contacts claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' 
entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The AA Metadata of type 'federation_entity' MUST contain contacts,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-dpop_signing_alg_values_supported-not_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the dpop_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain dpop_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-dpop_signing_alg_values_supported-presence,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the dpop_signing_alg_values_supported claim is present, not compliant if it is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain dpop_signing_alg_values_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.dpop_signing_alg_values_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain dpop_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,H,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-dpop_signing_alg_values_supported-supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the dpop_signing_alg_values_supported claim contains 'one_of': ['RS256', 'RS512'], not compliant if it is 
missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the AA metadata contain correct dpop_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain dpop_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-federation_resolve_endpoint,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the federation_resolve_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the federation_resolve_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The AA Metadata of type 'federation_entity' MUST contain federation_resolve_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint,AA 
metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the federation_trust_mark_status_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the federation_trust_mark_status_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The AA Metadata of type 'federation_entity' MUST contain federation_trust_mark_status_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-grant_types_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the grant_types_supported claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the grant_types_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.grant_types_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain grant_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non 
presente,not_applicable, +x,AA-Entity Configuration response-metadata-homepage_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the homepage_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the homepage_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The AA Metadata of type 'federation_entity' MUST contain homepage_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-issuer,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the issuer claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.issuer,The AA Metadata of type 'oauth_authorization_server' MUST contain issuer,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-issuer-type,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer claim in the metadata claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain a correct type of issuer claim,In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL,AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.oauth_authorization_server | {""type"":""object"", ""properties"":{""issuer"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""issuer""]})",The AA Metadata of type 'oauth_authorization_server' MUST contain issuer,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC 
Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-jwks,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the jwks claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the jwks claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.jwks,The AA Metadata of type 'oauth_authorization_server' MUST contain jwks,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-logo_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the logo_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The AA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-logo_uri-value,AA 
metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim in the metadata claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain a correct logo_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL,AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""logo_uri""]})",The AA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-op_policy_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the op_policy_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the op_policy_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.op_policy_uri,The AA Metadata of type 'oauth_authorization_server' MUST contain op_policy_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-op_tos_uri,AA metadata,Entity 
Configuration response,Trigger Entity Configuration response,"Compliant if the op_tos_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the op_tos_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.op_tos_uri,The AA Metadata of type 'oauth_authorization_server' MUST contain op_tos_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-organization_name,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the organization_name claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the organization_name claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The AA Metadata of type 'federation_entity' MUST contain organization_name,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-policy_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the policy_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the policy_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The AA Metadata of type 'federation_entity' MUST contain policy_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-resource,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the resource claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the resource claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_resource.resource,The AA Metadata of type 'oauth_resource' MUST contain resource,SPID_CIE_OIDC#AA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-response_types_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_types_supported claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the response_types_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.response_types_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain response_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-scopes_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the scopes_supported claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the scopes_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.scopes_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain 
scopes_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-token_endpoint,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint,The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-token_endpoint_auth_methods_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_methods_supported claim is present, not compliant otherwise.",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint_auth_methods_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_methods_supported,The AA 
Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-token_endpoint_auth_methods_supported-supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_methods_supported claim is present and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise.",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint_auth_methods_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. 
It must contain the key-value pair 'one_of': ['private_key_jwt'],AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of | [""private_key_jwt""]",The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 
token_endpoint_auth_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is 'one_of': ['RS256', 'RS512'], not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",AA,,"Entity Configuration response | body | [^\r\n]* | payload | 
metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-trust_marks,AA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the AA's entity configuration contain the trust_marks parameter,"To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",AA,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 
'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,AA-Entity Configuration response-trust_marks-type,AA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter present in the payload is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA's entity configuration contain a correct trust_marks parameter,"To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",AA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_marks""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +o,ALL-Entity Configuration response-correct-content-type,,Entity Configuration response,Entity Configuration request,"Compliant if the Content-Type of the response is application/entity-statement+jwt, not compliant otherwise",HTTP parameter value_1,Correct Input,Entity Configuration response,Does the entity return a correct Content-Type in the EC response,In this test a correct request to the entity's 
/.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt,ALL,,Entity Configuration response | head | Content-Type | application/entity-statement+jwt,,SPID_CIE_OIDC#Entity-Configuration-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,,,,yes,"[""s1""]",E,,P,P,passed, +o,ALL-Entity Configuration response-correct-http-code,,Entity Configuration response,Entity Configuration request,"Compliant if the response is an HTTP 200 OK, not compliant otherwise",HTTP Status,Correct Input,Entity Configuration response,Does the entity return a correct HTTP code in the EC response,In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response,ALL,,Entity Configuration response | head | 200,,SPID_CIE_OIDC#Entity-Configuration-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html,OIDC Federation,Passive,L,Wrong handling of status code,,,,,,,,,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-exp,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the exp parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-exp-type,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the exp parameter is timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does entity configuration contain a correct exp parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",ALL,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}",The exp parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-exposed,/.well-known/openid-federation endpoint response,Entity Configuration Response,Trigger Entity Configuration response,"Compliant if the response is an HTTP 200 OK response, not compliant otherwise",HTTP Status,Correct Input,Entity Configuration response,Does the Entity expose the /.well-known/openid-federation endpoint,"In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",ALL,,Entity Configuration response | head | 200,All the Entities MUST contain the /.well-known/openid-federation endpoint. 
It gives the Entity Configuration,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Wrong handling of status code,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-iat,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the iat parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-iat-type,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the iat parameter is timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does entity configuration contain a correct iat parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",ALL,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The iat parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-iss,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the iss parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-issue,Entity Configuration Response,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response is the Entity Configuration of the entity, not compliant otherwise",HTTP parameter type,Correct Input,Entity Configuration response,Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint,"The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",ALL,,Entity Configuration response | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"An Entity Configuration (EC) is a Federation Metadata in Jose format, signed by its issuing subject and regarding itself, published at the web endpoint .well-known/openid-federation.",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,L,Type mismatch,,,,,,"1.1.1, 1.1.2",,TRUE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-jwks,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the jwks parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-metadata,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the metadata parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the metadata parameter,"To accomplish this test, the Entity configuration of the interested entity 
is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | metadata,The metadata parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-metadata-type,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if 'metadata' parameter is a JSON Object, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain a JSON Object,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. 
This must be a JSON object.",ALL,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""metadata"": {""type"": ""object""}}, ""required"": [""metadata""]}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,ALL-Entity Configuration response-sub,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,OP-Token response-id_token-payload-nbf-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the nbf claim set to the timestamp equal to the 'iat' parameter, not Compliant otherwise",/ not to do,Correct Input,Token response,Does the issued JWT ID Token contain the 'nbf' parameter in the Payload set to 'iat' value,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and 
the value of the 'nbf' parameter in the Payload must be a timestamp equal to the 'iat' parameter",OP,,,The JWT ID Token Payload requires the nbf parameter and it has to be equal to iat,External: solo SPID | SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,,,,,,,,,,FALSE,x,,,,,,,,, 
+x,ALL-Resolve Entity Statement endpoint response-exposed,Resolve Entity Statement endpoint response,Resolve Entity Statement endpoint response,Trigger Resolve Entity Statement endpoint response,"Compliant if the Response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Resolve Entity Statement endpoint response,Does the Entity expose the resolve entity statement endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",ALL,,"Resolve Entity Statement response | body | [\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$","All the Entities MUST contain the resolve entity statement endpoint. 
It gives the final Metadata, the Trust Chain and the Trust Marks regarding another subject.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Resolve Entity Statement response 
+x,OP-Authentication response-code-type,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri and adds the code parameter in the query parameters as a UUID, not compliant otherwise",HTTP parameter type,Correct Input,Authentication response,Does the OP contain the correct type of code parameter on redirect in a successful authentication,"In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",OP,,Authentication response | head | (?<=code=)[a-zA-Z0-9]+(?=&),If the authentication is successful the OpenID Provider (OP) redirects the user by adding code parameter required as query parameters to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, 
+o,OP-Authentication response-consent-page,Authentication response,Authentication response,Authentication request,"Compliant if the OP shows the consent page, not compiant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP show the consent view,"In this test an authentication request is accomplished and, when the correct login credentials are inserted, the presence of the consent 
view shown to the user is checked. If it is not the case, the OP is not compliant",OP,,,"If the prompt parameter is set to consent login, the OP forces an authentication request to the user. Then it asks permission to transfer the claims. If the prompt parameter is set to consent, if a Single Sign On session is not yet active, the OP makes an Authentication Request to the user. Then it asks permission to transfer the claims.",SPID_CIE_OIDC#Authentication-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Incorrect handling,,,,,,,,,,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Authentication response-error,Authentication Error response,Authentication response,Trigger Authentication response,"Compliant if the Authentication Response contains the error parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Authentication response,Does the Authentication error response contain the error parameter,The Authentication error response is analyzed and the presence of the error parameter is checked,OP,,,"In case of errors, the response must contain the error and error_description parameters",SPID_CIE_OIDC#Authentication-Error-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#gestione-degli-errori,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Authentication response-error_description,Autentication Error response,Authentication response,Trigger Authentication response,"Compliant if the Authentication Response has the error_description parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Authentication response,Does the Authentication error response contain the error_description parameter,The Authentication error response is analyzed and the presence of the error_description is checked,OP,,,"In case of errors, the response must contain the 
error and error_description parameters",SPID_CIE_OIDC#Authentication-Error-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#gestione-degli-errori,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, 
-x,OP-Authentication response-code-type,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri and adds the code parameter in the query parameters as a UUID, not compliant otherwise",HTTP parameter type,Correct Input,Authentication response,Does the OP contain the correct type of code parameter on redirect in a successful authentication,"In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.",OP,,Authentication response | head | (?<=code=)[a-zA-Z0-9]+(?=&),If the authentication is successful the OpenID Provider (OP) redirects the user by adding code parameter required as query parameters to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, 
+x,OP-Authentication response-error-value,Authentication Error response,Authentication response,Trigger Authentication response,"Compliant if the Authentication Response has the error parameter and it is set to a value among 'invalid_request', 'unauthorized_client', 'access_denied', 'invalid_scope', 'server_error', 'temporarily_unavailable', 'unsupported_response_type', 'login_required', 'consent_required', 'request_uri_not_supported', 'registration_not_supported', or 'invalid_request_object'. 
Not Compliant otherwise",/ manual: wrong parameter,Correct Input,Authentication response,Does the Authentication error response contain a correct error parameter,"The Authentication error response is analyzed and error parameter in it is checked. It must have a value among 'invalid_request', 'unauthorized_client', 'access_denied', 'invalid_scope', 'server_error', 'temporarily_unavailable', 'unsupported_response_type', 'login_required', 'consent_required', 'request_uri_not_supported', 'registration_not_supported', or 'invalid_request_object'",OP,,"Authentication response | body | error | [""invalid_request"", ""unauthorized_client"", ""access_denied"", ""invalid_scope"", ""server_error"", ""temporarily_unavailable"", ""unsupported_response_type"", ""login_required"", ""consent_required"", ""request_uri_not_supported"", ""registration_not_supported"", ""invalid_request_object""]","In case of errors, the response must contain the error and error_description parameters",SPID_CIE_OIDC#Authentication-Error-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#gestione-degli-errori,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, 
+x,OP-Authentication response-get-with-query_string_serialization,Trigger Authentication Response to a Request done with the HTTP GET method and the Query String serialization method,Authentication Response to a Request done with the HTTP GET method and the Query String serialization method,Authentication Request done with the HTTP GET method and the Query String serialization method,"Client redirect to the redirect uri with correct query parameters (scope, code_challenge, code_challenge_method and request) insterted in the URL",/ manual: check flow,Correct Input,Authentication response,Does the OP accept GET requests and the Query String serialization method,"An authentication request is sent with the GET method and the parameters (scope, 
code_challenge, code_challenge_method and request) are set as query components of the request, using the application/x-www-form-urlencoded format",OP,,Authentication response | head | scope | code_challenge | code_challenge_method | request | request,"For conveying the request, the RP MAY use the methods POST and GET. With the method POST the parameters MUST be sent using the Form Serialization. With the method GET the parameters MUST be sent using the Query String Serialization. For more details see",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Incorrect handling,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Authentication response-get-wrong-serialization,Authentication Response to a Request done with the HTTP GET method and a wrong serialization method,Authentication Response to a Request done with the HTTP GET method and a wrong serialization method,"Authentication Request done with the HTTP GET method and scope, code_challenge, code_challenge_method and request parameters inserted in the body of the request using the application/x-www-form-urlencoded format","Compliant if the Authentication response is HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP accept GET requests with a wrong serialization method,"An authentication request is sent with the GET method and the parameters (scope, code_challenge, code_challenge_method and request) are inserted in the body of the request, using the application/x-www-form-urlencoded format",OP,,,"For conveying the request, the RP MAY use the methods POST and GET. 
With the method GET the parameters MUST be sent using the Query String Serialization",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 
-x,OP-Authentication response-post-wrong-serialization,Authentication Response to a Request done with the HTTP POST method and a wrong serialization method,Authentication Response to a Request done with the HTTP POST method and a wrong serialization method,"Authentication Request done with the HTTP POST method and scope, code_challenge, code_challenge_method and request parameters set as query components of the request, using the application/x-www-form-urlencoded format","Compliant if the Authentication response is HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP accept POST requests with a wrong serialization method,"An authentication request is sent with the POST method and the parameters (scope, code_challenge, code_challenge_method and request) are set as query components of the request, using the application/x-www-form-urlencoded format",OP,,,"For conveying the request, the RP MAY use the methods POST and GET. 
With the method POST the parameters MUST be sent using the Form Serialization",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 
-x,OP-Authentication response-wrong-user-credentials,Authentication response,Authentication response,"Authentication request with prompt set to ""consent login""","Compliant if the Authentication response is an HTTP 302 because access_denied, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP refuse wrong credentials,"In this test an authentication request with prompt set to 'consent login' is accomplished and, when the user credentials are requested, wrong ones are inserted. The response is then analyzed",OP,,,Lโ€™OP ha negato lโ€™accesso a causa di credenziali non valide o non adeguate al livello SPID richiesto,SPID_CIE_OIDC#Authentication-Endpoint; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#codici-di-errore,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,,,,yes,"[""s_CIE_wrong_credentials""]",E,Problema implementazione,F,F,failed,Ritorna 200
 x,OP-Authentication response-JWT-aud-wrong-id,Authentication Response to a request without the OP's identifier in the aud parameter,Authentication Response to a request without the OP's identifier in the aud parameter,Authentication Request without the OP's identifier in the aud parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse 
Authentication Requests with an aud parameter that does not contain its identifier,The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed,OP,Authentication request | url | request | payload | iss | https://www.example.com/ | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the aud parameter and it must contain the OP's identifier (issuer parameter in OP's metadata),SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Authentication response-JWT-missing-client_id,Authentication Response to a request without the client_id parameter,Authentication Response to a request without the client_id parameter,Authentication request without the client_id parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the client_id parameter,"The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed",OP,Authentication request | url | request | payload | client_id | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the client_id parameter and its value must be an HTTPS URL identifying the RP,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Authentication request, no client id",,,,Check error code in the test (is changed),TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 o,OP-Authentication response-JWT-missing-code_challenge,Authentication Response to a request without the code_challenge parameter,Authentication Response to a request without the code_challenge parameter,Authentication Request without the code_challenge parameter in the URL,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the code_challenge parameter,"The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed",OP,Authentication request | url | request | payload | code_challenge | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the code_challenge parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Does the server require PKCE (IsPkceRequired),,"Authentication request, no code_challenge",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
@@ -45,6 +65,7 @@ x,OP-Authentication response-JWT-missing-code_challenge_method,Authentication Re
 x,OP-Authentication response-JWT-missing-nonce,Authentication Response to a request without the nonce parameter,Authentication Response to a request without the nonce parameter,Authentication request without the nonce parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the nonce parameter,"If the nonce in the request is missing, than a control about the freshness of the request/response is missing. In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.",OP,Authentication request | url | request | payload | nonce | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the nonce parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is the nonce parameter required (NonceRequired),,"Auth request, no nonce",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Authentication response-jwt-missing-scope,Authentication Response to a request without the scope parameter,Authentication Response to a request without the scope parameter,Authentication Request without the scope parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the scope parameter,An Authentication Request is sent without the scope parameter in JWT and the response is analyzed,OP,Authentication request | url | 
request | payload | scope | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the scope parameter and its value must be contained in the scopes_supported parameter of the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Authentication response-JWT-missing-state,Authentication Response to a request without the state parameter,Authentication Response to a request without the state parameter,Authentication request without the state parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the state parameter,"The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. 
In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.",OP,Authentication request | url | request | payload | state | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the state parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Auth request, no state",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
+x,OP-Authentication response-JWT-require-pkce,Authentication Response to a Request without the code_challenge and code_challenge_method parameter in the request,Authentication Response to a Request without the code_challenge and code_challenge_method parameter in the request,Authentication Request without the code_challenge and code_challenge_method parameter in the request,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP require PKCE,"An authentication request with empty code_challenge and code_challenge_method parameter is sent and the response analyzed. If the OP accepts the request, than plain PKCE is accepted and a protection against attacks like CSRF and authorization code injection attacks is missing",OP,,,The JWT payload must contain the code_challenge parameter. 
The JWT payload must contain the code_challenge_method parameter and its value must be in the code_challenge_methods_supported parameter of the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.","Does the server require PKCE (IsPkceRequired), Does the server support plain PKCE (PlainPkce)",,"authentication request, no correct code_challenge_method",,,,,TRUE,x,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Authentication response-JWT-wrong-acr_values,Authentication Response to a request with wrong acr_values parameter,Authentication Response to a request with wrong acr_values parameter,Authentication Request with wrong acr_values parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata,In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed,OP,Authentication request | url | request | payload | acr_values | example | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the acr_values parameter and its value must be contained in the acr_values_supported parameter of the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Auth request, no correct acr_values",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
o,OP-Authentication response-JWT-wrong-claims,Authentication Response to a request with wrong claims parameter,Authentication Response to a request with wrong claims parameter,Authentication Request with a wrong claims parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a wrong claims parameter,In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed,OP,Authentication request | url | request | payload | claims | example | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the claims parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Authentication request, no correct claims",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Authentication response-JWT-wrong-code_chalenge_mehod,Authentication Response to a request with wrong code_challenge_method parameter,Authentication Response to a request with wrong code_challenge_method parameter,Authentication Request with wrong code_challenge_method parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata,"The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. 
If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed",OP,Authentication request | url | request | payload | code_challenge_method | example | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the code_challenge_method parameter and its value must be in the code_challenge_methods_supported parameter of the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
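Review bot: The description of the new OP-Authentication response-JWT-require-pkce row (in the hunk starting at `@@ -45,6 +65,7 @@`) conflates two distinct properties: sending a request with empty code_challenge and code_challenge_method can only show whether the OP enforces PKCE (IsPkceRequired), not whether it accepts the 'plain' method (PlainPkce), which would need a request carrying code_challenge_method set to plain; yet the row's "questions" column lists both. Suggest rewording the outcome sentence to `If the OP accepts the request, then PKCE is not enforced and the protection against authorization code injection that PKCE provides is missing` (this also fixes the 'than' → 'then' typo), and either dropping the PlainPkce reference or adding a separate row for it. The row also leaves the mutation and oracle columns empty where every neighbouring row carries `Authentication request | url | request | payload | ... | X_key_RP` and `Authentication error response | head | 302 | head | invalid_request`, so it is manual-only; if that is intended, note that OP-Authentication response-JWT-missing-code_challenge in the preceding hunk already automates part of the same check and the two rows should be kept consistent.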
@@ -55,7 +76,6 @@ openid e exp expired nella login",,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-JWT-wrong-iat,Authentication Response to a request with wrong iat parameter,Authentication Response to a request with wrong iat parameter,Authentication Request with wrong iat parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a wrong iat parameter,In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.,OP,Authentication request | url | request | payload | iat | 1681723540 | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the iat parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-JWT-wrong-nonce,Authentication Response to a request with a nonce parameter shorter than 32 alphanumeric characters,Authentication Response to a request with a nonce parameter shorter than 32 alphanumeric characters,Authentication Request with a nonce parameter shorter than 32 alphanumeric characters in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters,In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.,OP,Authentication 
request | url | request | payload | nonce | 19az | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the nonce parameter. It must be a casual string with at least 32 alphanumeric characters.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Auth request, no correct nonce",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Token response-id_token-payload-nbf-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the nbf claim set to the timestamp equal to the 'iat' parameter, not Compliant otherwise",/ not to do,Correct Input,Token response,Does the issued JWT ID Token contain the 'nbf' parameter in the Payload set to 'iat' value,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'nbf' parameter in the Payload must be a timestamp equal to the 'iat' parameter",OP,,,The JWT ID Token Payload requires the nbf parameter and it has to be equal to iat,External: solo SPID | SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,,,,,,,,,,FALSE,x,,,,,,,,, x,OP-Authentication response-JWT-wrong-prompt,Authentication Response to a request with wrong prompt parameter,Authentication Response to a request with wrong prompt parameter,Authentication Request with a wrong prompt parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a wrong prompt parameter,An Authenticaton request is sent with a wrong prompt 
parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed,OP,Authentication request | url | request | payload | prompt | example | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the prompt parameter and its value must be 'consent' or 'consent login',SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Auth request, no correct prompt",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-JWT-wrong-response_type,Authentication Response to a request with wrong response_type parameter,Authentication Response to a request with wrong response_type parameter,Authentication Request with wrong response_type parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of unsupported_response_type, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata,"An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. 
If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.",OP,Authentication request | url | request | payload | response_type | example | X_key_RP,Authentication error response | head | 302 | head | unsupported_response_type,The JWT payload must contain the response_type parameter and its value must be contained in the response_types_supported parameter of the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Does the authorization server check the response type (IsResponseTypeChecked),,"Auth request, no correct response_type",,,,,TRUE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 302 invalid_request x,OP-Authentication response-JWT-wrong-scope,Authentication Response to a request with wrong scope parameter,Authentication Response to a request with wrong scope parameter,Authentication Request with wrong scope parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_scope, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata,"The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. 
So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed",OP,Authentication request | url | request | payload | scope | example | X_key_RP,Authentication error response | head | 302 | head | invalid_scope,The JWT payload must contain the scope parameter and its value must be contained in the scopes_supported parameter of the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 302 invalid_request 
@@ -68,48 +88,35 @@ OIDC e scope valorizzato openid e exp assente nella login",,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-missing-iat,Authentication Response to a request without the iat parameter,Authentication Response to a request without the iat parameter,Authentication Request without the iat parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the iat parameter,An Authentication Request is sent without the iat parameter in JWT and the response is analyzed,OP,Authentication request | url | request | payload | iat | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the iat parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is JWT 'issued at' checked (IsIssuedAtChecked),,,,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +o,OP-Token response-pragma-value,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has Pragma set to 'no-cache', not Compliant otherwise",/ external,Correct Input,Token response,Does the token response have Pragma set to 'no-cache',This test verifies the presence of Pragma set to 'no-cache' in the token response.,OP,,,The error Token response must have Pragma set to 'no-cache',External,OIDC Core,Active,,,,,,,,,,TRUE,x,,,,,,,Manca parametro Pragma,, x,OP-Authentication response-missing-iss,Authentication Response to a request without the iss parameter,Authentication Response to a request without the iss parameter,Authentication Request without the iss parameter in the JWT,"Compliant if the 
Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the iss parameter,An Authentication Request is sent without the iss parameter in JWT and the response is analyzed,OP,Authentication request | url | request | payload | iss | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT content of the request parameter in the Authentication Request must contain the 'iss' parameter and it must be the client_id of the RP creating the request,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is JWT issuer checked (HasIssuerClaim),,,,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-missing-prompt,Authentication Response to a request without the prompt parameter,Authentication Response to a request without the prompt parameter,Authentication Request without the prompt parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the prompt parameter,An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed,OP,Authentication request | url | request | payload | prompt | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the prompt parameter and its value must be 'consent' or 'consent login',SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow 
is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Auth request, no prompt",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-missing-redirect_uri,Authentication Response to a request without the redirect_uri parameter,Authentication Response to a request without the redirect_uri parameter,Authentication Request without the redirect_uri parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the redirect_uri parameter,An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed,OP,Authentication request | url | request | payload | redirect_uri | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the redirect_uri parameter and its value must be contained in the redirect_uris parameter of the RP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,Reject request without redirect_uri when multiple registered,"Auth request, no redirect_uri",,,,I heard that sometimes it is not always checked because the address in the RP metadata is checked,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, o,OP-Authentication response-missing-response_type,Authentication Response to a request without the response_type parameter,Authentication Response to a request without the response_type parameter,Authentication Request without the response_type parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong 
Input,Authentication response,Does the OP refuse Authentication Requests without the response_type parameter,An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed,OP,Authentication request | url | request | payload | response_type | | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the response_type parameter and its value must be contained in the response_types_supported parameter of the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,Reject request without response_type,"Auth request, no response_type",,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Authentication response-missing-signature,Authentication Response to a request with a request parameter being a JWT without signature,Authentication Response to a request with a request parameter being a JWT without signature,Authentication Request with the request parameter in the url being a JWT without signature,"Compliant if the Authentication response is HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the signature of the JWT,"This test aims to verify if the OP checks the presence of the signature in an authentication request's JWT. 
In particular, since the JWT is composed by three parts (header, payload and signature), an Authentication Request is sent with a JWT without the last part of it, the signature.",OP,Authentication request | url | (?<=request=\\S{90}\\.\\S{1199})\\S* | ,Authentication response | head | 302 | url | invalid_request,"The Authorization request is initiated by the user that selects the OP for the authentication. The RP redirects the user to the Authorization Endpoint of the selected OP, including in the request the parameter request that is a signed JWT containing the Authorization Request.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is a JWT signature required (IsSignatureRequired),Support request request parameter iwht unsecured request,,T1_m,,,,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[PRIMA] Ritorna 403 - [ADESSO] Ritorna 302 senza invalid_request x,OP-Authentication response-non-asymmetric-signature_no-sign-after-edit,Authentication Response to a request with a request parameter signed with a symmetric algorithm,Authentication Response to a request with a request parameter signed with a symmetric algorithm,Authentication Request with a request parameter signed with a symmetric algorithm,"Compliant if the Authentication response is an HTTP 302 because of unauthorized_client, not compliant otherwise",nested JWT edit,Wrong Input,Authentication response,Does the OP refuse Authentication Requests signed with a non-asymmetric method,"This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. 
If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.",OP,Authentication request | url | request | header | alg | none,Authentication error response | head | 302 | head | invalid_request,"The JWT Header of the request parameter in the Authentication Request must contain the 'alg' parameter, it must be set to one of the supported values for the OP metadata and must not be 'none' or a symmetric algorithm (MAC).",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,T1_i,,,Check the error response code in MIG,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Authentication response-post-form_serialization,Authentication Response to a Request done with the HTTP POST method and the Form serialization method,Authentication Response to a Request done with the HTTP POST method and the Form serialization method,Authentication Request done with the HTTP POST method and the Form serialization method,"Client redirect to the redirect uri with correct query parameters (scope, code_challenge, code_challenge_method and request) inserted in the URL",/ manual: check POST,Correct 
Input,Authentication response,Does the OP accept POST requests and the Form serialization method,"An authentication request is sent with the POST method and the parameters (scope, code_challenge, code_challenge_method and request) are inserted in the body of the request, using the application/x-www-form-urlencoded format",OP,,Authentication response | head | scope | code_challenge | code_challenge_method | request | request,"For conveying the request, the RP MAY use the methods POST and GET. With the method POST the parameters MUST be sent using the Form Serialization. With the method GET the parameters MUST be sent using the Query String Serialization. For more details see",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,Incorrect handling,,,,,,,,FALSE,x,,no,"[""s1_login""]",E,Problema implementazione,F,F,failed,"The OP accept the POST, but it returns a 403 error when the user prompt its credentials" +x,OP-Authentication response-post-wrong-serialization,Authentication Response to a Request done with the HTTP POST method and a wrong serialization method,Authentication Response to a Request done with the HTTP POST method and a wrong serialization method,"Authentication Request done with the HTTP POST method and scope, code_challenge, code_challenge_method and request parameters set as query components of the request, using the application/x-www-form-urlencoded format","Compliant if the Authentication response is HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP accept POST requests with a wrong serialization method,"An authentication request is sent with the POST method and the parameters (scope, code_challenge, code_challenge_method and request) are set as query components of the request, using the application/x-www-form-urlencoded format",OP,,,"For conveying 
the request, the RP MAY use the methods POST and GET. With the method POST the parameters MUST be sent using the Form Serialization",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 +x,OP-Authentication response-prompt-consent_login-new-request,Authentication request with prompt parameter set to consent login,Authentication response to a request with prompt parameter set to consent login,Authentication request with prompt parameter set to consent login,"Compliant if the OP shows a login page to the client, not compliant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP correctly handle the prompt parameter set to 'consent login' in the case of a new request,"In the case of the prompt parameter set to 'consent login' in an authentication request, the OP should send an authentication request to the user in any case. In order to verify this behavior, a fresh authentication request is accomplished and the action of the OP verified.",OP,,,In case of a prompt parameter set to consent login in an authentication request: The OP forces an authentication request to the user. 
Then it asks permission to transfer the claims.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Incorrect handling,,,,,,,JWT Response (correct check-yes) but must build custom control of output (login page),FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Authentication response-prompt-consent_login-SSO,Authentication request with prompt parameter set to consent login,Authentication response to a request with prompt parameter set to consent login and SSO session active,Authentication request with prompt parameter set to consent login and SSO session active,"Compliant if the OP shows a login page to the client, not compliant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP correctly handles the prompt parameter set to 'consent login' in the case of SSO,"In the case of the prompt parameter set to 'consent login' in an authentication request, the OP should send an authentication request to the user in any case. In order to verify this behavior, an authentication request while a SSO session is active is accomplished and the action of the OP verified. It should show a login page and ask for the credentials.",OP,,,In case of a prompt parameter set to consent login in an authentication request: The OP forces an authentication request to the user. 
Then it asks permission to transfer the claims.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,Incorrect handling,,,,,,,,FALSE,x,,no,"[""s1-SSO""]",E,,P,P,passed, +x,OP-Authentication response-prompt-consent-new-request,Authentication request with prompt parameter set to consent,Authentication response to a request with prompt parameter set to consent,Authentication request with prompt parameter set to consent,"Compliant if the OP shows a login page to the client, not compliant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP correctly handle the prompt parameter set to 'consent' in the case of a new request,"In the case of the prompt parameter set to 'consent' in an authentication request, the OP should send an authentication request to the user in any case. In order to verify this behavior, an authentication request while a SSO session is active is accomplished and the action of the OP verified. It should show a login page and ask for the credentials.",OP,,,"In case of a prompt parameter set to consent in an authentication request, if a Single Sign On session is not yet active, the OP makes an Authentication Request to the user. 
Then it asks permission to transfer the claims.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,Incorrect handling,,,,,,,JWT Response (correct check-yes) but must build custom control of output (login page),FALSE,x,,yes,"[""s1-SSO""]",E,,P,P,passed, x,OP-Authentication response-redirect-code,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri and adds the code parameter in the query parameters, not compliant otherwise",HTTP parameter presence_1,Correct Input,Authentication response,Does the OP correctly contain the code parameter on redirect in a successful authentication,"In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",OP,,Authentication response | head | Location | code,If the authentication is successful the OpenID Provider (OP) redirects the user by adding code parameter required as query parameters to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,Is at least one grant type supported (HasSupportedFlows),Can make request with code response_type,,P2_a,"Verifica tecnica della response del Authentication Endpoint",,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-missing-signature,Authentication Response to a request with a request parameter being a JWT without signature,Authentication Response to a request with a request parameter being a JWT without signature,Authentication Request with the request parameter in the url being a JWT without 
signature,"Compliant if the Authentication response is HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the signature of the JWT,"This test aims to verify if the OP checks the presence of the signature in an authentication request's JWT. In particular, since the JWT is composed by three parts (header, payload and signature), an Authentication Request is sent with a JWT without the last part of it, the signature.",OP,Authentication request | url | (?<=request=\\S{90}\\.\\S{1199})\\S* | ,Authentication response | head | 302 | url | invalid_request,"The Authorization request is initiated by the user that selects the OP for the authentication. The RP redirects the user to the Authorization Endpoint of the selected OP, including in the request the parameter request that is a signed JWT containing the Authorization Request.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is a JWT signature required (IsSignatureRequired),Support request request parameter iwht unsecured request,,T1_m,,,,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[PRIMA] Ritorna 403 - [ADESSO] Ritorna 302 senza invalid_request -x,OP-Authentication response-redirect-state,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri and contains the state parameter in the query parameters, not compliant otherwise",HTTP parameter presence_1,Correct Input,Authentication response,Does the OP contain correct state parameter on redirect in a successful authentication,"In order to check if the OP correctly handles a successful authentication request, a correct 
request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",OP,,Authentication response | head | Location | state,If the authentication is successful the OpenID Provider (OP) redirects the user by adding state parameter required as query parameters to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-redirect-iss,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri and adds the iss parameter in the query parameters, not compliant otherwise",HTTP parameter presence_1,Correct Input,Authentication response,Does the OP contain iss parameter on redirect in a successful authentication,"In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",OP,,Authentication response | head | Location | iss,If the authentication is successful the OpenID Provider (OP) redirects the user by adding iss parameter required as query parameters to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,,,,P2_c,"Verifica tecnica della response del Authentication Endpoint",,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-require-trust-marks,OP's Authentication response,Authentication response,Entity Configuration response with trust marks not trusted,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse an RP without trusted Trust Marks,"In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. 
The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed",OP,Entity Configuration response RP | body | [^\r\n]* | payload | trust_marks | | X_key_RP,Authentication response | head | 302 | head | invalid_request,"If the RP configuration does not expose any Trust Mark that is recognizable by the RP profile, the Provider MUST refuse the authorization with an error message",SPID_CIE_OIDC#Metadata-Retrieval-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#openid-provider,OIDC Federation,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Ritorna 302 without invalid_request - NON INTERROMPE x,OP-Authentication response-redirect-iss-value,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri with the iss parameter set to the correct OP's identifier, not compliant otherwise",/ manual: check parameter,Correct Input,Authentication response,Does the OP contain iss set to the its identifier on redirect in a successful authentication,"In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter set to the OP's identifier",OP,,,If the authentication is successful the OpenID Provider (OP) redirects the user by adding iss parameter required as query parameters to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Presence of wrong parameter,,,,P2_c,"Verifica tecnica della response del Authentication Endpoint",,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-url-missing-request,Authentication Response to a request without the request parameter,Authentication Response to a request without the request parameter,Authentication Request without the request parameter in the URL,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the request parameter,"The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed",OP,Authentication request | url | request | ,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the request parameter and its value must a JWT,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 -x,OP-Authentication response-URL-missing-scope,Authentication Response to a request without the scope parameter in the URL,Authentication Response to a request without the scope parameter in the URL,Authentication Request without the scope parameter in the URL,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the scope parameter in the URL,An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request),OP,Authentication request | url | scope | ,Authentication error response | head | 302 | head | invalid_request,"The parameter scope MUST be sent both as a parameter in the HTTP request, and inside the request object. 
The two values MUST be the same.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,Scope openid present in all requests,"Auth request, no scope",T1_f,,,,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 -x,OP-Authentication response-url-wrong-request,Authentication Response to a request with the request parameter that is not a JWT,Authentication Response to a request with the request parameter that is not a JWT,Authentication Request with a request parameter in the URL that is not a JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with the request parameter that is not a JWT,"The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed",OP,Authentication request | url | request | example,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the request parameter and its value must a JWT,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 500 -o,OP-Authentication response-wrong-iss,Authentication Response to a request with wrong iss parameter,Authentication Response to a request with wrong iss parameter,Authentication Request with a wrong iss parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a wrong iss parameter,"The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. 
In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed",OP,Authentication request | url | request | payload | iss | https://www.example.com/ | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT content of the request parameter in the Authentication Request must contain the 'iss' parameter and it must be the client_id of the RP creating the request,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -o,OP-Authentication response-wrong-authority_hints,Authentication response,Authentication response,Entity Configuration response with wrong authority hints,"Compliant if the Authentication response is an HTTP 302 error and because of invalid_client, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP correctly validate the trust chain of an RP authentication request,"When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. 
If the OP validates the request anyway, it is not compliant with the specification",OP,Entity Configuration response RP | body | [^\r\n]* | payload | authority_hints | https://www.wrongsite.com/ | X_key_RP,Authentication response | head | 302 | head | invalid_client,"If the Provider successfully validates at least a Trust Mark for the RP profile contained inside the configuration of the requesting RP, it extracts the superior Entities from the claim authority_hints and starts the Federation Entity Discovery process until the Trust Chain calculation and the achievement of the final Metadata.",SPID_CIE_OIDC#Metadata-Retrieval-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#openid-provider,OIDC Federation,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 302 invalid_request -x,OP-Authentication response-wrong-client_id,Authentication Request's request parameter,Authentication Request's request parameter,Authentication Request with a wrong client_id parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request,"This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. 
The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.",OP,Authentication request | url | request | payload | client_id | https://www.example.com/ | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT content of the request parameter in the Authentication Request must contain the 'client_id' parameter. It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,T1_h,,,Not clear what the the client_id in the request must match and if it has to match something,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-wrong-redirect-uri,Authentication Request's request parameter,Authentication Request's request parameter,Authentication Request with a wrong redirect_uri parameter in the JWT in the request parameter,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Request with a wrong redirect URI,"Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. 
To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ",OP,Authentication request | url | request | payload | redirect_uri | https://www.example.com/ | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The redirect_uri parameter in the Authentication Request must match one of the URLs given in the RP Metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.","Does the authorization server automatically redirect the user-agent to the invalid redirection URI (InvalidRedirect), Does the authorization server exactly match the full redirect uri (RedirectUriFullyMatched)","Reject redirect_uri not matching a registered redirect_uri, Reject redirect_uri when query parameter added, Reject redirect_uri when query parameter does not match",,,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-wrong-signature,Authentication Response to a request with the request parameter with a wrong signature,Authentication Response to a request with the request parameter with a wrong signature,Authentication Request with the request parameter with a wrong signature in the URL,"Compliant if the Authentication response is an HTTP 302 because of unauthorized_client, not compliant otherwise",Signature JWT Response,Wrong Input,Authentication response,Does the OP refuse wrongly signed Authentication Requests,"This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. 
In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",OP,Authentication request | url | request | X_wrong_key,Authentication error response | head | 302 | head | unauthorized_client,"The Authorization request is initiated by the user that selects the OP for the authentication. The RP redirects the user to the Authorization Endpoint of the selected OP, including in the request the parameter request that is a signed JWT containing the Authorization Request.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,Is the JWT signature checked (IsSignatureChecked),,,T1_G,,,,TRUE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 302 invalid_request -o,OP-Authentication response-consent-page,Authentication response,Authentication response,Authentication request,"Compliant if the OP shows the consent page, not compiant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP show the consent view,"In this test an authentication request is accomplished and, when the correct login credentials are inserted, the presence of the consent view shown to the user is checked. If it is not the case, the OP is not compliant",OP,,,"If the prompt parameter is set to consent login, the OP forces an authentication request to the user. Then it asks permission to transfer the claims. If the prompt parameter is set to consent, if a Single Sign On session is not yet active, the OP makes an Authentication Request to the user. 
Then it asks permission to transfer the claims.",SPID_CIE_OIDC#Authentication-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Incorrect handling,,,,,,,,,,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-get-with-query_string_serialization,Trigger Authentication Response to a Request done with the HTTP GET method and the Query String serialization method,Authentication Response to a Request done with the HTTP GET method and the Query String serialization method,Authentication Request done with the HTTP GET method and the Query String serialization method,"Client redirect to the redirect uri with correct query parameters (scope, code_challenge, code_challenge_method and request) insterted in the URL",/ manual: check flow,Correct Input,Authentication response,Does the OP accept GET requests and the Query String serialization method,"An authentication request is sent with the GET method and the parameters (scope, code_challenge, code_challenge_method and request) are set as query components of the request, using the application/x-www-form-urlencoded format",OP,,Authentication response | head | scope | code_challenge | code_challenge_method | request | request,"For conveying the request, the RP MAY use the methods POST and GET. With the method POST the parameters MUST be sent using the Form Serialization. With the method GET the parameters MUST be sent using the Query String Serialization. 
For more details see",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Incorrect handling,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-prompt-consent_login-new-request,Authentication request with prompt parameter set to consent login,Authentication response to a request with prompt parameter set to consent login,Authentication request with prompt parameter set to consent login,"Compliant if the OP shows a login page to the client, not compliant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP correctly handle the prompt parameter set to 'consent login' in the case of a new request,"In the case of the prompt parameter set to 'consent login' in an authentication request, the OP should send an authentication request to the user in any case. In order to verify this behavior, a fresh authentication request is accomplished and the action of the OP verified.",OP,,,In case of a prompt parameter set to consent login in an authentication request: The OP forces an authentication request to the user. 
Then it asks permission to transfer the claims.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Incorrect handling,,,,,,,JWT Response (correct check-yes) but must build custom control of output (login page),FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Authentication response-redirect-state,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri and contains the state parameter in the query parameters, not compliant otherwise",HTTP parameter presence_1,Correct Input,Authentication response,Does the OP contain correct state parameter on redirect in a successful authentication,"In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",OP,,Authentication response | head | Location | state,If the authentication is successful the OpenID Provider (OP) redirects the user by adding state parameter required as query parameters to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-redirect-state-value,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri and the value of the state parameter in the query parameters corresponds to the state parameter sent in the request, not compliant otherwise",/ manual: wrong value,Correct Input,Authentication response,Does the OP contain correct state parameter on redirect in a successful authentication,"In 
order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter. This parameter must have the same value of the 'state' parameter sent in the payload of the request parameter in the Authentication request",OP,Authentication request | url | request | payload | state,Authentication response | url | state | state,If the authentication is successful the OpenID Provider (OP) redirects the user by adding state parameter required as query parameters to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Mismatch of content,Is the state parameter present in the authorization response (StatePresent),OAuth state request value returned in response,,"P2_d, P2_b","Verifica tecnica della response del Authentication Endpoint","2.4.2, 2.4.3",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -o,OP-Token response-pragma-value,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has Pragma set to 'no-cache', not Compliant otherwise",/ external,Correct Input,Token response,Does the token response have Pragma set to 'no-cache',This test verifies the presence of Pragma set to 'no-cache' in the token response.,OP,,,The error Token response must have Pragma set to 'no-cache',External,OIDC Core,Active,,,,,,,,,,TRUE,x,,,,,,,Manca parametro Pragma,, x,OP-Authentication response-redirect-uri,Client redirection,Authentication response,Trigger Authentication response,"Compliant if the OP redirects the client to the redirect_uri, not compliant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP correctly redirects the client,"In order to check if the OP correctly handles a successful 
authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri.",OP,Authentication request | url | request | payload | redirect_uri,Authentication response | url | redirect_uri,If the authentication is successful the OpenID Provider (OP) redirects the user to the redirect_uri,SPID_CIE_OIDC#Authorization-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Passive,M,Incorrect handling,Is at least one grant type supported (HasSupportedFlows),Can make request with code response_type,,P2_a,"Verifica tecnica della response del Authentication Endpoint",,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-error-value,Authentication Error response,Authentication response,Trigger Authentication response,"Compliant if the Authentication Response has the error parameter and it is set to a value among 'invalid_request', 'unauthorized_client', 'access_denied', 'invalid_scope', 'server_error', 'temporarily_unavailable', 'unsupported_response_type', 'login_required', 'consent_required', 'request_uri_not_supported', 'registration_not_supported', or 'invalid_request_object'. Not Compliant otherwise",/ manual: wrong parameter,Correct Input,Authentication response,Does the Authentication error response contain a correct error parameter,"The Authentication error response is analyzed and error parameter in it is checked. 
It must have a value among 'invalid_request', 'unauthorized_client', 'access_denied', 'invalid_scope', 'server_error', 'temporarily_unavailable', 'unsupported_response_type', 'login_required', 'consent_required', 'request_uri_not_supported', 'registration_not_supported', or 'invalid_request_object'",OP,,"Authentication response | body | error | [""invalid_request"", ""unauthorized_client"", ""access_denied"", ""invalid_scope"", ""server_error"", ""temporarily_unavailable"", ""unsupported_response_type"", ""login_required"", ""consent_required"", ""request_uri_not_supported"", ""registration_not_supported"", ""invalid_request_object""]","In case of errors, the response must contain the error and error_description parameters",SPID_CIE_OIDC#Authentication-Error-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#gestione-degli-errori,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-JWT-require-pkce,Authentication Response to a Request without the code_challenge and code_challenge_method parameter in the request,Authentication Response to a Request without the code_challenge and code_challenge_method parameter in the request,Authentication Request without the code_challenge and code_challenge_method parameter in the request,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP require PKCE,"An authentication request with empty code_challenge and code_challenge_method parameter is sent and the response analyzed. If the OP accepts the request, than plain PKCE is accepted and a protection against attacks like CSRF and authorization code injection attacks is missing",OP,,,The JWT payload must contain the code_challenge parameter. 
The JWT payload must contain the code_challenge_method parameter and its value must be in the code_challenge_methods_supported parameter of the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.","Does the server require PKCE (IsPkceRequired), Does the server support plain PKCE (PlainPkce)",,"authentication request, no correct code_challenge_method",,,,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-post-form_serialization,Authentication Response to a Request done with the HTTP POST method and the Form serialization method,Authentication Response to a Request done with the HTTP POST method and the Form serialization method,Authentication Request done with the HTTP POST method and the Form serialization method,"Client redirect to the redirect uri with correct query parameters (scope, code_challenge, code_challenge_method and request) inserted in the URL",/ manual: check POST,Correct Input,Authentication response,Does the OP accept POST requests and the Form serialization method,"An authentication request is sent with the POST method and the parameters (scope, code_challenge, code_challenge_method and request) are inserted in the body of the request, using the application/x-www-form-urlencoded format",OP,,Authentication response | head | scope | code_challenge | code_challenge_method | request | request,"For conveying the request, the RP MAY use the methods POST and GET. With the method POST the parameters MUST be sent using the Form Serialization. With the method GET the parameters MUST be sent using the Query String Serialization. 
For more details see",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,Incorrect handling,,,,,,,,FALSE,x,,no,"[""s1_login""]",E,Problema implementazione,F,F,failed,"The OP accept the POST, but it returns a 403 error when the user prompt its credentials" -x,OP-Authentication response-wrong-acr_level-credentials,Authentication response,Authentication response,"Authentication request with prompt set to ""consent login""","Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP refuse credentials not allowed for that acr level,"In this test an authentication request with prompt sent to 'consent login' is accomplished and, when the user credentials are requested, credentials not authorized for that acr level are inserted. The response is then analyzed",OP,Authentication request | url | request | payload | prompt | consent login | X_key_RP,Authentication response | head | 302 | Authentication response | head | invalid_request,"If the prompt parameter is set to consent login, the OP forces an authentication request to the user. 
Then it asks permission to transfer the claims.",SPID_CIE_OIDC#Authentication-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,,,,no,"[""s1""]",E,Problema implementazione,N_A,N_A,not_applicable,Non disponibili credenziali che non hanno accesso a un livello diverso -x,RP-Authentication response-Entity_Statement-wrong-jwks,OP's Entity Configuration and TA's Entity Statement for the OP with a public key that differs from the one in the EC of the OP,Authentication response,Entity Statement response regarding the OP and with a wrong jwks parameter and Authentication request,"Compliant if the authentication response does not contain the code parameter, not compliant otherwise",/ manual: check signature,Wrong Input,Authentication response,Does the RP request the OP's Entity Statement to validate the OP's Entity Configuration,"In order to check if the RP verifies the OP's Entity Configuration with the keys sent in the ES, once the RP asks for the Entity Statement, the TA's Entity Statement in response could have a (wrong) public key that is different from the one that can be found in the OP's EC (ES keys should be wrong). 
After this, an authentication request with that OP is made and, if the response contains the code parameter, the RP is either using the public keys present in the Entity Configuration (not reliable) or not checking the signature at all.",RP,,,"For each EC of the OPs, the RP validates the signature by using the public key obtained in the Entity Statement released by the Trust Anchor.",SPID_CIE_OIDC#Metadata-Retrieval-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#relying-party,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"The test fails if a correct flow is accomplished by the RP. It is similar to JWT response (correct check-no) but since we are checking the RP's flow, we do not except an HTTP Error code",FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,OP-Authentication response-prompt-consent_login-SSO,Authentication request with prompt parameter set to consent login,Authentication response to a request with prompt parameter set to consent login and SSO session active,Authentication request with prompt parameter set to consent login and SSO session active,"Compliant if the OP shows a login page to the client, not compliant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP correctly handles the prompt parameter set to 'consent login' in the case of SSO,"In the case of the prompt parameter set to 'consent login' in an authentication request, the OP should send an authentication request to the user in any case. In order to verify this behavior, an authentication request while a SSO session is active is accomplished and the action of the OP verified. It should show a login page and ask for the credentials.",OP,,,In case of a prompt parameter set to consent login in an authentication request: The OP forces an authentication request to the user. 
Then it asks permission to transfer the claims.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,Incorrect handling,,,,,,,,FALSE,x,,no,"[""s1-SSO""]",E,,P,P,passed, -x,OP-Authentication response-prompt-consent-new-request,Authentication request with prompt parameter set to consent,Authentication response to a request with prompt parameter set to consent,Authentication request with prompt parameter set to consent,"Compliant if the OP shows a login page to the client, not compliant otherwise",/ manual: check flow,Correct Input,Authentication response,Does the OP correctly handle the prompt parameter set to 'consent' in the case of a new request,"In the case of the prompt parameter set to 'consent' in an authentication request, the OP should send an authentication request to the user in any case. In order to verify this behavior, an authentication request while a SSO session is active is accomplished and the action of the OP verified. It should show a login page and ask for the credentials.",OP,,,"In case of a prompt parameter set to consent in an authentication request, if a Single Sign On session is not yet active, the OP makes an Authentication Request to the user. 
Then it asks permission to transfer the claims.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,Incorrect handling,,,,,,,JWT Response (correct check-yes) but must build custom control of output (login page),FALSE,x,,yes,"[""s1-SSO""]",E,,P,P,passed, +x,OP-Authentication response-require-trust-marks,OP's Authentication response,Authentication response,Entity Configuration response with trust marks not trusted,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse an RP without trusted Trust Marks,"In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed",OP,Entity Configuration response RP | body | [^\r\n]* | payload | trust_marks | | X_key_RP,Authentication response | head | 302 | head | invalid_request,"If the RP configuration does not expose any Trust Mark that is recognizable by the RP profile, the Provider MUST refuse the authorization with an error message",SPID_CIE_OIDC#Metadata-Retrieval-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#openid-provider,OIDC Federation,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Ritorna 302 without invalid_request - NON INTERROMPE o,OP-Authentication response-scope-different-URL-JWT,Authentication Response to a request without the scope parameter in the URL,Authentication Response to a request without the scope parameter in 
the URL,Authentication Request with the scope parameter in the URL that differs from the one in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT,The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged,OP,Authentication request | url | scope | openid,Authentication error response | head | 302 | head | invalid_request,"The parameter scope MUST be sent both as a parameter in the HTTP request, and inside the request object. The two values MUST be the same.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Auth request, no correct scope",T1_e,"Accesso L2 con protocollo OIDC e scope valorizzato opeind e NONESISTE. 
@@ -117,58 +124,31 @@ Verifica degli attributi dell'User Info, lo scope NONESISTE viene ignorato.",,,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200
-x,AA-Entity Configuration response-metadata-authorization_endpoint,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the authorization_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.authorization_endpoint,The AA Metadata of type 'oauth_authorization_server' MUST contain authorization_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-contacts,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the contacts claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the contacts claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The AA Metadata of type 'federation_entity' MUST contain contacts,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-dpop_signing_alg_values_supported-not_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the dpop_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain dpop_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-dpop_signing_alg_values_supported-presence,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the dpop_signing_alg_values_supported claim is present, not compliant if it is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain dpop_signing_alg_values_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity 
Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.dpop_signing_alg_values_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain dpop_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,H,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-dpop_signing_alg_values_supported-supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the dpop_signing_alg_values_supported claim contains 'one_of': ['RS256', 'RS512'], not compliant if it is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the AA metadata contain correct dpop_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain dpop_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-federation_resolve_endpoint,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the federation_resolve_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata 
contain the federation_resolve_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The AA Metadata of type 'federation_entity' MUST contain federation_resolve_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the federation_trust_mark_status_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the federation_trust_mark_status_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The AA Metadata of type 'federation_entity' MUST contain federation_trust_mark_status_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-grant_types_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the grant_types_supported claim is present, not compliant otherwise",JWT 
parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the grant_types_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.grant_types_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain grant_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-homepage_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the homepage_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the homepage_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The AA Metadata of type 'federation_entity' MUST contain homepage_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-issuer,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the issuer claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.issuer,The AA Metadata of type 'oauth_authorization_server' MUST contain issuer,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-issuer-type,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer claim in the metadata claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain a correct type of issuer claim,In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL,AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.oauth_authorization_server | {""type"":""object"", ""properties"":{""issuer"":{""type"":""string"", ""format"":""uri"", 
""pattern"":""^https://""}},""required"":[""issuer""]})",The AA Metadata of type 'oauth_authorization_server' MUST contain issuer,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-jwks,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the jwks claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the jwks claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.jwks,The AA Metadata of type 'oauth_authorization_server' MUST contain jwks,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-logo_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the logo_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The AA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#AA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-logo_uri-value,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim in the metadata claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain a correct logo_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL,AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""logo_uri""]})",The AA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-op_policy_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the op_policy_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the op_policy_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.op_policy_uri,The AA Metadata of type 'oauth_authorization_server' MUST contain op_policy_uri,SPID_CIE_OIDC#AA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-op_tos_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the op_tos_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the op_tos_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.op_tos_uri,The AA Metadata of type 'oauth_authorization_server' MUST contain op_tos_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-organization_name,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the organization_name claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the organization_name claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The AA Metadata of type 'federation_entity' MUST contain organization_name,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC 
Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-policy_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the policy_uri claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the policy_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The AA Metadata of type 'federation_entity' MUST contain policy_uri,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-resource,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the resource claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the resource claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | 
payload | metadata.oauth_resource.resource,The AA Metadata of type 'oauth_resource' MUST contain resource,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-response_types_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_types_supported claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the response_types_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.response_types_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain response_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-scopes_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the scopes_supported claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the scopes_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | 
metadata.oauth_authorization_server.scopes_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain scopes_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-token_endpoint,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint,The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-token_endpoint_auth_methods_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_methods_supported claim is present, not compliant otherwise.",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint_auth_methods_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration 
response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_methods_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-token_endpoint_auth_methods_supported-supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_methods_supported claim is present and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise.",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint_auth_methods_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. 
It must contain the key-value pair 'one_of': ['private_key_jwt'],AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of | [""private_key_jwt""]",The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 
token_endpoint_auth_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is 'one_of': ['RS256', 'RS512'], not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",AA,,"Entity Configuration response | body | [^\r\n]* | payload | 
metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-trust_marks,AA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the AA's entity configuration contain the trust_marks parameter,"To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",AA,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-x,AA-Entity Configuration response-trust_marks-type,AA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter present in the payload is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA's entity configuration contain a correct trust_marks parameter,"To accomplish this test, the Entity configuration of the AA is taken, the payload is 
decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",AA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_marks""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable,
-o,ALL-Entity Configuration response-correct-content-type,,Entity Configuration response,Entity Configuration request,"Compliant if the Content-Type of the response is application/entity-statement+jwt, not compliant otherwise",HTTP parameter value_1,Correct Input,Entity Configuration response,Does the entity return a correct Content-Type in the EC response,In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt,ALL,,Entity Configuration response | head | Content-Type | application/entity-statement+jwt,,SPID_CIE_OIDC#Entity-Configuration-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,,,,yes,"[""s1""]",E,,P,P,passed,
-o,ALL-Entity Configuration response-correct-http-code,,Entity Configuration response,Entity Configuration request,"Compliant if the response is an HTTP 200 OK, not compliant otherwise",HTTP Status,Correct Input,Entity Configuration response,Does the entity return a correct HTTP code in the EC response,In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response,ALL,,Entity Configuration response | head | 200,,SPID_CIE_OIDC#Entity-Configuration-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html,OIDC Federation,Passive,L,Wrong handling of status code,,,,,,,,,,,yes,"[""s1""]",E,,P,P,passed,
-x,ALL-Entity Configuration response-exp,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the exp parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC 
Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-exp-type,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the exp parameter is timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does entity configuration contain a correct exp parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",ALL,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}",The exp parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-exposed,/.well-known/openid-federation endpoint response,Entity Configuration Response,Trigger Entity Configuration response,"Compliant if the response is an HTTP 200 OK response, not compliant otherwise",HTTP Status,Correct Input,Entity Configuration response,Does the Entity expose the /.well-known/openid-federation endpoint,"In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",ALL,,Entity Configuration response | head | 200,All the Entities MUST contain the /.well-known/openid-federation endpoint. 
It gives the Entity Configuration,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Wrong handling of status code,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-iat,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the iat parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-iat-type,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the iat parameter is timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does entity configuration contain a correct iat parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",ALL,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The iat parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-iss,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the iss parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-issue,Entity Configuration Response,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response is the Entity Configuration of the entity, not compliant otherwise",HTTP parameter type,Correct Input,Entity Configuration response,Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint,"The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",ALL,,Entity Configuration response | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"An Entity Configuration (EC) is a Federation Metadata in Jose format, signed by its issuing subject and regarding itself, published at the web endpoint .well-known/openid-federation.",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,L,Type mismatch,,,,,,"1.1.1, 1.1.2",,TRUE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-jwks,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the jwks parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-metadata,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the metadata parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the metadata parameter,"To accomplish this test, the Entity configuration of the interested entity 
is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | metadata,The metadata parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-metadata-type,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if 'metadata' parameter is a JSON Object, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain a JSON Object,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. 
This must be a JSON object.",ALL,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""metadata"": {""type"": ""object""}}, ""required"": [""metadata""]}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,ALL-Entity Configuration response-sub,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does entity configuration contain the sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",ALL,,Entity Configuration response | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration 
response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",OP,,"Entity Configuration response OP | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response-trust_marks-signature,Entity Configuration response containing a trust mark with wrong signature,Entity Configuration response,Entity Configuration response containing a trust mark with wrong signature,"Compliant if the OP responds with an HTTP 302 error and because of unauthorized_client, not compliant otherwise",/ manual: check signature,Wrong Input,Entity Configuration 
response,Does the OP validate the signature of the RP Trust Marks,"In order to verify if the OP validates the trust chain, the signature of the trust marks in the RP's Entity Configuration must be wrong. If the OP validates the request anyway, than it is not checking the Trust Mark signature and it is not compliant with the specifications",OP,,,The OP obtains the Entity Configuration of the RP and validates the signatures of Trust Mark that are recognized inside the Federation,SPID_CIE_OIDC#Metadata-Retrieval-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#openid-provider,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,Signature JWT Response (correct check-no) but the JWT is nested,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 -x,OP-Entity Configuration response-metadata-issuer,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the issuer parameter,In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.issuer,"The OP metadata of type 'openid_provider' must contain the parameter 'issuer' and it must contain an HTTPS URL that uniquely identifies the OP, without query of fragment components.",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,config has issuer,,,,"1.3.0, 1.3.1, 1.3.2","The fact of not having fragments or query components is written in the link 
(https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) in the description of the claim. Maybe it could be made more clear. external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Authentication response-url-missing-request,Authentication Response to a request without the request parameter,Authentication Response to a request without the request parameter,Authentication Request without the request parameter in the URL,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the request parameter,"The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed",OP,Authentication request | url | request | ,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the request parameter and its value must a JWT,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 +x,OP-Authentication response-URL-missing-scope,Authentication Response to a request without the scope parameter in the URL,Authentication Response to a request without the scope parameter in the URL,Authentication Request without the scope parameter in the URL,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests without the scope parameter in the URL,An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request),OP,Authentication request | url | scope | ,Authentication error response | head | 302 | head | invalid_request,"The parameter scope MUST be sent both as a parameter in the HTTP request, and inside the request object. 
The two values MUST be the same.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,Scope openid present in all requests,"Auth request, no scope",T1_f,,,,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 +x,OP-Authentication response-url-wrong-request,Authentication Response to a request with the request parameter that is not a JWT,Authentication Response to a request with the request parameter that is not a JWT,Authentication Request with a request parameter in the URL that is not a JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with the request parameter that is not a JWT,"The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed",OP,Authentication request | url | request | example,Authentication error response | head | 302 | head | invalid_request,The JWT payload must contain the request parameter and its value must a JWT,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 500 +x,OP-Authentication response-wrong-acr_level-credentials,Authentication response,Authentication response,"Authentication request with prompt set to ""consent login""","Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP refuse credentials not allowed for that acr level,"In this test an authentication request with prompt sent to 'consent login' is accomplished and, when the user credentials are requested, credentials not authorized for that acr level are inserted. The response is then analyzed",OP,Authentication request | url | request | payload | prompt | consent login | X_key_RP,Authentication response | head | 302 | Authentication response | head | invalid_request,"If the prompt parameter is set to consent login, the OP forces an authentication request to the user. 
Then it asks permission to transfer the claims.",SPID_CIE_OIDC#Authentication-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#response,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,,,,no,"[""s1""]",E,Problema implementazione,N_A,N_A,not_applicable,Non disponibili credenziali che non hanno accesso a un livello diverso +o,OP-Authentication response-wrong-authority_hints,Authentication response,Authentication response,Entity Configuration response with wrong authority hints,"Compliant if the Authentication response is an HTTP 302 error and because of invalid_client, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP correctly validate the trust chain of an RP authentication request,"When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. 
If the OP validates the request anyway, it is not compliant with the specification",OP,Entity Configuration response RP | body | [^\r\n]* | payload | authority_hints | https://www.wrongsite.com/ | X_key_RP,Authentication response | head | 302 | head | invalid_client,"If the Provider successfully validates at least a Trust Mark for the RP profile contained inside the configuration of the requesting RP, it extracts the superior Entities from the claim authority_hints and starts the Federation Entity Discovery process until the Trust Chain calculation and the achievement of the final Metadata.",SPID_CIE_OIDC#Metadata-Retrieval-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#openid-provider,OIDC Federation,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 302 invalid_request +x,OP-Authentication response-wrong-client_id,Authentication Request's request parameter,Authentication Request's request parameter,Authentication Request with a wrong client_id parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request,"This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. 
The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.",OP,Authentication request | url | request | payload | client_id | https://www.example.com/ | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT content of the request parameter in the Authentication Request must contain the 'client_id' parameter. It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,T1_h,,,Not clear what the the client_id in the request must match and if it has to match something,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +o,OP-Authentication response-wrong-iss,Authentication Response to a request with wrong iss parameter,Authentication Response to a request with wrong iss parameter,Authentication Request with a wrong iss parameter in the JWT,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Requests with a wrong iss parameter,"The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. 
In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed",OP,Authentication request | url | request | payload | iss | https://www.example.com/ | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The JWT content of the request parameter in the Authentication Request must contain the 'iss' parameter and it must be the client_id of the RP creating the request,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Authentication response-wrong-redirect-uri,Authentication Request's request parameter,Authentication Request's request parameter,Authentication Request with a wrong redirect_uri parameter in the JWT in the request parameter,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Request with a wrong redirect URI,"Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. 
To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ",OP,Authentication request | url | request | payload | redirect_uri | https://www.example.com/ | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The redirect_uri parameter in the Authentication Request must match one of the URLs given in the RP Metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.","Does the authorization server automatically redirect the user-agent to the invalid redirection URI (InvalidRedirect), Does the authorization server exactly match the full redirect uri (RedirectUriFullyMatched)","Reject redirect_uri not matching a registered redirect_uri, Reject redirect_uri when query parameter added, Reject redirect_uri when query parameter does not match",,,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Authentication response-wrong-signature,Authentication Response to a request with the request parameter with a wrong signature,Authentication Response to a request with the request parameter with a wrong signature,Authentication Request with the request parameter with a wrong signature in the URL,"Compliant if the Authentication response is an HTTP 302 because of unauthorized_client, not compliant otherwise",Signature JWT Response,Wrong Input,Authentication response,Does the OP refuse wrongly signed Authentication Requests,"This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. 
In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",OP,Authentication request | url | request | X_wrong_key,Authentication error response | head | 302 | head | unauthorized_client,"The Authorization request is initiated by the user that selects the OP for the authentication. The RP redirects the user to the Authorization Endpoint of the selected OP, including in the request the parameter request that is a signed JWT containing the Authorization Request.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,Is the JWT signature checked (IsSignatureChecked),,,T1_G,,,,TRUE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 302 invalid_request +x,OP-Authentication response-wrong-user-credentials,Authentication response,Authentication response,"Authentication request with prompt set to ""consent login""","Compliant if the Authentication response is an HTTP 302 because access_denied, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP refuse wrong credentials,"In this test an authentication request with prompt set to 'consent login' is accomplished and, when the user credentials are requested, wrong ones are inserted. 
The response is then analyzed",OP,,,Lโ€™OP ha negato lโ€™accesso a causa di credenziali non valide o non adeguate al livello SPID richiesto,SPID_CIE_OIDC#Authentication-Endpoint; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#codici-di-errore,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,,,,yes,"[""s_CIE_wrong_credentials""]",E,Problema implementazione,F,F,failed,Ritorna 200 +x,OP-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",OP,,Entity Configuration response | body | [^\r\n]* | X_key_ALL,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration OP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",OP,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_OP,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-authority_hints,OP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authority_hints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the OP's entity configuration contain the authority_hints parameter,"To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",OP,,Entity Configuration response | body | [^\r\n]* | payload | authority_hints,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-authority_hints-type,OP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authority_hints parameter is present and is an array of URLs, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the OP's entity configuration contain a correct authority_hints parameter,"To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the 
authority_hints parameter is checked, it must be an array",OP,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""authority_hints"": {""type"": ""array""}}, ""required"": [""authority_hints""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-jwks,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'jwks' parameter in the OP metadata ('openid_provider' type) is present,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the jwks claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.jwks,The OP metadata of type 'openid_provider' must contain the parameter 'jwks' or the parameter 'signed_jwks_uri',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.8, 1.3.9","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,OP-Entity Configuration response-signed_jwks_uri,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'signed_jwks_uri' parameter in the OP metadata ('openid_provider' type) is present,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.signed_jwks_uri,The OP metadata of type 'openid_provider' must contain the parameter 'jwks' or the parameter 'signed_jwks_uri',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-acr_values_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the acr_values_supported ('openid_provider' type) parameter in the OP metadata is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.acr_values_supported,"The OP metadata of type 'openid_provider' must contain the parameter 'acr_values_supported' and it must be set to [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, 
https://www.spid.gov.it/SpidL3]",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.12, 1.3.13","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-acr_values_supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the acr_values_supported ('openid_provider' type) parameter in the OP metadata is [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.acr_values_supported[0] | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3""]","The OP metadata of type 'openid_provider' must contain the parameter 'acr_values_supported' and it must be set to [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",SPID_CIE_OIDC#OP-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.12, 1.3.13","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-authorization_endpoint,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_endpoint parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the authorization_endpoint parameter,In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.authorization_endpoint,The OP metadata of type 'openid_provider' must contain the parameter 'authorization_endpoint',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,Config has authorization_endpoint,,,,1.3.3,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
+x,OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_response_iss_parameter_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the authorization_response_iss_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.authorization_response_iss_parameter_supported,The OP Metadata of type 'openid_provider' MUST contain authorization_response_iss_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,Missing authorization_response_iss_parameter_supported 
+x,OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_response_iss_parameter_supported claim has value true, not compliant if it is empty or is missing",JWT parameter values,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are 
taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.authorization_response_iss_parameter_supported.value | true,The OP Metadata of type 'openid_provider' MUST contain authorization_response_iss_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,Missing authorization_response_iss_parameter_supported 
+x,OP-Entity Configuration response-metadata-claims_parameter_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the claims_parameter_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the claims_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_parameter_supported,The OP Metadata of type 'openid_provider' MUST contain claims_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, 
+x,OP-Entity Configuration response-metadata-claims_parameter_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the claims_parameter_supported claim has value true, not compliant if it is empty or is missing",JWT parameter values,Correct Input,Entity Configuration response,Does the OP 
metadata contain the correct value of claims_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_parameter_supported.value | true,The OP Metadata of type 'openid_provider' MUST contain claims_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,claim:true instead of claims: [value: true] 
+x,OP-Entity Configuration response-metadata-claims_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the claims_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the claims_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_supported,The OP Metadata of type 'openid_provider' MUST contain claims_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, 
+x,OP-Entity Configuration response-metadata-client_registration_types_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the client_registration_types_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration 
response,Does the OP metadata contain the client_registration_types_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.client_registration_types_supported,The OP Metadata of type 'openid_provider' MUST contain client_registration_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, 
+x,OP-Entity Configuration response-metadata-client_registration_types_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the client_registration_types_supported claim has value true, not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of client_registration_types_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.client_registration_types_supported[0] | [""automatic""]",The OP Metadata of type 'openid_provider' MUST contain client_registration_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed,
 x,OP-Entity Configuration response-metadata-code_challenge_methods_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'code_challenge_methods_supported' parameter in the 
OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.code_challenge_methods_supported,The OP metadata of type 'openid_provider' must contain the parameter 'code_challenge_methods_supported' and it must be set to 'S256',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-code_challenge_methods_supported-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'code_challenge_methods_supported' parameter in the OP metadata ('openid_provider' type) is 'S256', not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256',OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.code_challenge_methods_supported[0] | [""S256""]",The OP metadata of type 'openid_provider' must contain the parameter 'code_challenge_methods_supported' and it must be set to 'S256',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of 
content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-contacts,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the contacts claim in the OP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the contacts claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The OP Metadata of type 'federation_entity' MUST contain contacts,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,"Manca parametro federation_entity, ma รจ presente in openid_provider.contacts" 
@@ -185,34 +165,23 @@ x,OP-Entity Configuration response-metadata-id_token_signing_alg_values_supporte
 x,OP-Entity Configuration response-metadata-id_token_signing_alg_values_supported-not_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) does not contain ['none', 'HS256', 'HS384', 'HS512']. Not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.id_token_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'id_token_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,Config has id_token_signing_alg_values_supported,,,,"1.3.16, 1.5.0","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-id_token_signing_alg_values_supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is ['RS256', 'RS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.id_token_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'id_token_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,Config has id_token_signing_alg_values_supported,,,,"1.3.16, 1.5.0","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-introspection_endpoint,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the introspection_endpoint parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the introspection_endpoint parameter,In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.introspection_endpoint,The OP metadata of type 'openid_provider' must contain the parameter 'introspection_endpoint',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,1.3.6,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
+x,OP-Entity Configuration response-metadata-issuer,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the issuer parameter,In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.issuer,"The OP metadata of type 'openid_provider' must contain the parameter 'issuer' and it must contain an HTTPS URL that uniquely identifies the OP, without query of fragment components.",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,config has issuer,,,,"1.3.0, 1.3.1, 1.3.2","The fact of not having fragments or query components is written in the link (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) in the description of the claim. Maybe it could be made more clear. external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-issuer-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer parameter in the OP metadata ('openid_provider' type) identifies the OP, not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain a correct issuer parameter,In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP,OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.issuer | [""X_url_OP""]","The OP metadata of type 'openid_provider' must contain the parameter 'issuer' and it must contain an HTTPS URL that uniquely identifies the OP, without query of fragment components.",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,config has issuer,,,,"1.3.0, 1.3.1, 1.3.2","The fact of not having fragments or query components is written in the link (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) in the description of the claim. Maybe it could be made more clear. external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-issuer-type,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the issuer parameter in the OP metadata ('openid_provider' type) is an URL with no query or fragment component, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the OP metadata contain correct type issuer parameter,In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component,OP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_provider | {""type"":""object"", ""properties"":{""issuer"":{""type"":""string"", ""format"":""uri""}},""required"":[""issuer""]}","The OP metadata of type 'openid_provider' must contain the parameter 'issuer' and it must contain an HTTPS URL that uniquely identifies the OP, without query of fragment components.",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,L,Type mismatch,,config has issuer,,,,"1.3.0, 1.3.1, 1.3.2","The fact of not having fragments or query components is written in the link (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) in the description of the claim. Maybe it could be made more clear. external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-metadata-logo_uri,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claimin the OP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the logo_uri claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The OP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,"Manca parametro federation_entity, ma รจ presente in openid_provider.logo_uri"
 x,OP-Entity Configuration response-metadata-logo_uri-type,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri parameter in the OP metadata ('openid_provider' type) is an URL, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the OP metadata contain correct type logo_uri claim,In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL,OP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"": ""^(https?://).*\\.svg$""}},""required"":[""logo_uri""]}",The OP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#OP-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,"[MODIFICATO] Prima F: Manca parametro federation entity, ma si trova in openid_provider.logo_uri" x,OP-Entity Configuration response-metadata-organization_name,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the organization_name claim in the OP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the organization_name claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The OP Metadata of type 'federation_entity' MUST contain organization_name,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,,F,P,passed,"Manca parametro federation_entity, ma รจ presente in openid_provider.organization_name" x,OP-Entity Configuration response-metadata-policy_uri,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the policy_uri claim in the OP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the policy_uri claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The OP Metadata of type 'federation_entity' MUST contain policy_uri,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,Manca parametro federation_entity e policy_uri -x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported,The OP metadata of type 'openid_provider' must 
contain the parameter 'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported-not_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter does not contain ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter is ['RS256', 'RS512'], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP metadata of type 'openid_provider' must contain the parameter 
'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'token_endpoint_auth_methods_supported' parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_methods_supported,The OP metadata of type 'openid_provider' must contain the parameter 'token_endpoint_auth_methods_supported',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'token_endpoint_auth_methods_supported' parameter in the OP metadata ('openid_provider' type) is ""private_key_jwt"", not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_methods_supported[0] | [""private_key_jwt""]","The OP metadata of type 'openid_provider' must contain the parameter 'token_endpoint_auth_methods_supported' with value ""private_key_jwt""",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported,The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is 'one_of': ['RS256', 'RS512'], not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-request_authentication_methods_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_methods_supported claim is 
present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_authentication_methods_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_authentication_methods_supported,The OP Metadata of type 'openid_provider' MUST contain request_authentication_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-request_authentication_methods_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_methods_supported claim has value true, not compliant if it is empty or is missing",JWT parameter type,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of request_authentication_methods_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_provider.request_authentication_methods_supported | {""type"": ""object"",""additionalProperties"": {""type"": ""array"",""items"": {""type"": ""string"",""const"": ""request_object""}}}",The OP Metadata of type 'openid_provider' MUST contain request_authentication_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, x,OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_signing_alg_values_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_authentication_signing_alg_values_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_authentication_signing_alg_values_supported,The OP Metadata of type 'openid_provider' MUST contain request_authentication_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,request_authentication_signing_alg_values_supported NOT PRESENT x,OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-not_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_authentication_signing_alg_values_supported[0] | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP Metadata of type 'openid_provider' MUST contain request_authentication_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,request_authentication_signing_alg_values_supported NOT PRESENT x,OP-Entity Configuration response-metadata-request_authentication_signing_alg_values_supported-supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_signing_alg_values_supported claim is 'one_of': ['RS256', 'RS512'], not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_authentication_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP Metadata of type 'openid_provider' MUST contain request_authentication_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,request_authentication_signing_alg_values_supported NOT PRESENT -x,OP-Entity Configuration response-metadata-claims_supported,OP metadata,Entity 
Configuration response,Trigger Entity Configuration response,"Compliant if the claims_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the claims_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_supported,The OP Metadata of type 'openid_provider' MUST contain claims_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-claims_parameter_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the claims_parameter_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the claims_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_parameter_supported,The OP Metadata of type 'openid_provider' MUST contain claims_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-claims_parameter_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 
claims_parameter_supported claim has value true, not compliant if it is empty or is missing",JWT parameter values,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of claims_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.claims_parameter_supported.value | true,The OP Metadata of type 'openid_provider' MUST contain claims_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,claim:true instead of claims: [value: true] +x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported,The OP metadata of type 'openid_provider' must contain the parameter 'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported-not_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter does not contain ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Entity Configuration response-metadata-request_object_signing_alg_values_supported-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'request_object_signing_alg_values_supported' parameter is ['RS256', 'RS512'], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_object_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP metadata of type 'openid_provider' must contain the parameter 
'request_object_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-request_parameter_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_parameter_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_parameter_supported,The OP Metadata of type 'openid_provider' MUST contain request_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, x,OP-Entity Configuration response-metadata-request_parameter_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_parameter_supported claim has value true, not compliant if it is empty or is missing",JWT parameter 
values,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of request_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.request_parameter_supported.value | true,The OP Metadata of type 'openid_provider' MUST contain request_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,claim:true instead of claims: [value: true] -x,OP-Entity Configuration response-metadata-authorization_response_iss_parameter_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_response_iss_parameter_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the authorization_response_iss_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.authorization_response_iss_parameter_supported,The OP Metadata of type 'openid_provider' MUST contain authorization_response_iss_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,Missing authorization_response_iss_parameter_supported -x,OP-Entity Configuration 
response-metadata-authorization_response_iss_parameter_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_response_iss_parameter_supported claim has value true, not compliant if it is empty or is missing",JWT parameter values,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.authorization_response_iss_parameter_supported.value | true,The OP Metadata of type 'openid_provider' MUST contain authorization_response_iss_parameter_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,Missing authorization_response_iss_parameter_supported -x,OP-Entity Configuration response-metadata-client_registration_types_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the client_registration_types_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the client_registration_types_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.client_registration_types_supported,The OP Metadata of type 'openid_provider' MUST contain 
client_registration_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-client_registration_types_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the client_registration_types_supported claim has value true, not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of client_registration_types_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.client_registration_types_supported[0] | [""automatic""]",The OP Metadata of type 'openid_provider' MUST contain client_registration_types_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-request_authentication_methods_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_methods_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the request_authentication_methods_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.,OP,,Entity Configuration response | body | 
[^\r\n]* | payload | metadata.openid_provider.request_authentication_methods_supported,The OP Metadata of type 'openid_provider' MUST contain request_authentication_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -x,OP-Entity Configuration response-metadata-request_authentication_methods_supported-value,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the request_authentication_methods_supported claim has value true, not compliant if it is empty or is missing",JWT parameter type,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of request_authentication_methods_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_provider.request_authentication_methods_supported | {""type"": ""object"",""additionalProperties"": {""type"": ""array"",""items"": {""type"": ""string"",""const"": ""request_object""}}}",The OP Metadata of type 'openid_provider' MUST contain request_authentication_methods_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, x,OP-Entity Configuration response-metadata-response_modes_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_modes_supported parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the 
response_modes_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.response_modes_supported,"The OP metadata of type 'openid_provider' must contain the parameter 'response_modes_supported' and it must be set to [form_post, query]",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-response_modes_supported-supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the response_modes_supported parameter in the OP metadata ('openid_provider' type) is [form_post, query], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.response_modes_supported[0] | [""form_post"", ""query""]","The OP metadata of type 'openid_provider' must contain the parameter 'response_modes_supported' and it must be set to [form_post, query]",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-response_types_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration 
response,"Compliant if the response_types_supported parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the response_types_supported claim,In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.response_types_supported,The OP metadata of type 'openid_provider' must contain the parameter 'response_types_supported' and it must be set to 'code',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,Config has response_types_supported,,,,"1.3.10, 1.3.11","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
@@ -225,6 +194,11 @@ x,OP-Entity Configuration response-metadata-scopes_supported-supported-value,OP x,OP-Entity Configuration response-metadata-subject_types_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the subject_types_supported parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.subject_types_supported,The OP metadata of type 'openid_provider' must contain the parameter 'subject_types_supported' and it must be set to 'pairwise',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,Config has subject_types_supported,,,,"1.3.14, 1.3.15","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-subject_types_supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the subject_types_supported parameter in the OP metadata ('openid_provider' type) is 'pairwise', not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise',OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.subject_types_supported[0] | [""pairwise""]",The OP metadata of type 'openid_provider' must contain the parameter 'subject_types_supported' and it must be set to 'pairwise',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,Config has subject_types_supported,,,,"1.3.14, 1.3.15","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-token_endpoint,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the token_endpoint parameter,In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint,The OP metadata of type 'openid_provider' must contain the parameter 'token_endpoint',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,Config has token_endpoint,,,,1.3.4,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'token_endpoint_auth_methods_supported' parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_methods_supported,The OP metadata of type 'openid_provider' must contain the parameter 'token_endpoint_auth_methods_supported',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_methods_supported-value,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'token_endpoint_auth_methods_supported' parameter in the OP metadata ('openid_provider' type) is ""private_key_jwt"", not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_methods_supported[0] | [""private_key_jwt""]","The OP metadata of type 'openid_provider' must contain the parameter 'token_endpoint_auth_methods_supported' with value ""private_key_jwt""",SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.22, 1.5.6","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim,In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported,The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,OP-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported,OP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is 'one_of': ['RS256', 'RS512'], not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim,"In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP Metadata of type 'openid_provider' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, x,OP-Entity Configuration response-metadata-userinfo_encryption_alg_values_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encryption_alg_values_supported' 
parameter in the OP metadata ('openid_provider' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_encryption_alg_values_supported,The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_encryption_alg_values_supported' and it must contain the key encryption algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.20, 1.5.4","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-userinfo_encryption_alg_values_supported-not_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encryption_alg_values_supported' parameter in the OP metadata ('openid_provider' type) does not contain the value ['RSA_1_5'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5'],OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_encryption_alg_values_supported | [""RSA_1_5""]",The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_encryption_alg_values_supported' and it must contain the key encryption algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.20, 1.5.4","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-userinfo_encryption_alg_values_supported-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encryption_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is ['RSA-OAEP', 'RSA-OAEP-256'], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_encryption_alg_values_supported[0] | [""RSA-OAEP"", ""RSA-OAEP-256""]",The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_encryption_alg_values_supported' and it must contain the key encryption algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.20, 1.5.4","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
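Review bot: The three added `token_endpoint_auth_signing_alg_values_supported` rows cite `SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html` under `OIDC Federation`, although their check path is `metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported` in the OP's Entity Configuration; the neighbouring OP rows in this hunk use `SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html` and `OIDC Core`, and the presence row's description still says "in the 'op' entity type" where every other row says 'openid_provider'. The added `token_endpoint_auth_methods_supported-value` row is likewise categorised `Missing parameter` and described as a presence check, while its assertion compares the value against `["private_key_jwt"]`; the other `-value` rows in this hunk use `Mismatch of content`, so that cell should read `Mismatch of content` and the description should say the value of the 'token_endpoint_auth_methods_supported' parameter is checked to be "private_key_jwt". A wrong reference or category makes a failing signing-algorithm or client-authentication check harder to map back to the requirement it enforces, so aligning these cells with the sibling rows is worth doing before the rows are relied on in reports.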
@@ -234,424 +208,25 @@ x,OP-Entity Configuration response-metadata-userinfo_endpoint,OP Metadata,Entity x,OP-Entity Configuration response-metadata-userinfo_signing_alg_values_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'userinfo_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_signing_alg_values_supported,The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.19, 1.5.3","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-userinfo_signing_alg_values_supported-not_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) does not contain ['none', 'HS256', 'HS384', 'HS512']. Not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.19, 1.5.3","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-userinfo_signing_alg_values_supported-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is ['RS256', 'RS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.19, 1.5.3","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
+x,OP-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",OP,,"Entity Configuration response OP | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,OP-Entity Configuration response-signed_jwks_uri,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'signed_jwks_uri' parameter in the OP metadata ('openid_provider' type) is present,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.signed_jwks_uri,The OP metadata of type 'openid_provider' must contain the parameter 'jwks' or the parameter 'signed_jwks_uri',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Entity Configuration response-trust_marks,OP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the OP's entity configuration contain the trust_marks parameter,"To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",OP,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' 
parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro trust_marks 
+x,OP-Entity Configuration response-trust_marks-signature,Entity Configuration response containing a trust mark with wrong signature,Entity Configuration response,Entity Configuration response containing a trust mark with wrong signature,"Compliant if the OP responds with an HTTP 302 error and because of unauthorized_client, not compliant otherwise",/ manual: check signature,Wrong Input,Entity Configuration response,Does the OP validate the signature of the RP Trust Marks,"In order to verify if the OP validates the trust chain, the signature of the trust marks in the RP's Entity Configuration must be wrong. If the OP validates the request anyway, than it is not checking the Trust Mark signature and it is not compliant with the specifications",OP,,,The OP obtains the Entity Configuration of the RP and validates the signatures of Trust Mark that are recognized inside the Federation,SPID_CIE_OIDC#Metadata-Retrieval-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#openid-provider,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,Signature JWT Response (correct check-no) but the JWT is nested,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200
 x,OP-Entity Configuration response-trust_marks-type,OP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present and is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the OP's entity configuration contain a 
correct trust_marks parameter,"To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",OP,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_marks""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro trust_marks 
-x,AA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, 
-x,RP-Entity Configuration response-Entity_Configuration-wrong-signature,Wrongly signed OP's Entity Configuration,Entity Configuration response,Entity Configuration response containing a wrongly-signed Entity Configuration,"Compliant if the Authentication response does not contain the code parameter, not compliant otherwise",/ manual: check signature,Wrong Input,Entity Configuration response,Does the RP check the signature in the OP Entity Configuration,"In order to check if the RP correctly verifies the signature of an OP's Entity Configuration and does not trust arbitrary OP, the latter sends as the Entity Configuration response a wrongly signed Entity Configuration and waits for the 
RP. After this an authentication request is sent and, if the response contains the code, the RP is not checking the authenticity of the EC",RP,,,"For each EC of the OPs, the RP validates the signature by using the public key obtained in the Entity Statement released by the Trust Anchor.",SPID_CIE_OIDC#Metadata-Retrieval-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#relying-party,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] code รจ presente 
-x,RP-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",RP,,"Entity Configuration response RP | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
-x,TA-Entity Configuration response TA-metadata-contacts,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'contacts' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the contacts parameter,In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA metadata must contain the parameter 
contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-client_id,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'client_id' parameter,In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-client_id-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata is an HTTPS URL, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type of 'client_id' parameter,In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]}",The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must 
contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] HTTP non HTTPS 
-x,RP-Entity Configuration response-metadata-client_id-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata uniquely identifies the RP, not Compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does the RP metadata contain correct value of 'client_id' parameter,In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP,RP,,Entity Configuration response | body | [^\n\r]* | payload | metadata.openid_relying_party.client_id | x_https_RP,The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] HTTP non HTTPS 
-x,RP-Entity Configuration response-metadata-client_registration_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'client_registration_types' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'client_registration_types' parameter,In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_registration_types,The RP metadata of type 'openid_relying_party' must contain the parameter client_registration_types and it has to be set to 'automatic'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-client_registration_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'client_registration_types' parameter in the RP metadata is 'automatic'. Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'client_registration_types' parameter,In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_registration_types[0] | [""automatic""]",The RP metadata of type 'openid_relying_party' must contain the parameter client_registration_types and it has to be set to 'automatic'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-contacts,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the contacts claim in the RP metadata ('federation_entity' type) is present, not 
compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the contacts claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The RP Metadata of type 'federation_entity' MUST contain contacts,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,"[PRIMA] Manca parametro federation_entity, ma รจ presente in openid_relying_party.contacts" 
-x,RP-Entity Configuration response-metadata-federation_resolve_endpoint,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the federation_resolve_endpoint claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the federation_resolve_endpoint claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The RP Metadata of type 'federation_entity' MUST contain federation_resolve_endpoint,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e federation_resolve_endpoint 
-x,RP-Entity Configuration response-metadata-grant_types,RP metadata,Entity Configuration response,Trigger Entity Configuration 
response,"Compliant if the 'grant_types' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the grant_types claim,In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.grant_types,The RP metadata of type 'openid_relying_party' must contain the parameter grant_types and it must be a JSON array containing 'authorization_code' and 'refresh_token',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-grant_types-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'grant_types' parameter in the RP metadata is ['authorization_code', 'refresh_token'], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct grant_types claim,In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.grant_types[0] | [""authorization_code"", ""refresh_token""]",The RP metadata of type 'openid_relying_party' must contain the parameter grant_types and it must be a JSON array containing 'authorization_code' and 'refresh_token',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-grant_types-type,RP metadata,Entity 
Configuration response,Trigger Entity Configuration response,"Compliant if the 'grant_types' parameter in the RP metadata is a JSON, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type grant_types claim,In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"":""object"", ""properties"":{""grant_types"":{""type"":""array""}}, ""requirement"":[""grant_type""]}",The RP metadata of type 'openid_relying_party' must contain the parameter grant_types and it must be a JSON array containing 'authorization_code' and 'refresh_token',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-homepage_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the homepage_uri claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the homepage_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The RP Metadata of type 'federation_entity' MUST contain homepage_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" 
parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e homepage_uri 
-x,RP-Entity Configuration response-metadata-id_token_encrypted_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_encrypted_response_alg' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro id_token_encrypted_response_alg 
-x,RP-Entity Configuration response-metadata-id_token_encrypted_response_alg-not_supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_encrypted_response_alg' parameter in the RP metadata does not contain the value ['RSA_1_5']. 
Not Compliant otherwise,JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter,In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].,RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_alg | [""RSA_1_5""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro id_token_encrypted_response_alg 
-x,RP-Entity Configuration response-metadata-id_token_encrypted_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_encrypted_response_alg' parameter in the RP metadata is ['RSA-OAEP', 'RSA-OAEP-256']. 
Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_alg | [""RSA-OAEP"", ""RSA-OAEP-256""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_alg 
-x,RP-Entity Configuration response-metadata-id_token_encrypted_response_enc,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_encrypted_response_enc' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter,In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_enc,The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_enc and it has to contain the content encryption algorithms. 
This parameter is required only if the id_token_encrypted_response_alg is given,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,This parameter is required only if the id_token_encrypted_response_alg is given,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_enc 
-x,RP-Entity Configuration response-metadata-id_token_encrypted_response_enc-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_encrypted_response_enc' parameter in the RP metadata is ['A128CBC-HS256', 'A256CBC-HS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter,"In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_enc | [""A128CBC-HS256"", ""A256CBC-HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_enc and it has to contain the content encryption algorithms. 
This parameter is required only if the id_token_encrypted_response_alg is given,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,This parameter is required only if the id_token_encrypted_response_alg is given,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_enc 
-x,RP-Entity Configuration response-metadata-redirect_uris,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'redirect_uris' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'redirect_uris' parameter,In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.redirect_uris,The RP metadata of type 'openid_relying_party' must contain the parameter redirect_uris,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
-x,RP-Entity Configuration response-metadata-redirect_uris-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'redirect_uris' parameter in the RP metadata ('openid_relying_party' type) contains an HTTPS. 
Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain an HTTPS 'redirect_uris' parameter,In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.,RP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_relying_party | {""type"": ""object"",""properties"": {""redirect_uris"": {""type"": ""array"",""items"": {""type"": ""string"",""format"": ""uri"",""pattern"": ""^https://.*$""}}},""required"": [""redirect_uris""]}",The RP metadata of type 'openid_relying_party' must contain the parameter redirect_uris of type HTTPS,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,F,failed,HTTP non HTTPS 
-x,RP-Entity Configuration response-metadata-grant_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'grant_types' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'grant_types' parameter,In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.grant_types,The RP metadata of type 'openid_relying_party' must contain the parameter grant_types,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
-x,RP-Entity Configuration response-metadata-grant_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'grant_types' parameter in the RP metadata ('openid_relying_party' type) contains authorization_code or refresh_token. Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token,In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.,RP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_relying_party | {""type"": ""object"",""properties"": {""grant_types"": {""type"": ""array"",""items"": {""type"": ""string"",""enum"": [""authorization_code"", ""refresh_token""]}}},""required"": [""grant_types""]}",The RP metadata of type 'openid_relying_party' must contain the correct parameter grant_types,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
-x,RP-Entity Configuration response-metadata-jwks,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'jwks' parameter in the RP metadata 
('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'jwks' parameter,In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.jwks,The RP metadata of type 'openid_relying_party' must contain the parameter jwks,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
-x,RP-Entity Configuration response-metadata-signed_jwks_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'signed_jwks_uri' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'signed_jwks_uri' parameter,In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.signed_jwks_uri,The RP metadata of type 'openid_relying_party' must contain the parameter signed_jwks_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed, 
-x,RP-Entity Configuration response-metadata-id_token_signed_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'id_token_signed_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-id_token_signed_response_alg-not_supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata does not contain ['none', 'HS256', 'HS384', 'HS512']. Not Compliant otherwise",JWT parameter not in JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-id_token_signed_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata is ['RS256', 'RS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg | [""RS256"", ""RS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,RP-Entity Configuration response-metadata-jwks,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'jwks' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant if is absent",JWT parameter JSON presence,Correct Input,Entity Configuration 
response,Does the RP metadata contain the 'jwks' parameter,"In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.jwks,The RP metadata of type 'openid_relying_party' must contain the parameter jwks,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-logo_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the logo_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The RP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e logo_uri -x,RP-Entity Configuration response-metadata-logo_uri-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type logo_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri 
claim in the 'federation_entity' entity type is an URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^(https?://).*\\.svg$""}},""required"":[""logo_uri""]}",The RP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,P,passed,[MODIFICATO] Prima: Manca parametro federation_entity e logo_uri - [PRIMA] HTTP non HTTPS -x,RP-Entity Configuration response-metadata-organization_name,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the organization_name claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the organization_name claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The RP Metadata of type 'federation_entity' MUST contain organization_name,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e organization_name -x,RP-Entity Configuration response-metadata-policy_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the policy_uri claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the policy_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The RP Metadata of type 'federation_entity' MUST contain policy_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e policy_uri -x,RP-Entity Configuration response-metadata-token_endpoint_auth_method,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'token_endpoint_auth_method' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'token_endpoint_auth_method' parameter,In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.token_endpoint_auth_method,The RP metadata of type 'openid_relying_party' must contain the parameter token_endpoint_auth_method and it has to be set to 'private_key_jwt'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-token_endpoint_auth_method-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'token_endpoint_auth_method' parameter in the RP metadata is 'one_of': 'private_key_jwt'. 
Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'token_endpoint_auth_method' parameter,In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.token_endpoint_auth_method | [""private_key_jwt""]",The RP metadata of type 'openid_relying_party' must contain the parameter token_endpoint_auth_method and it has to be set to 'private_key_jwt'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encrypted_response_alg' parameter in the RP metadata ('openid_relying_party' type) is present, Not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_alg-not_supported,RP metadata,Entity Configuration 
response,Trigger Entity Configuration response,Compliant if the 'userinfo_encrypted_response_alg' parameter in the RP metadata does not contain the value ['RSA_1_5']. Not Compliant otherwise,JWT parameter not in JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter,In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].,RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_alg | [""RSA_1_5""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encrypted_response_alg' parameter in the RP metadata is ['RSA-OAEP', 'RSA-OAEP-256']. 
Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_alg | [""RSA-OAEP"", ""RSA-OAEP-256""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_enc,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'userinfo_encrypted_response_enc' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter,In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_enc,The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_enc and it has to contain the content encryption algorithms.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_enc-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encrypted_response_enc' parameter in the RP metadata is ['A128CBC-HS256', 'A256CBC-HS512']. 
Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter,"In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_enc | [""A128CBC-HS256"", ""A256CBC-HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_enc and it has to contain the content encryption algorithms.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'userinfo_signed_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg-not_supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata does not contain the values ['none', 'HS256', 'HS384', 'HS512']. Not Compliant otherwise",JWT parameter not in JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata is ['RS256', 'RS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg | [""RS256"", ""RS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-response_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'response_types' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity 
Configuration response,Does the RP metadata contain the 'response_types' parameter,In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types,The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-response_types-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'response_types' parameter in the RP metadata is a JSON Array. Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain the 'response_types' parameter as a json,In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"": ""object"", ""properties"": {""response_types"": {""type"": ""array""}}, ""required"": [""response_types""]}",The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-response_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'response_types' parameter in the RP metadata contains the value 'code'. 
Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain in the 'response_types' the value 'code',In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types[0] | [""code""]",The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-trust_marks,RP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the RP's entity configuration contain the trust_marks parameter,"To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",RP,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-trust_marks-type,RP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is a JSON array, not compliant otherwise",JWT 
parameter type,Correct Input,Entity Configuration response,Does the RP's entity configuration contain a correct trust_marks parameter,"To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",RP,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""array""}}, ""required"": [""trust_marks""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-federation_fetch_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_fetch_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response 
TA-metadata-federation_list_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_list_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-federation_resolve_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_resolve_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_resolve_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The TA and SA metadata must contain the parameter federation_resolve_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC 
Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-federation_trust_mark_status_endpoint,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_trust_mark_status_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The TA and SA metadata must contain the parameter federation_trust_mark_status_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-homepage_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'homepage_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the homepage_uri parameter,In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The TA and SA metadata must contain the parameter homepage_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-metadata-logo_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the logo_uri parameter,In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro logo_uri -x,TA-Entity Configuration response TA-metadata-logo_uri-type,TA metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response TA,Does the TA metadata contain correct type logo_uri claim,In this test the TA metadata in the TA 
Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,TA,,"Entity Configuration response TA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The TA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,HTTP non HTTPS -x,TA-Entity Configuration response TA-metadata-organization_name,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the organization_name parameter,In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro organization_name -x,TA-Entity Configuration response TA-metadata-policy_uri,TA's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Entity's metadata contain the policy_uri parameter,In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response TA | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro policy_uri -x,SA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata 
parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SA,,"Entity Configuration response SA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-trust_marks,SA's entity configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'trust_marks' parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the entity configuration of the SA contain the trust marks,"The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. 
Among them, the 'trust_marks' parameter must be present.",SA,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,"The RP, OP or SA must include the trust marks in the entity configuration as a result of the onboarding process",SPID_CIE_OIDC#entity-configuration-leaves-and-intermediaries; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-trust_marks-type,SA's entity configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'trust_marks' parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the entity configuration of the SA contain a correct trust_marks parameter,"The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. 
Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",SA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_marks""]}","The RP, OP or SA must include the trust marks in the entity configuration as a result of the onboarding process",SPID_CIE_OIDC#entity-configuration-leaves-and-intermediaries; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,AA-Entity Configuration response AA-signature,Entity's Entity Configuration,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response AA,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",AA,,Entity Configuration response AA | body | [^\r\n]* | X_key_AA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,AA-Entity Configuration response AA-sub-value,Entity's Entity Configuration,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response AA,Does entity configuration AA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",AA,,Entity Configuration response AA | body | [^\r\n]* | payload | sub | X_key_AA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,AA-Entity Configuration response AA-metadata-logo_uri-type,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response AA,Does the AA metadata contain correct type logo_uri claim,In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The AA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,AA-Entity Configuration response AA-metadata-resource-type,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the resource claim contains one or more https URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response AA,Does the AA metadata contain correct type resource claim,In this test the AA 
metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL,AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"": ""object"",""properties"": {""resource"": {""oneOf"": [{""type"": ""string"", ""format"": ""uri"", ""pattern"": ""^https://""},{""type"": ""array"",""items"": {""type"": ""string"", ""format"": ""uri"", ""pattern"": ""^https://""},""minItems"": 1}]}},""required"": [""resource""]}",The AA Metadata of type 'federation_entity' MUST contain resource,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,AA-Entity Configuration response AA-metadata-authorization_endpoint-value,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the authorization_endpoint claim contains ""private"", not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response AA,Does the AA metadata contain correct type authorization_endpoint claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is ""private""",AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"": ""object"",""properties"": {""authorization_endpoint"": {""type"": ""string"",""const"": ""private""}},""required"": [""authorization_endpoint""]}",The AA Metadata of type 'federation_entity' MUST contain authorization_endpoint,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non 
presente,not_applicable, -x,AA-Entity Configuration response AA-metadata-op_policy_uri,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the op_policy_uri claim is in the AA metadata, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response AA,Does the AA metadata contain op_policy_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked,AA,,Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.openid_provider.op_policy_uri,The AA Metadata of type 'openid_provider' MUST contain op_policy_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,AA-Entity Configuration response AA-metadata-op_policy_uri-type,AA metadata,Entity Configuration response AA,Trigger Entity Configuration response AA,"Compliant if the op_policy_uri claim contains an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response AA,Does the AA metadata contain correct type op_policy_uri claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is ""private""",AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata.openid_provider | {""type"": ""object"",""properties"": {""op_policy_uri"": {""type"": ""string"",""format"": ""uri""}},""required"": [""op_policy_uri""]}",The AA Metadata of type 'openid_provider' MUST contain op_policy_uri as URL,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type 
mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,OP-Entity Configuration response OP-signature,Entity's Entity Configuration,Entity Configuration response OP,Trigger Entity Configuration response OP,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response OP,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",OP,,Entity Configuration response OP | body | [^\r\n]* | X_key_OP,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response OP-sub-value,Entity's Entity Configuration,Entity Configuration response OP,Trigger Entity Configuration response OP,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response OP,Does entity configuration OP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub 
parameter is checked. Its value must be equal to the one in the iss parameter",OP,,Entity Configuration response OP | body | [^\r\n]* | payload | sub | X_url_OP,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response RP-signature,Entity's Entity Configuration,Entity Configuration response RP,Trigger Entity Configuration response RP,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response RP,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",RP,,Entity Configuration response RP | body | [^\r\n]* | X_key_RP,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response RP-sub-value,Entity's Entity Configuration,Entity Configuration response RP,Trigger Entity Configuration response RP,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response RP,Does entity configuration RP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",RP,,Entity Configuration response RP | body | [^\r\n]* | payload | sub | X_url_RP,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,SA-Entity Configuration response SA-signature,Entity's Entity Configuration,Entity Configuration response SA,Trigger Entity Configuration response SA,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response SA,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",SA,,Entity Configuration response SA | body | [^\r\n]* | X_key_SA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response SA-sub-value,Entity's Entity Configuration,Entity 
Configuration response SA,Trigger Entity Configuration response SA,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response SA,Does entity configuration SA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",SA,,Entity Configuration response SA | body | [^\r\n]* | payload | sub | X_url_SA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response SA-metadata-logo_uri-type,SA metadata,Entity Configuration response SA,Trigger Entity Configuration response SA,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response SA,Does the TA metadata contain correct type logo_uri claim,In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,SA,,"Entity Configuration response SA | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The SA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type 
mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,TA-Entity Configuration response TA-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response TA,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",TA,,"Entity Configuration response TA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,F,P,passed,[PRIMA] There is only: federation_entity -x,TA-Entity Configuration response TA-constraints,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response TA,Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | constraints,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-constraints-value,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the constraints parameter contains the max_path_length attribute, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response TA,Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length',"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. 
It must contain the attribute max_path_length",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | constraints.max_path_length,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-constraints-type,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the constraints parameter is a JSON object, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response TA,Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. 
It must be a JSON Object",TA,,"Entity Configuration response TA | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""constraints"": {""type"": ""object"", ""properties"": {""max_path_length"": {}}, ""required"": [""max_path_length""]}, ""required"": [""constraints""]}}",TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Configuration response TA-jwks,Federation Configuration (TA's Entity Configuration),Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the TA's Entity Configuration response contains the TA's public keys, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response TA,Does the Federation Configuration contain the TA public keys,"The Federation configuration must contain, among others, the TA public keys. 
To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | jwks,"The Federation configuration contains the Trust Anchor public key for the signature operations, the maximum number of Intermediaries allowed between a Leaf and the Trust Anchor (max_path length) and the authorities who are enabled to issue the Trust Marks (trust_marks_issuers).",SPID_CIE_OIDC#Configuration-of-the-federation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/la_federazione_delle_identita.html#configurazione-della-federazione,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,SA-Entity Configuration response-metadata-contacts,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'contacts' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the contacts parameter,In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA metadata must contain the parameter contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-federation_fetch_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains 
the 'federation_entity' type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_fetch_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-metadata-federation_list_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_list_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration 
response-metadata-federation_resolve_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_resolve_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_resolve_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The TA and SA metadata must contain the parameter federation_resolve_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_trust_mark_status_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The TA and SA metadata must contain the parameter federation_trust_mark_status_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Configuration response-metadata-homepage_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'homepage_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the homepage_uri parameter,In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The TA and SA metadata must contain the parameter homepage_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Configuration response-metadata-logo_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the logo_uri parameter,In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Configuration response-metadata-organization_name,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the organization_name parameter,In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Configuration response-metadata-policy_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the policy_uri parameter,In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,TA-Entity Configuration response TA-signature,Entity's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response TA,Does the entity correctly sign the Entity Configuration,"To accomplish this 
test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",TA,,Entity Configuration response TA | body | [^\r\n]* | X_key_TA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Signature non corretta
-x,TA-Entity Configuration response TA-sub-value,Entity's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response TA,Does entity configuration TA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | sub | X_url_TA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
-x,TA-Entity Configuration response TA-trust_marks_issuers,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the trust_marks_issuers parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response TA,Does TA's Entity configuration contain the trust_marks_issuers parameter,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",TA,,Entity Configuration response TA | body | [^\r\n]* | payload | trust_mark_issuers,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
-x,TA-Entity Configuration response TA-trust_marks_issuers-type,TA's Entity Configuration,Entity Configuration response TA,Trigger Entity Configuration response TA,"Compliant if the trust_mark_issuers parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response TA,Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and 
the trust_mark_issuers parameter must be a JSON Array.",TA,,"Entity Configuration response TA | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_mark_issuers"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_mark_issuers""]}",TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
-x,SA-Entity Listing endpoint response-exposed,Entity Listing endpoint response,Entity Listing endpoint response,Trigger Entity Listing endpoint response,"Compliant if the Response contains a JSON list (array), not compliant otherwise",HTTP parameter type,Correct Input,Entity Listing endpoint response,Does the Entity expose the entity listing endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. 
An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",SA,,"Entity Listing response | body | [^\r\n]*.^\{(\s*""[^""]*""\s*:\s*(?:""[^""]*"",?|\[[^\r\n]*\],?|\{[^\r\n]*\},?)\s*)*\}$",This test simply checks if the entity exposes the /.well-known/openid-federation endpoint and if it,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,TA-Entity Listing endpoint response-exposed,Entity Listing endpoint response,Entity Listing endpoint response,Trigger Entity Listing endpoint response,"Compliant if the response contains a JSON list, not compliant otherwise",HTTP parameter type,Correct Input,Entity Listing endpoint response,Does the Entity expose the entity listing endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. 
A response containing a JSON list with the known Entity Identifiers is expected",TA,,"Entity Listing response | body | \[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$",This test simply checks if the entity exposes the /.well-known/openid-federation endpoint and if it,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Entity Listing response
-x,SA-Entity Statement response SA OP-trust_mark-sa_profile,Trust Mark generated for an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sa_profile claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued intermediary Trust Mark contain the sa_profile claim,"A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sa_profile,"In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-o,SA-Entity Statement response SA OP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT 
parameter type,Correct Input,Entity Statement response SA OP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""sa_profile"": { ""type "": ย ""string "", ""enum "": [ ""full "", ย ""light ""]}}, ""required "": [ ""sa_profile ""]}","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""fiscal_number"": {}, 
""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-trust_mark-id-value,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id is present, has the structure /// and the entity_type and trustmark_profile parts of the URL have values among the allowed ones, not compliant otherwise",/ manual: check content,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain a correct id claim,"The id of the trust mark must have the structure ///. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked. If it is present, than the structure of the id must be as described above. The entity type can be one among 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile can be 'public' or private'",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id | openid_relying_party | openid_provider | intermediate | oauth_resource,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,Da capire come individuare che solo l'entity type sia all'interno dei valori dati,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-,SA-Entity Statement response SA OP-trust_mark-ipa_code-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the ipa_code in the id_code claim of a trust mark is a string, not compliant otherwise",nested 
JWT parameter type,Correct Input,Entity Statement response SA OP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""ipa_code"": { ""type"":""string""}},""required"":[""ipa_code""]}},""required"":[""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-constraints,Entity Statement issued by the SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the constraints parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | constraints,The constraints parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-exp,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the exp parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-exp-type,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp parameter is a timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain a correct exp parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. 
It must be a timestamp",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}",The exp parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-iat,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the iat parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-iat-type,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat parameter is a timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain a correct iat parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. 
It must be a timestamp",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The iat parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-jwks,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the jwks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-metadata_policy,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the metadata_policy parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-release,SA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the SA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response SA OP,Does the SA correctly release the Entity statements,"After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",SA,,Entity Statement response SA OP | body | [^\r\n]*.^([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it. 
An Entity publishes an ES related to a subordinate, at its Fetch Endpoint.",SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-sub,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the sub parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Statement response SA OP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is 
checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the claims claim is present and its value is a list, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim and it is a list",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the email claim is 
present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA OP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the email claim is of type string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the correct type of email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant 
if the exp claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat claim is present in 
the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id claim is present in the trust mark payload, not 
compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the id claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id_code claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-id_code-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct 
Input,Entity Statement response SA OP,Does the Trust Mark contain correcty type of id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-iss,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the iss parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-iss-value,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the client assertion JWT contains the iss claim and it is set to the client ID of the SA sending the Entity Statement, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Entity Statement response SA OP,Does the Entity Statement's JWT payload contain a correct 'iss' claim,"This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",SA,Entity Configuration response SA | body | [^\r\n]* | payload | iss,Entity Statement response SA OP | url | client_assertion | payload | iss | conf_iss,The iss parameter is required in the Entity Statement released by the SA. 
Its value must be the Entity Identifier of the issuer of the statement,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the logo_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-logo_uri-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the logo_uri claim is value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain correct type of logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": 
""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_name claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is 
checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_type claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -o,SA-Entity Statement response SA OP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_type claim contains 'public' or 'private', not compliant otherwise",nested JWT parameter values,Correct Input,Entity 
Statement response SA OP,Does the Trust Mark contain correct value for organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity 
Statement response SA OP,"Compliant if the policy_uri claim is present and its value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the ref claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the 
service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-signature,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the signature of the trust marks in the entity statement is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response SA OP,Does the SA correctly sign the 
Trust marks,"To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_SA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-signature,Entity statement issued by the SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the signature is verified, not compliant otherwise",JWT signature check,Correct Input,Entity Statement response SA OP,Does the SA correctly signs the Entity Statement,"In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",SA,,Entity Statement response SA OP | body | [^\r\n]* | X_key_SA,Entity Statements must be signed,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#firma-di-entity-statement,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-sub,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sub claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sub,The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -o,SA-Entity Statement response SA OP-trust_mark-sub-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sub claim is an URL, not compliant 
otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain a correct sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""sub""]}",The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-tos_uri,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the tos_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain the tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | tos_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA 
OP-trust_mark-tos_uri-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the tos_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the issued oauth_resource Trust Mark contain a correct tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""tos_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""tos_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_marks,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA OP,Does Entity Statements issued by the SA contain the trust_marks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA OP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iss claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA OP-trust_mark-iss-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iss claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA OP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. 
Its value has to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""iss"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""iss""]}",The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA RP-trust_mark-sa_profile,Trust Mark generated for an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sa_profile claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued intermediary Trust Mark contain the sa_profile claim,"A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sa_profile,"In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -o,SA-Entity Statement response SA RP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the 
sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""sa_profile"": { ""type "": ย ""string "", ""enum "": [ ""full "", ย ""light ""]}}, ""required "": [ ""sa_profile ""]}","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", 
""properties"": {""fiscal_number"": {}, ""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-id-value,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id is present, has the structure /// and the entity_type and trustmark_profile parts of the URL have values among the allowed ones, not compliant otherwise",/ manual: check content,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain a correct id claim,"The id of the trust mark must have the structure ///. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked. If it is present, than the structure of the id must be as described above. The entity type can be one among 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile can be 'public' or private'",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id | openid_relying_party | openid_provider | intermediate | oauth_resource,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,Da capire come individuare che solo l'entity type sia all'interno dei valori dati,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-ipa_code-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the ipa_code in the id_code claim of a trust mark is a string, not compliant otherwise",nested 
JWT parameter type,Correct Input,Entity Statement response SA RP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""ipa_code"": { ""type"":""string""}},""required"":[""ipa_code""]}},""required"":[""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-constraints,Entity Statement issued by the SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain the constraints parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | constraints,The constraints parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-exp,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain the exp parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-exp-type,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp parameter is a timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain a correct exp parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. 
It must be a timestamp",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}",The exp parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-iat,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain the iat parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-iat-type,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat parameter is a timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain a correct iat parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. 
It must be a timestamp",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The iat parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-jwks,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain the jwks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-metadata_policy,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain the metadata_policy parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA RP-metadata_policy-jwks,Metadata policy in an Entity Statement issued by the SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the jwks parameter is present in the openid_relying_party type and it contains the RP's JWKS (type json), not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response SA RP,Does the SA's metadata policy for an RP contain the jwks parameter,"In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. 
It must contain the RP JWKS related to the OIDC Core operations",SA,,"Entity Statement response SA RP | body | [^\n\r]* | payload | .metadata_policy.openid_relying_party.jwks | {""type"":""object"", ""properties"": {""value"" :{}}, ""required"": [""value""]}",The jwks claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that an SA establishes for an RP that is its direct descendant,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-release,SA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the SA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response SA RP,Does the SA correctly release the Entity statements,"After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",SA,,Entity Statement response SA RP | body | [^\r\n]*.^([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it. 
An Entity publishes an ES related to a subordinate, at its Fetch Endpoint.",SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-sub,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain the sub parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is 
checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the claims claim is present and its value is a list, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim and it is a list",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the email claim is 
present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the email claim is of type string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA 
RP,"Compliant if the exp claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA RP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat claim is 
present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id claim is 
present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the id claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id_code claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-id_code-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id_code claim is a JSON Object, not compliant 
otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain correcty type of id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-iss,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain the iss parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-iss-value,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the client assertion JWT contains the iss claim and it is set to the client ID of the SA sending the Entity Statement, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Entity Statement response SA RP,Does the Entity Statement's JWT payload contain a correct 'iss' claim,"This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",SA,Entity Configuration response SA | body | [^\r\n]* | payload | iss,Entity Statement response SA RP | url | client_assertion | payload | iss | conf_iss,The iss parameter is required in the Entity Statement released by the SA. 
Its value must be the Entity Identifier of the issuer of the statement,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the logo_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-logo_uri-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the logo_uri claim is value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain correct type of logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": 
""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_name claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA RP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is 
checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_type claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_type claim contains 'public' or 'private', not compliant otherwise",nested JWT parameter values,Correct Input,Entity 
Statement response SA RP,Does the Trust Mark contain correct value for organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement 
response SA RP,"Compliant if the policy_uri claim is present and its value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the ref claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA RP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the 
service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-signature,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the signature of the trust marks in the entity statement is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response SA RP,Does the SA correctly sign the 
Trust marks,"To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_SA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-signature,Entity statement issued by the SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the signature is verified, not compliant otherwise",JWT signature check,Correct Input,Entity Statement response SA RP,Does the SA correctly signs the Entity Statement,"In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",SA,,Entity Statement response SA RP | body | [^\r\n]* | X_key_SA,Entity Statements must be signed,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#firma-di-entity-statement,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-sub,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sub claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sub,The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-sub-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sub claim is an URL, not compliant 
otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain a correct sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""sub""]}",The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_mark-tos_uri,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the tos_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain the tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | tos_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA 
RP-trust_mark-tos_uri-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the tos_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the issued oauth_resource Trust Mark contain a correct tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""tos_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""tos_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -,SA-Entity Statement response SA RP-trust_marks,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response SA RP,Does Entity Statements issued by the SA contain the trust_marks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA RP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iss claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Statement response SA RP-trust_mark-iss-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iss claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response SA RP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. 
Its value has to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""iss"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""iss""]}",The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,TA-Entity Statement response TA OP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""fiscal_number"": {}, ""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. 
The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code -,TA-Entity Statement response TA OP-trust_mark-ipa_code-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim for public organizations,nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations.,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,[ORA] Manca id_code -x,TA-Entity Statement response TA OP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested 
JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | $.id_code.ipa_code,The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code -x,TA-Entity Statement response TA OP-trust_mark-ipa_code-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the ipa_code in the id_code claim of a trust mark is a string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. 
It has to be a string",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""ipa_code"": { ""type"":""string""}},""required"":[""ipa_code""]}},""required"":[""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code -x,TA-Entity Statement response TA OP-constraints,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the constraints parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | constraints,The constraints parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro constraints -x,TA-Entity Statement response TA OP-exp,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the exp parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-iat,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the iat parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-jwks,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the jwks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-metadata_policy,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the metadata_policy parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the acr_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must be a JSON object containing the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.acr_values_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}},""required"":[""subset_of"", ""superset_of""]}",The acr_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-acr_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the acr_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.acr_values_supported.subset_of | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3""]",The acr_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-iss,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statement issued by the TA contain the iss parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the authorization_response_iss_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.authorization_response_iss_parameter_supported,The authorization_response_iss_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.claims_parameter_supported,The claims_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims_parameter_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.claims_parameter_supported.value,The claims_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-claims_parameter_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims_parameter_supported parameter is present in the openid_provider type and contains the value 'one_of': ['true'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued as ['true']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.claims_parameter_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": true}}, ""required"": [""value""]}",The claims_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the client_registration_types_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.client_registration_types_supported.subset_of,The client_registration_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the client_registration_types_supported parameter is present in the openid_provider type and contains the key 'one_of' not compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.client_registration_types_supported.subset_of,The client_registration_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-client_registration_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the client_registration_types_supported parameter is present in the openid_provider type and contains the value 'one_of': ['automatic'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued as ['automatic']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.client_registration_types_supported | {""type"": ""object"", ""properties"": {""subset_of"": {""const"": ""automatic""}}, ""required"": [""subset_of""]}",The client_registration_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the code_challenge_methods_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.code_challenge_methods_supported.subset_of,The code_challenge_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-code_challenge_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the code_challenge_methods_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['S256'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['S256']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.code_challenge_methods_supported.subset_of | [""S256""]",The code_challenge_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the grant_types_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.grant_types_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The grant_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-grant_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the grant_types_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['refresh_token', 'authorization_code'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.grant_types_supported.subset_of | [""refresh_token"", ""authorization_code""]",The grant_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_encryption_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -,TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_enc_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_encryption_enc_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-id_token_encryption_enc_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_enc_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The id_token_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-id_token_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path | param_value1 | param_value2 | ...,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of | [""RSA_1_5""]",The id_token_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-incorrect-userinfo_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of | [""RSA_1_5""]",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-incorrect-userinfo_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512']",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_methods_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_authentication_methods_supported,The request_authentication_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'value'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_authentication_methods_supported.value,The request_authentication_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_methods_supported parameter is present in the openid_provider type and the key 'one_of' is valued with ['request_object'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued with ['request_object']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_authentication_methods_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": ""request_object""}}, ""required"": [""value""]}",The request_authentication_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.request_authentication_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-request_authentication_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued as ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of | [""RS256"", ""RS512""]",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -o,TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the request_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_parameter_supported,The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_parameter_supported.value,The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -,TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the request_object_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'superset_of' or 'subset_of',JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and 'superset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The request_object_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -,TA-Entity Statement response TA OP-metadata_policy-request_object_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the request_object_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'superset_of' or 'subset_of',JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]} [""RS256"", ""RS512""]",The request_object_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,Clarifying docs,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-request_parameter_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type and contains the value 'one_of': ['true'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['true']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": true}}, ""required"": [""value""]}",The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_modes_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.response_modes_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}}, ""required"": [""subset_of"", ""superset_of""]}",The response_modes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-response_modes_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_modes_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['form_post', 'query'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it is valued with['form_post', 'query']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_modes_supported.subset_of | [""form_post"", ""query""]",The response_modes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-response_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_types_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_types_supported.subset_of,The response_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-response_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_types_supported parameter is present in the openid_provider type and contains the value 'one_of': ['code'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['code']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_types_supported.subset_of | [""code""]",The response_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the revocation_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of,The revocation_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-revocation_endpoint_auth_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the revocation_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['private_key_jwt']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of | [""private_key_jwt""]",The revocation_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-scopes_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the scopes_supported parameter is present in the openid_provider typeand contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.scopes_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}}, ""required"": [""subset_of"", ""superset_of""]}",The scopes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-scopes_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the scopes_supported parameter is present in the openid_provider typeand contains the value 'subset_of': ['openid', 'offline_access', 'profile', 'email'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.scopes_supported.subset_of | [""openid"", ""offline_access"", ""profile"", ""email""]",The scopes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the subject_types_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.subject_types_supported.subset_of,The subject_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-subject_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the subject_types_supported parameter is present in the openid_provider type and contains the value 'one_of': ['pairwise'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['pairwise']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.subject_types_supported.subset_of | [""pairwise""]",The subject_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of,The token_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['private_key_jwt']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of | [""private_key_jwt""]",The token_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and not contains the values ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is presentin the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_encryption_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is presentin the openid_provider type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_enc_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_encryption_enc_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_encryption_enc_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_enc_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The userinfo_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if is missing or empty",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary -x,TA-Entity Statement response TA OP-metadata_policy-userinfo_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA OP-release,TA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the TA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response TA OP,Does the TA correctly release the Entity statements,"After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. 
The response is then checked and it must contain the subordinate entity's Entity Statement.",TA,,Entity Statement response TA OP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it.,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-sub,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the sub parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claim -o,TA-Entity Statement response TA OP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims claim is a list of JSON Objects, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this 
test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims -x,TA-Entity Statement response TA OP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the email claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro email -,TA-Entity Statement response TA OP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the email claim is of type string, not compliant 
otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"":""object"",""properties"":{""email"":{""type"":""string"",""format"":""email""}},""required "":[""email""]}",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No email -x,TA-Entity Statement response TA OP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the exp claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro exp -x,TA-Entity Statement response TA OP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response 
TA OP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No exp -x,TA-Entity Statement response TA OP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iat claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA OP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted 
and the type of the iat claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -x,TA-Entity Statement response TA OP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the id claim,"The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the authorization_response_iss_parameter_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value,The authorization_response_iss_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. 
openid_provider รจ vuoto -x,TA-Entity Statement response TA OP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the logo_uri claim is present in the trust_mark JWT in the trust_marks parameter, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro logo_uri -x,TA-Entity Statement response TA OP-trust_mark-logo_uri-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the logo_uri parameter in the trust mark in the trust marks parameter of the response is an URI, not compliant otherwise ",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain a correct logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro logo_uri -x,TA-Entity Statement response TA OP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_name claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_name -x,TA-Entity Statement response TA OP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { 
""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No organization_name -x,TA-Entity Statement response TA OP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_type claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_type -o,TA-Entity Statement response TA OP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_type claim is 'public' or 'private', not compliant otherwise",JWT list values,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain a correct organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 
'private'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark.organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro organization_type -x,TA-Entity Statement response TA OP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri -o,TA-Entity Statement response TA OP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the policy_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain 
a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri -x,TA-Entity Statement response TA OP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the ref claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct 
Input,Entity Statement response TA OP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -o,TA-Entity Statement response TA OP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response TA OP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | sa_profile | [""light"", ""full""]","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro sa_profile -x,TA-Entity Statement response TA 
OP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation -o,TA-Entity Statement response TA OP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": 
[""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation -o,TA-Entity Statement response TA OP-trust_mark-signature,Entity statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the signature is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response TA OP,Does the TA correctly sign the issued Trust Mark,"To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_TA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed, -x,TA-Entity Statement response TA OP-trust_mark-sub,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sub claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity 
Statement response TA OP,Does the Trust Mark contain sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sub,The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-trust_mark-sub-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sub claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain a correct sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""sub""]}",The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-trust_mark-tos_uri,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the tos_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain the tos_uri claim,"In this test, a Trust Mark issued 
for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | tos_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro tos_uri -o,TA-Entity Statement response TA OP-trust_mark-tos_uri-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the tos_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the issued oauth_resource Trust Mark contain a correct tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""tos_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""tos_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro tos_uri -x,TA-Entity Statement response TA OP-trust_marks,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement 
response TA OP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA OP,Does Entity Statements issued by the TA contain the trust_marks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA OP-metadata_policy-authorization_response_iss_parameter_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the authorization_response_iss_parameter_supported parameter is present in the openid_provider type and contains the value 'one_of': ['true'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued as ['true']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.authorization_response_iss_parameter_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": true}}, ""required"": [""value""]}",The authorization_response_iss_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -,TA-Entity Statement response TA OP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iss claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-id_code-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA OP,Does the 
Trust Mark contain a correct id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro id_code -x,TA-Entity Statement response TA OP-metadata_policy-jwks,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA OP,Does the TA's metadata policy for an OP contain the jwks parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. 
It must contain the RP JWKS related to the OIDC Core operations",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | jwks,The jwks claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA OP-signature,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the signature is verified, not compliant otherwise",JWT signature check,Correct Input,Entity Statement response TA OP,Does the TA correctly sign the Entity statements,"In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",TA,,Entity Statement response TA OP | body | [^\r\n]* | X_key_TA,Entity Statements must be signed,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Signature non corretta -x,TA-Entity Statement response TA OP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_code claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro id_code -x,TA-Entity Statement response TA OP-trust_mark-iss-value,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iss claim is an URL identifying the TA, not compliant 
otherwise",nested JWT Check-Save to JWT,Correct Input,Entity Statement response TA OP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",TA,Entity Configuration response TA | body | [^\r\n]* | payload | iss | valid_iss,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Active,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-trust_mark-ipa_code-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim for public organizations,nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations.,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,[ORA] 
Manca id_code -,TA-Entity Statement response TA RP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""fiscal_number"": {}, ""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. 
The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code -,TA-Entity Statement response TA RP-trust_mark-id-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id is 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile is 'public' or private', not compliant otherwise",/ manual: wrong parameter,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain a correct id claim,"The id of the trust mark must have the structure ///. So in this test, an issued Trust Mark must be taken, decrypted and the value of the id claim can be one among 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile can be 'public' or 'private'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id | openid_relying_party | openid_provider | intermediate | oauth_resource,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | $.id_code.ipa_code,The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code -,TA-Entity Statement response TA RP-trust_mark-ipa_code-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the ipa_code in the id_code claim of a trust mark is a string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of 
the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""ipa_code"": { ""type"":""string""}},""required"":[""ipa_code""]}},""required"":[""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code -,TA-Entity Statement response TA RP-constraints,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the constraints parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | constraints,The constraints parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. 
constraints si trova in metadata_policy -,TA-Entity Statement response TA RP-exp,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the exp parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-iat,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the iat parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-jwks,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the jwks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-metadata_policy,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the metadata_policy parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA RP-metadata_policy-client_registration_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the client_registration_types parameter is present in the openid_relying_party type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.client_registration_types.subset_of,The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro client_registration_types -x,TA-Entity Statement response TA RP-metadata_policy-client_registration_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the client_registration_types parameter is present in the openid_relying_party type and contains the value 'one_of': ['automatic'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['automatic']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.client_registration_types.subset_of | [""automatic""]",The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-grant_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the grant_types parameter inside the openid_relying_party type is present and it contains the value 'subset_of: [authorization_code, refresh_token]', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct grant_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.grant_types.subset_of | [""authorization_code"", ""refresh_token""]",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of,The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_encrypted_response_alg -,TA-Entity Statement response TA RP-metadata_policy-response_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the response_types parameter is present in the openid_relying_party type and contains the key 'value', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct response_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value,The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca response_types -,TA-Entity Statement response TA RP-metadata_policy-response_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the response_types parameter is present in the openid_relying_party type and contains the key 'value', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct response_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value | [""code""]",The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca response_types -x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_enc parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of,The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_encrypted_response_enc -x,TA-Entity Statement response TA RP-metadata_policy-id_token_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_enc parameter is present in the openid_relying_party type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of | [""A128CBC-HS256"" , ""A256CBC-HS512""]",The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_signed_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of,The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_signed_response_alg -x,TA-Entity Statement response TA RP-metadata_policy-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_signed_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of | [""RS256"" , ""RS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant if present",JWT list parameter does not contain,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of | [""RSA_1_5""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. -x,TA-Entity Statement response TA RP-metadata_policy-incorrect-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the value of id_token_signed_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not compliant if present",JWT list parameter does not contain,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. -x,TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of | [""RSA_1_5""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. -x,TA-Entity Statement response TA RP-metadata_policy-incorrect-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. -x,TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the token_endpoint_auth_method parameter is present in the openid_relying_party type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of,The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro token_endpoint_auth_method -x,TA-Entity Statement response TA RP-metadata_policy-token_endpoint_auth_method-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the token_endpoint_auth_method parameter is present in the openid_relying_party type and contains the value 'one_of': ['private_key'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['private_key']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of | [""private_key""]",The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of,The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_encrypted_response_alg -x,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -o,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_enc parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of,The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_encrypted_response_enc -o,TA-Entity Statement response TA RP-metadata_policy-userinfo_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_enc parameter is present in the openid_relying_party type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of | [""A128CBC-HS256"" , ""A256CBC-HS512""]",The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -x,TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of,The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_signed_response_alg -x,TA-Entity Statement response TA RP-metadata_policy-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of | [""RS256"", ""RS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto -,TA-Entity Statement response TA RP-release,TA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the TA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response TA RP,Does the TA correctly release the Entity statements,"After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. 
The response is then checked and it must contain the subordinate entity's Entity Statement.",TA,,Entity Statement response TA RP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it.,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-sub,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the sub parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims -,TA-Entity Statement response TA RP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the claims claim is a list of JSON Objects, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain a 
correct claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims -,TA-Entity Statement response TA RP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the email claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro email -,TA-Entity Statement response TA RP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the email claim is 
of type string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No email -,TA-Entity Statement response TA RP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the exp claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro exp -x,TA-Entity Statement response TA RP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT 
parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No exp -,TA-Entity Statement response TA RP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -,TA-Entity Statement response TA RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat claim is present, not compliant 
otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the id claim,"The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the logo_uri claim is present in the trust_mark JWT in the trust_marks parameter, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro logo_uri -,TA-Entity Statement response TA RP-trust_mark-logo_uri-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the logo_uri parameter in the trust mark in the trust marks parameter of the response is an URI, not compliant otherwise ",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain a correct logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": 
{""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro logo_uri -,TA-Entity Statement response TA RP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_name claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_name -x,TA-Entity Statement response TA RP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the 
organization_name claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No organization_name -,TA-Entity Statement response TA RP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_type claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_type -,TA-Entity Statement response TA RP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_type claim is 'public' or 'private', not compliant otherwise",JWT list values,Correct Input,Entity Statement 
response TA RP,Does the Trust Mark contain a correct organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro organization_type -,TA-Entity Statement response TA RP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri -,TA-Entity Statement response TA RP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the 
policy_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri -,TA-Entity Statement response TA RP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the ref claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA RP-trust_mark-ref-type,Trust Mark generated by TA or 
SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, -,TA-Entity Statement response TA RP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response TA RP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | sa_profile | [""light"", ""full""]","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of 
content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro sa_profile -,TA-Entity Statement response TA RP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation -,TA-Entity Statement response TA RP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", 
""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation -,TA-Entity Statement response TA RP-trust_mark-signature,Entity statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the signature is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response TA RP,Does the TA correctly sign the issued Trust Mark,"To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_TA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed, -,TA-Entity Statement response TA RP-trust_mark-sub,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sub claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sub,The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-trust_mark-sub-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sub claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain a correct sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the 
value of the sub claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""sub""]}",The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-trust_mark-tos_uri,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the tos_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource Trust Mark contain the tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | tos_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro tos_uri -,TA-Entity Statement response TA RP-trust_mark-tos_uri-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the tos_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the issued oauth_resource 
Trust Mark contain a correct tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""tos_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""tos_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro tos_uri -,TA-Entity Statement response TA RP-trust_marks,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does Entity Statements issued by the TA contain the trust_marks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-id_code-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain a correct id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro id_code -x,TA-Entity Statement response TA RP-metadata_policy-grant_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the grant_types parameter inside the openid_relying_party type is present and it contains the key 'subset_of', not compliant otherwise",JWT parameter 
type,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain a correct grant_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | .metadata_policy.openid_relying_party.grant_types | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca superset_of -x,TA-Entity Statement response TA RP-metadata_policy-jwks,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the jwks parameter is present inside the openid_relying_party type of the metadata_policy, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the TA's metadata policy for an RP contain the jwks parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. 
It must contain the RP JWKS related to the OIDC Core operations",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | jwks,The jwks claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -,TA-Entity Statement response TA RP-signature,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the signature is verified, not compliant otherwise",JWT signature check,Correct Input,Entity Statement response TA RP,Does the TA correctly sign the Entity statements,"In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",TA,,Entity Statement response TA RP | body | [^\r\n]* | X_key_TA,Entity Statements must be signed,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Signature non corretta -,TA-Entity Statement response TA RP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_code claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro id_code -x,TA-Entity Statement response TA RP-iss,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter 
presence,Correct Input,Entity Statement response TA RP,Does Entity Statement issued by the TA contain the iss parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA RP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iss claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA RP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA RP-trust_mark-iss-value,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iss claim is an URL identifying the TA, not compliant otherwise",nested JWT Check-Save to JWT,Correct Input,Entity Statement 
response TA RP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",TA,Entity Configuration response TA | body | [^\r\n]* | payload | iss | valid_iss,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Active,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,TA-Entity Statement response TA SA-trust_mark-sa_profile,Trust Mark generated for an SA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the sa_profile claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response TA SA,Does the issued intermediary Trust Mark contain the sa_profile claim,"A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sa_profile,"In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Non supportato,N_A,N_A,not_applicable,Manca parametro sa_profile -x,TA-Entity Statement response TA SA-metadata_policy-client_registration_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response 
TA SA,Trigger Entity Statement response TA SA,"Compliant if the client_registration_types parameter is present in the intermediary type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.client_registration_types.subset_of,The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-client_registration_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the client_registration_types parameter is present in the intermediary type and contains the value 'one_of': ['automatic'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the 
TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.client_registration_types.subset_of | [""automatic""]",The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-grant_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the grant_types parameter is present in the intermediary type and it contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct grant_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' and 'superset_of'",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | .metadata_policy.intermediary.grant_types | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of""], [""superset_of""]}",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,From the trust marks table I assumed the correct type is intermediary,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -,TA-Entity Statement response TA SA-metadata_policy-response_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if theresponse_types parameter is present in the intermediary type and it contains the key 'value', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct response_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. 
It must contain the key 'value'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value,The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,From the trust marks table I assumed the correct type is intermediary,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -,TA-Entity Statement response TA SA-metadata_policy-response_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if theresponse_types parameter is present in the intermediary type and it contains the key 'value', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct response_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. 
It must contain the key 'value' with value 'code'",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value | [""code""]",The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,From the trust marks table I assumed the correct type is intermediary,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-grant_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the grant_types parameter is present in the intermediary type and it contains the value 'subset_of: [authorization_code, refresh_token]', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct grant_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.grant_types.subset_of | [""authorization_code"", ""refresh_token]",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,From the trust marks table I assumed the correct type is intermediary,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_alg parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_alg.one_of,The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_enc parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_enc.one_of,The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-id_token_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_enc parameter is present in the intermediary type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_enc.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-id_token_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_signed_response_alg parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signed_response_alg.one_of,The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,OP-Token response-id_token-payload-nbf,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the nbf claim, not Compliant otherwise",/ not to do,Correct Input,Token response,Does the issued JWT ID Token contain the 'nbf' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nbf' parameter in the Payload is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | nbf",The JWT ID Token Payload requires the nbf parameter and it has to be equal to iat,External: solo SPID | SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,,,,,,,,,,FALSE,x,,,,,,,Manca parametro nbf,, -x,TA-Entity Statement response TA SA-metadata_policy-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_signed_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA 
contain a correct id_token_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signed_response_alg.one_of | [""RS256"", ""RS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-incorrect-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_alg parameter is present in the intermediary type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_alg.one_of | [""RSA_1_5""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-incorrect-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_signed_response_alg parameter is present in the intermediary type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-incorrect-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_alg parameter is present in the intermediary type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of | [""RSA_1_5""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-incorrect-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_signed_response_alg parameter is present in the intermediary type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-token_endpoint_auth_method-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the token_endpoint_auth_method parameter is present in the intermediary type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_method.one_of,The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-token_endpoint_auth_method-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the token_endpoint_auth_method parameter is present in the intermediary type and contains the value 'one_of': ['private_key'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. 
It must contain the key 'one_of' valued with ['private_key']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_method.one_of | [""private_key""]",The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_alg parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of,The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_enc parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of,The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-userinfo_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_enc parameter is present in the intermediary type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_signed_response_alg parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signed_response_alg.one_of,The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,TA-Entity Statement response TA SA-metadata_policy-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_signed_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response TA SA,Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signed_response_alg.one_of | [""RS256"", ""RS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA -x,SA-Fetch Entity Statement response SA RP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response SA RP,Trigger Fetch Entity Statement response SA RP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response SA RP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",SA,,Fetch Entity Statement response SA RP | body | [^\r\n]*.^([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. 
For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,TA-Fetch Entity Statement response TA OP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response TA OP,Trigger Fetch Entity Statement response TA OP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response TA OP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",TA,,Fetch Entity Statement response TA OP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. 
For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Fetch Entity Statement response TA OP -,TA-Fetch Entity Statement response TA RP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response TA RP,Trigger Fetch Entity Statement response TA RP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response TA RP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",TA,,Fetch Entity Statement response TA RP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. 
For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Fetch Entity Statement response TA RP -x,RP-Introspection request-client_assertion,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client_assertion,The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.,RP,,Introspection request | body | client_assertion,The request to the Introspection Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,RP-Introspection request-client_assertion_type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion_type parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client_assertion_type,The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.,RP,,Introspection request | body | client_assertion_type,The request to the Introspection Endpoint must contain the client_assertion_type parameter and it has to be set to 
urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,RP-Introspection request-client_assertion_type-type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion_type parameter in the request is urn:ietf:params:oauth:clientassertion-type:jwt-bearer, not compliant otherwise",HTTP parameter value,Correct Input,Introspection request,Does the Introspection Request contain correct type of client_assertion_type,The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer,RP,,Introspection request | body | client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer,The request to the Introspection Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,RP-Introspection request-client_assertion-type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion parameter in the request is a signed JWT, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client_assertion as a valid JWT,The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure,RP,,Introspection request | body | client_assertion,The request to the 
Introspection Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,RP-Introspection request-client_id,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_id parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client id of the RP making the request,The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.,RP,,Introspection request | body | client_id,The request to the Introspection Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,RP-Introspection request-client_id-type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_id parameter in the request is an URI, not compliant otherwise",JSON parameter type,Correct Input,Introspection request,Does the Introspection Request contain correct type of client id of the RP making the request,The Introspection request made by the RP is taken and the value of the client_id parameter is an URI,RP,,"Introspection request | body | | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]}",The request to the Introspection Endpoint must contain the client_id parameter and 
it has to be an URI identifying the RP,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,URL รจ HTTP non HTTPS -x,RP-Introspection request-client_id-value,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_id parameter in the request identifies the RP, not compliant otherwise",HTTP parameter value,Correct Input,Introspection request,Does the Introspection Request contain correct client id of the RP making the request,The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP,RP,,Introspection request | body | client_id | X_url_RP,The request to the Introspection Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,RP-Introspection request-token,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the token parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the token,The Introspection request made by the RP is taken and the presence of the token parameter is checked.,RP,,Introspection request | body | token,The request to the Introspection Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Introspection-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,RP-Introspection request-token-type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the token parameter in the request is a valid JWT, not compliant otherwise",HTTP parameter type,Correct Input,Introspection request,Does the Introspection Request contain correct type token,The Introspection request made by the RP is taken and the type of the token parameter is a JWT,RP,,Introspection request | body | token=([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)(?:&|$),The request to the Introspection Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -o,RP-Introspection request-method-correct,Introspection Request,Introspection request,Trigger Introspection request,"Compliant if the introspection request is sent via HTTP POST, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request use HTTP POST,The Introspection request made by the RP use HTTP POST,RP,,Introspection request | url | POST,The request to the Introspection Endpoint must use HTTP POST,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,L,Incorrect handling,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,OP-Introspection response-empty-iss-client-assertion,Introspection response to a request with a client assertion with emtpy iss,Introspection response to a request with a client assertion without the iss 
parameter,Introspection request with a client assertion without the iss parameter,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Introspection response,Does the OP verify the presence of iss of the client_assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | payload | iss | | X_key_core_RP,Introspection response | head | 400 | head | invalid_request,The OP must test the validity of all the fields that are present in the JWT contained in the client assertion,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,Ritorna 403 x,OP-Introspection response-empty-aud-client-assertion,Introspection response to a request with a client assertion with emtpy aud,Introspection response to a request with a client assertion with emtpy aud,Introspection request with a client assertion without the aud parameter,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Introspection response,Does the OP verify the presence of aud of the client_assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | payload | aud[0] | 
| X_key_core_RP,Introspection response | head | 400 | head | invalid_request,The OP must test the validity of all the fields that are present in the JWT contained in the client assertion,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 x,OP-Introspection response-empty-exp-client-assertion,Introspection response to a request with a client assertion with emtpy exp,Introspection response to a request with a client assertion with empty exp,Introspection request with a client assertion without the exp parameter,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Introspection response,Does the OP verify the presence of exp of the client_assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | payload | exp | | X_key_core_RP,Introspection response | head | 400 | head | invalid_request,The OP must test the validity of all the fields that are present in the JWT contained in the client assertion,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,Ritorna 403 x,OP-Introspection 
response-empty-iat-client-assertion,Introspection response to a request with a client assertion with emtpy iat,Introspection response to a request with a client assertion with emtpy iat,Introspection request with a client assertion without the iat parameter,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Introspection response,Does the OP verify the presence of iat of the client_assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | payload | iat | | X_key_core_RP,Introspection response | head | 400 | head | invalid_request,The OP must test the validity of all the fields that are present in the JWT contained in the client assertion,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[PRIMA] Ritorna 403 -x,OP-Introspection response-missing-client_assertion,Introspection response to a request without the client assertion,Introspection response to a request without the client assertion,Introspection request without the client assertion JWT in the client_assertion parameter,"Compliant if the Introspection response is an HTTP 401 because of invalid_client, not compliant otherwise",Param Response,Wrong Input,Introspection response,Does the OP accept introspection requests without the client assertion,A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed,OP,Introspection request | body | (?<=client_assertion=)([^&]+) | ,Introspection response | head | 401 | body | invalid_client,The request to the Introspection Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Introspection request, no client assertion",,,,,,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request +x,OP-Introspection response-empty-iss-client-assertion,Introspection response to a request with a client assertion with emtpy iss,Introspection response to a request with a client assertion without the iss parameter,Introspection request with a client assertion without the iss parameter,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Introspection response,Does the OP verify the presence of iss of the client_assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | payload | iss | | X_key_core_RP,Introspection response | head | 400 | head | invalid_request,The OP must test the validity of all the fields that are present in the JWT contained in the client assertion,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without 
specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,Ritorna 403 x,OP-Introspection response-empty-jti-client-assertion,Introspection response to a request with a client assertion with emtpy jti,Introspection response to a request with a client assertion with emtpy jti,Introspection request with a client assertion without the jti parameter,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Introspection response,Does the OP verify the presence of jti of the client_assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | payload | jti | | X_key_core_RP,Introspection response | head | 400 | head | invalid_request,The OP must test the validity of all the fields that are present in the JWT contained in the client assertion,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 - active: true x,OP-Introspection response-empty-sub-client-assertion,Introspection response to a request with a client assertion with emtpy sub,Introspection response to a request with a client assertion with emtpy sub,Introspection request with a client assertion without the sub parameter,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Introspection response,Does the OP verify the presence of sub of the client_assertion in the 
Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | payload | sub | | X_key_core_RP,Introspection response | head | 400 | head | invalid_request,The OP must test the validity of all the fields that are present in the JWT contained in the client assertion,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 +x,OP-Introspection response-missing-client_assertion,Introspection response to a request without the client assertion,Introspection response to a request without the client assertion,Introspection request without the client assertion JWT in the client_assertion parameter,"Compliant if the Introspection response is an HTTP 401 because of invalid_client, not compliant otherwise",Param Response,Wrong Input,Introspection response,Does the OP accept introspection requests without the client assertion,A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed,OP,Introspection request | body | (?<=client_assertion=)([^&]+) | ,Introspection response | head | 401 | body | invalid_client,The request to the Introspection Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Introspection request, no client assertion",,,,,,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request x,OP-Introspection response-missing-client_assertion_type,Introspection response to a request without the client assertion type,Introspection response to a request without the client assertion type,Introspection request without the client_assertion_type type parameter in the body,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Introspection response,Does the OP accept introspection requests without the client assertion type,An introspection request without the client_assertion_type parameter is sent and the response analyzed,OP,Introspection request | body | (?<=client_assertion_type=)([^&]+) | ,Introspection response | head | 400 | body | invalid_request,The request to the Introspection Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Introspection request, no 
client_assertion_type",,,,,TRUE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, x,OP-Introspection response-missing-client_id,Introspection Response to a Request without the client id,Introspection Response to a Request without the client id,Introspection request without the client_id parameter in the body,"Compliant if the Introspection response is an HTTP 401 because of invalid_client, not compliant otherwise",Param Response,Wrong Input,Introspection response,Does the OP accept introspection requests without the client id,"To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.",OP,Introspection request | body | (?<=client_id=)([^&]+) | ,Introspection response | head | 401 | body | invalid_client,The OP must check that the client_id in the Introspection Request is known inside the Federation.,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Introspection request, no client_id, test_introspection_endpoint_validation_error",,,,,,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request o,OP-Introspection response-missing-token,Introspection response to a request without the token,Introspection response to a request without the token,Introspection request without the token parameter in the body,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Introspection response,How does the OP behave when receiving an introspection request without the token,An introspection request without a token is sent and the introspection response analyzed,OP,Introspection request | body | (?<=token=)([^&]+) | 
,Introspection response | head | 400 | body | invalid_request,The request to the Introspection Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Introspection request, no token",,,,,,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,OP-Introspection response-token-active-presence,Introspection Response to a Request with a valid token,Introspection Response to a Request with a valid token,Introspection request with valid token in the token parameter,"Compliant if the Introspection Response is a JSON Object with only an 'active' parameter, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection response,Does the Introspection Endpoint Response have the active parameter,"To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter",OP,,Introspection response | body | active,"If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,OP-Introspection response-token-active-value,Introspection Response to a Request with a valid token,Introspection Response to a Request with a valid token,Introspection request with valid token in the token parameter,"Compliant if the Introspection Response is a JSON Object with only an 'active' parameter set to true, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection response,Does the Introspection Endpoint returns true on active tokens,"To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed",OP,,"Introspection response | body | ""active"": true","If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,OP-Introspection response-token-expired,Introspection Request with an expired token,Introspection Request with an expired token,Introspection Request with an expired token,"Compliant if the Introspection Response's body is a JSON Object with only an 'active' parameter set to false, not compliant otherwise",/ manual: check flow,Correct Input,Introspection response,Does the Introspection Endpoint returns false on expired tokens,"To test that the Introspection response of the OP's correctly identifies expired tokens, an expired one is sent and the response is analyzed",OP,,,"If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 500 +x,OP-Introspection response-token-wrong-RP,Introspection Request with a token issued for another client,Introspection response to a request with a token issued for another client,Introspection Request with a token that does not belong to the RP making the request,"Compliant if the Introspection Response is a JSON Object with only an 'active' parameter set to false, not compliant otherwise",/ manual: check flow,Wrong Input,Introspection response,Does the Introspection Endpoint returns false on tokens that do not belong to the RP,"To test that the Introspection response of the OP's correctly identifies tokens that do not belong to the RP making the request, a token issued for another RP is sent by a different RP and the response is analyzed",OP,,,"If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 o,OP-Introspection response-wrong-client_assertion_type,Introspection response to a request with a wrong client assertion type (not set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer),Introspection response to a request with a wrong client assertion type (not set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer),Introspection request with a wrong client_assertion_type parameter in the body,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Introspection response,Does the OP accept introspection requests with a wrong client assertion type,An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed,OP,Introspection request | body | (?<=client_assertion_type=)([^&]+) | X_wrong_value,Introspection response | head | 400 | body | invalid_request,The request to the Introspection Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, x,OP-Introspection response-wrong-client_id,Introspection Response to a Request with a wrong client id,Introspection Response to a Request with a 
wrong client id,Introspection request with a wrong the client_id parameter in the body,"Compliant if the Introspection response is an HTTP 401 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Introspection response,Does the OP verify the client id of the Introspection Request,"To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.",OP,Introspection request | body | (?<=client_id=)([^&]+) | https://www.example.com/,Introspection response | head | 401 | body | invalid_client,The OP must check that the client_id in the Introspection Request is known inside the Federation.,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Introspection request, no correct client_id",,,,,TRUE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 x,OP-Introspection response-wrong-client-assertion,Introspection response to a request with a client assertion with wrong parameters in the JWT,Introspection response to a request with a client assertion with wrong parameters in the JWT,Introspection request with a client assertion with a wrong parameter in the JWT,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Introspection response,Does the OP verify the parameters of the client assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it 
correct. If the OP accepts the request anyway, then it does not verify the JWT.",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | X_wrong_value,Introspection response | head | 400 | body | invalid_request,"The OP must test the validity of all the fields that are present in the JWT contained in the client assertion, plus the validity of its signature, with respect to the parameter client_id",SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Introspection request, no correct client_assertion",,,,,TRUE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, 
@@ -660,24 +235,9 @@ x,OP-Introspection response-wrong-iat-client-assertion,Introspection response to
 x,OP-Introspection response-wrong-signature-client-assertion,Introspection response to a request with a client assertion with wrong signature,Introspection response to a request with a client assertion with wrong signature,Introspection request with a client assertion in the body with wrong signature,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",Signature JWT Response,Wrong Input,Introspection response,Does the OP verify the signature of the client assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | X_wrong_key,Introspection response | head | 400 | body | invalid_request,"The OP must test the validity of all the fields that are present in the JWT contained in the client assertion, plus the validity of its signature, with respect to the parameter client_id",SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403
 x,OP-Introspection response-wrong-sub-client-assertion,Introspection response to a request with a client assertion with wrong value of sub,Introspection response to a request with a client assertion with wrong value of sub,Introspection request with a client assertion with value of sub different to the one in the iss 
parameter,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Introspection response,Does the OP verify the value of iss of the client_assertion in the Introspection request,"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter",OP,Introspection request | body | (?<=client_assertion=)([^&]+) | payload | sub | example | X_key_core_RP,Introspection response | head | 400 | head | invalid_request,The OP must test the validity of all the fields that are present in the JWT contained in the client assertion,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 o,OP-Introspection response-wrong-token,Introspection response to a request with a token not valid,Introspection response to a request with a token not valid,Introspection request with a wrong the token parameter in the body,"Compliant if the Introspection response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Introspection response,How does the OP behave when receiving an introspection request with a wrong token,An introspection request with a token not valid is sent and the introspection response analyzed,OP,Introspection request | body | (?<=token=)([^&]+) | X_not_valid_tkn,Introspection response | head | 400 | body | invalid_request,The request to the Introspection Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Introspection-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"Introspection request, no correct_token",,,,,,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,OP-Introspection response-token-active-presence,Introspection Response to a Request with a valid token,Introspection Response to a Request with a valid token,Introspection request with valid token in the token parameter,"Compliant if the Introspection Response is a JSON Object with only an 'active' parameter, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection response,Does the Introspection Endpoint Response have the active parameter,"To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter",OP,,Introspection response | body | active,"If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,OP-Introspection response-token-active-value,Introspection Response to a Request with a valid token,Introspection Response to a Request with a valid token,Introspection request with valid token in the token parameter,"Compliant if the Introspection Response is a JSON Object with only an 'active' parameter set to true, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection response,Does the Introspection Endpoint returns true on active tokens,"To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed",OP,,"Introspection response | body | ""active"": true","If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, -x,OP-Introspection response-token-expired,Introspection Request with an expired token,Introspection Request with an expired token,Introspection Request with an expired token,"Compliant if the Introspection Response's body is a JSON Object with only an 'active' parameter set to false, not compliant otherwise",/ manual: check flow,Correct Input,Introspection response,Does the Introspection Endpoint returns false on expired tokens,"To test that the Introspection response of the OP's correctly identifies expired tokens, an expired one is sent and the response is analyzed",OP,,,"If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 500 -x,OP-Introspection response-token-wrong-RP,Introspection Request with a token issued for another client,Introspection response to a request with a token issued for another client,Introspection Request with a token that does not belong to the RP making the request,"Compliant if the Introspection Response is a JSON Object with only an 'active' parameter set to false, not compliant otherwise",/ manual: check flow,Wrong Input,Introspection response,Does the Introspection Endpoint returns false on tokens that do not belong to the RP,"To test that the Introspection response of the OP's correctly identifies tokens that do not belong to the RP making the request, a token issued for another RP is sent by a different RP and the response is analyzed",OP,,,"If the token is expired, it has been revoked or it has never been issued for the calling client_id, the Introspection Endpoint must return false. 
Otherwise it returns true",SPID_CIE_OIDC#Introspection-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#response,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 -x,TA-Public Keys History response-published,TA's public keys history response,TA's public keys history response,Trigger Public Keys History response,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Public Keys History response,Does the TA publish the federation public key history,An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed,TA,,"Public Keys History response | body | \[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$","In order to enable the verification of messages exchanged by Entities participating in the federation and their Trust Chains, the TA MUST publish the federation public key history (JWKS) within a registry made available to all participants via the /.well-known/openid-federation-jwks endpoint.",SPID_CIE_OIDC#Retention-Policy; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/log_management.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Public Keys History response -x,ALL-Resolve Entity Statement endpoint response-exposed,Resolve Entity Statement endpoint response,Resolve Entity Statement endpoint response,Trigger Resolve Entity Statement endpoint response,"Compliant if the Response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Resolve Entity Statement endpoint response,Does the Entity expose the resolve entity statement endpoint,"In order to check the presence and correctness of the 
resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",ALL,,"Resolve Entity Statement response | body | [\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$","All the Entities MUST contain the resolve entity statement endpoint. It gives the final Metadata, the Trust Chain and the Trust Marks regarding another subject.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Resolve Entity Statement response o,OP-Revocation request-assertion-signature,Revocation Request's client assertion with a wrong signature of the JWT,Revocation request,Revocation Request with a client assertion in the body with a wrong signature,"Compliant if the Revocation response is an HTTP 400 because of invalid_request, not compliant otherwise",Signature JWT Response,Wrong Input,Revocation request,Does the OP verify the signature of the client assertion in the Revocation request,"Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. 
If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",OP,Revocation request | body | (?<=client_assertion=)([^&]+) | X_wrong_key,Revocation response | head | 400 | body | invalid_request,"The OP must test the validity of all the fields that are present in the JWT contained in the client assertion, plus the validity of its signature, with respect to the parameter client_id",SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Revocation request-token-absence,Revocation Request without token,Revocation request,Trigger Revocation Request without token,"Compliant if the Revocation response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Revocation request,Does the OP verify the presence of token in the Revocation request,"Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.",OP,Revocation request | body | (?<=token=)([^&]+) | ,Revocation response | head | 400 | body | invalid_request,The OP must test the validity of all the fields that are present in the revocation request,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, o,OP-Revocation request-method,Revocation Request,Revocation request,Trigger Revocation Request,"Compliant if the Revocation request is in HTTP POST, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the OP 
verify the HTTP method of the Revocation request,The revocation request must be sent via HTTP POST,OP,,Revocation request | url | POST,The OP must test the HTTP method in the revocation request,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Revocation request-client_assertion,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_assertion parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the Revocation Request contain the client assertion,The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.,RP,,Revocation request | body | client_assertion,The request to the Revocation Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Revocation request-client_assertion_type,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_assertion_type parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the Revocation Request contain the client_assertion_type,The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.,RP,,Revocation request | body | client_assertion_type,The request to the Revocation Endpoint must contain the client_assertion_type parameter and it has to be set to 
urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Revocation request-client_assertion_type-value,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_assertion_type parameter in the request is urn:ietf:params:oauth:clientassertion-type:jwt-bearer, not compliant otherwise",HTTP parameter value,Correct Input,Revocation request,Does the Revocation Request contain correct client_assertion_type,The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer,RP,,Revocation request | body | client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer,The request to the Revocation Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Revocation request-client_assertion-type,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_assertion parameter in the request is a valid JWT, not compliant otherwise",HTTP parameter type,Correct Input,Revocation request,Does the Revocation Request contain correct type of client assertion,The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure,RP,,Revocation request | body | client_assertion=([\w]+)\.([\w]+)\.([\w\-]*)(?:&|$),The request to the Revocation Endpoint must contain the client_assertion parameter and it 
has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Revocation request-client_id,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_id parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the Revocation Request contain the client_id of the RP making the request,The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.,RP,,Revocation request | body | client_id,The request to the Revocation Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,Is revocation bound to a specific client (IsBoundToClient),,,,,,,TRUE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Revocation request-client_id-different-value,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the Revocation response is an HTTP 401 because of invalid_client, not compliant otherwise",Param Response,Wrong Input,Revocation request,Does the Revocation Request contain correct client_id of the RP making the request,The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP,RP,Revocation request | body | (?<=client_id=)([^&]+) | https://example.com,Revocation response | head | 401 | body | invalid_client,The request to the Revocation Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Revocation-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is revocation bound to a specific client (IsBoundToClient),,,,,,,TRUE,,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request -x,RP-Revocation request-client_id-value,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_id parameter in the request is an URI, not compliant otherwise",JSON parameter type,Correct Input,Revocation request,Does the Revocation Request contain correct type of client_id of the RP making the request,The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP,RP,,"Revocation request | body | | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]}",The request to the Revocation Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,Is revocation bound to a specific client (IsBoundToClient),,,,,,,TRUE,,,no,"[""s1""]",E,Problema implementazione,F,F,failed,URL รจ HTTP non HTTPS -x,RP-Revocation request-token,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the token parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the Revocation Request contain the token for which the request is made,The Revocation request made by the RP is taken and the presence of the token parameter is 
checked.,RP,,Revocation request | body | token,The request to the Revocation Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Revocation request-token-type,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the token parameter in the request is a valid JWT, not compliant otherwise",HTTP parameter type,Correct Input,Revocation request,Does the Revocation Request contain correct type of token for which the request is made,The Revocation request made by the RP is taken and the value of the token parameter is a JWT.,RP,,Revocation request | body | token=([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)(?:&|$),The request to the Revocation Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Revocation request-token-absence,Revocation Request without token,Revocation request,Trigger Revocation Request without token,"Compliant if the Revocation response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Revocation request,Does the OP verify the presence of token in the Revocation request,"Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.",OP,Revocation request | body | (?<=token=)([^&]+) | ,Revocation response | head | 400 | body | invalid_request,The OP must test the validity of all the fields that are present in the revocation request,SPID_CIE_OIDC#Revocation-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, o,OP-Revocation response-client_assertion-aud-empty,Revocation request,Revocation response to a request without aud in client_assertion,Revocation request without aud in client_assertion,Compliant if the revocation response is an HTTP 400 because invalid_request. Not Compliant otherwise,JWT Response,Wrong Input,Revocation response,Does the OP refuse revocation requests without the aud parameter in the client_assertion,A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it,OP,Revocation request | body | (?<=client_assertion=)([^&]+) | payload | aud | | X_key_core_RP,Revocation response | head | 400 | body | invalid_request,An RP doing a Revocation Request must insert aud in the client_assertion,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, o,OP-Revocation response-client_assertion-aud-wrong,Revocation request,Revocation response to a request with wrong aud in client_assertion,Revocation request with wrong aud in client_assertion,Compliant if the revocation response is an HTTP 400 because invalid_request. Not Compliant otherwise,JWT Response,Wrong Input,Revocation response,Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion,A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. 
The response is analyzed; the OP should refuse it,OP,Revocation request | body | (?<=client_assertion=)([^&]+) | payload | aud | abc | X_key_core_RP,Revocation response | head | 400 | body | invalid_request,An RP doing a Revocation Request must insert aud in the client_assertion,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, o,OP-Revocation response-client_assertion-exp-empty,Revocation request,Revocation response to a request without exp in client_assertion,Revocation request without exp in client_assertion,Compliant if the revocation response is an HTTP 400 because invalid_request. Not Compliant otherwise,JWT Response,Wrong Input,Revocation response,Does the OP refuse revocation requests without the exp parameter in the client_assertion,A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. The response is analyzed; the OP should refuse it,OP,Revocation request | body | (?<=client_assertion=)([^&]+) | payload | exp | | X_key_core_RP,Revocation response | head | 400 | body | invalid_request,An RP doing a Revocation Request must insert exp in the client_assertion,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Ritorna 200 
@@ -697,142 +257,9 @@ o,OP-Revocation response-missing-client_assertion_type,Revocation response to a x,OP-Revocation response-missing-client_id,Revocation response to a Request without the client id,Revocation response to a Request without the client id,Revocation request without the client_id parameter in the body ,"Compliant if the Revocation response is an HTTP 401 because of invalid_client, not compliant otherwise",Param Response,Wrong Input,Revocation response,Does the OP accept Revocation Requests without the client id,"To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.",OP,Revocation request | body | (?<=client_id=)([^&]+) | ,Revocation response | head | 401 | body | invalid_client,The OP must check that the client_id in the Revocation Request is known inside the Federation.,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,REVOCATION_REQUEST_NO_CLIENT_ID,,,,,,,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request x,OP-Revocation response-non-existing-token,Revocation Response to a Request containing a non-existing access token,Revocation Response to a Request containing a non-existing access token,Revocation request with a non-existing token,"Compliant if the response is an HTTP 200 OK response, not compliant otherwise",Param Status,Correct Input,Revocation response,Does the OP's revocation endpoint answer correctly when a non-existing token is provided,A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed,OP,Revocation request | body | (?<=token=)([^&]+) | 123.123.123,Revocation response | head | 200,"The Revocation Endpoint 
answers with a code HTTP 200, also though the indicated token does not exist or has already been revoked (so that non information is going to be released)",SPID_CIE_OIDC#Revocation-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#response,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,"REVOCATION_REQUEST_NO_CORRECT_TOKEN, test_revocation_endpoint_no_issued_token",,,,,TRUE,,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_grant +x,OP-Revocation response-token-already-revoked,Revocation Response to a Request containing a previously revoked access token,Revocation Response to a Request containing a previously revoked access token,Revocation request with a previously-revoked token,"Compliant if the response is an HTTP 200 OK response, not compliant otherwise",/ manual: check flow,Correct Input,Revocation response,Does the OP's revocation endpoint answer correctly when an already-revoked token is provided,"After a correct flow where an authentication is accomplished and a token is obtained from the OP's Token Endpoint. 
After this, a request to the Revocation endpoint is done, the token is substituted with an already-revoked token and the response analyzed",OP,Revocation request | body | token | XXX,Revocation response | head | 200,"The Revocation Endpoint responds with an HTTP 200 code, even if the indicated token does not exist or has already been revoked (so as not to release information).",SPID_CIE_OIDC#Revocation-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#response,OIDC Core,Active,L,Return wrong status code,,,,,,,"If an already-revoked token is not held, an ad-hoc session must be created with two revocation requests",FALSE,,,no,"[""s1"", ""s1-revoked""]",E,,P,P,passed, o,OP-Revocation response-wrong-client_assertion_type,Revocation response to a Request with a wrong client_assertion_type parameter,Revocation response to a Request with a wrong client_assertion_type parameter,Revocation Request with a wrong client_assertion_type parameter in the body,"Compliant if the Revocation response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Revocation response,Does the OP verify the client assertion type of the Revocation Request,"To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.",OP,Revocation request | body | (?<=client_assertion_type=)([^&]+) | urn-ietf,Revocation response | head | 400 | body | invalid_request,The OP must check that the client_assertion_type value in the Revocation Request is 'urn:ietf:params:oauth:clientassertion-type:jwt-bearer',SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major 
issue.",,,REVOCATION_REQUEST_NO_CORRECT_CLIENT_ASSERTION_TYPE,,,,,,,,no,"[""s1""]",E,,P,P,passed, x,OP-Revocation response-wrong-client_id,Revocation response to a Request with a wrong client id,Revocation response to a Request with a wrong client id,Revocation Request with a wrong client_id parameter in the body,"Compliant if the Revocation response is an HTTP 401 because of invalid_client, not compliant otherwise",Param Response,Wrong Input,Revocation response,Does the OP verify the client id of the Revocation Request,"To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.",OP,Revocation request | body | (?<=client_id=)([^&]+) | https://www.example.com/,Revocation response | head | 401 | body | invalid_client,The OP must check that the client_id in the Revocation Request is known inside the Federation.,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,REVOCATION_REQUEST_NO_CORRECT_CLIENT_ID,,,,,TRUE,,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request -x,OP-Revocation response-token-already-revoked,Revocation Response to a Request containing a previously revoked access token,Revocation Response to a Request containing a previously revoked access token,Revocation request with a previously-revoked token,"Compliant if the response is an HTTP 200 OK response, not compliant otherwise",/ manual: check flow,Correct Input,Revocation response,Does the OP's revocation endpoint answer correctly when an already-revoked token is provided,"After a correct flow where an authentication is accomplished and a token is obtained from the OP's Token Endpoint. 
After this, a request to the Revocation endpoint is done, the token is substituted with an already-revoked token and the response analyzed",OP,Revocation request | body | token | XXX,Revocation response | head | 200,"The Revocation Endpoint responds with an HTTP 200 code, even if the indicated token does not exist or has already been revoked (so as not to release information).",SPID_CIE_OIDC#Revocation-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#response,OIDC Core,Active,L,Return wrong status code,,,,,,,"If an already-revoked token is not held, an ad-hoc session must be created with two revocation requests",FALSE,,,no,"[""s1"", ""s1-revoked""]",E,,P,P,passed, -,OP-Authentication request-url-wrong-client_id,Authentication request URL,,,HTTP 302 error because of 'invalid_request',,Wrong Input,Authentication request,T1_a,The authentication request is intercepted and the 'client_id' field in the URL is edited to be a wrong value. The request is then forwarded and the result is an incorrect flow,OP,,,,External: T1_a (MIG),OIDC Core,active,,,,,,T1_a,,,client_id in URL is optional (should),TRUE,x,,,,,,,,, -,OP-Authentication request-url-missing-client_id,Authentication request URL,,,HTTP 400 error because of 'unauthorized_client',,Wrong Input,Authentication request,T1_b,"The authentication request is intercepted and the 'client_id' field is removed. After forwarding the request, the expected output is an incorrect flow",OP,,,,External: T1_b (MIG),OIDC Core,active,,,,,,T1_b,,,client_id in URL is optional (should),TRUE,x,,,,,,,,, -,OP-Authentication request-url-wrong-response_type,Authentication request URL,,,HTTP 400 error because of 'unsupported_response_type',,Wrong Input,Authentication request,T1_c,The authentication request is intercepted and the 'response_type' field in the URL is edited to be a wrong value. 
The request is then forwarded and the result is an incorrect flow,OP,,,,External: T1_c (MIG),OIDC Core,active,,,,"Auth request, no correct response_type","Auth request, no correct response_type",T1_c,,,response_type in URL is said should,FALSE,x,,,,,,,,, -,OP-Authentication request-url-missing-response_type,Authentication request URL,,,HTTP 400 error because of 'unsupported_response_type',,Wrong Input,Authentication request,T1_d,"The authentication request is intercepted and the 'response_type' field is removed from the URL. After forwarding the request, the expected output is an incorrect flow",OP,,,,External: T1_d (MIG),OIDC Core,active,,,,,,T1_d,,,response_type in URL is said should,TRUE,x,,,,,,,,, -,OP-Authentication request-token-replay,Authentication request JWT,,,HTTP 400 error because of 'invalid_grant',,Wrong Input,Authentication request,T7_a,"The authentication request in a first session is intercepted and the token present in the request parameter is saved. After forwarding and completing the first session, a second authentication request is initialized and the token saved previously is used in this second session. This results in an incorrect second flow.",OP,,,,External: T7_a (MIG),OIDC Core,active,,,Are replayed JWT's detected (IsJwtReplayDetected),,,T7_a,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,, -,OP-Authentication request-code-length,Authorization code from authorization request,,,String asserting whether the code is valid or not,,Correct Input,Authentication request,Is the authorization code grant supported (CodeFlowSupported),"The OP takes the authorization code from the request and checks the length of the Code, assuring that it is of at least 128 bits. Moreover the entropy of the code is checked. 
If the code is not long enough or it cannot be retrieved (e.g., is null), an error is returned.",OP,,,,External: OAuch,OIDC Core,passive,,,Is the authorization code grant supported (CodeFlowSupported),Support code response_type,,,,,"OAuch has not the source code, thus I cannot understand what it does. Regarding the Conformance profile, the test checks the code length and entropy. Nothing about code length or entropy is said in the specification",TRUE,x,,,,,,,,, -,OP-Authentication request-no-bearer,Authentication response,,,HTTP 302 because of access_denied,,Wrong Input,Authentication request,Are authentication parameters in the URI allowed (IsAuthInUriAllowed),"This test firstly checks if there is a flow needing the authentication via a client secret. Once found, it removes the 'Authorization' field in the header of the request and adds the 'client_id' and 'client_secret' values in the request parameters. If the request is accepted, then the server accepts an authentication via parameters in the URI and is not compliant with the specifications.",OP,,,,External: OAuch,OIDC Core,active,,,Are authentication parameters in the URI allowed (IsAuthInUriAllowed),,,,,,Nothing about this in the specification. I think this is implicit due to the fact that the implicit flow should not be supported and that the request must have the JWT. Maybe can be said more clearly,TRUE,x,,,,,,,,, -,OP-Authentication request-fragment,Authorization endpoint URL,,,"Compliant if the URL has not a fragment, not compliant otherwise",,Correct Input,Authentication request,Does the authorization URL have a fragment (HasFragment),"This analyzes the URL of the authorization endpoint and checks if there is a fragment (#). 
If there a # is present, then there is a fragment and the server is not compliant with the specifications, otherwise the specifications are well-implemented.",OP,,,,External: OAuch,OIDC Core,passive,,,Does the authorization URL have a fragment (HasFragment),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Authentication response-referrer,Referrer policy of the authorization response,,,"Compliant if all the referers are legit, not compliant otherwise",,Correct Input,Authentication response,Does the server suppress the referrer (ReferrerPolicyEnforced),"This test takes the Referrer policy present in the headers and/or in the metadata of the authorization response and checks that every referer is a proper one. If a referer is not valid or if there are not referers (and thus there is not a proper referrer policy), then the specifications are not fully implemented. ",OP,,,,External: OAuch,OIDC Core,passive,,,Does the server suppress the referrer (ReferrerPolicyEnforced),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Authentication request-same-parameter-twice,Authorization response to a request with duplicated parameter,,,"Compliant if the response has not a token, not compliant if it has",,Wrong Input,Authentication request,Does the authorization server allow multiple instances of the same parameter (SameParameterTwiceDisallowed),"This test creates a request with a duplicated parameter and sends it. If the response contains the token, than the authorization server ignored the duplicated parameter and didn't implemented the specifications properly.",OP,,,,External: OAuch,OIDC Core,active,,,Does the authorization server allow multiple instances of the same parameter (SameParameterTwiceDisallowed),,,,,,"Nothing about this in the specification. 
Did not understand why they wait for a token if it is an authentication request -",TRUE,x,,,,,,,,, -,OP-Authentication request-unrecognized-parameter,Authorization response to a request with additional arbitrary parameter,,,"Compliant if the response has not a token, not compliant if it has",,Correct Input,Authentication request,Does the authorization server ignore unrecognized parameters (UnrecognizedParameterAllowed),"Create a request, add an arbitrary parameter and send it. If the server ignores the additional parameter and responds with the token, then it implements the specifications properly, otherwise it does not.",OP,,,,External: OAuch,OIDC Core,active,,,Does the authorization server ignore unrecognized parameters (UnrecognizedParameterAllowed),Ignores not understood query parameter in authentication request,,,,,Nothing about this in the specification. Did not understand why they wait for a token if it is an authentication request,TRUE,x,,,,,,,,, -,OP-Authentication request-missing-sub,Authorization response to a request with a JWT without the sub claim,,,Refuse client authorization: HTTP 400 error because of 'invalid_grant',,Wrong Input,Authentication request,Is JWT subject checked (HasSubjectClaim),A request with a JWT token without the sub claim is created and sent. The server should reject the request.,OP,,,,External: OAuch,OIDC Core,active,,,Is JWT subject checked (HasSubjectClaim),,,,,,The sub parameter in the authentication request is no more required,TRUE,x,,,,,,,,, -,OP-Authentication request-support-ui_locales,Authentication response,,,"Compliant if the Authentication page is showed with the proper language, not compliant otherwise",,Correct Input,Authentication request,Support ui_locales request parameter,"This test includes the ui_locales parameter in the request to the authorization endpoint, with the value set to that provided in the configuration (or 'se' if no value probably). 
Use of this parameter in the request must not cause an error at the OP. Please remove any cookies you may have received from the OpenID Provider before proceeding. You need to do this so you can check that the login page is displayed using one of the requested locales.",OP,,,,External: Reference OpenID Connect Conformance Profiles v3.0,OIDC Core,active,,,,Support ui_locales request parameter,,,,,It is an optional parameter right now. Cannot find the source code,TRUE,x,,,,,,,,, -,OP-Authentication request-wrong-ui_locales,"Authentication response to a request with a wrong ""ui_locales"" field",,,HTTP 302 error code because of invalid_request,,Wrong Input,Authentication request,"Auth request, no correct UI_locales",The authentication request is created and sent with a wrong 'ui_locales' field.,OP,,,,External: Reference spid-cie-oidc-django unit test,OIDC Core,active,,,,,"Auth request, no correct UI_locales",,,,"In the spec it is optional, so we did not consider it as a requirement for an OP to be compliant",TRUE,x,,,,,,,,, -,OP-Authentication response-header-pragma,Authorization response,,,"Compliant if the response has the pragma header, not compliant otherwise",,Correct Input,Authentication response,Is pragma header present (HasPragmaHeader),This test determines whether Pragma header is present in authorization endpoint responses,OP,,,,External: OAuch,OIDC Core,passive,,,Is pragma header present (HasPragmaHeader),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Authentication response-csp,Authorization page,,,"Compliant if it has a Content Security Policy, not compliant otherwise",,Correct Input,Authentication response,Authorization page has Content Security Policy (HasContentSecurityPolicy),This test determines whether the authorization endpoint uses a content security policy to avoid framing of the authorization page.,OP,,,,External: OAuch,OIDC Core,passive,,,Authorization page has Content Security Policy (HasContentSecurityPolicy),,,,,,Nothing 
about this in the specification,TRUE,x,,,,,,,,, -,OP-Authentication response-header-x-frame,Authorization page,,,"Compliant if it has a X-Frame-Options header, not compliant otherwise",,Correct Input,Authentication response,Authorization page has X-Frame-Options header (HasFrameOptions),This test determines whether the authorization endpoint uses the X-Frame-Options header to avoid framing of the authorization page.,OP,,,,External: OAuch,OIDC Core,passive,,,Authorization page has X-Frame-Options header (HasFrameOptions),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Authentication response-header-cache_control,Authorization response,,,"Compliant if it has a Cache-Control header, not compliant otherwise",,Correct Input,Authentication response,Is cache control header present (HasCacheControlHeader),This test determines whether Cache-Control header is present in authorization endpoint responses,OP,,,,External: OAuch,OIDC Core,passive,,,Is cache control header present (HasCacheControlHeader),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Authentication request-pkce-downgrade,Authorization response to a request without the code_challenge and the code_challenge_method parameters,,,"Compliant if the response does not have a token inside, not compliant otherwise",,Correct Input,Authentication request,Is PKCE downgrade detected (authorization request) (IsPkceDowngradeDetected),"Attackers can downgrade PKCE protection without the server noticing. The server should disallow authorization code exchanges where a code_verifier is presented, if there was no code_challenge present in the authorization request.",OP,,,,External: OAuch,OIDC Core,active,,,Is PKCE downgrade detected (authorization request) (IsPkceDowngradeDetected),,,,,,"This type of attack is accomplished via a MITM, where the attacker acts like the OP and tries to downgrade to the plain PKCE, thus making the RP send the code_verifier. 
In the specification there is not written that plain PKCE is not supported, maybe it could be made more clear also specifying that the RP must not try to use plain PKCE an refuses requests where is asked to downgrade. Did not understand why they wait for a token if it is an authentication request -",TRUE,x,,,,,,,,, -,OP-Authentication request-tls,Authorization uri,,,"Compliant if it supports a modern version of TLS, not compliant otherwise",,Correct Input,Authentication request,Does the authorization server support a modern version of TLS (IsModernTlsSupported),This test determines whether the authorization server supports modern versions of the TLS protocol (v1.2 and higher).,OP,,,,External: OAuch,OIDC Core,passive,,,Does the authorization server support a modern version of TLS (IsModernTlsSupported),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Authentication request-post-authentication,Authentication response to a request made with HTTP POST,,,"Compliant if the response does not have a token inside, not compliant otherwise",,Correct Input,Authentication request,Does the server support POST authentication requests (SupportsPostAuthorizationRequests),This test checks whether the authorization server supports sending authentication parameters via a POST request.,OP,,,,External: OAuch,OIDC Core,active,,,Does the server support POST authentication requests (SupportsPostAuthorizationRequests),,,,,,"Did not inserted because it seems that the serialization method used is query string, whereas the one that the specification requires is form serialization. Did not understand why they wait for a token if it is an authentication request",TRUE,x,,,,,,,,, -,OP-Authentication request-query-component-in-redirect,Authentication response,,,"Compliant if the response is successful, not compliant otherwise",,Correct Input,Authentication request,Preserves query parameter in redirect_uri,This test uses a redirect uri with a query component. 
Authorization should complete successfully.,OP,,,,External: Reference OpenID Connect Conformance Profiles v3.0,OIDC Core,active,,,,Preserves query parameter in redirect_uri,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Authentication response-iss,Authentication response to a request with a wrong iss parameter,,,HTTP 302 error code because of invalid_request,,Correct Input,Authentication response,Authentication Response: iss parameter compliance,iss parameter must be https://login.interno.gov.it/,OP,,,,External: MIG,OIDC Core,passive,,,,,,P2_e,,,The value of iss must no more be the one described the one described,TRUE,x,,,,,,,,, -,OP-Authentication response-code-timeout,Authentication response to a delayed request,,,"Compliant if the response does not have the token, not compliant otherwise",,Correct Input,Authentication response,Do authorization codes have a short timeout (AuthorizationCodeTimeout),This test checks if authorization codes time out after at most 10 minutes.,OP,,,,External: OAuch,OIDC Core,active,,,Do authorization codes have a short timeout (AuthorizationCodeTimeout),,,,,,"Nothing is said in the specification about the timeout time of the codes. 
Did not understand why they wait for a token if it is an authentication request -",TRUE,x,,,,,,,,, -,OP-Token request-short-code_verifier,Token response to a request with a short code verifier,,,"Compliant if the response does not have the token, not compliant otherwise",,Wrong Input,Token request,Are insecure code verifiers rejected (ShortVerifier),"try to edit code_verifier and put a value shorter than 32, note it still has to be valid",OP,,,,External: OAuch,OIDC Core,active,,,Are insecure code verifiers rejected (ShortVerifier),,,,,,Nothing is said about the length of the code verifier,TRUE,x,,,,,,,,, -,OP-Token request-asymmetric-authentication,Site settings,,,"Compliant if the server supports client authentication as private_key_jwt or certificates, not compliant otherwise",,Correct Input,Token request,Does the server support asymmetric client authentication (IsAsymmetricClientAuthenticationUsed),"This test determines whether the server supports asymmetric client authentication, such as mTLS or 'private_key_jwt'.",OP,,,,External: OAuch,OIDC Core,active,,,Does the server support asymmetric client authentication (IsAsymmetricClientAuthenticationUsed),,,,,,"Not clear how it works, in CIE the type of authentication is private_key_jwt, but in this test is not clear how this is checked",TRUE,x,,,,,,,,, -,OP-Token request-basic-authentication,Token response to a request without authentication,,,"Compliant if the token received is not valid, not compliant otherwise",,Correct Input,Token request,Is basic authentication supported (IsBasicAuthenticationSupported),This test verifies whether the token endpoint supports the basic authentication scheme (or a more secure authentication scheme) for clients that were issues a password.,OP,,,,External: OAuch,OIDC Core,active,,,Is basic authentication supported (IsBasicAuthenticationSupported),,,,,,"Did not proprerly understand what it does. 
For what I could, it tests if client secrets are used and this is not for our interest",TRUE,x,,,,,,,,, -,OP-Token request-require-client-authentication,Token response to a request without client id and client secret,,,"Compliant if the response does not contain a token, not compliant otherwise",,Wrong Input,Token request,Is client authentication required (IsClientAuthenticationRequired),Try to not authenticate as the client to the token endpoint,OP,,,,External: OAuch,OIDC Core,active,,,Is client authentication required (IsClientAuthenticationRequired),,,,,,"Is tried to remove the client id and secret, in CIE authentication is performed via JWT",TRUE,x,,,,,,,,, -,OP-Token request-get-requests,Token response to a request made with HTTP GET,,,"Compliant if the response does not contain a token, not compliant otherwise",,Correct Input,Token request,Does the token server support GET requests (IsGetSupported),This test checks if the token server supports GET requests.,OP,,,,External: OAuch,OIDC Core,active,,,Does the token server support GET requests (IsGetSupported),,,,,,In the specification is not specified which type of request the token endpoint accepts (even though examples show a POST request). A similar test is created for the authorization endpoint,TRUE,x,,,,,,,,, -,OP-Token request-require-https,Token response to a request made to the URI with http scheme,,,"Compliant if the response does not contain a token, not compliant otherwise",,Wrong Input,Token request,Is HTTPS required at the token endpoint (IsHttpsRequired),This test checks whether the token endpoint enforces HTTPS connections,OP,,,,External: OAuch,OIDC Core,active,,,Is HTTPS required at the token endpoint (IsHttpsRequired),,,,,,I think it is trivial but in the specification I did not find that HTTPS is required. 
For this reason I did not create a test,TRUE,x,,,,,,,,, -,OP-Token request-tls,Site settings,,,"Compliant if the token server supports modern versions of TLS, not compliant otherwise",,Correct Input,Token request,Does the token server support a modern version of TLS (IsModernTlsSupported),This test determines whether the token server supports modern versions of the TLS protocol (v1.2 and higher).,OP,,,,External: OAuch,OIDC Core,active,,,Does the token server support a modern version of TLS (IsModernTlsSupported),,,,,,I think it is trivial but in the specification I did not find that the most updated TLS (and thus HTTPS) is required. For this reason I did not create a test. Moreover I did not properly understand how the test works,TRUE,x,,,,,,,,, -,OP-Token request-password-disabled,Token request,,,"Compliant if the server does not support the password flow (grant_type set to password), not compliant otherwise",,Wrong Input,Token request,Is the password flow disabled (IsPasswordFlowDisabled),Check that the password flow is disabled ,OP,,,,External: OAuch,OIDC Core,active,,,Is the password flow disabled (IsPasswordFlowDisabled),,,,,,In the specification the authorization code flow is used but nothing is said about this type of flow. It is true that if an entity uses the password flow it is not compliant but it would fail all the other tests anyway. I think this is trivial. 
Moreover I did not properly understand how the test works,TRUE,x,,,,,,,,, -,OP-Token request-refresh-authentication,Token response to a request with a refresh token and without client id and client secret (as authentication),,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Is refresh authentication required (IsRefreshAuthenticationRequired),Check to not authenticate when asking a token with a refresh token,OP,,,,External: OAuch,OIDC Core,active,,,Is refresh authentication required (IsRefreshAuthenticationRequired),,,,,,"It tries to remove client id and secret and make a request, we do not care about this test because the required authentication method is the signed JWT",TRUE,x,,,,,,,,, -,OP-Token request-refresh_token-bound,Token response to a request with a refresh token and with a wrong client id as authentication method,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Is the refresh token bound to a client (IsRefreshBoundToClient),Try to use the refresh token with another client,OP,,,,External: OAuch,OIDC Core,active,,,Is the refresh token bound to a client (IsRefreshBoundToClient),,,,,,"This test seems to try to use the refresh token with another client, and see if an access token is sent back. In the specification I did not really find something that says to not do this. 
Must the OP check the client when exchanging a refresh token?",TRUE,x,,,,,,,,, -,OP-Token request-use-code-twice,Token response to a request containing a code already exchanged,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Can codes be exchanged multiple times (MultipleCodeExchanges),Try to use authorization code twice,OP,,,,External: OAuch,OIDC Core,active,,,Can codes be exchanged multiple times (MultipleCodeExchanges),Reject second use of authorization code,,,,,Nothing about invalidating the authorization code is said in the specification,TRUE,x,,,,,,,,, -,OP-Token request-check-redirect_uri,Token response to a request with a wrong redirect uri,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Is the redirect URI checked when exchanging a code (RedirectUriChecked),"Try to use a not registered redirect uri, try to set it differently from the authorization request",OP,,,,External: OAuch,OIDC Core,active,,,Is the redirect URI checked when exchanging a code (RedirectUriChecked),,,,,,"In CIE/SPID the redirect uri must be checked when asking for a code, not when exchanging it",TRUE,x,,,,,,,,, -,OP-Token request-parameter-twice,Token response to a request with a parameter duplicated,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Does the token endpoint allow multiple instances of the same parameter (SameParameterTwiceDisallowed),Try to put a parameter twice in the token request,OP,,,,External: OAuch,OIDC Core,active,,,Does the token endpoint allow multiple instances of the same parameter (SameParameterTwiceDisallowed),,,,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,, -,OP-Token request-tokens-invalidated-after-multiple-exchange,Introspection response to a request containing an access token whose code was exchanged twise,,,"Compliant if the response says that the token is not valid, not 
compliant otherwise",,Wrong Input,Token request,Are tokens invalidated after exchanging the same code multiple times (TokenValidAfterMultiExchange),"Get a token, assure it works, try to exchange same code again, see if the token still works",OP,,,,External: OAuch,OIDC Core,active,,,Are tokens invalidated after exchanging the same code multiple times (TokenValidAfterMultiExchange),Second use of Authorization code revokes previously issued Access Token,,,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,, -,OP-Token request-ignore-unrecognized-parameter,Token response to a request with unkown parameters,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Does the token endpoint ignore unrecognized parameters (UnrecognizedParameterAllowed),Try to add invalid parameters,OP,,,,External: OAuch,OIDC Core,active,,,Does the token endpoint ignore unrecognized parameters (UnrecognizedParameterAllowed),,,,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,, -,OP-Token request-pkce-downgrade,Authorization response to a request without the code_challenge and the code_challenge_method parameters,,,"Compliant if the response does not have a token inside, not compliant otherwise",,Wrong Input,Token request,Is PKCE downgrade detected (token request) (IsPkcePlainDowngradeDetected),"Attackers can downgrade PKCE protection without the server noticing. The authorization request used S256 PKCE, but an attacker can downgrade this to plain PKCE by modifying the token request.",OP,,,,External: OAuch,OIDC Core,active,,,Is PKCE downgrade detected (token request) (IsPkcePlainDowngradeDetected),,,,,,"This type of attack is accomplished via a MITM, where the attacker acts like the OP and tries to downgrade to the plain PKCE, thus making the RP send the code_verifier. 
In the specification there is not written that plain PKCE is not supported, maybe it could be made more clear also specifying that the RP must not try to use plain PKCE. Regarding the test, the code is not available",TRUE,x,,,,,,,,, -,OP-Token request-max_age,Two ID Tokens,,,"Compliant if the second ID token has an auth_time parameter and the user is asked to log in again, not compliant otherwise",,Wrong Input,Token request,Support max_age request parameter,"This test calls the authorization endpoint test twice. The second time it waits 1 second and includes max_age=1, so that the authorization server is required to ask the user to login a second time and must return an auth_time claim in the second id_token. A screenshot of the second authorization should be uploaded.",OP,,,,External: OpenID Connect Conformance Profile,OIDC Core,active,,,,"Support max_age request parameter, ID token has auth_time claim when max_age in request",,,,,Parameter not used in CIE,TRUE,x,,,,,,,,, -,OP-Token request-max_age-not-reached,Two ID Tokens,,,"Compliant if the second ID token has an auth_time parameter and the user is not asked to log in again, not compliant otherwise",,Wrong Input,Token request,Support max_age request parameter when max age not reached,"This test calls the authorization endpoint test twice. The first time it includes max_age=15000 (so that the OP is required to return auth_time in the id_token). The second time it includes max_age=10000, and the authorization server must not request that the user logs in. 
The test verifies that auth_time and sub are consistent between the id_tokens from the first and second authorizations.",OP,,,,External: OpenID Connect Conformance Profile,OIDC Core,active,,,,Support max_age request parameter when max age not reached,,,,,Parameter not used in CIE,TRUE,x,,,,,,,,, -,OP-Token request-reject-code-second-use,Token response to a request with an already used code,,,"Compliant if the server returns an error and invalidate the previously-issued access token, not compliant otherwise",/ todo 0809,Wrong Input,Token request,Reject second use of authorization code after 30 seconds,"This test tries using an authorization code for a second time, 30 seconds after the first use. The server must return an invalid_grant error as the authorization code has already been used. The originally issued access token should be revoked (as per RFC6749-4.1.2) - a warning is issued if the access token still works.",OP,,,,External: OpenID Connect Conformance Profile,OIDC Core,active,,,,Reject second use of authorization code after 30 seconds,,,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,, -,OP-Token response-correct-content_type,Token response,,,"Compliant if the content-type header is application/json, not compliant otherwise",,Correct Input,Token response,response MUST have Content-Type 'application/json',This test takes the token response header and checks the Content-type,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.2.0,In the example of the token response the content type is the same but it is not said to be mandatory or necessary,TRUE,x,,,,,,,,, -,OP-Token response-header-correct-cache_control,Token response,,,"Compliant if the cache-control header is no-store, not compliant otherwise",,Correct Input,Token response,response MUST have HTTP response header Cache-Control with value 'no-store',This test takes the token response header and checks the Cache-control,OP,,,,External: spid-oidc-check-op,OIDC 
Core,passive,,,,,,,,3.2.2,Nothing about this is said in the specification,TRUE,x,,,,,,,,, -,OP-Token response-header-correct-pragma,Token response,,,"Compliant if the pragma header is no-cache, not compliant otherwise",,Correct Input,Token response,response MUST have HTTP response header Pragma with value 'no-cache',This test takes the token response header and checks the pragma,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.2.3,Nothing about this is said in the specification,TRUE,x,,,,,,,,, -,OP-Token response-correct-expires_in,Token response,,,"Compliant if the expires_in parameter is less or equal to 900, not compliant otherwise",,Correct Input,Token response,the value of expires_in MUST be <= 900,This test takes the token response and checks the presence of the expires_in parameter in the data,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.2.13,parameter not correct (exp). expiration time in specification is not clear,TRUE,x,,,,,,,,, -,OP-Token response-id-token-payload-correct-acr,ID token in the token response,,,"Compliant if the acr parameter is present and contains only values among ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3'], not compliant otherwise",,Correct Input,Token response,"ID Token Payload: the value of acr MUST be one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']","This test takes the ID token in the token response, decrypt it and checks the presence of the acr values",OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.3.10,The values are no more defined like that,TRUE,x,,,,,,,,, -,OP-Token response-id_token-payload-exp-authorization_code,ID token in the token response,,,"Compliant if the ID token payload contains the grant_type claim set to 'authorization_code', the iat claim and the exp claim is set to iat + 5 min. 
Not compliant otherwise",,Correct Input,Token response,"ID Token Payload: if grant_type was 'authorization_code', the value of exp MUST be = iat + 5min","This test takes the ID token in the token response, decrypt it and checks the presence of the grant_type, iat and exp claims",OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.3.21,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Token response-id_token-payload-exp-refresh_token,ID token in the token response,,,"Compliant if the ID token payload contains the grant_type claim set to 'refresh_token', the iat claim and the exp claim is set to iat + 30 days. Not compliant otherwise",,Correct Input,Token response,"ID Token Payload: if grant_type was 'refresh_token', the value of exp MUST be = iat + 30 days - (iat of original authentication)","This test takes the ID token in the token response, decrypt it and checks the presence of the grant_type, iat and exp claims",OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.3.22,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Token response-access_token-payload-exp-time,Access token in the token response,,,Compliant if the Access token payload contains the iat claim and the exp claim is set to iat + 15 min. 
Not compliant otherwise,,Correct Input,Token response,Access Token Payload: the value of exp MUST be = iat + 15min,"This test takes the Access token in the token response, decrypt it and checks the presence of the iat and exp claims",OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.4.13,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Token response-key-references,ID Token in the token response,,,"Not compliant if the ID token contains one parameter among { 'x5u', 'x5c', 'jku', 'jwk' }, compliant otherwise",,Correct Input,Token response,Are references to keys communicated using discovery and registration parameters (KeyReferences),"This test determines whether the identity token uses keys that are communicated in advance using Discovery and Registration parameters, instead of the JWS x5u, x5c, jku and jwk header claims.",OP,,,,External: OAuch,OIDC Core,passive,,,Are references to keys communicated using discovery and registration parameters (KeyReferences),,,,,,"This tests check discovery for the keys, in the CIE case the key exchange is a matter of federation. 
This is not a useful test",TRUE,x,,,,,,,,, -x,RP-Token request-Assertion-aud,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the aud claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the aud claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | aud,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the aud claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -,OP-Metadata-claims-spid,metadata,,,"Compliant if the claim claim in the metadata contains all the spid attributes, not compliant otherwise",,Correct Input,Metadata,claims supported should be all the spid attributes,"If present, the value of claims_supported MUST be all the SPID attributes (see table of SPID attributes for OIDC)",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.4.8,Claim no more used,TRUE,x,,,,,,,,, -,OP-Metadata-valid-url,Metadata URL,,,"Compliant if the metadata are on a valid URL, not compliant otherwise",,Correct Input,Metadata,1.0.0,Metadata file MUST be on a valid URL of the OP,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.0.0,It is trivial but there is not written to use HTTPS,TRUE,x,,,,,,,,, -,OP-Metadata-correct-url,Metadata URL,,,"Compliant if the metadata are on a URL composed like /.well-known/openid-configuration, not compliant otherwise",,Correct Input,Metadata,1.1.0,Document URL MUST be /.well-known/openid-configuration,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.1.0,Metadata 
in the CIE federation are published in the .well-known/openid-federation,TRUE,x,,,,,,,,, -,OP-Metadata-correct-content_type,Response to a metadata request,,,"Compliant if the header 'Content-Type' is set to application/json, not compliant otherwise",,Correct Input,Metadata,1.1.3,The document MUST be returned as Content-Type application/json,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.1.3,"It is not specified but in the examples the content type is ""application/entity-statement+jwt""",TRUE,x,,,,,,,,, -,OP-Metadata-not-contain-request_object_encryption_alg_values_supported,OP's Metadata,,,"Compliant if the request_object_encryption_alg_values_supported parameter is not present, not compliant otherwise",,Correct Input,Metadata,1.3.23,The metadata must not contain the claim request_object_encryption_alg_values_supported,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.3.23,claim no more used. Test is changed recently. Nothing is said about the prohibition of this parameter,TRUE,x,,,,,,,,, -,OP-Metadata-not-contain-request_object_encryption_enc_values_supported,OP's Metadata,,,"Compliant if the request_object_encryption_enc_values_supported parameter is not present, not compliant otherwise",,Correct Input,Metadata,1.3.24,The metadata MUST NOT contain the claim request_object_encryption_enc_values_supported,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.3.24,claim no more used. Test is changed recently. 
Nothing is said about the prohibition of this parameter,TRUE,x,,,,,,,,, -,OP-Metadata-contain-request_parameter_supported,OP's Metadata,,,"Compliant if the request_parameter_supported parameter is present, not compliant otherwise",,Correct Input,Metadata,1.3.25,The metadata MUST contain the claim request_parameter_supported,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.3.25,claim no more used,TRUE,x,,,,,,,,, -,OP-Metadata-request_parameter_supported-true,OP's Metadata,,,"Compliant if the request_parameter_supported parameter is present and set to true, not compliant otherwise",,Correct Input,Metadata,1.3.26,The value of request_parameter_supported MUST be true,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.3.26,claim no more used,TRUE,x,,,,,,,,, -,OP-Metadata-claims_parameter_supported-true,Metadata,,,"Compliant if the claims_parameter_supported claim is present and set to true, not compliant if it present but not set to true",,Correct Input,Metadata,1.4.10,"If present, the value of claims_parameter_supported MUST be true",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.4.10,claim no more used,TRUE,x,,,,,,,,, -,OP-Metadata-token_endpoint_auth_methods_supported-private_key_jwt,Metadata,,,"Compliant if the token_endpoint_auth_methods_supported claim is present and contains the value private_key_jwt, not compliant if it present but does not contain the value private_key_jwt",,Correct Input,Metadata,1.4.5,"If present, the token_endpoint_auth_methods_supported MUST be ['private_key_jwt']",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.4.5,claim no more used,TRUE,x,,,,,,,,, -,OP-Metadata-correct-request_object_encryption_alg_values_supported,Metadata,,,"Compliant if the request_object_encryption_alg_values_supported claim is present and set to ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it present but is set differently",,Correct Input,Metadata,1.5.7,"The request_object_encryption_alg_values_supported MUST be 
['RSA-OAEP', 'RSA-OAEP-256']",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.5.7,Claim no more used,TRUE,x,,,,,,,,, -,OP-Metadata-correct-request_object_encryption_enc_values_supported,Metadata,,,"Compliant if the request_object_encryption_enc_values_supported claim is present and set to ['A128CBC-HS256', 'A256CBC-HS512'], not compliant if it present but is set differently",,Correct Input,Metadata,1.5.8,"The request_object_encryption_enc_values_supported MUST be ['A128CBC-HS256', 'A256CBC-HS512']",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.5.8,Claim no more used,TRUE,x,,,,,,,,, -,OP-Metadata-correct-token_endpoint_auth_signing_alg_values_supported,Metadata,,,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is present and set to ['RS256', 'RS512'], not compliant if it present but is set differently",,Correct Input,Metadata,1.5.9,"If present, the token_endpoint_auth_signing_alg_values_supported MUST be ['RS256', 'RS512']",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.5.9,Claim no more used,TRUE,x,,,,,,,,, -x,RP-Token request-Assertion-aud-type,Token request's client assertion,Token request,Trigger Token request,"Compliant if the aud claim in the client assertion JWT is set to an URL, not Compliant otherwise",JWT parameter type,Correct Input,Token request,Does the signed JWT assertion contain a correct aud claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. 
Its value must be an URL",RP,,"Token request | body | (?<=client_assertion=)([^&]+) | payload | | {""type"": ""object"", ""properties"": {""aud"": {""type"": ""array"", ""format"": ""uri-reference""}}, ""required"": [""aud""]}","The client assertion parameter contains a single (signed) JWT which must contain, among others, the aud claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Token request-Assertion-exp,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the exp claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the exp claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | exp,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the exp claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Token request-Assertion-exp-type,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the exp claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token request,Does the signed JWT assertion contain a correct exp claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. 
Its value must be a timestap",RP,,"Token request | body | (?<=client_assertion=)([^&]+) | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}","The client assertion parameter contains a single (signed) JWT which must contain, among others, the exp claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Token request-Assertion-iat,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the iat claim and its value is a timestamp before the current one, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the iat claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | iat,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iat claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Token request-Assertion-iat-type,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the iat claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token request,Does the signed JWT assertion contain a correct iat claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. 
Its value must be a timestap",RP,,"Token request | body | (?<=client_assertion=)([^&]+) | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}","The client assertion parameter contains a single (signed) JWT which must contain, among others, the iat claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -,OP-Authentication request-require-https-authentication_request,HTTP response from the authorization endpoint,,,"Compliant if the server returns an HTTP error, not compliant otherwise",,Wrong Input,Authentication request,OP authentication requests use HTTPS,"This test is performed trying to make a request to the Authorization endpoint with http and not with https. If the endpoint refuses the connection, then the use of HTTPS is required and thus, the server respects the specification. If otherwise the request is accepted, it means that the server automatically upgrades to HTTPS and then it is not compliant with the specifications.",OP,,,,External: OAuch,OIDC Core,passive,,,Is HTTPS required at the authorization endpoint (IsHttpsRequired),All OP endpoints use https,,,,,It is trivial but in the specification is not specified for the authorization endpoint to have an HTTPS URL,TRUE,x,,,,,,,,, -,OP-Authentication request-require-https-revocation_request,HTTP response from the revocation endpoint,,,"Compliant if the server returns an HTTP error, not compliant otherwise",,Wrong Input,Authentication request,OP revocation requests use HTTPS,"This test is performed trying to make a request to the Revocation endpoint with http and not https. If the endpoint refuses the connection, then the use of HTTPS is required and thus, the server respects the specification. 
If otherwise the request is accepted, it means that the server automatically upgrades to HTTPS and then it is not compliant with the specifications.",OP,,,,External: OAuch,OIDC Core,passive,,,Is the revocation endpoint secure (IsRevocationEndpointSecure),Uses https for all endpoints unless only using code flow,,,,,It is trivial but in the specification is not specified for the revocation endpoint to have an HTTPS URL,TRUE,x,,,,,,,,, -,OP-Revocation request-require-client-authentication,Revocation response to revocation request without any authentication,,,"Compliant if the server rejects the request, not compliant otherwise",,Wrong Input,Revocation request,Does revocation require client authentication (IsClientAuthRequired),This test checks if the revocation endpoint requires client authentication.,OP,,,,External: OAuch,OIDC Core,active,,,Does revocation require client authentication (IsClientAuthRequired),,,,,,Cannot understand what they mean for authentication method,TRUE,x,,,,,,,,, -,OP-Revocation request-tls,Revocation Endpoint URI,,,"Compliant if newer TLS protocols are supported, not compliant otherwise",,Correct Input,Revocation request,Does the revocation endpoint support a modern version of TLS (IsModernTlsSupported),This test determines whether the revocation endpoint supports modern versions of the TLS protocol (v1.2 and higher).,OP,,,,External: OAuch,OIDC Core,passive,,,Does the revocation endpoint support a modern version of TLS (IsModernTlsSupported),,,,,,Not required in the specification. 
Did not understand how the test works,TRUE,x,,,,,,,,, -,OP-Userinfo request-form-encoded-body),Userinfo response to a POST request with the token in the body,,,"Compliant if the response is an HTTP 200 OK and thus the server accepts the token in the body, not compliant otherwise",,Correct Input,Userinfo request,Userinfo Endpoint access with form-encoded body method,"This tests makes an authenticated POST request to the UserInfo endpoint with the access token in the body and validates the response. Support for passing an access token in the request body is not required by the standards - if is acceptable for servers not to implement this form, and the test will complete with a 'warning' if the server returns a http error response.",OP,,,,External: OpenID Connect Conformance Profiles v3.0,OIDC Core,passive,,,,Userinfo Endpoint access with form-encoded body method,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, -,OP-Userinfo request-correct-request,Userinfo response,,,None,,Correct Input,Userinfo request,request correct,This test simply does a correct request to the userinfo endpoint without analyzing the response,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.0.0,This test simply does a correct request without analyzing the response. 
It is trivial and covered from other tests,TRUE,x,,,,,,,,, -,OP-Userinfo response-correct-signature-alg,Userinfo response,,,"Compliant if the userinfo response is signed with RS256, not compliant otherwise",,Correct Input,Userinfo response,Can provide signed userinfo response with RS256,This tests register a client with userinfo_signed_response_alg=RS256 and validates the signed response from the userinfo endpoint,OP,,,,External: OpenID Connect Conformance Profiles v3.0,OIDC Core,passive,,,,Can provide signed userinfo response with RS256,,,,4.4.0,alg parameter is no more used,TRUE,x,,,,,,,,, -,OP-Userinfo response-content-type,Userinfo response header,,,"Compliant if the Content-Type header is 'application/jwt', not compliant otherwise",,Correct Input,Userinfo response,4.2.0,response MUST have Content-Type 'application/jwt',OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.2.0,"Not specified in the specification (for CIE, not for SPID) but in the example the content type is ""application/jose""",TRUE,x,,,,,,,,, -,OP-Userinfo response-JWT-payload-valid-iat,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the iat claim in the payload and it is a valid unix time, not compliant otherwise",,Correct Input,Userinfo response,4.4.10,Userinfo Signed Token Payload: the value of iat MUST be a valid unix time,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.10,Parameter present in the example but not in the text,TRUE,x,,,,,,,,, -,OP-Userinfo response-JWT-payload-correct-iat,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the iat claim in the payload, it is a valid unix time and is less than the current time + 3 min, not compliant otherwise",,Correct Input,Userinfo response,4.4.11,Userinfo Signed Token Payload: the value of iat MUST be < current date + 3min,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.11,Parameter present in the example but not in the text,TRUE,x,,,,,,,,, 
-,OP-Userinfo response-JWT-payload-exp,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the exp claim in the payload, not compliant otherwise",,Correct Input,Userinfo response,4.4.12,Userinfo Signed Token Payload: claim exp MUST be present,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.12,Parameter present in the example but not in the text,TRUE,x,,,,,,,,,
-,OP-Userinfo response-JWT-payload-valid-exp,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the exp claim in the payload and it is a valid unix time, not compliant otherwise",,Correct Input,Userinfo response,4.4.13,Userinfo Signed Token Payload: the value of exp MUST be a valid unix time,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.13,Parameter present in the example but not in the text,TRUE,x,,,,,,,,,
-,OP-Userinfo response-JWT-header-kid,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the kid claim in the header, not compliant otherwise",,Correct Input,Userinfo response,4.4.2,Userinfo Signed Token Header: claim kid MUST be present,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.2,Claim present in the example but not in the text of the specification. 
We ignored it,TRUE,x,,,,,,,,,
-,OP-Userinfo response-JWT-payload-correct-iss,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the iss claim in the payload and it is equal to the URL of the OP, not compliant otherwise",,Correct Input,Userinfo response,4.4.6,Userinfo Signed Token Payload: the value of iss MUST be equal to the URL of the OP,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.6,Nothing about this in the specification,TRUE,x,,,,,,,,,
-,OP-Userinfo response-JWT-payload-iat,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the iat claim in the payload, not compliant otherwise",,Correct Input,Userinfo response,4.4.9,Userinfo Signed Token Payload: claim iat MUST be present,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.9,claim no more required,TRUE,x,,,,,,,,,
-,OP-OP requests-support-old-tls,OAuth endpoints URI,,,"Compliant if none of them has in the supported protocols older versions of TLS, not compliant otherwise",,Wrong Input,OP requests,Are deprecated TLS versions supported on the OAuth endpoints (IsDeprecatedTlsSupported),This test determines whether the OAuth endpoints supports older versions of the TLS protocol (v1.0 and 1.1) or any version of the SSL protocol.,OP,,,,External: OAuch,OIDC Core,active,,,Are deprecated TLS versions supported on the OAuth endpoints (IsDeprecatedTlsSupported),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,,
-,OP-OP requests-trusted-certificate,OAuth authorization URI,,,"Compliant if the URI has a valid certificate, not compliant otherwise",,Correct Input,OP requests,Trusted authorization certificate (HasValidCertificate),This test determines whether the certificate that is being used by the authorization server is widely trusted.,OP,,,,External: OAuch,OIDC Core,passive,,,Trusted authorization certificate (HasValidCertificate),,,,,,"Nothing about certificates in the specification, I think it is a test that does not 
concern properly the CIE ecosystem",TRUE,x,,,,,,,,,
-,OP-OP responses-attach-fragment,Authentication response,,,"Compliant if the URI has a fragment attached and nothing after it, not compliant otherwise",,Correct Input,OP responses,Does the server attach a fragment (FragmentFix),This test checks whether the server attaches an arbitrary fragment identifier to prevent browsers from reattaching fragments to redirection URLs.,OP,,,,External: OAuch,OIDC Core,passive,,,Does the server attach a fragment (FragmentFix),,,,,,Nothing about fragments in the specification,TRUE,x,,,,,,,,,
-,OP-OP responses-header-x-frame,Authentication response,,,"Compliant if the response has the X-Frame-Options header, not compliant otherwise",,Correct Input,OP responses,P3_a,All responses from the OP should contain X-Frame-Options header,OP,,,,External: MIG,OIDC Core,passive,,,,,,P3_a,,,Nothing about x-frame-options in the specification,TRUE,x,,,,,,,,,
-,OP-OP responses-correct-redirect,Authentication response,,,"Compliant if the is not a 307 redirect, not compliant otherwise",,Correct Input,OP responses,P3_b,All responses from the OP should not have HTTP 307 code,OP,,,,External: MIG,OIDC Core,passive,,,,,,P3_b,,,Nothing about 307 redirect in the specification. This should be regulated by the last BCP of OAuth. 
It could be made more clear by specifying to avoid this kind of redirect,TRUE,x,,,,,,,,,
-x,RP-Token request-Assertion-jti,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the jti claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the jti claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | jti,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the jti claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-Assertion-sub,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the sub claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the sub claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | sub,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the sub claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-Assertion-sub-value,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the sub claim and it is set to the same value of the iss claim, not Compliant otherwise",JWT Check-Save to JWT_same message,Correct Input,Token request,Does the JWT payload contain a correct sub claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value",RP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss,payload | sub | saved_iss,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the sub claim. 
This claim must be set to the same value of iss",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-client_assertion,Token request,Token request,Trigger Token request,"Compliant if the Token request contains the client_assertion parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the client_assertion,The token request sent by the RP must contain client_assertion parameter in the URL,RP,,Token request | body | client_assertion,An RP doing a Token Request must insert the client_assertion parameter in the request and it is a signed JWT,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-client_assertion_type,Token request,Token request,Trigger Token request,"Compliant if the Token Request contains the client_assertion_type parameter,not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the client_assertion_type,The token request sent by the RP must contain client_assertion_type parameter in the URL,RP,,Token request | body | client_assertion_type,An RP doing a Token Request must insert the client_assertion_type parameter in the request and it must be set to 'urn:ietf:params:oauth:client-assertion-type:jwtbearer',SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-client_assertion_type-value,Token request,Token request,Trigger Token request,"Compliant if the client_assertion_type 
parameter in the request is urn:ietf:params:oauth:clientassertion-type:jwt-bearer, not compliant otherwise",HTTP parameter value,Correct Input,Token request,Does the client_assertion_type parameter in the token request contain the correct type,The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer,RP,,Token request | body | client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer,An RP doing a Token Request must insert the client_assertion_type parameter in the request and it must be set to 'urn:ietf:params:oauth:client-assertion-type:jwtbearer',SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-client_assertion-signature,Token request's client assertion,Token request,Trigger Token request,"Compliant if the signature of the client_assertion parameter in the token request is valid, not Compliant otherwise",JWT signature check,Correct Input,Token request,Does the client_assertion in the token request have a correct signature,The client_assertion parameter in the token request sent by the RP must be a JWT with a signature,RP,,Token request | body | (?<=client_assertion=)([^&]+) | X_key_core_RP,An RP doing a Token Request must insert the client_assertion parameter in the request and it is a signed JWT,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-client_assertion-type,Token request,Token request,Trigger Token request,"Compliant if the client_assertion parameter in the token request is a valid JWT, 
not Compliant otherwise",HTTP parameter type,Correct Input,Token request,Does the client_assertion in the token request contain a JWT,The client_assertion parameter in the token request sent by the RP must be a JWT,RP,,Token request | body | client_assertion=([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)(?:&|$),An RP doing a Token Request must insert the client_assertion parameter in the request and it is a signed JWT,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-client_id,Token request,Token request,Trigger Token request,"Compliant if the token request contains the client_id parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the client_id,The token request sent by the RP must contain client_id parameter in the URL,RP,,Token request | body | client_id,An RP doing a Token Request must insert the client_id parameter in the request and it has to be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-code,Token request,Token request,Trigger Token request,"Compliant if the Token Request contains the code parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the code parameter,The token request sent by the RP must contain code parameter in the URL,RP,,Token request | body | code,"An RP doing a Token Request must set the grant_type parameter in the request to 'authorization_code', than it must contain the code and the code_verifier",SPID_CIE_OIDC#Token-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-code_verifier,Token request,Token request,Trigger Token request,"Compliant if the Token Request contains the code_verifier parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the code_verifier parameter,The token request sent by the RP must contain code_verifier parameter in the URL,RP,,Token request | body | code_verifier,"An RP doing a Token Request must set the grant_type parameter in the request to 'authorization_code', than it must contain the code and the code_verifier",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-grant_type,Token request,Token request,Trigger Token request,"Compliant if the Token Request contains the grant_type parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the grant_type parameter,The token request sent by the RP must contain grant_type parameter in the URL,RP,,Token request | body | grant_type,An RP doing a Token Request must insert the grant_type parameter in the request,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-grant_type-value,Token request,Token request,Trigger Token request,"Compliant if the Token Request set the grant_type parameter to authorization_code or refresh_token, not Compliant otherwise",HTTP list value,Correct Input,Token request,Does the token request contain a correct grant_type 
parameter,The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked,RP,,"Token request | body | (?<=grant_type=)([^&]+) | [""authorization_code"", ""refresh_token""]",An RP doing a Token Request must set the grant_type parameter in the request to 'authorization_code' or 'refresh_token',SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-http_post,Token request,Token request,Trigger Token request,"Compliant if the Token request is sent in HTTP POST, not Compliant otherwise",HTTP parameter type,Correct Input,Token request,Does the token request use HTTP POST,The token request sent by the RP must be sent in HTTP POST,RP,,Token request | head | POST,An RP doing a Token Request must be done via HTTP POST,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-url-client_id-type,Token request,Token request,Trigger Token request,Compliant if the token request contains a client_id parameter and it is an HTTPS URL. 
Not Compliant otherwise,JSON parameter type,Correct Input,Token request,Does the client_id in the token request contain an HTTPS URL,The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL,RP,,"Token request | body | | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]})",An RP doing a Token Request must insert the client_id parameter in the request and it has to be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,URL รè HTTP non HTTPS
-x,RP-Token request-url-client_id-value,Token request,Token request,Trigger Token request,Compliant if the token request contains a client_id parameter identifying the RP. Not Compliant otherwise,HTTP parameter value,Correct Input,Token request,Does the client_id in the token request identifies the RP,The client_id parameter in the URL of the token request is taken. 
This parameter must identify the RP,RP,,Token request | body | client_id | X_https_RP,An RP doing a Token Request must insert the client_id parameter in the request and it has to be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-Assertion-iss,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the iss claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the JWT payload contain 'iss' claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iss claim. This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token request-Assertion-iss-value,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the iss claim and it is set to the client ID of the RP making the request, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Token request,Does the JWT payload contain a correct 'iss' claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. 
Its value must be an URL identifying the RP",RP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id | client_id,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iss claim. This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
-o,OP-Token response-cache-control-value,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has Cache-Control set to 'no-store', not Compliant otherwise",HTTP parameter presence_1,Correct Input,Token response,Does the token response have Cache-Control set to 'no-store',This test verifies the presence of Cache-Control set to 'no-store' in the token response.,OP,,Token response | head | Cache-Control | no-store,The error Token response must have Cache-Control set to 'no-store',SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro Cache-Control
-x,OP-Token response-id_token-encryption,ID Token,Token response,Trigger Token response,"Compliant if the ID Token obtained in the Token Response is a nested signed and encrypted JWT, not compliant otherwise",/ manual: check signature,Correct Input,Token response,Does the OP encrypt the ID Token when the 'id_token_encrypted_response_alg' parameter is exposed in the RP's metadata,"To test this OP functionality, a flow is started using an RP that exposes the 'id_token_encrypted_response_alg' parameter. 
Once received the ID Token, it has to be not only signed but also encrypted",OP,,,If the RP exposes in its metadata the parameter id_token_encrypted_response_alg the OP MUST encrypt the ID Token. In this case the ID Token MUST be a nested signed and encrypted JWT,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_alg
-o,OP-Token response-refresh_token-header-alg,Refresh Token Header,Token response,Trigger Token response,"Compliant if the alg parameter in the Refresh Token Header is present, not compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain the 'alg' parameter in the Header,"In this test, the Refresh Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | header | alg",The JWT Refresh Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-Refresh-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed,
-o,OP-Token response-refresh_token-header-alg-value-correct,Refresh Token Header,Token response,Trigger Token response,"Compliant if the alg parameter in the Refresh Token Header contains a value among RS256 and RS512, not compliant otherwise ",/ manual: check content,Correct Input,Token response,Does the issued JWT Refresh Token contain a correct 'alg' parameter in the Header,"In this test, the Refresh Token is taken from the Token Response, the header is base64url decoded and the presence 
of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']",OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | header | alg | [""RS256"", ""RS512""]",The JWT Refresh Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-Refresh-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,H,Mismatch of content,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed,
-o,OP-Token response-refresh_token-header-alg-value-wrong,Refresh Token Header,Token response,Trigger Token response,"Compliant if the alg parameter in the Refresh Token Header contains a value among RS256 and RS512, not Compliant if it contains values among ['none', 'HS256', 'HS384', 'HS512'] or is empty",/ manual: wrong parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain a wrong 'alg' parameter in the Header,"In this test, the Refresh Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.",OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The JWT Refresh Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-Refresh-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,H,Presence of a wrong parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed,
-x,OP-Token response-refresh_token-payload-aud-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload has the aud parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain the 'aud' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.,OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | payload | aud",The Refresh Token MUST contain the aud parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed,
-x,OP-Token response-access_token-payload-aud-value,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the aud parameter set to the UserInfo endpoint, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Access Token contain a correct 'aud' parameter,The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload should contain the UserInfo endpoint.,OP,,"Token response | body | (?<=\""access_token\"": \"")[^\""]+ | payload | aud[?(@ 
=~ /.*\/userinfo.*/)]",The JWT Access Token Payload requires the aud parameter and it must contain the UserInfo endpoint.,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Active,M,Missing parameter,,,,,,"3.4.6, 3.4.7",,TRUE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,"Non รè presente il path completo, solo /oidc/op/userinfo"
-x,OP-Token response-refresh_token-payload-exp-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload contains the exp parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain correct 'exp' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked,OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | payload | exp",The Refresh Token MUST contain the exp parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed,
-x,OP-Token response-refresh_token-payload-exp-type,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the JWT Refresh Token Payload contains the exp parameter which is a timestamp, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain correct type of 'exp' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the value of the 'exp' parameter in the Payload is a timestamp,OP,,"Token response | head | (?<=\""refresh_token\"": \"")[^\""]+ | payload | exp | timestamp",The Refresh Token MUST contain the exp 
parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed,
-x,OP-Token response-refresh_token-payload-iat-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload contains the iat claim, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain 'iat' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked,OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | payload | iat",The Refresh Token MUST contain the iat parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed,
-x,OP-Token response-refresh_token-payload-jti-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload contains the jti parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain 'jti' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked,OP,,Token response | body | refresh_token | payload | jti,The Refresh Token MUST contain the jti parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed,
-x,OP-Token response-refresh_token-payload-jti-type,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains 
consent,"Compliant if the JWT Refresh Token Payload contains the jti parameter and it is in uuid4 format, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the issued JWT Refresh Token contain a correct 'jti' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked. Its value (unique identifier of Refresh Token) must be based on uuid4 format,OP,,Token response | head | refresh_token | payload | jti | uuid4,The Refresh Token MUST contain the jti parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed,
-o,OP-Token response-refresh_token-presence,Successful Token response,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the token response has the refresh_token parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the OP issue the refresh tokens when requested,"In this test an RP makes an authentication request with scope 'offline_access'. 
Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the refresh token.",OP,Authentication request | url | scope | openid offline_access | prompt | consent,Token response | body | refresh_token,"The Token response, if succesful, returns an ID Token, an Access Token and possibly a Refresh Token (if the authentication request has scope=offline_access)",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Missing parameter,Are refresh tokens supported (HasRefreshTokens),,,,"Accesso L1 con protocollo -OIDC e scope valorizzato -openid profile email -offline_access","3.2.9, 3.2.10",,TRUE,x,,no,"[""s1""]",E,,P,P,passed,
-o,OP-Token response-refresh_token-type,Successful Token response,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the refresh_token is a JWT, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the OP issue a correct type of refresh tokens when requested,"In this test an RP makes an authentication request with scope 'openid offline_access'. 
Once received the code, the RP tries to exchange it in the token endpoint and the response must contain a JWT refresh token.",OP,Authentication request | url | scope | openid offline_access | prompt | consent,Token response | body | refresh_token | JWT,"The Token response, if succesful, returns an ID Token, an Access Token and possibly a Refresh Token (if the authentication request has scope=offline_access)",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,L,Type mismatch,Are refresh tokens supported (HasRefreshTokens),,,,"Accesso L1 con protocollo -OIDC e scope valorizzato -openid profile email -offline_access","3.2.9, 3.2.10",,TRUE,x,,no,"[""s1""]",E,,P,P,passed,
-x,RP-Token response-id_token-payload-aud-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token has the aud parameter set to the RP's client ID, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Token response,Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id',"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'",RP,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | aud[0]",Entity Configuration response RP | body | [^\r\n]* | payload | iss | saved_iss,The JWT ID Token Payload requires the aud parameter and it must contain the RP's client_id,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Active,M,Mismatch of parameter,Is the token audience set (HasCorrectAudience),ID Token has aud claim,,,,"3.3.7, 3.3.8",,TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token,Successful Token response,Token response,Trigger Token response,"Compliant if the token 
response has the access_token parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token response,Does the successful token response contain access token,The Token response is analyzed and the presence of the access token is checked,OP,,Token response | body | access_token,"If the Token request is correct, the succesful response sent by the OP must contain the access_token parameter, containing the issued access token",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,Are access token supported (HasAccessTokens) Are JWT access token used (HasJwtAccessTokens),,,P4_A,,"3.2.4, 3.2.5",,TRUE,x,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-correctly-issued,Access Token,Token response,Trigger Token response,"Compliant if the token response has the access_token parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token response,Does the OP issue the access tokens when requested,"In this test an authentication request with scope 'openid' is made. 
Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",OP,,Token response | body | access_token,The Access Token must be formed according to the standard iGov,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-header-alg,Access Token Header,Token response,Trigger Token response,"Compliant if the alg parameter in the Access Token Header is present, not compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'alg' parameter in the Header,"In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | header | alg",The JWT Access Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,3.4.0,Not present in the description but present in the example. I assumed the signature values,TRUE,,,no,"[""s1""]",E,,P,P,passed, 
@@ -840,9 +267,10 @@ x,OP-Token response-access_token-header-alg-value-correct,Access Token Header,To
 x,OP-Token response-access_token-header-alg-value-wrong,Access Token Header,Token response,Trigger Token response,"Compliant if the alg parameter in the Access Token Header contains a value among RS256 and RS512, not Compliant if it contains values among ['none', 'HS256', 'HS384', 'HS512'] or is empty",JWT parameter not in value,Correct Input,Token response,Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header,"In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.",OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The JWT Access Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-header-kid,Access Token Header,Token response,Trigger Token response,"Compliant if the JWT Access Token Header has the kid parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'kid' parameter in the Header,"The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. 
If it is not present, than the Access Token is not compliant.",OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | header | kid",The JWT Access Token Header requires the kid parameter,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,3.4.2,Not present in the description but present in the example,TRUE,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-header-typ,Access Token Header,Token response,Trigger Token response,"Compliant if the JWT Access Token Header has the typ parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'typ' parameter in the Header,The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | header | typ",The JWT Access Token Header requires the typ parameter and it must be set to 'at+jwt',SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,,Not present in the description but present in the example,FALSE,,,no,"[""s1""]",E,,P,P,passed,
+x,OP-Token response-access_token-header-typ-value,Access Token Header,Token response,Trigger Token response,"Compliant if the Access Token Header has the typ parameter and it is set to 'at+jwt', not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Access Token contain the 'typ' parameter valid in the Header,"The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked. 
Moreover, its value must be set to 'at+jwt', if it is not, than the Access Token is not compliant",OP,,"Token Reponse | head | (?<=""access_token"": "")[^""]+ | header | typ | ""at+jwt""",The JWT Access Token Header requires the typ parameter and it must be set to 'at+jwt',SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Mismatch of parameter,,,,,,,Not present in the description but present in the example,FALSE,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-payload-aud,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the aud parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'aud' parameter in the Payload,The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | aud",The JWT Access Token Payload requires the aud parameter and it must contain the identifier of the resource server,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,"3.4.6, 3.4.7",,TRUE,,,no,"[""s1""]",E,,P,P,passed,
-x,OP-Token response-id_token-header-alg-value-correct,ID Token Header,Token response,Trigger Token response,"Compliant if the ID Token Header has the alg parameter and contains one of the values in the OP's metadata, not compliant otherwise",/ manual: wrong value,Correct Input,Token response,Does the issued JWT ID Token contain a correct 'alg' parameter in the Header,"In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
The value must be an asymmetric algorithm between those defined in the 'id_token_signing_alg_values_supported' parameter of the OP's metadata",OP,OP's EC,,The JWT ID Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Mismatch of content,,Asymmetric ID Token signature with RS256,,,,3.3.0,Not present in the description of the ID Token but present in the example. I assumed the signature values,TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-payload-aud-type,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the aud parameter set to the identifier of the intended resource server, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT Access Token contain a correct 'aud' parameter,The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | | {""type"":""object"", ""properties"":{""aud"":{""type"":""array""}},""required"":[""aud""]}",The JWT Access Token Payload requires the aud parameter and it must contain the identifier of the resource server,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,L,Type mismatch,,,,,,"3.4.6, 3.4.7",,TRUE,,,yes,"[""s1""]",E,,P,P,passed,
+x,OP-Token response-access_token-payload-aud-value,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the aud parameter set to the UserInfo endpoint, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Access Token contain a correct 'aud' parameter,The Access Token 
present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload should contain the UserInfo endpoint.,OP,,"Token response | body | (?<=\""access_token\"": \"")[^\""]+ | payload | aud[?(@ =~ /.*\/userinfo.*/)]",The JWT Access Token Payload requires the aud parameter and it must contain the UserInfo endpoint.,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Active,M,Missing parameter,,,,,,"3.4.6, 3.4.7",,TRUE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,"Non รจ presente il path completo, solo /oidc/op/userinfo"
 x,OP-Token response-access_token-payload-client_id,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload contains the client_id parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'client_id' parameter in the Payload,The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | client_id",The JWT Access Token Payload requires the client_id parameter. 
It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-payload-client_id-type,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload contains the client_id parameter as an HTTPS URL, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url,The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | | {""type"": ""object"", ""properties"": {""client_id"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""client_id""]}",The JWT Access Token Payload requires the client_id parameter. 
It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,,,no,"[""s1""]",E,Problema implementazione,P,F,failed,URL รจ HTTP non HTTPS
 x,OP-Token response-access_token-payload-client_id-value,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload contains the client_id parameter and its value identifies the RP, not Compliant otherwise",Param Check-Save to JWT,Correct Input,Token response,Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client,The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request,OP,Authentication request | url | client_id | auth_client_id,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | client_id",The JWT Access Token Payload requires the client_id parameter. It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, 
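Review bot: The check expression of the new `OP-Token response-access_token-header-typ-value` row reads `Token Reponse | head | (?<=""access_token"": "")[^""]+ | header | typ | ""at+jwt""`, while every sibling access-token row in this hunk locates the token with `Token response | body | …`; the misspelled message name and the `head` section mean this row will not find the token where the other rows find it, so it should read `Token response | body | (?<=""access_token"": "")[^""]+ | header | typ | ""at+jwt""`. In the same hunk, the new `access_token-payload-aud-value` row uses the filter `aud[?(@ =~ /.*\/userinfo.*/)]`, which accepts any audience element that merely contains `/userinfo`; that is weaker than the stated requirement (aud set to the UserInfo endpoint) and cannot tell the full endpoint URL from the bare path the recorded note reports, so the automated verdict can disagree with the manual one. Comparing the element for equality against the UserInfo endpoint the OP advertises in its metadata would make the check match the requirement text.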
@@ -852,6 +280,7 @@ x,OP-Token response-access_token-payload-iat,Access Token Payload,Token response
 x,OP-Token response-access_token-payload-iat-type,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload contains the iat claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload,The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The JWT Access Token Payload requires the iat parameter,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,L,Type mismatch,,,,,,"3.4.8, 3.4.9, 3.4.10",,TRUE,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-payload-iss,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the iss parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'iss' parameter in the Payload,The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | iss",The JWT Access Token Payload requires the iss parameter and it must be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,"3.4.3, 3.4.4, 3.4.5",,TRUE,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token 
response-access_token-payload-iss-type,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the iss parameter and it is an HTTPS URL, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT Access Token's 'iss' parameter contain an URL,"The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | | {""type"": ""object"", ""properties"": {""iss"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""iss""]}",The JWT Access Token Payload requires the iss parameter and it must be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,,,no,"[""s1""]",E,Problema implementazione,P,F,failed,URL รจ HTTP non HTTPS
+x,OP-Token response-access_token-payload-iss-value,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the iss parameter equals to the URL of the OP, not Compliant otherwise",/ manual: wrong value,Correct Input,Token response,Does the issued JWT Access Token contain the 'iss' parameter in the Payload equals to the URL of the OP,The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter equals to the URL of the OP in the Payload is checked,OP,,,The JWT Access Token Payload requires the iss parameter equals to the URL of the OP,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Mismatch of content,,,,,,"3.4.3, 3.4.4, 
3.4.5",,TRUE,,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-payload-jti,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload contains the jti parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'jti' parameter in the Payload,The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | jti",The JWT Access Token Payload requires the jti parameter,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,3.4.14,,TRUE,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-payload-jti-type,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload contains the jti parameter in uuid4 format, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format,The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | | {""type"": ""object"", ""properties"": {""jti"": {""type"": ""string"", ""pattern"": ""^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$""}}, ""required"": [""jti""]}",The JWT Access Token Payload requires the jti parameter,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,L,Type mismatch,,,,,,3.4.14,,TRUE,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-payload-scope,Access Token 
Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload contains the scope parameter and its value matches the value in the authentication request, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'scope' parameter in the Payload,The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | scope",The JWT Access Token Payload requires the scope parameter. It MUST match the value in the authentication request.,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, 
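Review bot: The new `OP-Token response-access_token-payload-iss-value` row has no check expression at all (`OP,,,` in the check columns), so the "iss equals the OP's URL" comparison rests entirely on the `/ manual: wrong value` step even though the row is tagged Passive like the automated rows around it. The `iss-type` row just above it already records an issuer that passes the presence check and fails only the `^https://` pattern, which is exactly the case where an automated equality check against the OP's own identifier is what would catch a well-formed but wrong issuer. The (removed) RP `id_token-payload-aud-value` row earlier in this diff shows the save-then-compare pattern this file already supports, a value saved from the Entity Configuration response and matched against the token claim, and the same shape could fill the empty check column here.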
@@ -859,16 +288,24 @@ x,OP-Token response-access_token-payload-scope-value,Access Token Payload,Token
 x,OP-Token response-access_token-payload-sub,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the sub parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT Access Token contain the 'sub' parameter in the Payload,The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.,OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | payload | sub",The JWT Access Token Payload requires the sub parameter and it must be 'pairwise',SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-signature,Access Token,Token response,Trigger Token response,"Compliant if the signature of the Access Token is correctly verified using the OP's public key, not compliant otherwise",JWT signature check,Correct Input,Token response,Does the OP correctly sign the Access Token,"Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. 
In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",OP,,"Token response | body | (?<=""access_token"": "")[^""]+ | X_key_core_OP",The Access Token must be formed according to the standard iGov,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,"3.2.5, 3.2.6",,TRUE,x,,yes,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-access_token-type,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has a valid JWT access_token parameter, not Compliant otherwise",HTTP parameter type,Correct Input,Token response,Does the successful token response contain a valid access token,In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT,OP,,"Token response | body | (?<=""access_token"":\s?)""([\w\-]+\.[\w\-]+\.[\w\-]+)""","If the Token request is correct, the succesful response sent by the OP must contain the access_token parameter, containing the issued access token",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,L,Type mismatch,Are access token supported (HasAccessTokens) Are JWT access token used (HasJwtAccessTokens),,,P4_A,,"3.2.4, 3.2.5",,TRUE,x,,no,"[""s1""]",E,,P,P,passed,
+x,OP-Token response-access_token-with-refresh-request,Token response to a request with grant_type set to refresh_token and a valid refresh_token ,Token response to a request with grant_type set to refresh_token and a valid refresh_token ,Token request with grant_type set to refresh_token and a valid refresh_token,"Compliant if the Token Response contains the Access Token, 
not compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the OP release Access Tokens with the use of refresh tokens,"In this test the offline_access flow is accomplished and a refresh token is obtained. After this, a new token request is done with 'grant_type=refresh_token' and the refresh token inserted in the 'refresh_token' parameter. The response must include the Access Token",OP,,,"The Refresh Token MUST NOT allow the requesting RP to obtain an ID Token, neither the one previously issued during authentication nor a new ID Token",SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1"", ""s1.1""]",E,,P,P,passed,
+o,OP-Token response-cache-control-value,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has Cache-Control set to 'no-store', not Compliant otherwise",HTTP parameter presence_1,Correct Input,Token response,Does the token response have Cache-Control set to 'no-store',This test verifies the presence of Cache-Control set to 'no-store' in the token response.,OP,,Token response | head | Cache-Control | no-store,The error Token response must have Cache-Control set to 'no-store',SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro Cache-Control
+o,OP-Token response-content_type-if_error,Successful error Token response,Token response,Trigger error Token response,"Compliant if the error token response has application/json set in Content-Type, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the Content-Type in a error token response set correctly?,This test verifies the head 
Content-Type set to application/json in the error token response.,OP,,,The error Token response must have the Content-Type head set to application/json.,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-content_type-value,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has application/json set in Content-Type, not Compliant otherwise",HTTP parameter value,Correct Input,Token response,Does the Content-Type in a token response set correctly?,This test verifies the head Content-Type set to application/json in the token response.,OP,,Token response | head | Content-Type | application/json,The Token response must have the Content-Type head set to application/json.,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
 x,OP-Token response-correct-request,Correct token response,Token response,Trigger Token response,"Compliant if the response is a an HTTP 200 OK, not compliant otherwise",HTTP Status,Correct Input,Token response,Does the OP handle a correct token request,In this test a normal flow is accomplished and is tried to obtain an Access Token. 
All requests are well-formed and the Responses of the OP are analyzed.,OP,,Token response | head | 200,Response example,SPID_CIE_OIDC#Token-response https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,L,Wrong handling of status code,,,,,,"3.0.0, 3.2.1",,TRUE,x,,no,"[""s1""]",E,,P,P,passed,
+o,OP-Token response-error_description-if_error_grant_type,Successful error Token response,Token response,Trigger error Token response,"Compliant if the error token response has error_description parameter, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the error token response have error_description parameter,This test verifies the presence of error_description parameter in the error token response.,OP,,,The error Token response must have error_description parameter,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
+o,OP-Token response-error-if_error,Successful error Token response,Token response,Trigger error Token response,"Compliant if the error token response has error parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the error token response have error parameter,This test verifies the presence of error parameter in the error token response.,OP,,,The error Token response must have error parameter,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed,
+x,OP-Token response-error-value,Token Error response,Token response,Trigger Token response,"Compliant if the Token Response has the error parameter and it is set to a value among 'invalid_request', 'invalid_client', 'unsupported_grant_type', 
'invalid_grant', 'server_error', or 'temporarily_unavailable'. Not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the Token error response contain a correct error parameter,"The Token error response is analyzed and the the error parameter in it is checked. It must have a value among 'invalid_request', 'invalid_client', 'unsupported_grant_type', 'invalid_grant', 'server_error', or 'temporarily_unavailable'",OP,,"Token response | body | error | [""invalid_request"", ""invalid_client"", ""unsupported_grant_type"", ""invalid_grant"", ""server_error"", ""temporarily_unavailable""]","If the Token Request (both ID Token and Refresh Token) is invalid or unauthorized, the OP constructs the error response. This response needs to have the error parameter with the error code ('invalid_request' or 'unauthorized_client')",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, o,OP-Token response-expires_in,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has the expires_in parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token response,Does the OP issue the expires_in in a token response,"In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. 
The response is then analyzed and it must contain the expires_in parameter",OP,,Token response | body | expires_in,"The Token response, if succesful, returns an ID Token, an Access Token and possibly a Refresh Token (if the authentication request has scope=offline_access)",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,Are refresh tokens supported (HasRefreshTokens),,,,"Accesso L1 con protocollo OIDC e scope valorizzato openid profile email offline_access","3.2.9, 3.2.10",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-grant_type-refresh,Token request,Token response,Token request with grant_type refresh token but missing the necessary refresh token in the body,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Token response,Does the OP accept a token request using the grant_type set to 'refresh_token' but without the necessary refresh token,"When an RP sends a token request using the refresh token, the OP must check the presence of the grant_type parameter in the request but also the presence of the refresh token. 
In order to check whether the OP accomplish this control, a token request without a refresh token is sent and the response analyzed",OP,,,An RP doing a Token Request using a refresh token must insert the grant_type parameter in the request with the value 'refresh_token' and the refresh_token parameter,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, o,OP-Token response-HTTP_status-value,Successful Token response,Token response,Trigger Token response,"Compliant if the HTTP status code of a token response is 200, not Compliant otherwise",HTTP Status,Correct Input,Token response,Does the HTTP status of a token response correct?,This test verifies whether the HTTP status of a token response is 200.,OP,,Token response | head | 200,The Token response must be an HTTP 200.,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,L,Wrong handling of status code,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has the id_token parameter containing a value in JWT format, not Compliant otherwise",HTTP parameter presence,Correct Input,Token response,Does the successful token response contain the ID token,The RP receiving the Token response and that sent a correct token request must check the presence of the ID token,OP,,Token response | body | id_token,"If the authorization request is correct, the succesfull response sent by the OP must contain the id_token parameter, containing the ID Token value in JWT format",SPID_CIE_OIDC#Token-Endpoint-Response; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,,,,,,"3.2.14, 3.2.15",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-id_token-encryption,ID Token,Token response,Trigger Token response,"Compliant if the ID Token obtained in the Token Response is a nested signed and encrypted JWT, not compliant otherwise",/ manual: check signature,Correct Input,Token response,Does the OP encrypt the ID Token when the 'id_token_encrypted_response_alg' parameter is exposed in the RP's metadata,"To test this OP functionality, a flow is started using an RP that exposes the 'id_token_encrypted_response_alg' parameter. Once received the ID Token, it has to be not only signed but also encrypted",OP,,,If the RP exposes in its metadata the parameter id_token_encrypted_response_alg the OP MUST encrypt the ID Token. In this case the ID Token MUST be a nested signed and encrypted JWT,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_alg x,OP-Token response-id_token-header-alg,ID Token Header,Token response,Trigger Token response,"Compliant if the ID Token Header has the alg parameter, not compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain a correct 'alg' parameter in the Header,"In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | header | alg",The JWT ID Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-access_token-payload-iss-value,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the iss parameter equals to the URL of the OP, not Compliant otherwise",/ manual: wrong value,Correct Input,Token response,Does the issued JWT Access Token contain the 'iss' parameter in the Payload equals to the URL of the OP,The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter equals to the URL of the OP in the Payload is checked,OP,,,The JWT Access Token Payload requires the iss parameter equals to the URL of the OP,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Mismatch of content,,,,,,"3.4.3, 3.4.4, 3.4.5",,TRUE,,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Token response-id_token-header-alg-value-correct,ID Token Header,Token response,Trigger Token response,"Compliant if the ID Token Header has the alg parameter and contains one of the values in the OP's metadata, not compliant otherwise",/ manual: wrong value,Correct Input,Token response,Does the issued JWT ID Token contain a correct 'alg' parameter in the Header,"In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
The value must be an asymmetric algorithm between those defined in the 'id_token_signing_alg_values_supported' parameter of the OP's metadata",OP,OP's EC,,The JWT ID Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Mismatch of content,,Asymmetric ID Token signature with RS256,,,,3.3.0,Not present in the description of the ID Token but present in the example. I assumed the signature values,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-header-alg-value-wrong,ID Token Header,Token response,Trigger Token response,"Not compliant if the alg parameter in the ID Token contains values among ['none', 'HS256', 'HS384', 'HS512'] or is empty",JWT parameter not in value,Correct Input,Token response,Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header,"In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The JWT ID Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-header-kid,ID Token Header,Token response,Trigger Token response,"Compliant if the JWT ID Token Header has the kid parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'kid' parameter in the Header,"The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | header | kid",The JWT ID Token Header requires the kid parameter,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Missing parameter,Are all required required claims present (HasRequiredClaims),ID Token has kid claim,,,,3.3.2,Not present in the description but present in the example,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-acr,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the acr_value claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'acr' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload 
is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | acr",The JWT ID Token Payload requires the acr parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,,Support acr_values request parameter,,,"Accesso L1 con protocollo 
@@ -877,7 +314,15 @@ opeind, profile e offline_access. Verifica degli attributi dell'User Info","3.3.9, 3.3.11",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-id_token-payload-acr-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the acr claim equal or higher than acr_values requested within the authorization request, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT ID Token contain the 'acr' parameter valid in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. It must be equal or superior to the acr send from the RP in the Authentication Request.",OP,,,The JWT ID Token Payload requires the acr parameter and must be set to the 'acr_value' that is satisfied by the OP in the Authentication Request,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Mismatch of parameter,,Support acr_values request parameter,,,"Accesso L1 con protocollo +OIDC e scope valorizzato +opeind, profile e +offline_access. Verifica +degli attributi dell'User +Info","3.3.9, 3.3.11",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +o,OP-Token response-id_token-payload-acr-value-correct,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the acr claim and its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3'], not Compliant otherwise",JWT parameter JSON value,Correct Input,Token response,Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. 
Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | acr | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3""]","The JWT ID Token Payload requires the acr parameter and must be one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-at_hash,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the at_hash parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does ID token payload contain the 'at_hash' parameter,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | at_hash",The JWT ID Token Payload requires the at_hash parameter and its value must match the Access Token returned with the Token ID,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,Is the at_hash claim present (IsAccessTokenHashPresent),,,,,"3.3.12, 3.3.13",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-id_token-payload-at_hash-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token's at_hash parameter value matches the Access Token returned with the Token ID, not Compliant otherwise",/ 
manual: check parameter,Correct Input,Token response,Does ID token payload contain a correct 'at_hash' parameter,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'at_hash' parameter in the Payload is checked. In particular, its value must match the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value the Access Token returned with the Token ID",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | at_hash",The JWT ID Token Payload requires the at_hash parameter and its value must match the Access Token returned with the Token ID. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Mismatch of parameter,,,,,,"3.3.12, 3.3.13",,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-aud,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the aud parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'aud' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | aud",The JWT ID Token Payload requires the aud parameter and it must contain the RP's client_id,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,Is the token audience set (HasCorrectAudience),ID Token has aud claim,,,,"3.3.7, 
3.3.8",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-exp,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the exp claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'exp' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | exp",The JWT ID Token Payload requires the exp parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,,,,,"Accesso L1 con protocollo OIDC e scope valorizzato 
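Review bot: The added row `OP-Token response-id_token-payload-acr-value-correct` documents a stricter check than its automated rule performs: the check column only tests `acr` against the three SpidL URIs, while the description adds that the value "must be equal or superior to the acr send from the RP", a comparison that belongs to the separate manual row `OP-Token response-id_token-payload-acr-value`. Dropping that last sentence from the description would keep the row's documented scope aligned with what `JWT parameter JSON value` actually verifies. In the same hunk the manual row `OP-Token response-id_token-payload-at_hash-value` asks the operator to compare against "the left-most half of the hash" without naming the hash; the digest is determined by the JWS `alg` of the ID Token header (SHA-256 for RS256/ES256, SHA-384 and SHA-512 for the 384/512 variants), so a clause such as `using the hash algorithm implied by the ID Token's alg header (e.g. SHA-256 for RS256)` would make the manual check reproducible.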
@@ -885,11 +330,17 @@ opeind, profile e offline_access. Verifica degli attributi dell'User Info","3.3.19, 3.3.20",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-id_token-payload-exp-type,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the exp claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",OP,,"Token response | body | (?<=id_token: "")([^""]+) | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}",The JWT ID Token Payload requires the exp parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,L,Type mismatch,,,,,"Accesso L1 con protocollo +OIDC e scope valorizzato +opeind, profile e +offline_access. 
Verifica +degli attributi dell'User +Info","3.3.19, 3.3.20",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-iat,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the iat claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'iat' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | iat",The JWT ID Token Payload requires the iat parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,Are all required required claims present (HasRequiredClaims),ID Token has iat claim,,,,"3.3.14, 3.3.15, 3.3.16",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-access_token-header-typ-value,Access Token Header,Token response,Trigger Token response,"Compliant if the Access Token Header has the typ parameter and it is set to 'at+jwt', not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Access Token contain the 'typ' parameter valid in the Header,"The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked. 
Moreover, its value must be set to 'at+jwt', if it is not, than the Access Token is not compliant",OP,,"Token Reponse | head | (?<=""access_token"": "")[^""]+ | header | typ | ""at+jwt""",The JWT Access Token Header requires the typ parameter and it must be set to 'at+jwt',SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,M,Mismatch of parameter,,,,,,,Not present in the description but present in the example,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-id_token-payload-iat-type,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the iat claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. 
In particular, its value must be a timestamp",OP,,"Token response | body | (?<=id_token: "")([^""]+) | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The JWT ID Token Payload requires the iat parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,L,Type mismatch,Are all required required claims present (HasRequiredClaims),ID Token has iat claim,,,,"3.3.14, 3.3.15, 3.3.16",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-iss,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the iss parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'iss' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | iss",The JWT ID Token Payload requires the iss parameter and it must be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,Is the token issuer set (HasCorrectIssuer),ID Token has iss claim,,,,"3.3.3, 3.3.4, 3.3.5",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, o,OP-Token response-id_token-payload-iss-type,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the iss parameter as an HTTPS URL that identifies the OP, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of 
the 'iss' parameter has to be an HTTPS URL identifying the OP",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | | {""type"": ""object"", ""properties"": {""iss"": {""type"": ""string"", ""const"": ""X_https_OP""}}, ""required"":[""iss""]})",The JWT ID Token Payload requires the iss parameter and it must be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,Is the token issuer set (HasCorrectIssuer),ID Token has iss claim,,,,"3.3.3, 3.3.4, 3.3.5",,TRUE,x,,no,"[""s1""]",E,Problema implementazione,P,F,failed,URL รจ HTTP non HTTPS -o,OP-Token response-content_type-if_error,Successful error Token response,Token response,Trigger error Token response,"Compliant if the error token response has application/json set in Content-Type, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the Content-Type in a error token response set correctly?,This test verifies the head Content-Type set to application/json in the error token response.,OP,,,The error Token response must have the Content-Type head set to application/json.,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +o,OP-Token response-id_token-payload-iss-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the iss parameter equals to the URL of the OP, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Token response,Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' 
parameter is checked equals to the URL of the OP",OP,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | iss",Entity Configuration response OP | body | [^\r\n]* | payload | iss | saved_iss,The JWT ID Token Payload requires the iss parameter and it must be equal to the URL of the OP,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-jti,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the jti claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'jti' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | jti",The JWT ID Token Payload requires the jti parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,,,,,"Accesso L1 con protocollo OIDC e scope valorizzato opeind, profile e 
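Review bot: The two new rows `OP-Token response-id_token-payload-exp-type` and `OP-Token response-id_token-payload-iat-type` extract the ID Token with the lookbehind `(?<=id_token: ")([^"]+)`, which differs from the `(?<="id_token": ")[^"]+` pattern used by every other row in this file, including the unchanged `iss-type` row right after them. Against a JSON token response with quoted keys the text `id_token: "` never occurs, so unless the tool normalizes the body before matching, these two checks would fail to locate the token and report a type mismatch that has nothing to do with the `exp`/`iat` claims; aligning them with the other rows, `(?<="id_token": ")[^"]+`, would fix it. The unchanged `iss-type` row in the same hunk also closes its JSON schema with a stray `)` after `]}`, which is likely to break schema parsing and is worth fixing in the same pass.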
@@ -897,30 +348,44 @@ offline_access. Verifica degli attributi dell'User Info",3.3.23,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-nonce,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the nonce claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'nonce' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | nonce",The JWT ID Token Payload requires the nonce parameter and it must be set to the nonce value sent in the Authentication Request,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,Is the nonce present in the ID token (NoncePresentInToken),ID Token has nonce when requested for code flow,,,,"3.3.24, 3.3.25",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -o,OP-Token response-error-if_error,Successful error Token response,Token response,Trigger error Token response,"Compliant if the error token response has error parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the error token response have error parameter,This test verifies the presence of error parameter in the error token response.,OP,,,The error Token response must have error parameter,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-id_token-payload-nonce-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the nonce claim and its value is the same as the 
nonce in the Authentication Request made before, not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the issued JWT ID Token contain the 'nonce' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked. In particular, its value must be set to the 'nonce' value set in the Authentication Request",OP,,,The JWT ID Token Payload requires the nonce parameter and it must be set to the nonce value sent in the Authentication Request,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Presence of wrong parameter,Is the nonce present in the ID token (NoncePresentInToken),ID Token has nonce when requested for code flow,,,,"3.3.24, 3.3.25",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-payload-sub,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the sub parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Token response,Does the issued JWT ID Token contain the 'sub' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | sub",The JWT ID Token Payload requires the sub parameter and it must be 'pairwise',SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Missing parameter,Are all required required claims present (HasRequiredClaims),ID Token has sub claim,,,,3.3.6,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, o,OP-Token response-id_token-payload-sub-type,ID Token Payload,Token response,Trigger Token response,"Compliant if the 
sub parameter in the ID Token is a string, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""pattern"": ""^[0-9a-f]{64}$""}}, ""required"": [""sub""]}",The JWT ID Token Payload requires the sub parameter and it must be a string of type pairwise,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,L,Type mismatch,Are all required required claims present (HasRequiredClaims),ID Token has sub claim,,,,3.3.6,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-signature,ID Token,Token response,Trigger Token response,"Compliant if the signature part of the ID Token is correctly verified using the OP's public key, not compliant otherwise",JWT signature check,Correct Input,Token response,Does the OP correctly sign the ID Token,"Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. 
In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | X_key_core_OP",The ID Token is a JSON Web Token (JWT) that contains information on the user that has executed the authentication.,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,Is the ID token signed (IsSigned),Does the OP sign the ID Token and with what,,,,3.2.16,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Token response-id_token-type,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has a valid JWT id_token parameter, not Compliant otherwise",HTTP parameter type,Correct Input,Token response,Does the successful token response contain a valid ID token,The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token,OP,,"Token response | body | (?<=""id_token"":\s?)""([\w\-]+\.[\w\-]+\.[\w\-]+)""","If the authorization request is correct, the succesfull response sent by the OP must contain the id_token parameter, containing the ID Token value in JWT format",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,L,Type mismatch,,,,,,"3.2.14, 3.2.15",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-id_token-payload-at_hash-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token's at_hash parameter value matches the Access Token returned with the Token ID, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does ID token payload contain a correct 'at_hash' parameter,"The ID 
Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'at_hash' parameter in the Payload is checked. In particular, its value must match the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value the Access Token returned with the Token ID",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | at_hash",The JWT ID Token Payload requires the at_hash parameter and its value must match the Access Token returned with the Token ID. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Mismatch of parameter,,,,,,"3.3.12, 3.3.13",,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Token response-id_token-payload-acr-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the acr claim equal or higher than acr_values requested within the authorization request, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT ID Token contain the 'acr' parameter valid in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. 
It must be equal or superior to the acr send from the RP in the Authentication Request.",OP,,,The JWT ID Token Payload requires the acr parameter and must be set to the 'acr_value' that is satisfied by the OP in the Authentication Request,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Mismatch of parameter,,Support acr_values request parameter,,,"Accesso L1 con protocollo -OIDC e scope valorizzato -opeind, profile e -offline_access. Verifica -degli attributi dell'User -Info","3.3.9, 3.3.11",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -o,OP-Token response-id_token-payload-acr-value-correct,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the acr claim and its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3'], not Compliant otherwise",JWT parameter JSON value,Correct Input,Token response,Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. 
It must be equal or superior to the acr send from the RP in the Authentication Request.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | acr | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3""]","The JWT ID Token Payload requires the acr parameter and must be one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-id_token-payload-exp-type,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the exp claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",OP,,"Token response | body | (?<=id_token: "")([^""]+) | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}",The JWT ID Token Payload requires the exp parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,L,Type mismatch,,,,,"Accesso L1 con protocollo -OIDC e scope valorizzato -opeind, profile e -offline_access. 
Verifica -degli attributi dell'User -Info","3.3.19, 3.3.20",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-id_token-payload-iat-type,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the iat claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token response,Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",OP,,"Token response | body | (?<=id_token: "")([^""]+) | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The JWT ID Token Payload requires the iat parameter,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,L,Type mismatch,Are all required required claims present (HasRequiredClaims),ID Token has iat claim,,,,"3.3.14, 3.3.15, 3.3.16",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -o,OP-Token response-id_token-payload-iss-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the iss parameter equals to the URL of the OP, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Token response,Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP",OP,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | iss",Entity Configuration response OP | body | [^\r\n]* | payload | iss | saved_iss,The JWT ID Token Payload requires the iss parameter and it must be equal to the URL of the 
OP,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Token response-id_token-with-refresh-request,Token Response containing refresh_token,Token Response,Token request with grant_type set to refresh_token and a valid refresh_token ,"Compliant if the Token Response does not contain the ID Token, not compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the OP release ID Tokens with the use of refresh tokens,"In this test the offline_access flow is accomplished and a refresh token is obtained. After this, a new token request is done with 'grant_type=refresh_token' and the refresh token inserted in the 'refresh_token' parameter. The response must not include the ID Token",OP,,,"The Refresh Token MUST NOT allow the requesting RP to obtain an ID Token, neither the one previously issued during authentication nor a new ID Token",SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1"", ""s1.1""]",E,,F,P,passed,id_token รจ presente +x,OP-Token response-refresh_token_signature,Refresh token,Token response,Authentication request with scope offline_access and prompt contains consent,"Compliant if the signature of the Refresh token is correctly verified using the OP's public key, not compliant otherwise",/ manual: check signature,Correct Input,Token response,Does the OP correctly sign the Refresh Token,"Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. 
In this test an offline_access flow is performed and the obtained Refresh token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the Refresh token is passed to a signature verifier correctly configured",OP,,Token response | body | refresh_token | XXX,The Refresh Token MUST be a signed JWT,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,3.2.11,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-refresh_token_wrongly_issued,Token Response without refresh_token,Token Response,Authentication request with scope profile and prompt contains consent,"Compliant if the token response does not contain the refresh_token parameter, not Compliant otherwise",HTTP parameter not present,Correct Input,Token response,Does the OP issue refresh tokens even when it is not supposed to,"In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. 
Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.",OP,,Token response | body | refresh_token,"The Token response, if succesful, returns an ID Token, an Access Token and possibly a Refresh Token (if the authentication request has scope=offline_access and prompt=consent)",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-after-access_token-revocation,Token Response,Token Response to a request with refresh token ,Token request with grant_type set to refresh_token and a refresh_token whose corresponding access_token was revoked,"Compliant if the OP sends a successful token response, not compliant otherwise",/ manual: check flow,Correct Input,Token response,Does the OP revoke the Refresh Token when revoking an Access Token,"In order to test if the OP revokes a refresh token together with the access token revocation, a classic authentication flow is computed and, once obtained the access token and the refresh token, the access token is used to login. 
Finally, a logout is performed (thus revocating the access token), a token request using the refresh token is accomplished and the OP's response analyzed.",OP,,,The Access Token revocation MUST NOT imply revoking all the Refresh Tokens linked to it.,SPID_CIE_OIDC#revocation-endpoint; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html,OIDC Core,Passive,L,Incorrect handling,Are refresh tokens revoked after access token revocation (AccessRevokesRefresh),,,,,,"The OAuch outcome is in contrast with ours and with the one in the specification: for OAuch if the related refresh token is revoked, than this is compliant, in the CIE scenario it is not",TRUE,x,,yes,"[""s1"", ""s1.1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-already-used,Token Response,Token Response to a request with an already-used refresh token ,Token request with offline_access grant type and an already-used refresh token in it,"Compliant if the Token Response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Token response,Does the OP invalidate already-used refresh tokens,"A Token Request with the grant_type=refresh_token and the refresh token in it is sent. 
Even if the response will contain a new access token and a new refresh token, the next step is trying to refresh again the access token with the already-used refresh token and analyze the response",OP,,,"For security reasons, an OP MUST return, along with a new Access Token, also a new Refresh Token, invalidating all previously issued tokens (refresh token rotation) to the RP and related to the end-user",SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is the active refresh token revoked after a multi-exchange (InvalidatedRefreshToken),,test_grant_refresh_token_two_times,,,,,TRUE,x,,yes,"[""s1"", ""s1.1"", ""s1.2""]",E,,P,P,passed, +x,OP-Token response-refresh_token-correct-signature,Successful Token response,Token response,Authentication request with scope offline_access and prompt contains consent,"Compliant if the refresh_token obtained in the token response is a valid JWT, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the OP issue valid refresh tokens,"In this test an RP makes an authentication request with scope offline_access and the parameter prompt set to consent. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain a valid refresh token. 
Once obtained, the token must be validated with the proper validation algorithm and public key",OP,Authentication request | url | scope | openid offline_access | prompt | consent,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | XXX","The Token response, if succesful, returns an ID Token, an Access Token and possibly a Refresh Token (if the authentication request has scope=offline_access and prompt=consent)",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,L,Type mismatch,Are refresh tokens supported (HasRefreshTokens),,,,"Accesso L1 con protocollo +OIDC e scope valorizzato +openid profile email +offline_access","3.2.9, 3.2.10",,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +o,OP-Token response-refresh_token-header-alg,Refresh Token Header,Token response,Trigger Token response,"Compliant if the alg parameter in the Refresh Token Header is present, not compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain the 'alg' parameter in the Header,"In this test, the Refresh Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | header | alg",The JWT Refresh Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-Refresh-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, +o,OP-Token response-refresh_token-header-alg-value-correct,Refresh Token Header,Token response,Trigger Token response,"Compliant if the alg parameter in the Refresh Token Header contains a value among RS256 and RS512, not compliant otherwise ",/ manual: check content,Correct Input,Token response,Does the issued JWT Refresh Token 
contain a correct 'alg' parameter in the Header,"In this test, the Refresh Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']",OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | header | alg | [""RS256"", ""RS512""]",The JWT Refresh Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-Refresh-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,H,Mismatch of content,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, +o,OP-Token response-refresh_token-header-alg-value-wrong,Refresh Token Header,Token response,Trigger Token response,"Compliant if the alg parameter in the Refresh Token Header contains a value among RS256 and RS512, not Compliant if it contains values among ['none', 'HS256', 'HS384', 'HS512'] or is empty",/ manual: wrong parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain a wrong 'alg' parameter in the Header,"In this test, the Refresh Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.",OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The JWT Refresh Token Header requires the alg parameter,SPID_CIE_OIDC#Token-Endpoint-Refresh-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,H,Presence of a wrong parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-payload-aud-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload has the aud parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain the 'aud' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.,OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | payload | aud",The Refresh Token MUST contain the aud parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-refresh_token-payload-aud-type,Access Token Payload,Token response,Trigger Token response,"Compliant if the JWT Access Token Payload has the aud parameter set to a list, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the issued JWT Access Token contain a correct type of 'aud' parameter,The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is a list.,OP,,"Token response | body | (?<=""refresh_token"": "")[^""]+ | payload | aud | ^\[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$",The 
JWT Access Token Payload requires the aud parameter and it must contain the identifier of the resource server and at least the UserInfo endpoint.,SPID_CIE_OIDC#Token-Endpoint-Access-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#access-token,OIDC Core,Passive,L,Type mismatch,,,,,,"3.4.6, 3.4.7",,TRUE,,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-payload-aud-value,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the JWT Refresh Token Payload has the aud parameter set to the Token Endpoint, not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain correct 'aud' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload set to the Token Endpoint taken from the Entity Configuration OP.,OP,,"Token response | head | (?<=\""refresh_token\"": \"")[^\""]+ | payload | aud[?(@ =~ /.*\/userinfo.*/)]",The JWT Refresh Token Payload requires the aud parameter and it must contain the Token Endpoint.,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,"il valore salvato del token_endpoint รจ ""http://cie-provider.org:8002/oidc/op/token"", mentre quello in aud รจ ""http://relying-party.org:8001""" +x,OP-Token response-refresh_token-payload-exp-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload contains the exp parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain correct 'exp' parameter in the Payload,The Refresh Token present in the Token Response is 
analyzed and the presence of the 'exp' parameter in the Payload is checked,OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | payload | exp",The Refresh Token MUST contain the exp parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-payload-exp-type,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the JWT Refresh Token Payload contains the exp parameter which is a timestamp, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain correct type of 'exp' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the value of the 'exp' parameter in the Payload is a timestamp,OP,,"Token response | head | (?<=\""refresh_token\"": \"")[^\""]+ | payload | exp | timestamp",The Refresh Token MUST contain the exp parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-payload-iat-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload contains the iat claim, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain 'iat' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked,OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | payload | iat",The Refresh Token MUST contain the iat parameter,SPID_CIE_OIDC#Refresh-token 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-payload-iat-type,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the JWT Refresh Token Payload contains the iat claim and its value is a timestamp, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the issued JWT Refresh Token contain 'iat' parameter in the Payload,"The Refresh Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",OP,,"Token response | head | (?<=\""refresh_token\"": \"")[^\""]+ | payload | iat | timestamp",The Refresh Token MUST contain the iat parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-refresh_token-payload-iss-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload has the iss parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain the 'iss' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked.,OP,,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | payload | iss",The Refresh Token MUST contain the iss parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token 
response-refresh_token-payload-iss-type,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the iss parameter in the JWT Refresh Token Payload contains an HTTPS URL identifying the OP, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the issued JWT Refresh Token contain correct 'iss' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the value of the 'iss' parameter is an HTTPS URL.,OP,,"Token response | head | (?<=\""refresh_token\"": \"")[^\""]+ | payload | iss | url",The Refresh Token MUST contain the iss parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-payload-iss-value,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload has the iss parameter equal to the URL of the OP, not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain the 'iss' parameter in the Payload equal to the URL of the OP,The Refresh Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked equal to the URL of the OP,OP,,,The Refresh Token MUST contain the iss parameter equal to the URL of the OP,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-payload-jti-presence,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload contains the jti parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token 
response,Does the issued JWT Refresh Token contain 'jti' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked,OP,,Token response | body | refresh_token | payload | jti,The Refresh Token MUST contain the jti parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-refresh_token-payload-jti-type,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the JWT Refresh Token Payload contains the jti parameter and it is in uuid4 format, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the issued JWT Refresh Token contain a correct 'jti' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked. Its value (unique identifier of Refresh Token) must be based on uuid4 format,OP,,Token response | head | refresh_token | payload | jti | uuid4,The Refresh Token MUST contain the jti parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +o,OP-Token response-refresh_token-presence,Successful Token response,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the token response has the refresh_token parameter, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the OP issue the refresh tokens when requested,"In this test an RP makes an authentication request with scope 'offline_access'. 
Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the refresh token.",OP,Authentication request | url | scope | openid offline_access | prompt | consent,Token response | body | refresh_token,"The Token response, if succesful, returns an ID Token, an Access Token and possibly a Refresh Token (if the authentication request has scope=offline_access)",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Missing parameter,Are refresh tokens supported (HasRefreshTokens),,,,"Accesso L1 con protocollo +OIDC e scope valorizzato +openid profile email +offline_access","3.2.9, 3.2.10",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +o,OP-Token response-refresh_token-type,Successful Token response,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the refresh_token is a JWT, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the OP issue a correct type of refresh tokens when requested,"In this test an RP makes an authentication request with scope 'openid offline_access'. 
Once received the code, the RP tries to exchange it in the token endpoint and the response must contain a JWT refresh token.",OP,Authentication request | url | scope | openid offline_access | prompt | consent,Token response | body | refresh_token | JWT,"The Token response, if succesful, returns an ID Token, an Access Token and possibly a Refresh Token (if the authentication request has scope=offline_access)",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,L,Type mismatch,Are refresh tokens supported (HasRefreshTokens),,,,"Accesso L1 con protocollo +OIDC e scope valorizzato +openid profile email +offline_access","3.2.9, 3.2.10",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-require-assertion-iss,Token response,Token response,Token request with a client assertion without iss claim,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is missing.,OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss | | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iss claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Ritorna 403 unauthorized_client x,OP-Token response-require-assertion-sub,Token response,Token response,Token request with a client assertion without sub claim,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing,OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | sub | | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the sub claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 unauthorized_client x,OP-Token response-require-client_assertion,Token request without the client_assertion parameter,Token response to a request without the client_assertion,Token request without the client_assertion parameter in the body,"Compliant if the Token response is an HTTP 401 because of invalid_client, not compliant otherwise",Param Response,Wrong Input,Token response,Does the token response to a token request made without the client_assertion parameter return a Token Error response,This test consists in sending a token request without the client_assertion parameter and analyzing the token response. 
The response must be a Token Error response.,OP,Token request | body | (?<=client_assertion=)([^&]+) | ,Token response | head | 401 | body | invalid_client,An RP doing a Token Request must insert the client_assertion parameter in the request,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is JWT authentication implemented (SupportsJwtClientAuthentication),,,,,,,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request x,OP-Token response-require-client_assertion_type,Token request without the client_assertion_type parameter,Token response to a request without the client_assertion_type parameter,Token request without the client_assertion_type parameter in the body,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Token response,Does the token response to a token request made without the client_assertion_type parameter return a Token Error response,This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.,OP,Token request | body | (?<=client_assertion_type=)([^&]+) | ,Token response | head | 400 | body | invalid_request,An RP doing a Token Request must insert the client_assertion_type parameter in the request and it must be set to 'urn:ietf:params:oauth:client-assertion-type:jwtbearer',SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, 
@@ -930,12 +395,13 @@ x,OP-Token response-require-code_verifier,Token request without the code_verifie x,OP-Token response-require-grant_type,Token request without the grant_type parameter,Token response to a request without the grant_type parameter,Token request without the grant_type parameter in the body,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Token response,Does the token response to a token request made without the grant_type parameter return a Token Error response,This test consists in sending a token request without the grant_type parameter and analyzing the token response. The response must be a Token Error response.,OP,Token request | body | (?<=grant_type=)([^&]+) | ,Token response | head | 400 | body | invalid_request,An RP doing a Token Request must insert the grant_type parameter in the request with the value 'authorization_code',SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-token_type,Successful Token response,Token response,Trigger Token response,"Compliant if the token response has the token_type parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token response,Does the successful token response contain the token type,The RP receiving the Token response and that sent a correct token request must check the presence of the token type,OP,,Token response | body | token_type,"If the authorization request is correct, the succesfull response sent by the OP must contain the token_type parameter set to 'Bearer'",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC 
Core,Passive,M,Missing parameter,,,,,,"3.2.7, 3.2.8",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, o,OP-Token response-token_type-value,Successful Token response,Token response,Trigger Token response,"Compliant if the token_type value in token response is Bearer, not Compliant otherwise",HTTP parameter value,Correct Input,Token response,Does the token_type of a token response set correctly?,This test verifies whether the token_type of a token response is Bearer.,OP,,Token response | body | token_type | Bearer,The token_type of a Token response must be Bearer.,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-refresh_token-payload-iss-type,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the iss parameter in the JWT Refresh Token Payload contains an HTTPS URL identifying the OP, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the issued JWT Refresh Token contain correct 'iss' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the value of the 'iss' parameter is an HTTPS URL.,OP,,"Token response | head | (?<=\""refresh_token\"": \"")[^\""]+ | payload | iss | url",The Refresh Token MUST contain the iss parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,OP-Token response-token-rotation,Token Response,Token Response to a request with refresh token ,Token request with offline_access grant type and a valid refresh token in it,"Compliant if the response has a new refresh token, not compliant otherwise",/ manual: check content,Correct Input,Token response,Does the OP 
use token rotation,A Token Request with the grant_type=refresh_token and the refresh token in it is sent. The response must contain a new refresh token.,OP,,,"For security reasons, an OP MUST return, along with a new Access Token, also a new Refresh Token, invalidating all previously issued tokens (refresh token rotation) to the RP and related to the end-user",SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Active,M,Mismatch of content,Is refresh token rotation used (UsesTokenRotation),,,,Accesso L1 con protocollo OIDC e scope valorizzato openid e offline_access. Verifica della Refresh Token Rotation,,,TRUE,x,,yes,"[""s1"", ""s1.1""]",E,,P,P,passed, +x,OP-Token response-url-missing-client_id,Token response,Token response,Token request without the client_id parameter in the URL,"Compliant if the Token Response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Token response,Does the OP check the client_id in the request,In this test the client_id parameter in the URL of the token request is removed and the response analyzed,OP,Token request | body | (?<=client_id=)([^&]+) | ,Token response | head | 400 | body | invalid_request,An RP doing a Token Request must insert the client_id parameter in the request and it has to be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, x,OP-Token response-wrong-assertion-aud,Token response,Token response,Token request with a client assertion without the URL of the OP's token endpoint in the aud claim,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT 
Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the aud claim does not contain the OP's Token endpoint,OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | aud | https://www.example.com | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the aud claim. This claim must be set to the URL of the OPโ€™s Token Endpoint.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 unauthorized_client x,OP-Token response-wrong-assertion-exp,Token response,Token response,Token request with a client assertion with an expiration time (exp) set before the request,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response,"In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong",OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | exp | 1681716340 | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the exp claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Ritorna 403 unauthorized_client x,OP-Token response-wrong-assertion-iat,Token response,Token response,Token request with a client assertion with an issued time (iat) set after the request,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response,"In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the iat claim is wrong",OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iat | 1681716340 | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iat claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 -x,OP-Token response-refresh_token-payload-iss-value,Refresh Token Payload,Token response,Trigger Token response,"Compliant if the JWT Refresh Token Payload has the iss parameter equal to the URL of the OP, not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain the 'iss' parameter in the Payload equal to the URL of the OP,The Refresh Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked equal to the URL of the OP,OP,,,The Refresh Token MUST contain the iss parameter equal to the URL of the OP,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Token response-access_token-with-refresh-request,Token response to a request with grant_type set to refresh_token and a valid refresh_token ,Token response to a request with grant_type set to refresh_token and a valid refresh_token ,Token request with grant_type set to refresh_token and a valid refresh_token,"Compliant if the Token Response contains the Access Token, not compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the OP 
release Access Tokens with the use of refresh tokens,"In this test the offline_access flow is accomplished and a refresh token is obtained. After this, a new token request is done with 'grant_type=refresh_token' and the refresh token inserted in the 'refresh_token' parameter. The response must include the Access Token",OP,,,"The Refresh Token MUST NOT allow the requesting RP to obtain an ID Token, neither the one previously issued during authentication nor a new ID Token",SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1"", ""s1.1""]",E,,P,P,passed, +x,OP-Token response-wrong-assertion-iss,Token response,Token response,Token request with a client assertion with the iss claim not set to the RP's client ID,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is not set to the RP's client ID,OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss | https://www.example.com/ | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iss claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Ritorna 403 unauthorized_client +x,OP-Token response-wrong-assertion-jti,Token response to a request with a client assertion with a jti already used,Token response to a request with a client assertion with a jti already used,Token request with a client assertion with a jti already used in the life time of the JWT (JWT replay),"Compliant if the Token Response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing an already used jti in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the jti has already been used.,OP,,Token response | head | 400 | Token response | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the jti claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1-revoked"", ""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 x,OP-Token response-wrong-assertion-signature,Token request with a wrong signature,Token response to a request with a client_assertion with a wrong signature,Token request with a client_assertion parameter in the body with a wrong signature,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",Signature JWT Response,Wrong Input,Token response,Does the token response to a token request made with a wrong signature return a Token Error response,"In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. 
The OP's response is analyzed",OP,Token request | body | (?<=client_assertion=)([^&]+) | X_wrong_key,Token response | head | 400 | body | invalid_request,The client assertion parameter is a JWT signed with the Relying Party's private key,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 unauthorized_client x,OP-Token response-wrong-assertion-signature-key,Token response to a request with a client assertion signed with a wrong key,Token response to a request with a client assertion signed with a wrong key,Token Request with the client_assertion parameter in the url being a JWT with a wrongly signed signature,"Compliant if the Token Response is an HTTP 400 because of invalid_request, not compliant otherwise",Signature JWT Response,Wrong Input,Token response,Does the OP's token endpoint refuse assertions signed with a wrong key,"In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. 
The OP's response is analyzed",OP,Token request | body | (?<=client_assertion=)([^&]+) | X_wrong_key,Token response | head | 400 | body | invalid_request,The client assertion parameter is a JWT signed with the Relying Party's private key,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 unauthorized_client x,OP-Token response-wrong-assertion-sub,Token response,Token response,Token request with a client assertion with sub claim not set to the RP's client ID,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is not set to the RP's client ID,OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | sub | https://www.example.com | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the sub claim. This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 unauthorized_client 
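Review bot: The new `OP-Token response-token-rotation` row only verifies that a second refresh token comes back, while the requirement it cites also demands that the previously issued refresh token be invalidated, so an OP that mints a new token without revoking the old one still passes; either add a step that replays the old refresh token and expects a Token Error (`invalid_grant`), or state in the compliance text that invalidation is not verified by this test. The same row describes the input as "Token request with offline_access grant type", but its own description and the spec use `grant_type=refresh_token` (`offline_access` is a scope, not a grant type). In `OP-Token response-url-missing-client_id` the title and description say the parameter is removed from the URL, yet the operation is `Token request | body | (?<=client_id=)([^&]+) |`, and the TRUE/FALSE and marker columns that every sibling row fills are left blank. In `OP-Token response-wrong-assertion-jti` the check reads `Token response | head | 400 | Token response | body | invalid_request` whereas all other rows use `Token response | head | 400 | body | invalid_request`; the repeated message name looks like a typo and may not be parsed as intended. That row also records the OP answering 200 to a replayed client assertion, which is the most security-relevant outcome in this hunk and deserves tracking as a finding rather than only a failed test.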
@@ -943,43 +409,13 @@ x,OP-Token response-wrong-client_assertion_type,Token request with a wrong clien
 x,OP-Token response-wrong-code,Token request with a wrong code parameter,Token response to a request with a wrong code parameter,Token request with a wrong code parameter in the body,"Compliant if the Token response is an HTTP 400 because of invalid_grant, not compliant otherwise",Param Response,Wrong Input,Token response,"Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response",This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. The response must be a Token Error response.,OP,Token request | body | (?<=code=)([^&]+) | X_wrong_code,Token response | head | 400 | body | invalid_grant,An RP doing a Token Request must insert the code parameter in the request,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is the authorization code bound to the client (IsCodeBoundToClient),,,,,,Is it bound or not?,TRUE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400
 x,OP-Token response-wrong-code_verifier,Token request with a wrong code_verifier parameter,Token response to a request with a wrong code_verifier parameter,Token request with a wrong code_verifier parameter in the body,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Token response,Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response,This test consists in sending a token request with a wrong code_verifier parameter 
and analyzing the token response. The response must be a Token Error response.,OP,Token request | body | (?<=code_verifier=)([^&]+) | X_wrong_code,Token response | head | 400 | body | invalid_request,An RP doing a Token Request must insert the code_verifier parameter in the request,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 x,OP-Token response-wrong-grant_type-value,Token response,Token response to a request with a wrong grant_type parameter,Token request with the grant_type parameter in the body set to example,"Compliant if the Token response is an HTTP 400 because of unsupported_grant_type, not compliant otherwise",Param Response,Wrong Input,Token response,Does the OP checks that the token request contains the grant_type parameter set correctly,"In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response",OP,Token request | body | (?<=grant_type=)([^&]+) | example,Token response | head | 400 | body | unsupported_grant_type,"An RP doing a Token Request must set the grant_type parameter in the request to 'authorization_code', than it must contain the code and the code_verifier",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request -x,OP-Token response-grant_type-refresh,Token 
request,Token response,Token request with grant_type refresh token but missing the necessary refresh token in the body,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Token response,Does the OP accept a token request using the grant_type set to 'refresh_token' but without the necessary refresh token,"When an RP sends a token request using the refresh token, the OP must check the presence of the grant_type parameter in the request but also the presence of the refresh token. In order to check whether the OP accomplish this control, a token request without a refresh token is sent and the response analyzed",OP,,,An RP doing a Token Request using a refresh token must insert the grant_type parameter in the request with the value 'refresh_token' and the refresh_token parameter,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, 
-x,OP-Token response-refresh_token-payload-aud-value,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the JWT Refresh Token Payload has the aud parameter set to the Token Endpoint, not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the issued JWT Refresh Token contain correct 'aud' parameter in the Payload,The Refresh Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload set to the Token Endpoint taken from the Entity Configuration OP.,OP,,"Token response | head | (?<=\""refresh_token\"": \"")[^\""]+ | payload | aud[?(@ =~ /.*\/userinfo.*/)]",The JWT Refresh Token Payload requires the aud parameter and it must contain the Token 
Endpoint.,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,"il valore salvato del token_endpoint รจ ""http://cie-provider.org:8002/oidc/op/token"", mentre quello in aud รจ ""http://relying-party.org:8001""" -x,OP-Token response-require-assertion-iss,Token response,Token response,Token request with a client assertion without iss claim,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is missing.,OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss | | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iss claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Ritorna 403 unauthorized_client -x,OP-Token response-id_token-with-refresh-request,Token Response containing refresh_token,Token Response,Token request with grant_type set to refresh_token and a valid refresh_token ,"Compliant if the Token Response does not contain the ID Token, not compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the OP release ID Tokens with the use of refresh tokens,"In this test the offline_access flow is accomplished and a refresh token is obtained. After this, a new token request is done with 'grant_type=refresh_token' and the refresh token inserted in the 'refresh_token' parameter. The response must not include the ID Token",OP,,,"The Refresh Token MUST NOT allow the requesting RP to obtain an ID Token, neither the one previously issued during authentication nor a new ID Token",SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1"", ""s1.1""]",E,,F,P,passed,id_token รจ presente -x,OP-Token response-refresh_token_signature,Refresh token,Token response,Authentication request with scope offline_access and prompt contains consent,"Compliant if the signature of the Refresh token is correctly verified using the OP's public key, not compliant otherwise",/ manual: check signature,Correct Input,Token response,Does the OP correctly sign the Refresh Token,"Tokens issued by an OP must have the structure of JWT Tokens. 
In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test an offline_access flow is performed and the obtained Refresh token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the Refresh token is passed to a signature verifier correctly configured",OP,,Token response | body | refresh_token | XXX,The Refresh Token MUST be a signed JWT,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,3.2.11,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-url-missing-client_id,Token response,Token response,Token request without the client_id parameter in the URL,"Compliant if the Token Response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Token response,Does the OP check the client_id in the request,In this test the client_id parameter in the URL of the token request is removed and the response analyzed,OP,Token request | body | (?<=client_id=)([^&]+) | ,Token response | head | 400 | body | invalid_request,An RP doing a Token Request must insert the client_id parameter in the request and it has to be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-refresh_token-after-access_token-revocation,Token Response,Token Response to a request with refresh token ,Token request with grant_type set to refresh_token 
and a refresh_token whose corresponding access_token was revoked,"Compliant if the OP sends a successful token response, not compliant otherwise",/ manual: check flow,Correct Input,Token response,Does the OP revoke the Refresh Token when revoking an Access Token,"In order to test if the OP revokes a refresh token together with the access token revocation, a classic authentication flow is computed and, once obtained the access token and the refresh token, the access token is used to login. Finally, a logout is performed (thus revocating the access token), a token request using the refresh token is accomplished and the OP's response analyzed.",OP,,,The Access Token revocation MUST NOT imply revoking all the Refresh Tokens linked to it.,SPID_CIE_OIDC#revocation-endpoint; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html,OIDC Core,Passive,L,Incorrect handling,Are refresh tokens revoked after access token revocation (AccessRevokesRefresh),,,,,,"The OAuch outcome is in contrast with ours and with the one in the specification: for OAuch if the related refresh token is revoked, than this is compliant, in the CIE scenario it is not",TRUE,x,,yes,"[""s1"", ""s1.1""]",E,,P,P,passed, -x,OP-Token response-refresh_token-already-used,Token Response,Token Response to a request with an already-used refresh token ,Token request with offline_access grant type and an already-used refresh token in it,"Compliant if the Token Response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Token response,Does the OP invalidate already-used refresh tokens,"A Token Request with the grant_type=refresh_token and the refresh token in it is sent. 
Even if the response will contain a new access token and a new refresh token, the next step is trying to refresh again the access token with the already-used refresh token and analyze the response",OP,,,"For security reasons, an OP MUST return, along with a new Access Token, also a new Refresh Token, invalidating all previously issued tokens (refresh token rotation) to the RP and related to the end-user",SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is the active refresh token revoked after a multi-exchange (InvalidatedRefreshToken),,test_grant_refresh_token_two_times,,,,,TRUE,x,,yes,"[""s1"", ""s1.1"", ""s1.2""]",E,,P,P,passed, -x,OP-Token response-refresh_token-correct-signature,Successful Token response,Token response,Authentication request with scope offline_access and prompt contains consent,"Compliant if the refresh_token obtained in the token response is a valid JWT, not Compliant otherwise",/ manual: check parameter,Correct Input,Token response,Does the OP issue valid refresh tokens,"In this test an RP makes an authentication request with scope offline_access and the parameter prompt set to consent. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain a valid refresh token. 
Once obtained, the token must be validated with the proper validation algorithm and public key",OP,Authentication request | url | scope | openid offline_access | prompt | consent,"Token response | body | (?<=\""refresh_token\"": \"")[^\""]+ | XXX","The Token response, if succesful, returns an ID Token, an Access Token and possibly a Refresh Token (if the authentication request has scope=offline_access and prompt=consent)",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,L,Type mismatch,Are refresh tokens supported (HasRefreshTokens),,,,"Accesso L1 con protocollo -OIDC e scope valorizzato -openid profile email -offline_access","3.2.9, 3.2.10",,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Token response-id_token-payload-nonce-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the nonce claim and its value is the same as the nonce in the Authentication Request made before, not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the issued JWT ID Token contain the 'nonce' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked. 
In particular, its value must be set to the 'nonce' value set in the Authentication Request",OP,,,The JWT ID Token Payload requires the nonce parameter and it must be set to the nonce value sent in the Authentication Request,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,M,Presence of wrong parameter,Is the nonce present in the ID token (NoncePresentInToken),ID Token has nonce when requested for code flow,,,,"3.3.24, 3.3.25",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, 
-x,OP-Token response-refresh_token-payload-iat-type,Refresh Token,Token response,Authentication request with scope openid offline_access and prompt contains consent,"Compliant if the JWT Refresh Token Payload contains the iat claim and its value is a timestamp, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the issued JWT Refresh Token contain 'iat' parameter in the Payload,"The Refresh Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",OP,,"Token response | head | (?<=\""refresh_token\"": \"")[^\""]+ | payload | iat | timestamp",The Refresh Token MUST contain the iat parameter,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, 
-x,OP-Token response-token-rotation,Token Response,Token Response to a request with refresh token ,Token request with offline_access grant type and a valid refresh token in it,"Compliant if the response has a new refresh token, not compliant otherwise",/ manual: check content,Correct Input,Token response,Does the OP use token rotation,A Token Request with the grant_type=refresh_token and the refresh token in it is sent. 
The response must contain a new refresh token.,OP,,,"For security reasons, an OP MUST return, along with a new Access Token, also a new Refresh Token, invalidating all previously issued tokens (refresh token rotation) to the RP and related to the end-user",SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Active,M,Mismatch of content,Is refresh token rotation used (UsesTokenRotation),,,,Accesso L1 con protocollo OIDC e scope valorizzato openid e offline_access. Verifica della Refresh Token Rotation,,,TRUE,x,,yes,"[""s1"", ""s1.1""]",E,,P,P,passed, -x,OP-Token response-wrong-assertion-iss,Token response,Token response,Token request with a client assertion with the iss claim not set to the RP's client ID,"Compliant if the Token response is an HTTP 400 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is not set to the RP's client ID,OP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss | https://www.example.com/ | X_key_core_RP,Token response | head | 400 | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iss claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Ritorna 403 unauthorized_client -o,OP-Token response-error_description-if_error_grant_type,Successful error Token response,Token response,Trigger error Token response,"Compliant if the error token response has error_description parameter, not Compliant otherwise",/ manual: check type,Correct Input,Token response,Does the error token response have error_description parameter,This test verifies the presence of error_description parameter in the error token response.,OP,,,The error Token response must have error_description parameter,SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-error-value,Token Error response,Token response,Trigger Token response,"Compliant if the Token Response has the error parameter and it is set to a value among 'invalid_request', 'invalid_client', 'unsupported_grant_type', 'invalid_grant', 'server_error', or 'temporarily_unavailable'. Not Compliant otherwise",/ manual: wrong parameter,Correct Input,Token response,Does the Token error response contain a correct error parameter,"The Token error response is analyzed and the the error parameter in it is checked. 
It must have a value among 'invalid_request', 'invalid_client', 'unsupported_grant_type', 'invalid_grant', 'server_error', or 'temporarily_unavailable'",OP,,"Token response | body | error | [""invalid_request"", ""invalid_client"", ""unsupported_grant_type"", ""invalid_grant"", ""server_error"", ""temporarily_unavailable""]","If the Token Request (both ID Token and Refresh Token) is invalid or unauthorized, the OP constructs the error response. This response needs to have the error parameter with the error code ('invalid_request' or 'unauthorized_client')",SPID_CIE_OIDC#Token-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#response,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Token response-wrong-assertion-jti,Token response to a request with a client assertion with a jti already used,Token response to a request with a client assertion with a jti already used,Token request with a client assertion with a jti already used in the life time of the JWT (JWT replay),"Compliant if the Token Response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: check flow,Wrong Input,Token response,Does the token response to a token request made with a client_assertion parameter containing an already used jti in the JWT return a Token Error response,In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the jti has already been used.,OP,,Token response | head | 400 | Token response | body | invalid_request,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the jti claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,x,,no,"[""s1-revoked"", ""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 -x,SA-Trust Mark status response SA RP-exposed-RP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response SA RP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: TM check content,Correct Input,Trust Mark status response SA RP,Does the SA Trust Mark Status endpoint effectively verify valid Trust Marks of RP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the RP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",SA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Trust Mark status response SA OP-exposed-OP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response SA OP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: TM check content,Correct Input,Trust Mark status response SA OP,Does the SA Trust Mark Status endpoint effectively verify valid Trust Marks of OP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the OP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",SA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -o,SA-Trust Mark status response SA-revocated-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status endpoint request with invalidated Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA,Does the SA invalidate revocated trust marks,"In order to check if a SA correctly invalidate a Trust Mark, a Trust Mark revocation request on a Trust Mark has to be made and then the trust mark status endpoint must be fetched. If the response says that the trust mark is invalid, than it is correctly invalidated, otherwise the SA is not compliant with the specification",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Trust Mark status response SA RP-not_valid-trust_mark-RP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA RP,Does the SA's trust mark status endpoint correctly refuses a not-valid id Trust Marks RP,"In order to check if the trust mark status endpoint of a SA correctly refuses invalid trust marks RP, a invalid trust mark can be sent to the endpoint and the response analyzed",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
-x,SA-Trust Mark status response SA OP-not_valid-trust_mark-OP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA OP,Does the SA's trust mark status endpoint correctly refuses a not-valid id Trust Marks OP,"In order to check if the trust mark status endpoint of a SA correctly refuses invalid trust marks OP, a invalid trust mark can be sent to the endpoint and the response analyzed",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Trust Mark status response SA-different-entity-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status invalid request,"Compliant if the Trust Mark status response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA,Does the SA checks Trust Marks not issued by the Entity,"In this test, a valid Trust Mark issued by another entity is sent to an SA. If it validates the Trust Mark, than is not compliant with the specifications",SA,,,trust mark status endpoint: allows an Entity to test if a TM is still active or not. 
The request MUST be sent to the subject that has released that TM.,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,TA-Trust Mark status response TA RP-exposed-RP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response TA RP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: check flow,Correct Input,Trust Mark status response TA RP,Does the TA Trust Mark Status endpoint effectively verify valid Trust Marks of RP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the RP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",TA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, -x,TA-Trust Mark status response TA OP-exposed-OP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response TA OP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: status code,Correct Input,Trust Mark status response TA OP,Does the TA Trust Mark Status endpoint effectively verify valid Trust Marks of OP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the OP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",TA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,L,Return wrong status code,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Problema implementazione,F,F,failed,[SAME] Manca trust_mark in OP in EC -o,TA-Trust Mark status response TA-revocated-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status endpoint request with invalidated Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA,Does the TA invalidate revocated trust marks,"In order to check if a TA correctly invalidate a Trust Mark, a Trust Mark revocation request on a Trust Mark has to be made and then the trust mark status endpoint must be fetched. If the response says that the trust mark is invalid, than it is correctly invalidated, otherwise the TA is not compliant with the specification",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,N_A,not_applicable, -x,TA-Trust Mark status response TA RP-not_valid-trust_mark-RP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA RP,Does the TA's trust mark status endpoint correctly refuses a not-valid id Trust Marks RP,"In order to check if the trust mark status endpoint of a TA correctly refuses invalid trust marks RP, a invalid trust mark can be sent to the endpoint and the response analyzed",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, -x,TA-Trust Mark status response TA OP-not_valid-trust_mark-OP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA OP,Does the TA's trust mark status endpoint correctly refuses a not-valid id Trust Marks OP,"In order to check if the trust mark status endpoint of a TA correctly refuses invalid trust marks OP, a invalid trust mark can be sent to the endpoint and the response analyzed",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, -x,TA-Trust Mark status response TA-different-entity-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status invalid request,"Compliant if the Trust Mark status response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response TA,Does the TA checks Trust Marks not issued by the Entity,"In this test, a valid Trust Mark issued by another entity is sent to an TA. 
If it validates the Trust Mark, than is not compliant with the specifications",TA,,,trust mark status endpoint: allows an Entity to test if a TM is still active or not. The request MUST be sent to the subject that has released that TM.,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 - active: false -x,RP-User logout-token-revocation,User's logout,Revocation request,Trigger User logout,"Compliant if the RP sends a Revocation Request regarding the access token, not compliant otherwise",HTTP parameter presence,Correct Input,User logout,Does the RP revoke the Token when the User logs out,"In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",RP,,Revocation request | body | token,"When the user logs out, the RP MUST revoke the Access Token in its possession",SPID_CIE_OIDC#logout; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/logout.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Userinfo request-access-token,RP's UserInfo request,Userinfo request,Trigger Userinfo request,"Compliant if the the authorization field in the header of the UserInfo Request contains an Access Token, not compliant otherwise",HTTP parameter presence,Correct Input,Userinfo request,Does the RP contain the Access Token in the UserInfo request,The UserInfo request from the RP is taken and analyzed. 
In the Authorization field of the header there must be an Access Token,RP,,UserInfo request | head | Authorization,"In order to obtain the requested claims, the RP sends a request to the UserInfo Endpoint using the Access Token",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, -x,RP-Userinfo request-access-token-valid,RP's UserInfo request,Userinfo request,Trigger Userinfo request,"Compliant if the authorization field in the header of the UserInfo Request contains a valid Access Token (JWT), not compliant otherwise",HTTP parameter type,Correct Input,Userinfo request,Does the RP contain a valid Access Token in the UserInfo request,The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token,RP,,UserInfo request | head | Authorization:\s?Bearer\s?([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In order to obtain the requested claims, the RP sends a request to the UserInfo Endpoint using the Access Token",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Userinfo response-access_token-wrong-payload,UserInfo request with errors,Userinfo response to a request with an Access Token with a wrong payload,Userinfo request with an Access Token with a wrong payload,"Compliant if the Userinfo Response is an HTTP 401 because of invalid_client, not compliant otherwise",/ manual: check flow,Wrong Input,Userinfo response,Does the OP correctly validate the Access Tokens,"In order to test if the OP's UserInfo endpoint correctly validates the Access Tokens, a UserInfo Request with an Access Token with a wrong payload, wrong client_id is sent and the OP's response 
analyzed",OP,,,"The UserInfo Endpoint MUST support the method HTTP GET and HTTP POST and MUST accept and validate the Access Token sent in the Authorization field of the Header, whose type is Bearer",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,test_userinfo_endpoint_no_issued_token_session,,,,,TRUE,x,,,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 o,OP-Userinfo response-content_type,UserInfo response,Userinfo response,Trigger Userinfo response,"Compliant if the Content-Type is 'application/jwt', not compliant otherwise",HTTP parameter value_1,Correct Input,Userinfo response,Does the Content-Type of the UserInfo response set to 'application/jwt',The Content-Type of the UserInfo response must be set to 'application/jwt' ,OP,,UserInfo response | head | Content-Type | application/jwt,Tthe Content-Type of the UserInfo response must be set to 'application/jwt',SPID_CIE_OIDC#UserInfo Response#response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Mismatch of content,,,,,,,ONLY FOR SPID,FALSE,x,,no,"[""s1""]",E,,F,P,passed,application/jose https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse +x,OP-Userinfo response-correct-release,UserInfo response to a refreshed access token,Userinfo response to a request with a refreshed Access token,Trigger Userinfo response to a refreshed access token,"Compliant if the claim issued by the two UserInfo response are the same, not compliant otherwise",/ manual: check content,Correct Input,Userinfo response,Does the OP release only previously accepted information when presenting a refresh token,"In this test the offline_access flow is accomplished, obtaining a refresh token and an 
access token. After this, a UserInfo request is sent with the access token and the released information saved. Once obtained the information, a new token request is done with 'grant_type=refresh_token' and the refresh token inserted in the 'refresh_token' parameter. The access token included in the latter response is then taken, a UserInfo Request is made with it and the results compared. The last UserInfo Response must contain exactly the claims issued with the previous one",OP,,,The Refresh Token MAY be used as a mechanism to obtain from the UserInfo endpoint only the same set of user attributes requested at the initial authentication phase and for which the user has given explicit consent,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1"", ""s1.1""]",E,,F,F,failed,"Mancano iss e aud, perรฒsono uguali" +x,OP-Userinfo response-GET-request,UserInfo request via HTTP GET,Userinfo response,"UserInfo request via HTTP GET with scope ""openid profile""",Compliant if the JWT in the body of the response contains the claim 'given_name'. Not compliant otherwise,/ manual: check content,Correct Input,Userinfo response,Does the OP give the correct claims through HTTP GET at the userinfo endpoint,"After a successful Authentication Request with a scope 'openid profile' and only paramter given_name for userinfo, a valid Access Token obtained from the OP is sent to the OP's userinfo endpoint using an HTTP GET request. 
If the userinfo endpoint returns a signed and encrypted JWT containing the claims 'given_name', the OP is compliant with the specification.",OP,,,"The UserInfo Endpoint MUST support the method HTTP GET and HTTP POST and MUST accept and validate the Access Token sent in the Authorization field of the Header, whose type is Bearer",SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Active,M,Mismatch of content,Is JWT authentication implemented (SupportsJwtClientAuthentication),"Has userinfo endpoint, Userinfo Endpoint access with header method",,,,,,TRUE,x,,yes,"[""s1""]",E,,F,F,failed,"[SAME] Manca parametro birthdate, iss e aud e ha email" o,OP-Userinfo response-http_status_code,UserInfo response,Userinfo response,Trigger Userinfo response,"Compliant if the HTTP status code is 200, not compliant otherwise",HTTP parameter presence,Correct Input,Userinfo response,Does the HTTP status code of the UserInfo response is 200,A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. 
The HTTP code must be 200,OP,,UserInfo response | head | HTTP/?\d?\.?\d?\s200,The HTTP status code of the UserInfo response is 200,SPID_CIE_OIDC#UserInfo Response#response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,L,Return wrong status code,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Userinfo response-JWE,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if the response contains a signed and encrypted JWT, not compliant otherwise",HTTP parameter type,Correct Input,Userinfo response,Does the UserInfo Endpoint create a signed and encrypted JWT,The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.,OP,,UserInfo response | body | [\w\-]+\.[\w\-]+\.[\w\-]+\.[\w\-]+\.[\w\-]+$,The content of the Response body MUST be a signed and encrypted JWT,SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,"4.2.1, 4.2.2, 4.3.7",Must understand how to check encryption of the JWT,TRUE,x,,no,"[""s1""]",E,,P,P,passed, +x,OP-Userinfo response-JWE-correct-signature,UserInfo response to a correct request,Userinfo response,Trigger Userinfo response,"Compliant if the signature verification of the JWE in the payload of the response is valid using the OP's public key, not compliant otherwise",/ manual: check signature,Correct Input,Userinfo response,Does Userinfo endpoint sign the JWE in the response with the OP's private key,"In order to guarantee integrity, the Userinfo Response's JWE must be signed with the OP's private key, so that everyone in possess of the OP's public key can decrypt it and verify that it was issued by the OP. 
In this test a correct request is made and the correctness of the signature of the JWE is checked using the OP's public key",OP,,,The content of the Response body MUST be a signed and encrypted JWT,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,4.4.3,,TRUE,x,,,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Decryptare il JWE e controllare la signature del jwt contenuto (OP) o,OP-Userinfo response-JWE-header-alg,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the JOSE Header of the JWE in the body of the response there is the alg parameter, not compliant otherwise",JWE parameter presence,Correct Input,Userinfo response,Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header,"The JWE Token contained in the UserInfo response's body is taken and analyzed. 
If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification",OP,,UserInfo response | body | [^\r\n]* | header | alg,The JOSE header MUST contain the alg parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, o,OP-Userinfo response-JWE-header-alg-value,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the JOSE Header of the JWE in the body of the response there is the alg parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'], not compliant otherwise",JWE list values,Correct Input,Userinfo response,Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header,"The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification",OP,,"UserInfo response | body | [^\r\n]* | header | alg | [""RSA-OAEP"", ""RSA-OAEP-256"", ""ECDH-ES"", ""ECDH-ES+A128KW"", ""ECDH-ES+A256KW""]",The JOSE header MUST contain the alg parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,4.3.0,,TRUE,,,no,"[""s1""]",E,,P,P,passed, ,OP-Userinfo response-JWE-header-alg-value-wrong,,Userinfo response,Trigger Userinfo response,"Compliant if the alg parameter in the JOSE Header of the JWE in the body of the response contains a value among RS256 and RS512, not Compliant if it contains values among ['none', 'HS256', 'HS384', 'HS512'] or is empty",JWE parameter not in value,Correct Input,Userinfo response,Does the UserInfo Response's 
JWE contain a correct alg parameter in the JOSE Header,"In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.",OP,,"UserInfo response | body | [^\r\n]* | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The JOSE header MUST contain the alg parameter,SPID_CIE_OIDC#Userinfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, 
@@ -988,21 +424,585 @@ x,OP-Userinfo response-JWE-header-cty-value,UserInfo Response,Userinfo response, x,OP-Userinfo response-JWE-header-enc,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the JOSE Header of the JWE in the body of the response there is the enc parameter, not compliant otherwise",JWE parameter presence,Correct Input,Userinfo response,Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header,"The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification",OP,,UserInfo response | body | [^\r\n]* | header | enc,The JOSE header MUST contain the enc parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Userinfo response-JWE-header-enc-value,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the JOSE Header of the JWE in the body of the response there is the enc parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWE list values,Correct Input,Userinfo response,Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header,"The JWE Token contained in the UserInfo response is taken and analyzed. 
If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification",OP,,"UserInfo response | body | [^\r\n]* | header | enc | [""A128CBC-HS256"", ""A256CBC-HS512""]",The JOSE header MUST contain the enc parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, ,OP-Userinfo response-JWE-header-kid,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the JOSE Header of the JWE in the body of the response there is the kid parameter, not compliant otherwise",JWE parameter presence,Correct Input,Userinfo response,Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header,"The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification",OP,,UserInfo response | body | [^\r\n]* | header | kid,The JOSE header MUST contain the kid parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,OP-Userinfo response-access_token-wrong-payload,UserInfo request with errors,Userinfo response to a request with an Access Token with a wrong payload,Userinfo request with an Access Token with a wrong payload,"Compliant if the Userinfo Response is an HTTP 401 because of invalid_client, not compliant otherwise",/ manual: check flow,Wrong Input,Userinfo response,Does the OP correctly validate the Access Tokens,"In order to test if the OP's UserInfo endpoint correctly validates the Access Tokens, a UserInfo Request with an Access Token with a wrong payload, wrong client_id is sent and 
the OP's response analyzed",OP,,,"The UserInfo Endpoint MUST support the method HTTP GET and HTTP POST and MUST accept and validate the Access Token sent in the Authorization field of the Header, whose type is Bearer",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,test_userinfo_endpoint_no_issued_token_session,,,,,TRUE,x,,,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 -x,OP-Userinfo response-correct-release,UserInfo response to a refreshed access token,Userinfo response to a request with a refreshed Access token,Trigger Userinfo response to a refreshed access token,"Compliant if the claim issued by the two UserInfo response are the same, not compliant otherwise",/ manual: check content,Correct Input,Userinfo response,Does the OP release only previously accepted information when presenting a refresh token,"In this test the offline_access flow is accomplished, obtaining a refresh token and an access token. After this, a UserInfo request is sent with the access token and the released information saved. Once obtained the information, a new token request is done with 'grant_type=refresh_token' and the refresh token inserted in the 'refresh_token' parameter. The access token included in the latter response is then taken, a UserInfo Request is made with it and the results compared. 
The last UserInfo Response must contain exactly the claims issued with the previous one",OP,,,The Refresh Token MAY be used as a mechanism to obtain from the UserInfo endpoint only the same set of user attributes requested at the initial authentication phase and for which the user has given explicit consent,SPID_CIE_OIDC#Refresh-token https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#refresh-token,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1"", ""s1.1""]",E,,F,F,failed,"Mancano iss e aud, perรฒsono uguali" -x,OP-Userinfo response-JWE-correct-signature,UserInfo response to a correct request,Userinfo response,Trigger Userinfo response,"Compliant if the signature verification of the JWE in the payload of the response is valid using the OP's public key, not compliant otherwise",/ manual: check signature,Correct Input,Userinfo response,Does Userinfo endpoint sign the JWE in the response with the OP's private key,"In order to guarantee integrity, the Userinfo Response's JWE must be signed with the OP's private key, so that everyone in possess of the OP's public key can decrypt it and verify that it was issued by the OP. 
In this test a correct request is made and the correctness of the signature of the JWE is checked using the OP's public key",OP,,,The content of the Response body MUST be a signed and encrypted JWT,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,4.4.3,,TRUE,x,,,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Decryptare il JWE e controllare la signature del jwt contenuto (OP) -x,OP-Userinfo response-JWT-correct-encryption,UserInfo response to a correct request,Userinfo response,Trigger Userinfo response,Compliant if the JWT in the payload of the response can be decrypted with the RP's private key,/ manual: check signature,Correct Input,Userinfo response,Does Userinfo endpoint encrypt the JWE in the response with the RP's public key,"In order to guarantee confidentiality, the Userinfo Response's JWE must be encrypted with the RP's public key, so that only the intended RP is able to decrypt it. In this test a correct request is made and the correctness of the encryption of the JWT is checked by trying to decrypt the payload with the RP's private key",OP,,,The content of the Response body MUST be a signed and encrypted JWT,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,4.3.6,,TRUE,x,,,"[""s1""]",E,,P,P,passed,Decrypt il JWE con chiave RP -x,OP-Userinfo response-GET-request,UserInfo request via HTTP GET,Userinfo response,"UserInfo request via HTTP GET with scope ""openid profile""",Compliant if the JWT in the body of the response contains the claim 'given_name'. 
Not compliant otherwise,/ manual: check content,Correct Input,Userinfo response,Does the OP give the correct claims through HTTP GET at the userinfo endpoint,"After a successful Authentication Request with a scope 'openid profile' and only paramter given_name for userinfo, a valid Access Token obtained from the OP is sent to the OP's userinfo endpoint using an HTTP GET request. If the userinfo endpoint returns a signed and encrypted JWT containing the claims 'given_name', the OP is compliant with the specification.",OP,,,"The UserInfo Endpoint MUST support the method HTTP GET and HTTP POST and MUST accept and validate the Access Token sent in the Authorization field of the Header, whose type is Bearer",SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Active,M,Mismatch of content,Is JWT authentication implemented (SupportsJwtClientAuthentication),"Has userinfo endpoint, Userinfo Endpoint access with header method",,,,,,TRUE,x,,yes,"[""s1""]",E,,F,F,failed,"[SAME] Manca parametro birthdate, iss e aud e ha email" -x,OP-Userinfo response-JWS-payload-iss,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the payload of the JWS contained in the payload of the JWE in the body of the response there is the iss parameter, not compliant otherwise",/ manual: check content,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain the iss parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. 
If it contains the 'iss' parameter in the payload, then it is compliant with the specification",OP,,,The JWT payload is a JSON containing the iss parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Mismatch of content,,,,,,"4.4.4, 4.4.5",,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro iss -x,OP-Userinfo response-JWS-payload-iss-value,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if the value of the iss parameter in the payload of the JWS contained in the payload of the JWE in the body of the response is an URL identifying the OP, not compliant otherwise",/ manual: wrong parameter,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain a correct iss parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. If the 'iss' parameter in the payload is set to the OP's identifier, then it is compliant with the specification",OP,,,The JWT payload is a JSON containing the iss parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro iss -x,OP-Userinfo response-missing-token,UserInfo response to a request without the Token,UserInfo response to a request without the Token,UserInfo request without the Token in Authorization parameter in the head,"Compliant if the Userinfo response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Userinfo response,How does the OP behave when the token in the userinfo request is missing,A userinfo request without the 'Authorization: Bearer ...' 
field is made and the response analyzed,OP,UserInfo request | head | Authorization | ,UserInfo response | head | 400 | body | invalid_request,"The UserInfo Endpoint MUST support the method HTTP GET and HTTP POST and MUST accept and validate the Access Token sent in the Authorization field of the Header, whose type is Bearer",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,test_userinfo_endpoint_no_header,,,,,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 x,OP-Userinfo response-JWS-payload-aud-value,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the payload of the JWS contained in the payload of the JWE in the body of the response there is the aud parameter set to the RP's identifier, not compliant otherwise",/ manual: wrong parameter,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain a correct aud parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. 
If the 'aud' parameter in the payload is set to the RP's identifier, then it is compliant with the specification",OP,,,"The JWT payload is a JSON containing the aud parameter, which must be the RP's identifier",SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,,,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro aud o,OP-Userinfo response-JWS-payload-exp-presence,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the payload of the JWS contained in the payload of the JWE in the body of the response there is the exp parameter, not compliant otherwise",/ manual: check parameter,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain exp parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. If it contains the 'exp' parameter in the payload, then it is compliant with the specification",OP,,,The JWS header is a JSON containing the exp parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro exp o,OP-Userinfo response-JWS-payload-exp-type,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if the exp parameter in the payload of the JWS contained in the payload of the JWE in the body of the response is a valid unix time, not compliant otherwise",/ manual: check type,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain a correct exp parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. 
If the 'exp' parameter in the payload is a UNIX time, then it is compliant with the specification",OP,,,The JWS header is a JSON containing the exp parameter as a valid unix time,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro exp o,OP-Userinfo response-JWS-payload-iat-presence,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the payload of the JWS contained in the payload of the JWE in the body of the response there is the iat parameter, not compliant otherwise",/ manual: check parameter,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain iat parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. If it contains the 'iat' parameter in the payload, then it is compliant with the specification",OP,,,The JWS header is a JSON containing the iat parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro iat o,OP-Userinfo response-JWS-payload-iat-type,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if the iat parameter in the payload of the JWS contained in the payload of the JWE in the body of the response is a valid unix time, not compliant otherwise",/ manual: check type,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain a correct iat parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. 
If the 'iat' parameter in the payload is a UNIX time, then it is compliant with the specification",OP,,,The JWS header is a JSON containing the iat parameter as a valid unix time,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro iat +x,OP-Userinfo response-JWS-payload-iss,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the payload of the JWS contained in the payload of the JWE in the body of the response there is the iss parameter, not compliant otherwise",/ manual: check content,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain the iss parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. If it contains the 'iss' parameter in the payload, then it is compliant with the specification",OP,,,The JWT payload is a JSON containing the iss parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Mismatch of content,,,,,,"4.4.4, 4.4.5",,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro iss +x,OP-Userinfo response-JWS-payload-iss-value,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if the value of the iss parameter in the payload of the JWS contained in the payload of the JWE in the body of the response is an URL identifying the OP, not compliant otherwise",/ manual: wrong parameter,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain a correct iss parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. 
If the 'iss' parameter in the payload is set to the OP's identifier, then it is compliant with the specification",OP,,,The JWT payload is a JSON containing the iss parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro iss x,OP-Userinfo response-JWS-payload-sub,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if in the payload of the JWS contained in the payload of the JWE in the body of the response there is the sub parameter, not compliant otherwise",/ manual: check parameter,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain the sub parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. If it contains the 'sub' parameter in the payload, then it is compliant with the specification",OP,,,The JWT payload is a JSON containing the sub parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Passive,M,Missing parameter,,Userinfo has sub claim,,,,"4.4.15, 4.4.16",,TRUE,x,,no,"[""s1""]",E,,P,P,passed, x,OP-Userinfo response-JWS-payload-sub-value,UserInfo Response,Userinfo response,Trigger Userinfo response,"Compliant if the value of the sub parameter in the payload of the JWS contained in the payload of the JWE in the body of the response is the same as the one sent in the ID Token, not compliant otherwise",/ manual: wrong parameter,Correct Input,Userinfo response,Does the UserInfo Response's JWS contain a correct sub parameter in the payload,"The JWS Token contained in the encrypted payload of the JWE in the UserInfo response body is taken and analyzed. 
If the 'sub' parameter in the payload is set to the same value set in the ID Token, then it is compliant with the specification",OP,,,The JWT payload is a JSON containing the sub parameter,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Active,M,Presence of wrong parameter,,Userinfo has sub claim,,,,"4.4.15, 4.4.16",,TRUE,x,,no,"[""s1""]",E,,F,P,passed,"[PRIMA] Non vedo il jwe, quindi non รจ possibile analizzare l'errore. Ufficialmente il parametro sub non รจ corretto." +x,OP-Userinfo response-JWT-correct-encryption,UserInfo response to a correct request,Userinfo response,Trigger Userinfo response,Compliant if the JWT in the payload of the response can be decrypted with the RP's private key,/ manual: check signature,Correct Input,Userinfo response,Does Userinfo endpoint encrypt the JWE in the response with the RP's public key,"In order to guarantee confidentiality, the Userinfo Response's JWE must be encrypted with the RP's public key, so that only the intended RP is able to decrypt it. 
In this test a correct request is made and the correctness of the encryption of the JWT is checked by trying to decrypt the payload with the RP's private key",OP,,,The content of the Response body MUST be a signed and encrypted JWT,SPID_CIE_OIDC#UserInfo-Endpoint-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response,OIDC Core,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,4.3.6,,TRUE,x,,,"[""s1""]",E,,P,P,passed,Decrypt il JWE con chiave RP +x,OP-Userinfo response-missing-token,UserInfo response to a request without the Token,UserInfo response to a request without the Token,UserInfo request without the Token in Authorization parameter in the head,"Compliant if the Userinfo response is an HTTP 400 because of invalid_request, not compliant otherwise",Param Response,Wrong Input,Userinfo response,How does the OP behave when the token in the userinfo request is missing,A userinfo request without the 'Authorization: Bearer ...' 
field is made and the response analyzed,OP,UserInfo request | head | Authorization | ,UserInfo response | head | 400 | body | invalid_request,"The UserInfo Endpoint MUST support the method HTTP GET and HTTP POST and MUST accept and validate the Access Token sent in the Authorization field of the Header, whose type is Bearer",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,test_userinfo_endpoint_no_header,,,,,TRUE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 x,OP-Userinfo response-POST-request,UserInfo request via HTTP POST,Userinfo response,"UserInfo request via HTTP POST with scope ""openid profile""","Compliant if the JWT in the body of the response contains the claims 'family_name', 'given_name', 'birthdate', https://attributes.eid.gov.it/fiscal_number (National Unique Identifier). Not compliant otherwise",/ manual: check content,Correct Input,Userinfo response,Does the OP gives the correct claims through HTTP POST at the userinfo endpoint,"After a successful Authentication Request with a scope 'openid profile' , a valid Access Token obtained from the OP is sent to the OP's userinfo endpoint using an HTTP POST request. 
If the userinfo endpoint returns a signed and encrypted JWT containing the claims 'family_name', 'given_name', 'birthdate', https://attributes.eid.gov.it/fiscal_number (National Unique Identifier), the OP is compliant with the specification.",OP,,,"The UserInfo Endpoint MUST support the method HTTP GET and HTTP POST and MUST accept and validate the Access Token sent in the Authorization field of the Header, whose type is Bearer",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Active,M,Mismatch of content,,,,,,,,,,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Authentication request failed con openid profile - UserInfo request funziona solo in GET x,OP-Userinfo response-scope-openid,UserInfo response,Userinfo response,Authentication request with scope openid and claims parameter empty in the request,"Compliant if the payload of the issued JWT contains the sub claim and no user attributes, not compliant otherwise",/ manual: check content,Correct Input,Userinfo response,Does the OP leak information when the scope is only openid,"In this test an authorization request is made without the claims parameter and inserting in the scope parameter only the 'openid' value. The OP must return a code that will be exchanged for an access token. 
Once obtained the access token, the UserInfo endpoint is queried and the response must contain a signed JWT which contains (in the payload) the sub claim and no user attributes.",OP,,,"If in the scope parameter there was only the openid value and the claims parameter was not present or valued, the response of the userinfo endpoint would not have any user attributes but only the claim sub.",SPID_CIE_OIDC#scope-and-claims-parameters; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#parametri-scope-claims,OIDC Core,Active,M,Mismatch of content,,Support openid scope,,,,,,TRUE,x,,no,"[""s1""]",E,,P,P,passed, -x,OP-Userinfo response-tokens-really-revoked,Userinfo response to a request with revoked token,Userinfo response to a request with revoked token,Userinfo request with a revoked token,"Compliant if the Userinfo response is an HTTP 400 because of invalid_grant, not compliant otherwise",/ manual: check flow,Wrong Input,Userinfo response,Does the OP really revoke the Token after a request,"Once obtained a token, it is directly sent to the revocation endpoint. In order to verify that the token is really revoked, a new request to the UserInfo endpoint can be made. 
If the response contains the claims requested, than the token is still valid.",OP,UserInfo request | head | Authorization | Bearer XXX,UserInfo response | head | 400 | body | invalid_grant,"The OP will have to revoke the token specified in the request and will have to end the Single Sign-On session, if it is still active",SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.","Can access tokens be revoked (CanAccessTokensBeRevoked), Can refresh tokens be revoked (CanRefreshTokensBeRevoked), Does the server support RFC7009 (token revocation)",,,,,,,TRUE,,,no,"[""s1"", ""s1-revoked""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 \ No newline at end of file +x,OP-Userinfo response-tokens-really-revoked,Userinfo response to a request with revoked token,Userinfo response to a request with revoked token,Userinfo request with a revoked token,"Compliant if the Userinfo response is an HTTP 400 because of invalid_grant, not compliant otherwise",/ manual: check flow,Wrong Input,Userinfo response,Does the OP really revoke the Token after a request,"Once obtained a token, it is directly sent to the revocation endpoint. In order to verify that the token is really revoked, a new request to the UserInfo endpoint can be made. 
If the response contains the claims requested, than the token is still valid.",OP,UserInfo request | head | Authorization | Bearer XXX,UserInfo response | head | 400 | body | invalid_grant,"The OP will have to revoke the token specified in the request and will have to end the Single Sign-On session, if it is still active",SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.","Can access tokens be revoked (CanAccessTokensBeRevoked), Can refresh tokens be revoked (CanRefreshTokensBeRevoked), Does the server support RFC7009 (token revocation)",,,,,,,TRUE,,,no,"[""s1"", ""s1-revoked""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 403 +x,RP-Authentication request-code_challenge,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if code_challenge is present, not Compliant if it is not",HTTP parameter presence,Correct Input,Authentication request,Does the RP's Authentication Request contain the 'code_challenge' parameter,"The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. 
If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",RP,,Authentication request | url | code_challenge,The HTTP Authentication Request must contain the 'code_challenge' parameter.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,Correctness in the OP is checked with the code_verifier,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-code_challenge_method,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the code_challenge_method parameter is present, not Compliant otherwise",HTTP parameter presence,Correct Input,Authentication request,Does the RP's Authentication Request contain the 'code_challenge_method' parameter,"The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. 
If it is not present, then the RP is not compliant with the specifications",RP,,Authentication request | url | code_challenge_method,The HTTP Authentication Request must contain the 'code_challenge_method' parameter and it must be set to on of the value of the code_challenge_methods_supported parameter in the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,Create OP test on code_challenge,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-code_challenge_method-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the code_challenge_method parameter is present and set to a correct value, not Compliant otherwise",/ manual: wrong parameter,Correct Input,Authentication request,Does the RP's Authentication Request contain a correct 'code_challenge_method' parameter,"The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is present, than it has to be set to one of the value of the code_challenge_methods_supported parameter in the OP's metadata. 
If it is not present or contains any other value, then the RP is not compliant with the specifications",RP,,,The HTTP Authentication Request must contain the 'code_challenge_method' parameter and it must be set to on of the value of the code_challenge_methods_supported parameter in the OP's metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,Create OP test on code_challenge,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-acr_values,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the acr_values parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'acr_values' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | acr_values,"The JWT payload of the request parameter in the Authentication Request must contain the 'acr_values' parameter and It MUST be a string with the requested 'acr' values, each of them separated by a single space, appearing in order of preference. 
The supported values 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +o,RP-Authentication request-JWT-acr_values-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the acr_values parameter is present, it is a string with the requested 'acr' values separated by a single space and the values are among 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. Not compliant otherwise",JWT list values,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. 
If it contains other values or it is missing, than the RP is not compliant with the specifications",RP,,"Authentication request | url | request | payload | acr_values | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3"", ""https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3""]","The JWT payload of the request parameter in the Authentication Request must contain the 'acr_values' parameter and It MUST be a string with the requested 'acr' values, each of them separated by a single space, appearing in order of preference. The supported values 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-aud,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the aud parameter is present, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'aud' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. 
If it missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | aud,The JWT content of the request parameter in the Authentication Request must contain the 'aud' parameter and it must be the OP identifier,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-exp,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if present and before the current time, not compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'exp' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | exp,The JWT content of the request parameter in the Authentication Request must contain the 'exp' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-header-alg-not_in_value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT Header of the request parameter contains the alg parameter and its value does not corresponds to one among ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT parameter not in value,Correct Input,Authentication request,Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request,"In this test 
the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.",RP,,"Authentication request | url | request | header | alg | [""none"", ""HS256"", ""HS384"", ""HS512""]","The JWT Header of the request parameter in the Authentication Request must contain the 'alg' parameter, it must be set to one of the supported values for the OP metadata and must not be 'none' or a symmetric algorithm (MAC).",SPID_CIE_OIDC; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,"If it is not an alg supported by the OP, than it cannot verify the signature and there are 3 cases: 1. It is a algorithm not supported and the OP even trying to use the correct RP's public key cannot decrypt it, or +2. It is a symmetric algorithm and the public key of the RP won't decrypt the signature +3. It is a symmetric algorithm and the public key of the RP is the correct key used to encrypt it +In the first 2 cases the parameter is meaningless because the OP won't be able to decrypt the signature, in the latter we cannot rely on the secrecy of the process. 
The only interesting case is the third one",FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-header-client_id,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'client_id' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'client_id' parameter,"In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.",RP,,Authentication request | url | request | payload | client_id,The JWT content of the request parameter in the Authentication Request must contain the 'client_id' parameter. It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-header-client_id-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT in the request parameter contains the 'client_id' parameter identifying the RP, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP,"In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,Authentication 
request | url | request | payload | client_id | client_id,The JWT content of the request parameter in the Authentication Request must contain the 'client_id' parameter. It MUST contain an HTTPS URL that uniquely identifies the RP.,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-header-kid,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'kid' parameter in the header, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the JWT header of the Authentication Request contain the kid parameter,"In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.",RP,,Authentication request | url | request | header | kid,The JWT Header of the request parameter in the Authentication Request must contain the 'kid' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-header-kid-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'kid' parameter in the header and its value corresponds to the one that can be found in the jwks parameter of the RP metadata where use is sig, not Compliant otherwise",/ manual: check parameter,Correct Input,Authentication request,Does the JWT header of the 
Authentication Request contain the kid parameter correspond to the jwks parameter in RP metadata,"In this test the request parameter of the Authentication Request is taken, and the value of the 'kid' parameter must correspond with jwks parameter of the RP metadata where ""use"" is ""sig"", not Compliant otherwise",RP,,,The JWT Header of the request parameter in the Authentication Request must contain the 'kid' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] I parametri kid sono diversi +x,RP-Authentication request-JWT-iat,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'iat' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'iat' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. 
If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | iat,The JWT content of the request parameter in the Authentication Request must contain the 'iat' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-iss,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'iss' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'iss' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.",RP,,Authentication request | url | request | payload | iss,The JWT content of the request parameter in the Authentication Request must contain the 'iss' parameter and it must be the client_id of the RP creating the request,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-iss-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the iss parameter corresponds to the RP's client_id, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the 
RP. If it is another value or is missing, than the RP is not compliant with the specifications",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,Authentication request | url | request | payload | iss | iss,The JWT content of the request parameter in the Authentication Request must contain the 'iss' parameter and it must be the client_id of the RP creating the request,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-jwt-nonce,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'nonce' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'nonce' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.",RP,,Authentication request | url | request | payload | nonce,The JWT payload of the request parameter in the Authentication Request must contain the 'nonce' parameter and it must be of at least 32 alphanumeric characters length,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-jwt-prompt,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'prompt' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's 
JWT contain the 'prompt' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | prompt,The JWT payload of the request parameter in the Authentication Request must contain the 'prompt' parameter. It can contain the 'consent' or the 'consent login' value,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-jwt-redirect_uri,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the redirect_uri parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter",RP,,Authentication request | url | request | payload | redirect_uri,The JWT payload of the request parameter in the Authentication Request must contain the 'redirect_uri' parameter. 
It must match one of the URLs given in the RP metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-jwt-response_type,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the response_type parameter is present, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'response_type' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",RP,,Authentication request | url | request | payload | response_type,The JWT payload of the request parameter in the Authentication Request must contain the 'response_type' parameter and it must contain the value in 'response_types_supported' parameter of the OP metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-jwt-scope,Authentication Request,Authentication request,Trigger Authentication request,Compliant if the scope parameter is present in the JWT payload. 
Not compliant otherwise,JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request contain the 'scope' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",RP,,Authentication request | url | request | payload | scope,"The JWT payload of the request parameter in the Authentication Request must contain the 'scope' parameter and the supported values are 'profile' and 'email'. The parameter scope MUST be sent both as a parameter in the HTTP call, and inside the request object. The two values MUST be the same",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,"Not clear in the new specification, check if the offline access can be used this way",FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-JWT-state,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'state parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'state' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",RP,,Authentication request | url | request | payload | state,The JWT payload of the request parameter in the Authentication Request must contain the 'state' parameter and it must be of at least 32 alphanumeric characters length,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication 
request-JWT-state-type,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the state parameter is present and longer than 32 characters, not Compliant otherwise",JWT parameter type,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications",RP,,"Authentication request | url | request | payload | | {""type"": ""object"", ""properties"": {""state"": {""type"": ""string"", ""pattern"": ""^[\u0020-\u007E]{32,}$""}}, ""required"": [""state""]}",The JWT payload of the request parameter in the Authentication Request must contain the 'state' parameter and it must be of at least 32 alphanumeric characters length,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-jwt-ui_locales,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the JWT of the request parameter contains the 'ui_locales' parameter, not Compliant otherwise",JWT parameter presence,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'ui_locales' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. 
If it is missing, the RP is not compliant with the specifications",RP,,Authentication request | url | request | payload | ui_locales,The JWT content of the request parameter in the Authentication Request must contain the 'ui_locales' parameter,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro ui_locales +x,RP-Authentication request-nonce-type,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the nonce parameter is longer than 32 characters, not Compliant otherwise",JWT parameter type,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.",RP,,"Authentication request | url | request | payload | | {""type"": ""object"", ""properties"": {""nonce"": {""type"": ""string"", ""pattern"": ""^[\u0020-\u007E]{32,}$""}}, ""required"": [""nonce""]}",The JWT payload of the request parameter in the Authentication Request must contain the 'nonce' parameter and it must be of at least 32 alphanumeric characters length,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +o,RP-Authentication request-prompt-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the prompt parameter is present and is set to 'consent' or to 'consent login', not Compliant otherwise",JWT list values,Correct 
Input,Authentication request,Does the RP Authentication Request's JWT contain the 'prompt' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications",RP,,"Authentication request | url | request | payload | prompt | [""consent"", ""consent login""]",The JWT payload of the request parameter in the Authentication Request must contain the 'prompt' parameter. It can contain the 'consent' or the 'consent login' value,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-redirect_uri-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the redirect_uri parameter value matches one of the URLs given in the RP metadata, not compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.redirect_uris,Authentication request | url | request | payload | redirect_uri | redirect_uris,The JWT payload of the request parameter in the Authentication Request must contain the 'redirect_uri' parameter. 
It must match one of the URLs given in the RP metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-response_type-value,Authentication Request's request parameter,Authentication request,Trigger Authentication request,"Compliant if the response_type parameter is present and equal to the 'response_types_supported' parameter in the OP metadata, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Authentication request,Does the RP Authentication Request's JWT contain a correct 'response_type' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata",RP,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types[0],Authentication request | url | request | payload | response_type | response_types_supported,The JWT payload of the request parameter in the Authentication Request must contain the 'response_type' parameter and it must contain the value in 'response_types_supported' parameter of the OP metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-scope-value,Authentication Request,Authentication request,Trigger Authentication request,"Compliant if the value of the scope parameter in the JWT payload is set to 'openid'. Optionally to 'openid profile', 'openid email', 'openid offline_access', 'openid offline_access profile' and 'openid offline_access email'. 
Not compliant otherwise",JWT list values,Correct Input,Authentication request,Does the RP Authentication Request contain a correct value in 'scope' parameter,"The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.",RP,,"Authentication request | url | request | payload | scope | [""openid"", ""openid profile"", ""openid email"", ""openid offline_access"", ""openid offline_access profile"", ""openid offline_access email""]","The JWT payload of the request parameter in the Authentication Request must contain the 'scope' parameter and the supported values are 'profile' and 'email'. The parameter scope MUST be sent both as a parameter in the HTTP call, and inside the request object. The two values MUST be the same",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,"Not clear in the new specification, check if the offline access can be used this way",FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-url-client_id,Authentication Request,Authentication request,Trigger Authentication request,Compliant if the url contains the client_id parameter,HTTP parameter presence,Correct Input,Authentication request,Does the RP insert the client ID in the url of the request,In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked,RP,,Authentication request | url | client_id,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC 
Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication request-url-response_type,Authentication Request,Authentication request,Trigger Authentication request,Compliant if the url contains the response_type parameter,HTTP parameter presence,Correct Input,Authentication request,Does the RP insert the response type in the url of the request,In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked,RP,,Authentication request | url | response_type,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Authentication response-Entity_Statement-wrong-jwks,OP's Entity Configuration and TA's Entity Statement for the OP with a public key that differs from the one in the EC of the OP,Authentication response,Entity Statement response regarding the OP and with a wrong jwks parameter and Authentication request,"Compliant if the authentication response does not contain the code parameter, not compliant otherwise",/ manual: check signature,Wrong Input,Authentication response,Does the RP request the OP's Entity Statement to validate the OP's Entity Configuration,"In order to check if the RP verifies the OP's Entity Configuration with the keys sent in the ES, once the RP asks for the Entity Statement, the TA's Entity Statement in response could have a (wrong) public key that is different from the one that can be found in the OP's EC (ES keys should be wrong). 
After this, an authentication request with that OP is made and, if the response contains the code parameter, the RP is either using the public keys present in the Entity Configuration (not reliable) or not checking the signature at all.",RP,,,"For each EC of the OPs, the RP validates the signature by using the public key obtained in the Entity Statement released by the Trust Anchor.",SPID_CIE_OIDC#Metadata-Retrieval-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#relying-party,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"The test fails if a correct flow is accomplished by the RP. It is similar to JWT response (correct check-no) but since we are checking the RP's flow, we do not except an HTTP Error code",FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",RP,,Entity Configuration response | body | [^\r\n]* | X_key_RP,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration RP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",RP,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_RP,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Entity Configuration response-Entity_Configuration-wrong-signature,Wrongly signed OP's Entity Configuration,Entity Configuration response,Entity Configuration response containing a wrongly-signed Entity Configuration,"Compliant if the Authentication response does not contain the code parameter, not compliant otherwise",/ manual: check signature,Wrong Input,Entity Configuration response,Does the RP check the signature in the OP Entity Configuration,"In order to check if the RP correctly verifies the signature of an OP's Entity Configuration and does not trust arbitrary OP, the latter sends as the Entity Configuration response a wrongly signed Entity Configuration and waits for the RP. 
After this an authentication request is sent and, if the response contains the code, the RP is not checking the authenticity of the EC",RP,,,"For each EC of the OPs, the RP validates the signature by using the public key obtained in the Entity Statement released by the Trust Anchor.",SPID_CIE_OIDC#Metadata-Retrieval-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#relying-party,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] code รจ presente +x,RP-Entity Configuration response-metadata-client_id,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'client_id' parameter,In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Entity Configuration response-metadata-client_id-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata is an HTTPS URL, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type of 'client_id' parameter,In this test the RP metadata are taken and 
the value of the 'client_id' parameter is an HTTPS URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]}",The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] HTTP non HTTPS +x,RP-Entity Configuration response-metadata-client_id-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata uniquely identifies the RP, not Compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does the RP metadata contain correct value of 'client_id' parameter,In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP,RP,,Entity Configuration response | body | [^\n\r]* | payload | metadata.openid_relying_party.client_id | x_https_RP,The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] HTTP non HTTPS +x,RP-Entity Configuration response-metadata-client_registration_types,RP metadata,Entity Configuration response,Trigger Entity Configuration 
response,Compliant if the 'client_registration_types' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'client_registration_types' parameter,In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_registration_types,The RP metadata of type 'openid_relying_party' must contain the parameter client_registration_types and it has to be set to 'automatic'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Entity Configuration response-metadata-client_registration_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'client_registration_types' parameter in the RP metadata is 'automatic'. 
Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'client_registration_types' parameter,In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_registration_types[0] | [""automatic""]",The RP metadata of type 'openid_relying_party' must contain the parameter client_registration_types and it has to be set to 'automatic'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Entity Configuration response-metadata-contacts,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the contacts claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the contacts claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The RP Metadata of type 'federation_entity' MUST contain contacts,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,"[PRIMA] Manca parametro federation_entity, ma รจ presente in openid_relying_party.contacts" +x,RP-Entity Configuration response-metadata-federation_resolve_endpoint,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the federation_resolve_endpoint claim in the RP metadata 
('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the federation_resolve_endpoint claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The RP Metadata of type 'federation_entity' MUST contain federation_resolve_endpoint,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e federation_resolve_endpoint
+x,RP-Entity Configuration response-metadata-grant_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'grant_types' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the grant_types claim,In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.grant_types,The RP metadata of type 'openid_relying_party' must contain the parameter grant_types and it must be a JSON array containing 'authorization_code' and 'refresh_token',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-grant_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 
'grant_types' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'grant_types' parameter,In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.grant_types,The RP metadata of type 'openid_relying_party' must contain the parameter grant_types,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed,
+x,RP-Entity Configuration response-metadata-grant_types-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'grant_types' parameter in the RP metadata is ['authorization_code', 'refresh_token'], not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct grant_types claim,In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.grant_types[0] | [""authorization_code"", ""refresh_token""]",The RP metadata of type 'openid_relying_party' must contain the parameter grant_types and it must be a JSON array containing 'authorization_code' and 'refresh_token',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-grant_types-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'grant_types' parameter in the RP 
metadata is a JSON, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type grant_types claim,In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"":""object"", ""properties"":{""grant_types"":{""type"":""array""}}, ""requirement"":[""grant_type""]}",The RP metadata of type 'openid_relying_party' must contain the parameter grant_types and it must be a JSON array containing 'authorization_code' and 'refresh_token',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-grant_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'grant_types' parameter in the RP metadata ('openid_relying_party' type) contains authorization_code or refresh_token. 
Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token,In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.,RP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_relying_party | {""type"": ""object"",""properties"": {""grant_types"": {""type"": ""array"",""items"": {""type"": ""string"",""enum"": [""authorization_code"", ""refresh_token""]}}},""required"": [""grant_types""]}",The RP metadata of type 'openid_relying_party' must contain the correct parameter grant_types,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed,
+x,RP-Entity Configuration response-metadata-homepage_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the homepage_uri claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the homepage_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The RP Metadata of type 'federation_entity' MUST contain homepage_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. 
In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e homepage_uri
+x,RP-Entity Configuration response-metadata-id_token_encrypted_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_encrypted_response_alg' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro id_token_encrypted_response_alg
+x,RP-Entity Configuration response-metadata-id_token_encrypted_response_alg-not_supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_encrypted_response_alg' parameter in the RP metadata does not contain the value ['RSA_1_5']. 
Not Compliant otherwise,JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter,In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].,RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_alg | [""RSA_1_5""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro id_token_encrypted_response_alg
+x,RP-Entity Configuration response-metadata-id_token_encrypted_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_encrypted_response_alg' parameter in the RP metadata is ['RSA-OAEP', 'RSA-OAEP-256']. 
Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_alg | [""RSA-OAEP"", ""RSA-OAEP-256""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_alg
+x,RP-Entity Configuration response-metadata-id_token_encrypted_response_enc,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_encrypted_response_enc' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter,In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_enc,The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_enc and it has to contain the content encryption algorithms. 
This parameter is required only if the id_token_encrypted_response_alg is given,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,This parameter is required only if the id_token_encrypted_response_alg is given,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_enc
+x,RP-Entity Configuration response-metadata-id_token_encrypted_response_enc-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_encrypted_response_enc' parameter in the RP metadata is ['A128CBC-HS256', 'A256CBC-HS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter,"In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_encrypted_response_enc | [""A128CBC-HS256"", ""A256CBC-HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_encrypted_response_enc and it has to contain the content encryption algorithms. 
This parameter is required only if the id_token_encrypted_response_alg is given,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,This parameter is required only if the id_token_encrypted_response_alg is given,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro id_token_encrypted_response_enc
+x,RP-Entity Configuration response-metadata-id_token_signed_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'id_token_signed_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-id_token_signed_response_alg-not_supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata does not contain ['none', 'HS256', 'HS384', 'HS512']. 
Not Compliant otherwise",JWT parameter not in JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-id_token_signed_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'id_token_signed_response_alg' parameter in the RP metadata is ['RS256', 'RS512']. 
Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'id_token_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.id_token_signed_response_alg | [""RS256"", ""RS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter id_token_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-jwks,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'jwks' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'jwks' parameter,In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.jwks,The RP metadata of type 'openid_relying_party' must contain the parameter jwks,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed,
+x,RP-Entity Configuration response-metadata-jwks,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'jwks' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant if is absent",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'jwks' parameter,"In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. 
If it is absent, than the RP is not compliant with the specification",RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.jwks,The RP metadata of type 'openid_relying_party' must contain the parameter jwks,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-logo_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the logo_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The RP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e logo_uri
+x,RP-Entity Configuration response-metadata-logo_uri-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type logo_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | 
{""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^(https?://).*\\.svg$""}},""required"":[""logo_uri""]}",The RP Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,P,passed,[MODIFICATO] Prima: Manca parametro federation_entity e logo_uri - [PRIMA] HTTP non HTTPS
+x,RP-Entity Configuration response-metadata-organization_name,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the organization_name claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the organization_name claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The RP Metadata of type 'federation_entity' MUST contain organization_name,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e organization_name
+x,RP-Entity Configuration response-metadata-policy_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the policy_uri claim in the RP metadata ('federation_entity' type) is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the policy_uri claim,In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The RP Metadata of type 'federation_entity' MUST contain policy_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro federation_entity e policy_uri
+x,RP-Entity Configuration response-metadata-redirect_uris,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'redirect_uris' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'redirect_uris' parameter,In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.redirect_uris,The RP metadata of type 'openid_relying_party' must contain the parameter redirect_uris,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed,
+x,RP-Entity Configuration response-metadata-redirect_uris-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'redirect_uris' parameter in the RP metadata ('openid_relying_party' type) contains an HTTPS. Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain an HTTPS 'redirect_uris' parameter,In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.,RP,,"Entity Configuration response | body | [^\r\n]* | payload | .metadata.openid_relying_party | {""type"": ""object"",""properties"": {""redirect_uris"": {""type"": ""array"",""items"": {""type"": ""string"",""format"": ""uri"",""pattern"": ""^https://.*$""}}},""required"": [""redirect_uris""]}",The RP metadata of type 'openid_relying_party' must contain the parameter redirect_uris of type HTTPS,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,F,failed,HTTP non HTTPS
+x,RP-Entity Configuration response-metadata-signed_jwks_uri,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'signed_jwks_uri' parameter in the RP metadata 
('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'signed_jwks_uri' parameter,In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.signed_jwks_uri,The RP metadata of type 'openid_relying_party' must contain the parameter signed_jwks_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,,P,passed,
+x,RP-Entity Configuration response-metadata-token_endpoint_auth_method,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'token_endpoint_auth_method' parameter in the RP metadata ('openid_relying_party' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'token_endpoint_auth_method' parameter,In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.token_endpoint_auth_method,The RP metadata of type 'openid_relying_party' must contain the parameter token_endpoint_auth_method and it has to be set to 'private_key_jwt'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-token_endpoint_auth_method-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'token_endpoint_auth_method' parameter in the RP metadata is 'one_of': 
'private_key_jwt'. Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'token_endpoint_auth_method' parameter,In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.token_endpoint_auth_method | [""private_key_jwt""]",The RP metadata of type 'openid_relying_party' must contain the parameter token_endpoint_auth_method and it has to be set to 'private_key_jwt'.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encrypted_response_alg' parameter in the RP metadata ('openid_relying_party' type) is present, Not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_alg-not_supported,RP metadata,Entity 
Configuration response,Trigger Entity Configuration response,Compliant if the 'userinfo_encrypted_response_alg' parameter in the RP metadata does not contain the value ['RSA_1_5']. Not Compliant otherwise,JWT parameter not in JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter,In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].,RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_alg | [""RSA_1_5""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encrypted_response_alg' parameter in the RP metadata is ['RSA-OAEP', 'RSA-OAEP-256']. 
Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_alg | [""RSA-OAEP"", ""RSA-OAEP-256""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_alg and it has to contain the key encryption algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_enc,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'userinfo_encrypted_response_enc' parameter in the RP metadata ('openid_relying_party' type) is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter,In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_enc,The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_enc and it has to contain the content encryption algorithms.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_enc-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_encrypted_response_enc' parameter in the RP metadata is ['A128CBC-HS256', 'A256CBC-HS512']. 
Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter,"In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_encrypted_response_enc | [""A128CBC-HS256"", ""A256CBC-HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_encrypted_response_enc and it has to contain the content encryption algorithms.,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata is present. 
Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'userinfo_signed_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg-not_supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata does not contain the values ['none', 'HS256', 'HS384', 'HS512']. Not Compliant otherwise",JWT parameter not in JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata is ['RS256', 'RS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg | [""RS256"", ""RS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 
'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",RP,,"Entity Configuration response RP | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-response_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'response_types' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT 
parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'response_types' parameter,In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types,The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-response_types-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'response_types' parameter in the RP metadata is a JSON Array. Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain the 'response_types' parameter as a json,In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"": ""object"", ""properties"": {""response_types"": {""type"": ""array""}}, ""required"": [""response_types""]}",The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,RP-Entity Configuration response-response_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'response_types' parameter in the RP metadata 
contains the value 'code'. Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain in the 'response_types' the value 'code',In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types[0] | [""code""]",The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Entity Configuration response-trust_marks,RP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the RP's entity configuration contain the trust_marks parameter,"To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",RP,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Entity Configuration response-trust_marks-type,RP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is a JSON array, not 
compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP's entity configuration contain a correct trust_marks parameter,"To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",RP,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""array""}}, ""required"": [""trust_marks""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Introspection request-client_assertion,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client_assertion,The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.,RP,,Introspection request | body | client_assertion,The request to the Introspection Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,RP-Introspection request-client_assertion_type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion_type parameter in the 
request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client_assertion_type,The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.,RP,,Introspection request | body | client_assertion_type,The request to the Introspection Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,RP-Introspection request-client_assertion_type-type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_assertion_type parameter in the request is urn:ietf:params:oauth:clientassertion-type:jwt-bearer, not compliant otherwise",HTTP parameter value,Correct Input,Introspection request,Does the Introspection Request contain correct type of client_assertion_type,The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer,RP,,Introspection request | body | client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer,The request to the Introspection Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,RP-Introspection request-client_assertion-type,Introspection Request's parameters,Introspection request,Trigger 
Introspection request,"Compliant if the client_assertion parameter in the request is a signed JWT, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client_assertion as a valid JWT,The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure,RP,,Introspection request | body | client_assertion,The request to the Introspection Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,RP-Introspection request-client_id,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_id parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the client id of the RP making the request,The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.,RP,,Introspection request | body | client_id,The request to the Introspection Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,RP-Introspection request-client_id-type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_id parameter in the request is an URI, not compliant otherwise",JSON parameter type,Correct Input,Introspection request,Does the 
Introspection Request contain correct type of client id of the RP making the request,The Introspection request made by the RP is taken and the value of the client_id parameter is an URI,RP,,"Introspection request | body | | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]}",The request to the Introspection Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,Problema implementazione,F,F,failed,URL รจ HTTP non HTTPS +x,RP-Introspection request-client_id-value,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the client_id parameter in the request identifies the RP, not compliant otherwise",HTTP parameter value,Correct Input,Introspection request,Does the Introspection Request contain correct client id of the RP making the request,The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP,RP,,Introspection request | body | client_id | X_url_RP,The request to the Introspection Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +o,RP-Introspection request-method-correct,Introspection Request,Introspection request,Trigger Introspection request,"Compliant if the introspection request is sent via HTTP POST, not compliant otherwise",HTTP parameter presence,Correct 
Input,Introspection request,Does the Introspection Request use HTTP POST,The Introspection request made by the RP use HTTP POST,RP,,Introspection request | url | POST,The request to the Introspection Endpoint must use HTTP POST,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,L,Incorrect handling,,,,,,,,FALSE,x,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,RP-Introspection request-token,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the token parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Introspection request,Does the Introspection Request contain the token,The Introspection request made by the RP is taken and the presence of the token parameter is checked.,RP,,Introspection request | body | token,The request to the Introspection Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Introspection-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,RP-Introspection request-token-type,Introspection Request's parameters,Introspection request,Trigger Introspection request,"Compliant if the token parameter in the request is a valid JWT, not compliant otherwise",HTTP parameter type,Correct Input,Introspection request,Does the Introspection Request contain correct type token,The Introspection request made by the RP is taken and the type of the token parameter is a JWT,RP,,Introspection request | body | token=([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)(?:&|$),The request to the Introspection Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Introspection-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/introspection_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s_CIE_introsp""]",E,,P,P,passed, +x,RP-Revocation request-client_assertion,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_assertion parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the Revocation Request contain the client assertion,The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.,RP,,Revocation request | body | client_assertion,The request to the Revocation Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Revocation request-client_assertion_type,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_assertion_type parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the Revocation Request contain the client_assertion_type,The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.,RP,,Revocation request | body | client_assertion_type,The request to the Revocation Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Revocation 
request-client_assertion_type-value,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_assertion_type parameter in the request is urn:ietf:params:oauth:clientassertion-type:jwt-bearer, not compliant otherwise",HTTP parameter value,Correct Input,Revocation request,Does the Revocation Request contain correct client_assertion_type,The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer,RP,,Revocation request | body | client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer,The request to the Revocation Endpoint must contain the client_assertion_type parameter and it has to be set to urn:ietf:params:oauth:clientassertion-type:jwt-bearer,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Revocation request-client_assertion-type,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_assertion parameter in the request is a valid JWT, not compliant otherwise",HTTP parameter type,Correct Input,Revocation request,Does the Revocation Request contain correct type of client assertion,The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure,RP,,Revocation request | body | client_assertion=([\w]+)\.([\w]+)\.([\w\-]*)(?:&|$),The request to the Revocation Endpoint must contain the client_assertion parameter and it has to be a JWT signed with the RP's private key,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Revocation 
request-client_id,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_id parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the Revocation Request contain the client_id of the RP making the request,The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.,RP,,Revocation request | body | client_id,The request to the Revocation Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,Is revocation bound to a specific client (IsBoundToClient),,,,,,,TRUE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Revocation request-client_id-different-value,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the Revocation response is an HTTP 401 because of invalid_client, not compliant otherwise",Param Response,Wrong Input,Revocation request,Does the Revocation Request contain correct client_id of the RP making the request,The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP,RP,Revocation request | body | (?<=client_id=)([^&]+) | https://example.com,Revocation response | head | 401 | body | invalid_client,The request to the Revocation Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Active,L,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",Is revocation bound to a specific client (IsBoundToClient),,,,,,,TRUE,,,no,"[""s1""]",E,Problema 
implementazione,F,F,failed,[SAME] Ritorna 400 invalid_request +x,RP-Revocation request-client_id-value,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the client_id parameter in the request is an URI, not compliant otherwise",JSON parameter type,Correct Input,Revocation request,Does the Revocation Request contain correct type of client_id of the RP making the request,The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP,RP,,"Revocation request | body | | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]}",The request to the Revocation Endpoint must contain the client_id parameter and it has to be an URI identifying the RP,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,Is revocation bound to a specific client (IsBoundToClient),,,,,,,TRUE,,,no,"[""s1""]",E,Problema implementazione,F,F,failed,URL รจ HTTP non HTTPS +x,RP-Revocation request-token,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the token parameter in the request is present, not compliant otherwise",HTTP parameter presence,Correct Input,Revocation request,Does the Revocation Request contain the token for which the request is made,The Revocation request made by the RP is taken and the presence of the token parameter is checked.,RP,,Revocation request | body | token,The request to the Revocation Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Revocation request-token-type,Revocation Request's parameters,Revocation request,Trigger Revocation request,"Compliant if the token parameter in the request is a valid JWT, not compliant otherwise",HTTP parameter type,Correct Input,Revocation request,Does the Revocation Request contain correct type of token for which the request is made,The Revocation request made by the RP is taken and the value of the token parameter is a JWT.,RP,,Revocation request | body | token=([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)(?:&|$),The request to the Revocation Endpoint must contain the token for which the request is made,SPID_CIE_OIDC#Revocation-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/revocation_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-aud,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the aud claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the aud claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | aud,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the aud claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-aud-type,Token request's client assertion,Token request,Trigger Token request,"Compliant if the aud claim in the client assertion JWT is set to an URL, not Compliant otherwise",JWT parameter 
type,Correct Input,Token request,Does the signed JWT assertion contain a correct aud claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL",RP,,"Token request | body | (?<=client_assertion=)([^&]+) | payload | | {""type"": ""object"", ""properties"": {""aud"": {""type"": ""array"", ""format"": ""uri-reference""}}, ""required"": [""aud""]}","The client assertion parameter contains a single (signed) JWT which must contain, among others, the aud claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-exp,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the exp claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the exp claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | exp,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the exp claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-exp-type,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the exp claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token request,Does the signed JWT assertion 
contain a correct exp claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap",RP,,"Token request | body | (?<=client_assertion=)([^&]+) | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}","The client assertion parameter contains a single (signed) JWT which must contain, among others, the exp claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-iat,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the iat claim and its value is a timestamp before the current one, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the iat claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | iat,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iat claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-iat-type,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the iat claim and its value is a timestamp, not Compliant otherwise",JWT parameter type,Correct Input,Token request,Does the signed JWT assertion contain a 
correct iat claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap",RP,,"Token request | body | (?<=client_assertion=)([^&]+) | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}","The client assertion parameter contains a single (signed) JWT which must contain, among others, the iat claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-iss,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the iss claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the JWT payload contain 'iss' claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iss claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-iss-value,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the iss claim and it is set to the client ID of the RP making the request, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Token request,Does the JWT payload contain a correct 'iss' claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP",RP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss,Entity Configuration response RP | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id | client_id,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the iss claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-jti,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the jti claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the jti claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | jti,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the jti claim.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-sub,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the sub claim, not Compliant otherwise",JWT parameter presence,Correct Input,Token request,Does the signed JWT assertion contain the sub claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",RP,,Token request | body | (?<=client_assertion=)([^&]+) | payload | sub,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the sub claim. 
This claim must be set to the client ID of the RP creating the request.",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-Assertion-sub-value,Token request's client assertion,Token request,Trigger Token request,"Compliant if the client assertion JWT contains the sub claim and it is set to the same value of the iss claim, not Compliant otherwise",JWT Check-Save to JWT_same message,Correct Input,Token request,Does the JWT payload contain a correct sub claim,"This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value",RP,Token request | body | (?<=client_assertion=)([^&]+) | payload | iss,payload | sub | saved_iss,"The client assertion parameter contains a single (signed) JWT which must contain, among others, the sub claim. 
This claim must be set to the same value of iss",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Active,M,Mismatch of parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-client_assertion,Token request,Token request,Trigger Token request,"Compliant if the Token request contains the client_assertion parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the client_assertion,The token request sent by the RP must contain client_assertion parameter in the URL,RP,,Token request | body | client_assertion,An RP doing a Token Request must insert the client_assertion parameter in the request and it is a signed JWT,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-client_assertion_type,Token request,Token request,Trigger Token request,"Compliant if the Token Request contains the client_assertion_type parameter,not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the client_assertion_type,The token request sent by the RP must contain client_assertion_type parameter in the URL,RP,,Token request | body | client_assertion_type,An RP doing a Token Request must insert the client_assertion_type parameter in the request and it must be set to 'urn:ietf:params:oauth:client-assertion-type:jwtbearer',SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-client_assertion_type-value,Token request,Token request,Trigger Token request,"Compliant if the client_assertion_type 
parameter in the request is urn:ietf:params:oauth:clientassertion-type:jwt-bearer, not compliant otherwise",HTTP parameter value,Correct Input,Token request,Does the client_assertion_type parameter in the token request contain the correct type,The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer,RP,,Token request | body | client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer,An RP doing a Token Request must insert the client_assertion_type parameter in the request and it must be set to 'urn:ietf:params:oauth:client-assertion-type:jwtbearer',SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-client_assertion-signature,Token request's client assertion,Token request,Trigger Token request,"Compliant if the signature of the client_assertion parameter in the token request is valid, not Compliant otherwise",JWT signature check,Correct Input,Token request,Does the client_assertion in the token request have a correct signature,The client_assertion parameter in the token request sent by the RP must be a JWT with a signature,RP,,Token request | body | (?<=client_assertion=)([^&]+) | X_key_core_RP,An RP doing a Token Request must insert the client_assertion parameter in the request and it is a signed JWT,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Token request-client_assertion-type,Token request,Token request,Trigger Token request,"Compliant if the client_assertion parameter in the token request is a valid JWT, 
not Compliant otherwise",HTTP parameter type,Correct Input,Token request,Does the client_assertion in the token request contain a JWT,The client_assertion parameter in the token request sent by the RP must be a JWT,RP,,Token request | body | client_assertion=([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)(?:&|$),An RP doing a Token Request must insert the client_assertion parameter in the request and it is a signed JWT,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-client_id,Token request,Token request,Trigger Token request,"Compliant if the token request contains the client_id parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the client_id,The token request sent by the RP must contain client_id parameter in the URL,RP,,Token request | body | client_id,An RP doing a Token Request must insert the client_id parameter in the request and it has to be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-code,Token request,Token request,Trigger Token request,"Compliant if the Token Request contains the code parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the code parameter,The token request sent by the RP must contain code parameter in the URL,RP,,Token request | body | code,"An RP doing a Token Request must set the grant_type parameter in the request to 'authorization_code', than it must contain the code and the code_verifier",SPID_CIE_OIDC#Token-Endpoint-Request; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-code_verifier,Token request,Token request,Trigger Token request,"Compliant if the Token Request contains the code_verifier parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the code_verifier parameter,The token request sent by the RP must contain code_verifier parameter in the URL,RP,,Token request | body | code_verifier,"An RP doing a Token Request must set the grant_type parameter in the request to 'authorization_code', than it must contain the code and the code_verifier",SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-grant_type,Token request,Token request,Trigger Token request,"Compliant if the Token Request contains the grant_type parameter, not Compliant otherwise",HTTP parameter presence,Correct Input,Token request,Does the token request contain the grant_type parameter,The token request sent by the RP must contain grant_type parameter in the URL,RP,,Token request | body | grant_type,An RP doing a Token Request must insert the grant_type parameter in the request,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-grant_type-value,Token request,Token request,Trigger Token request,"Compliant if the Token Request set the grant_type parameter to authorization_code or refresh_token, not Compliant otherwise",HTTP list value,Correct Input,Token request,Does the token request contain a correct grant_type 
parameter,The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked,RP,,"Token request | body | (?<=grant_type=)([^&]+) | [""authorization_code"", ""refresh_token""]",An RP doing a Token Request must set the grant_type parameter in the request to 'authorization_code' or 'refresh_token',SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-http_post,Token request,Token request,Trigger Token request,"Compliant if the Token request is sent in HTTP POST, not Compliant otherwise",HTTP parameter type,Correct Input,Token request,Does the token request use HTTP POST,The token request sent by the RP must be sent in HTTP POST,RP,,Token request | head | POST,An RP doing a Token Request must be done via HTTP POST,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Token request-url-client_id-type,Token request,Token request,Trigger Token request,Compliant if the token request contains a client_id parameter and it is an HTTPS URL. 
Not Compliant otherwise,JSON parameter type,Correct Input,Token request,Does the client_id in the token request contain an HTTPS URL,The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL,RP,,"Token request | body | | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]})",An RP doing a Token Request must insert the client_id parameter in the request and it has to be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,no,"[""s1""]",E,Problema implementazione,F,F,failed,URL รจ HTTP non HTTPS +x,RP-Token request-url-client_id-value,Token request,Token request,Trigger Token request,Compliant if the token request contains a client_id parameter identifying the RP. Not Compliant otherwise,HTTP parameter value,Correct Input,Token request,Does the client_id in the token request identifies the RP,The client_id parameter in the URL of the token request is taken. 
This parameter must identify the RP,RP,,Token request | body | client_id | X_https_RP,An RP doing a Token Request must insert the client_id parameter in the request and it has to be an HTTPS URL,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-Token response-id_token-payload-aud-value,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token has the aud parameter set to the RP's client ID, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Token response,Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id',"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'",RP,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | aud[0]",Entity Configuration response RP | body | [^\r\n]* | payload | iss | saved_iss,The JWT ID Token Payload requires the aud parameter and it must contain the RP's client_id,SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Active,M,Mismatch of parameter,Is the token audience set (HasCorrectAudience),ID Token has aud claim,,,,"3.3.7, 3.3.8",,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, +x,RP-User logout-token-revocation,User's logout,Revocation request,Trigger User logout,"Compliant if the RP sends a Revocation Request regarding the access token, not compliant otherwise",HTTP parameter presence,Correct Input,User logout,Does the RP revoke the Token when the User logs out,"In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. 
After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",RP,,Revocation request | body | token,"When the user logs out, the RP MUST revoke the Access Token in its possession",SPID_CIE_OIDC#logout; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/logout.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,P,P,passed, +x,RP-Userinfo request-access-token,RP's UserInfo request,Userinfo request,Trigger Userinfo request,"Compliant if the the authorization field in the header of the UserInfo Request contains an Access Token, not compliant otherwise",HTTP parameter presence,Correct Input,Userinfo request,Does the RP contain the Access Token in the UserInfo request,The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token,RP,,UserInfo request | head | Authorization,"In order to obtain the requested claims, the RP sends a request to the UserInfo Endpoint using the Access Token",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,RP-Userinfo request-access-token-valid,RP's UserInfo request,Userinfo request,Trigger Userinfo request,"Compliant if the authorization field in the header of the UserInfo Request contains a valid Access Token (JWT), not compliant otherwise",HTTP parameter type,Correct Input,Userinfo request,Does the RP contain a valid Access Token in the UserInfo request,The UserInfo request from the RP is taken and analyzed. 
In the Authorization field of the head there must be a valid Access Token,RP,,UserInfo request | head | Authorization:\s?Bearer\s?([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In order to obtain the requested claims, the RP sends a request to the UserInfo Endpoint using the Access Token",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, +x,SA-Entity Configuration response-metadata-logo_uri-type,SA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the TA metadata contain correct type logo_uri claim,In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,SA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The SA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and 
the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",SA,,Entity Configuration response | body | [^\r\n]* | X_key_SA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration SA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",SA,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_SA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-contacts,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'contacts' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the contacts parameter,In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA metadata must contain the parameter contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-federation_fetch_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_fetch_endpoint parameter,In this test the SA metadata are taken and the 
presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-federation_list_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_list_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-federation_resolve_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_resolve_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct 
Input,Entity Configuration response,Does the SA's metadata contain the federation_resolve_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The TA and SA metadata must contain the parameter federation_resolve_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_trust_mark_status_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The TA and SA metadata must contain the parameter federation_trust_mark_status_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-homepage_uri,SA's metadata,Entity Configuration response,Trigger Entity 
Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'homepage_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the homepage_uri parameter,In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The TA and SA metadata must contain the parameter homepage_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-logo_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the logo_uri parameter,In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-organization_name,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the organization_name parameter,In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-policy_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the policy_uri parameter,In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 
'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SA,,"Entity Configuration response SA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-trust_marks,SA's entity configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'trust_marks' parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity 
Configuration response,Does the entity configuration of the SA contain the trust marks,"The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",SA,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,"The RP, OP or SA must include the trust marks in the entity configuration as a result of the onboarding process",SPID_CIE_OIDC#entity-configuration-leaves-and-intermediaries; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Configuration response-trust_marks-type,SA's entity configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'trust_marks' parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the entity configuration of the SA contain a correct trust_marks parameter,"The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. 
Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",SA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_marks""]}","The RP, OP or SA must include the trust marks in the entity configuration as a result of the onboarding process",SPID_CIE_OIDC#entity-configuration-leaves-and-intermediaries; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Listing endpoint response-exposed,Entity Listing endpoint response,Entity Listing endpoint response,Trigger Entity Listing endpoint response,"Compliant if the Response contains a JSON list (array), not compliant otherwise",HTTP parameter type,Correct Input,Entity Listing endpoint response,Does the Entity expose the entity listing endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. 
An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",SA,,"Entity Listing response | body | [^\r\n]*.^\{(\s*""[^""]*""\s*:\s*(?:""[^""]*"",?|\[[^\r\n]*\],?|\{[^\r\n]*\},?)\s*)*\}$",This test simply checks if the entity exposes the /.well-known/openid-federation endpoint and if it,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-constraints,Entity Statement issued by the SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain the constraints parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | constraints,The constraints parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-exp,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain the exp parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-exp-type,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp parameter is a timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain a correct exp parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. 
It must be a timestamp",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}",The exp parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-iat,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain the iat parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-iat-type,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat parameter is a timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain a correct iat parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. 
It must be a timestamp",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The iat parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-iss,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain the iss parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-iss-value,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the client assertion JWT contains the iss claim and it is set to the client ID of the SA sending the Entity Statement, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Entity Statement response OP,Does the Entity Statement's JWT payload contain a correct 'iss' claim,"This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",SA,Entity Configuration response SA | body | [^\r\n]* | payload | iss,Entity Statement response SA OP | url | client_assertion | payload | iss | conf_iss,The iss parameter is required in the Entity Statement released by the SA. 
Its value must be the Entity Identifier of the issuer of the statement,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-jwks,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain the jwks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-metadata_policy,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain the metadata_policy parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) 
and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-release,SA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the SA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response OP,Does the SA correctly release the Entity statements,"After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",SA,,Entity Statement response SA OP | body | [^\r\n]*.^([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it. 
An Entity publishes an ES related to a subordinate, at its Fetch Endpoint.",SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-signature,Entity statement issued by the SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the signature is verified, not compliant otherwise",JWT signature check,Correct Input,Entity Statement response OP,Does the SA correctly signs the Entity Statement,"In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",SA,,Entity Statement response SA OP | body | [^\r\n]* | X_key_SA,Entity Statements must be signed,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#firma-di-entity-statement,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-sub,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity 
Statements issued by the SA contain the sub parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-claims-type,Trust Mark generated for an AA,Entity 
Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the claims claim is present and its value is a list, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim and it is a list",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the email claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response OP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the email claim is of type string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain the correct type of email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response OP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": 
{""fiscal_number"": {}, ""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iat claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain the correct iat 
type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the id claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id_code claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-id_code-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain correcty type of id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", 
""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-id-value,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the id is present, has the structure /// and the entity_type and trustmark_profile parts of the URL have values among the allowed ones, not compliant otherwise",/ manual: check content,Correct Input,Entity Statement response OP,Does the Trust Mark contain a correct id claim,"The id of the trust mark must have the structure ///. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked. If it is present, than the structure of the id must be as described above. The entity type can be one among 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile can be 'public' or private'",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id | openid_relying_party | openid_provider | intermediate | oauth_resource,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,Da capire come individuare che solo l'entity type sia all'interno dei valori dati,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter type,Correct Input,Entity Statement response OP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response OP-trust_mark-ipa_code-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the ipa_code in the id_code claim of a trust mark is a string, not compliant otherwise",nested JWT 
parameter type,Correct Input,Entity Statement response OP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""ipa_code"": { ""type"":""string""}},""required"":[""ipa_code""]}},""required"":[""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response OP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iss claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response 
OP-trust_mark-iss-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the iss claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""iss"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""iss""]}",The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the logo_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity 
Statement response OP-trust_mark-logo_uri-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the logo_uri claim is value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain correct type of logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_name claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_type claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the 
organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +o,SA-Entity Statement response OP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the organization_type claim contains 'public' or 'private', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response OP,Does the Trust Mark contain correct value for organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | 
trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the policy_uri claim is present and its value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. 
Its value has to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the ref claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain an URL in the ref 
claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-sa_profile,Trust Mark generated for an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sa_profile claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued intermediary Trust Mark contain the sa_profile claim,"A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sa_profile,"In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +o,SA-Entity Statement response OP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response SA OP,Trigger Entity 
Statement response SA OP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""sa_profile"": { ""type "": ย ""string "", ""enum "": [ ""full "", ย ""light ""]}}, ""required "": [ ""sa_profile ""]}","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource 
identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-signature,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the signature of the trust marks in the entity statement is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response OP,Does the SA 
correctly sign the Trust marks,"To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_SA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-sub,Trust Mark generated by TA or SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sub claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sub,The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +o,SA-Entity Statement response OP-trust_mark-sub-type,Trust Mark generated by TA or 
SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the sub claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain a correct sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""sub""]}",The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-tos_uri,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the tos_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain the tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | tos_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_mark-tos_uri-type,Trust Mark generated for an AA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the tos_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain a correct tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",SA,,"Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""tos_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""tos_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +x,SA-Entity Statement response OP-trust_marks,Entity Statement issued by an SA,Entity Statement response SA OP,Trigger Entity Statement response SA OP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the SA contain the trust_marks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",SA,,Entity Statement response SA OP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response RP-constraints,Entity Statement issued by the SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain the constraints parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | constraints,The constraints parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response RP-exp,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain the exp parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response RP-exp-type,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp parameter is a timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain a correct exp parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. 
It must be a timestamp",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""exp"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""exp""]}",The exp parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response RP-iat,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain the iat parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response RP-iat-type,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat parameter is a timestamp, not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain a correct iat parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. 
It must be a timestamp",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""iat"": {""type"": ""integer"", ""minimum"": 0}}, ""required"": [""iat""]}",The iat parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response RP-iss,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain the iss parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, +,SA-Entity Statement response RP-iss-value,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the client assertion JWT contains the iss claim and it is set to the client ID of the SA sending the Entity Statement, not Compliant otherwise",JWT Check-Save to JWT,Correct Input,Entity Statement response RP,Does the Entity Statement's JWT payload contain a correct 'iss' claim,"This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",SA,Entity Configuration response SA | body | [^\r\n]* | payload | iss,Entity Statement response SA RP | url | client_assertion | payload | iss | conf_iss,The iss parameter is required in the Entity Statement released by the SA. 
Its value must be the Entity Identifier of the issuer of the statement,SPID_CIE_OIDC#Token-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#request,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-jwks,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain the jwks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-metadata_policy,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain the metadata_policy parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) 
and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Entity Statement response RP-metadata_policy-jwks,Metadata policy in an Entity Statement issued by the SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the jwks parameter is present in the openid_relying_party type and it contains the RP's JWKS (type json), not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response RP,Does the SA's metadata policy for an RP contain the jwks parameter,"In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. 
It must contain the RP JWKS related to the OIDC Core operations",SA,,"Entity Statement response SA RP | body | [^\n\r]* | payload | .metadata_policy.openid_relying_party.jwks | {""type"":""object"", ""properties"": {""value"" :{}}, ""required"": [""value""]}",The jwks claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that an SA establishes for an RP that is its direct descendant,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-release,SA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the SA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response RP,Does the SA correctly release the Entity statements,"After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",SA,,Entity Statement response SA RP | body | [^\r\n]*.^([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it. 
An Entity publishes an ES related to a subordinate, at its Fetch Endpoint.",SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-signature,Entity statement issued by the SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the signature is verified, not compliant otherwise",JWT signature check,Correct Input,Entity Statement response RP,Does the SA correctly signs the Entity Statement,"In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",SA,,Entity Statement response SA RP | body | [^\r\n]* | X_key_SA,Entity Statements must be signed,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#firma-di-entity-statement,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-sub,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity 
Statements issued by the SA contain the sub parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-claims-type,Trust Mark generated for an AA,Entity 
Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the claims claim is present and its value is a list, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim and it is a list",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the email claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the email claim is of type string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC 
Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Entity Statement response RP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response RP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", 
""properties"": {""fiscal_number"": {}, ""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the 
Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,OP-Token response-id_token-payload-nbf,ID Token Payload,Token response,Trigger Token response,"Compliant if the ID Token contains the nbf claim, not Compliant otherwise",/ not to do,Correct Input,Token response,Does the issued JWT ID Token contain the 'nbf' parameter in the Payload,"The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nbf' parameter in the Payload is checked.",OP,,"Token response | body | (?<=""id_token"": "")[^""]+ | payload | nbf",The JWT ID Token Payload requires the nbf parameter and it has to be equal to iat,External: solo SPID | SPID_CIE_OIDC#Token-Endpoint-ID-Token; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/token_endpoint.html#id-token,OIDC Core,Passive,,,,,,,,,,FALSE,x,,,,,,,Manca parametro nbf,,
+,SA-Entity Statement response RP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the id claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence 
of the id claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id_code claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-id_code-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain correcty type of id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",SA,,"Entity 
Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-id-value,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the id is present, has the structure /// and the entity_type and trustmark_profile parts of the URL have values among the allowed ones, not compliant otherwise",/ manual: check content,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct id claim,"The id of the trust mark must have the structure ///. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked. If it is present, than the structure of the id must be as described above. The entity type can be one among 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile can be 'public' or private'",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id | openid_relying_party | openid_provider | intermediate | oauth_resource,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,Da capire come individuare che solo l'entity type sia all'interno dei valori dati,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter type,Correct Input,Entity Statement response RP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-ipa_code-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the ipa_code in the id_code claim of a trust mark is a string, not compliant otherwise",nested JWT 
parameter type,Correct Input,Entity Statement response RP,Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""ipa_code"": { ""type"":""string""}},""required"":[""ipa_code""]}},""required"":[""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Entity Statement response RP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iss claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Entity Statement response 
RP-trust_mark-iss-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the iss claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""iss"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""iss""]}",The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the logo_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity 
Statement response RP-trust_mark-logo_uri-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the logo_uri claim is value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain correct type of logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_name claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Entity Statement response RP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_type claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the 
organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the organization_type claim contains 'public' or 'private', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response RP,Does the Trust Mark contain correct value for organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | 
trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the policy_uri claim is present and its value is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. 
Its value has to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the ref claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Entity Statement response RP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain an URL in the ref 
claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks.trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Entity Statement response RP-trust_mark-sa_profile,Trust Mark generated for an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sa_profile claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the issued intermediary Trust Mark contain the sa_profile claim,"A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sa_profile,"In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+o,SA-Entity Statement response RP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response SA RP,Trigger Entity 
Statement response SA RP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""sa_profile"": { ""type "": ย ""string "", ""enum "": [ ""full "", ย ""light ""]}}, ""required "": [ ""sa_profile ""]}","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource 
identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-signature,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the signature of the trust marks in the entity statement is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response RP,Does the SA 
correctly sign the Trust marks,"To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_SA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-sub,Trust Mark generated by TA or SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sub claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sub,The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-sub-type,Trust Mark generated by TA or SA,Entity 
Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the sub claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""sub""]}",The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-tos_uri,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the tos_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain the tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | tos_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_mark-tos_uri-type,Trust Mark generated for an AA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the tos_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain a correct tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",SA,,"Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""tos_uri"": {""type"": ""string"", ""format"": ""uri-reference"", ""pattern"": ""^https://""}}, ""required"": [""tos_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+,SA-Entity Statement response RP-trust_marks,Entity Statement issued by an SA,Entity Statement response SA RP,Trigger Entity Statement response SA RP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the SA contain the trust_marks parameter,"In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",SA,,Entity Statement response SA RP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the SA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Fetch Entity Statement response RP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response SA RP,Trigger Fetch Entity Statement response SA RP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response RP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",SA,,Fetch Entity Statement response SA RP | body | [^\r\n]*.^([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. 
For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Trust Mark status response OP-exposed-OP,Trust Mark Status Response,Trust Mark status response SA OP (endpoint response),Trigger Trust Mark status response SA OP (endpoint response),HTTP 200 OK response containing the claim 'active' set to true,/ manual: TM check content,Correct Input,Trust Mark status response OP,Does the SA Trust Mark Status endpoint effectively verify valid Trust Marks of OP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the OP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",SA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Trust Mark status response OP-not_valid-trust_mark-OP,Trust Mark status endpoint response,Trust Mark status response SA OP (endpoint response),Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response OP,Does the SA's trust mark status endpoint correctly refuses a not-valid id Trust Marks OP,"In order to check if the trust mark status endpoint of a SA correctly refuses invalid trust marks OP, a invalid trust mark can be sent to the endpoint and the response analyzed",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Trust Mark status response RP-exposed-RP,Trust Mark Status Response,Trust Mark status response SA RP (endpoint response),Trigger Trust Mark status response SA RP (endpoint response),HTTP 200 OK response containing the claim 'active' set to true,/ manual: TM check content,Correct Input,Trust Mark status response RP,Does the SA Trust Mark Status endpoint effectively verify valid Trust Marks of RP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the RP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",SA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Trust Mark status response RP-not_valid-trust_mark-RP,Trust Mark status endpoint response,Trust Mark status response SA RP (endpoint response),Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response RP,Does the SA's trust mark status endpoint correctly refuses a not-valid id Trust Marks RP,"In order to check if the trust mark status endpoint of a SA correctly refuses invalid trust marks RP, a invalid trust mark can be sent to the endpoint and the response analyzed",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,SA-Trust Mark status response SA-different-entity-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status invalid request,"Compliant if the Trust Mark status response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA,Does the SA checks Trust Marks not issued by the Entity,"In this test, a valid Trust Mark issued by another entity is sent to an SA. 
If it validates the Trust Mark, than is not compliant with the specifications",SA,,,trust mark status endpoint: allows an Entity to test if a TM is still active or not. The request MUST be sent to the subject that has released that TM.,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+o,SA-Trust Mark status response SA-revocated-trust_mark,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status endpoint request with invalidated Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response SA,Does the SA invalidate revocated trust marks,"In order to check if a SA correctly invalidate a Trust Mark, a Trust Mark revocation request on a Trust Mark has to be made and then the trust mark status endpoint must be fetched. If the response says that the trust mark is invalid, than it is correctly invalidated, otherwise the SA is not compliant with the specification",SA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
+x,TA-Entity Configuration response-constraints,TA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",TA,,Entity Configuration response | body | [^\r\n]* | payload | constraints,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,TA-Entity Configuration response-constraints-type,TA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the constraints parameter is a JSON object, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. 
It must be a JSON Object",TA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""constraints"": {""type"": ""object"", ""properties"": {""max_path_length"": {}}, ""required"": [""max_path_length""]}, ""required"": [""constraints""]}}",TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,TA-Entity Configuration response-constraints-value,TA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the constraints parameter contains the max_path_length attribute, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length',"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. 
It must contain the attribute max_path_length",TA,,Entity Configuration response | body | [^\r\n]* | payload | constraints.max_path_length,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,TA-Entity Configuration response-jwks,Federation Configuration (TA's Entity Configuration),Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA's Entity Configuration response contains the TA's public keys, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the Federation Configuration contain the TA public keys,"The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",TA,,Entity Configuration response | body | [^\r\n]* | payload | jwks,"The Federation configuration contains the Trust Anchor public key for the signature operations, the maximum number of Intermediaries allowed between a Leaf and the Trust Anchor (max_path length) and the authorities who are enabled to issue the Trust Marks (trust_marks_issuers).",SPID_CIE_OIDC#Configuration-of-the-federation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/la_federazione_delle_identita.html#configurazione-della-federazione,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,TA-Entity Configuration response-metadata-contacts,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' 
type in the metadata and it contains the 'contacts' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the contacts parameter,In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA metadata must contain the parameter contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Configuration response-metadata-federation_fetch_endpoint,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the federation_fetch_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Configuration response-metadata-federation_list_endpoint,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the 
metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the federation_list_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Configuration response-metadata-federation_resolve_endpoint,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_resolve_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the federation_resolve_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_resolve_endpoint,The TA and SA metadata must contain the parameter federation_resolve_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Configuration response-metadata-federation_trust_mark_status_endpoint,TA's metadata,Entity Configuration response,Trigger 
Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'federation_trust_mark_status_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter,In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_trust_mark_status_endpoint,The TA and SA metadata must contain the parameter federation_trust_mark_status_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Configuration response-metadata-homepage_uri,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'homepage_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the homepage_uri parameter,In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.homepage_uri,The TA and SA metadata must contain the parameter homepage_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.28,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence 
of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Configuration response-metadata-logo_uri,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the logo_uri parameter,In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro logo_uri 
+x,TA-Entity Configuration response-metadata-logo_uri-type,TA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the TA metadata contain correct type logo_uri claim,In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,TA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", 
""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The TA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,HTTP non HTTPS +x,TA-Entity Configuration response-metadata-organization_name,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the organization_name parameter,In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro organization_name 
+x,TA-Entity Configuration response-metadata-policy_uri,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the policy_uri parameter,In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro policy_uri 
+x,TA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",TA,,"Entity Configuration response TA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,F,P,passed,[PRIMA] There is only: federation_entity 
+x,TA-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",TA,,Entity Configuration response | body | [^\r\n]* | X_key_TA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Signature non corretta 
+x,TA-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration TA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",TA,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_TA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Configuration response-trust_marks_issuers,TA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks_issuers parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does TA's Entity configuration contain the trust_marks_issuers parameter,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",TA,,Entity Configuration response | body | [^\r\n]* | payload | trust_mark_issuers,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Configuration response-trust_mark_issuers-type,TA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_mark_issuers parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers 
parameter must be a JSON Array.",TA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_mark_issuers"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_mark_issuers""]}",TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Listing endpoint response-exposed,Entity Listing endpoint response,Entity Listing endpoint response,Trigger Entity Listing endpoint response,"Compliant if the response contains a JSON list, not compliant otherwise",HTTP parameter type,Correct Input,Entity Listing endpoint response,Does the Entity expose the entity listing endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. 
A response containing a JSON list with the known Entity Identifiers is expected",TA,,"Entity Listing response | body | \[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$",This test simply checks if the entity exposes the /.well-known/openid-federation endpoint and if it,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Entity Listing response 
+x,TA-Entity Statement response OP-constraints,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the TA contain the constraints parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | constraints,The constraints parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro constraints 
+x,TA-Entity Statement response OP-exp,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the TA contain the exp parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Statement response OP-iat,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the TA contain the iat parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Statement response OP-id_code-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain a correct id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro id_code 
+x,TA-Entity Statement response OP-iss,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statement issued by the TA contain the iss parameter,"In order to check if the TA issues correct 
Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Statement response OP-jwks,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the TA contain the jwks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Statement response OP-metadata_policy,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the TA contain the metadata_policy parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Statement response OP-metadata_policy-acr_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the acr_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must be a JSON object containing the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.acr_values_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}},""required"":[""subset_of"", ""superset_of""]}",The acr_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary 
+x,TA-Entity Statement response OP-metadata_policy-acr_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the acr_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. 
It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.acr_values_supported.subset_of | [""https://www.spid.gov.it/SpidL1"", ""https://www.spid.gov.it/SpidL2"", ""https://www.spid.gov.it/SpidL3""]",The acr_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the authorization_response_iss_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.authorization_response_iss_parameter_supported,The authorization_response_iss_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the authorization_response_iss_parameter_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value,The authorization_response_iss_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto +,TA-Entity Statement response OP-metadata_policy-authorization_response_iss_parameter_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the authorization_response_iss_parameter_supported parameter is present in the openid_provider type and contains the value 'one_of': ['true'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued as ['true']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.authorization_response_iss_parameter_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": true}}, ""required"": [""value""]}",The authorization_response_iss_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-claims_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.claims_parameter_supported,The claims_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-claims_parameter_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims_parameter_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.claims_parameter_supported.value,The claims_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-claims_parameter_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims_parameter_supported parameter is present in the openid_provider type and contains the value 'one_of': ['true'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued as ['true']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.claims_parameter_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": true}}, ""required"": [""value""]}",The claims_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-client_registration_types_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the client_registration_types_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.client_registration_types_supported.subset_of,The client_registration_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-client_registration_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the client_registration_types_supported parameter is present in the openid_provider type and contains the key 'one_of' not compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.client_registration_types_supported.subset_of,The client_registration_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-client_registration_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the client_registration_types_supported parameter is present in the openid_provider type and contains the value 'one_of': ['automatic'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued as ['automatic']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.client_registration_types_supported | {""type"": ""object"", ""properties"": {""subset_of"": {""const"": ""automatic""}}, ""required"": [""subset_of""]}",The client_registration_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-code_challenge_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the code_challenge_methods_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.code_challenge_methods_supported.subset_of,The code_challenge_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-code_challenge_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the code_challenge_methods_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['S256'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['S256']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.code_challenge_methods_supported.subset_of | [""S256""]",The code_challenge_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-grant_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the grant_types_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.grant_types_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The grant_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-grant_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the grant_types_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['refresh_token', 'authorization_code'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.grant_types_supported.subset_of | [""refresh_token"", ""authorization_code""]",The grant_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-id_token_encryption_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_encryption_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +,TA-Entity Statement response OP-metadata_policy-id_token_encryption_enc_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_enc_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_encryption_enc_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-id_token_encryption_enc_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_enc_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The id_token_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-id_token_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +,OP-Authentication request-url-wrong-client_id,Authentication request URL,,,HTTP 302 error because of 'invalid_request',,Wrong Input,Authentication request,T1_a,The authentication request is intercepted and the 'client_id' field in the URL is edited to be a wrong value. The request is then forwarded and the result is an incorrect flow,OP,,,,External: T1_a (MIG),OIDC Core,active,,,,,,T1_a,,,client_id in URL is optional (should),TRUE,x,,,,,,,,, +,OP-Authentication request-url-missing-client_id,Authentication request URL,,,HTTP 400 error because of 'unauthorized_client',,Wrong Input,Authentication request,T1_b,"The authentication request is intercepted and the 'client_id' field is removed. 
After forwarding the request, the expected output is an incorrect flow",OP,,,,External: T1_b (MIG),OIDC Core,active,,,,,,T1_b,,,client_id in URL is optional (should),TRUE,x,,,,,,,,, +,OP-Authentication request-url-wrong-response_type,Authentication request URL,,,HTTP 400 error because of 'unsupported_response_type',,Wrong Input,Authentication request,T1_c,The authentication request is intercepted and the 'response_type' field in the URL is edited to be a wrong value. The request is then forwarded and the result is an incorrect flow,OP,,,,External: T1_c (MIG),OIDC Core,active,,,,"Auth request, no correct response_type","Auth request, no correct response_type",T1_c,,,response_type in URL is said should,FALSE,x,,,,,,,,, +,OP-Authentication request-url-missing-response_type,Authentication request URL,,,HTTP 400 error because of 'unsupported_response_type',,Wrong Input,Authentication request,T1_d,"The authentication request is intercepted and the 'response_type' field is removed from the URL. After forwarding the request, the expected output is an incorrect flow",OP,,,,External: T1_d (MIG),OIDC Core,active,,,,,,T1_d,,,response_type in URL is said should,TRUE,x,,,,,,,,, +,OP-Authentication request-token-replay,Authentication request JWT,,,HTTP 400 error because of 'invalid_grant',,Wrong Input,Authentication request,T7_a,"The authentication request in a first session is intercepted and the token present in the request parameter is saved. After forwarding and completing the first session, a second authentication request is initialized and the token saved previously is used in this second session. 
This results in an incorrect second flow.",OP,,,,External: T7_a (MIG),OIDC Core,active,,,Are replayed JWT's detected (IsJwtReplayDetected),,,T7_a,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,, +,OP-Authentication request-code-length,Authorization code from authorization request,,,String asserting whether the code is valid or not,,Correct Input,Authentication request,Is the authorization code grant supported (CodeFlowSupported),"The OP takes the authorization code from the request and checks the length of the Code, assuring that it is of at least 128 bits. Moreover the entropy of the code is checked. If the code is not long enough or it cannot be retrieved (e.g., is null), an error is returned.",OP,,,,External: OAuch,OIDC Core,passive,,,Is the authorization code grant supported (CodeFlowSupported),Support code response_type,,,,,"OAuch has not the source code, thus I cannot understand what it does. Regarding the Conformance profile, the test checks the code length and entropy. Nothing about code length or entropy is said in the specification",TRUE,x,,,,,,,,, +,OP-Authentication request-no-bearer,Authentication response,,,HTTP 302 because of access_denied,,Wrong Input,Authentication request,Are authentication parameters in the URI allowed (IsAuthInUriAllowed),"This test firstly checks if there is a flow needing the authentication via a client secret. Once found, it removes the 'Authorization' field in the header of the request and adds the 'client_id' and 'client_secret' values in the request parameters. If the request is accepted, then the server accepts an authentication via parameters in the URI and is not compliant with the specifications.",OP,,,,External: OAuch,OIDC Core,active,,,Are authentication parameters in the URI allowed (IsAuthInUriAllowed),,,,,,Nothing about this in the specification. I think this is implicit due to the fact that the implicit flow should not be supported and that the request must have the JWT. 
Maybe can be said more clearly,TRUE,x,,,,,,,,, +,OP-Authentication request-fragment,Authorization endpoint URL,,,"Compliant if the URL has not a fragment, not compliant otherwise",,Correct Input,Authentication request,Does the authorization URL have a fragment (HasFragment),"This analyzes the URL of the authorization endpoint and checks if there is a fragment (#). If there a # is present, then there is a fragment and the server is not compliant with the specifications, otherwise the specifications are well-implemented.",OP,,,,External: OAuch,OIDC Core,passive,,,Does the authorization URL have a fragment (HasFragment),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, +,OP-Authentication response-referrer,Referrer policy of the authorization response,,,"Compliant if all the referers are legit, not compliant otherwise",,Correct Input,Authentication response,Does the server suppress the referrer (ReferrerPolicyEnforced),"This test takes the Referrer policy present in the headers and/or in the metadata of the authorization response and checks that every referer is a proper one. If a referer is not valid or if there are not referers (and thus there is not a proper referrer policy), then the specifications are not fully implemented. ",OP,,,,External: OAuch,OIDC Core,passive,,,Does the server suppress the referrer (ReferrerPolicyEnforced),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, +,OP-Authentication request-same-parameter-twice,Authorization response to a request with duplicated parameter,,,"Compliant if the response has not a token, not compliant if it has",,Wrong Input,Authentication request,Does the authorization server allow multiple instances of the same parameter (SameParameterTwiceDisallowed),"This test creates a request with a duplicated parameter and sends it. 
If the response contains the token, than the authorization server ignored the duplicated parameter and didn't implemented the specifications properly.",OP,,,,External: OAuch,OIDC Core,active,,,Does the authorization server allow multiple instances of the same parameter (SameParameterTwiceDisallowed),,,,,,"Nothing about this in the specification. Did not understand why they wait for a token if it is an authentication request +",TRUE,x,,,,,,,,, +,OP-Authentication request-unrecognized-parameter,Authorization response to a request with additional arbitrary parameter,,,"Compliant if the response has not a token, not compliant if it has",,Correct Input,Authentication request,Does the authorization server ignore unrecognized parameters (UnrecognizedParameterAllowed),"Create a request, add an arbitrary parameter and send it. If the server ignores the additional parameter and responds with the token, then it implements the specifications properly, otherwise it does not.",OP,,,,External: OAuch,OIDC Core,active,,,Does the authorization server ignore unrecognized parameters (UnrecognizedParameterAllowed),Ignores not understood query parameter in authentication request,,,,,Nothing about this in the specification. Did not understand why they wait for a token if it is an authentication request,TRUE,x,,,,,,,,, +,OP-Authentication request-missing-sub,Authorization response to a request with a JWT without the sub claim,,,Refuse client authorization: HTTP 400 error because of 'invalid_grant',,Wrong Input,Authentication request,Is JWT subject checked (HasSubjectClaim),A request with a JWT token without the sub claim is created and sent. 
The server should reject the request.,OP,,,,External: OAuch,OIDC Core,active,,,Is JWT subject checked (HasSubjectClaim),,,,,,The sub parameter in the authentication request is no more required,TRUE,x,,,,,,,,,
+,OP-Authentication request-support-ui_locales,Authentication response,,,"Compliant if the Authentication page is showed with the proper language, not compliant otherwise",,Correct Input,Authentication request,Support ui_locales request parameter,"This test includes the ui_locales parameter in the request to the authorization endpoint, with the value set to that provided in the configuration (or 'se' if no value probably). Use of this parameter in the request must not cause an error at the OP. Please remove any cookies you may have received from the OpenID Provider before proceeding. You need to do this so you can check that the login page is displayed using one of the requested locales.",OP,,,,External: Reference OpenID Connect Conformance Profiles v3.0,OIDC Core,active,,,,Support ui_locales request parameter,,,,,It is an optional parameter right now. 
Cannot find the source code,TRUE,x,,,,,,,,,
+,OP-Authentication request-wrong-ui_locales,"Authentication response to a request with a wrong ""ui_locales"" field",,,HTTP 302 error code because of invalid_request,,Wrong Input,Authentication request,"Auth request, no correct UI_locales",The authentication request is created and sent with a wrong 'ui_locales' field.,OP,,,,External: Reference spid-cie-oidc-django unit test,OIDC Core,active,,,,,"Auth request, no correct UI_locales",,,,"In the spec it is optional, so we did not consider it as a requirement for an OP to be compliant",TRUE,x,,,,,,,,,
+,OP-Authentication response-header-pragma,Authorization response,,,"Compliant if the response has the pragma header, not compliant otherwise",,Correct Input,Authentication response,Is pragma header present (HasPragmaHeader),This test determines whether Pragma header is present in authorization endpoint responses,OP,,,,External: OAuch,OIDC Core,passive,,,Is pragma header present (HasPragmaHeader),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,,
+,OP-Authentication response-csp,Authorization page,,,"Compliant if it has a Content Security Policy, not compliant otherwise",,Correct Input,Authentication response,Authorization page has Content Security Policy (HasContentSecurityPolicy),This test determines whether the authorization endpoint uses a content security policy to avoid framing of the authorization page.,OP,,,,External: OAuch,OIDC Core,passive,,,Authorization page has Content Security Policy (HasContentSecurityPolicy),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,,
+,OP-Authentication response-header-x-frame,Authorization page,,,"Compliant if it has a X-Frame-Options header, not compliant otherwise",,Correct Input,Authentication response,Authorization page has X-Frame-Options header (HasFrameOptions),This test determines whether the authorization endpoint uses the X-Frame-Options header to avoid framing of the authorization page.,OP,,,,External: 
OAuch,OIDC Core,passive,,,Authorization page has X-Frame-Options header (HasFrameOptions),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,,
+,OP-Authentication response-header-cache_control,Authorization response,,,"Compliant if it has a Cache-Control header, not compliant otherwise",,Correct Input,Authentication response,Is cache control header present (HasCacheControlHeader),This test determines whether Cache-Control header is present in authorization endpoint responses,OP,,,,External: OAuch,OIDC Core,passive,,,Is cache control header present (HasCacheControlHeader),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,,
+,OP-Authentication request-pkce-downgrade,Authorization response to a request without the code_challenge and the code_challenge_method parameters,,,"Compliant if the response does not have a token inside, not compliant otherwise",,Correct Input,Authentication request,Is PKCE downgrade detected (authorization request) (IsPkceDowngradeDetected),"Attackers can downgrade PKCE protection without the server noticing. The server should disallow authorization code exchanges where a code_verifier is presented, if there was no code_challenge present in the authorization request.",OP,,,,External: OAuch,OIDC Core,active,,,Is PKCE downgrade detected (authorization request) (IsPkceDowngradeDetected),,,,,,"This type of attack is accomplished via a MITM, where the attacker acts like the OP and tries to downgrade to the plain PKCE, thus making the RP send the code_verifier. In the specification there is not written that plain PKCE is not supported, maybe it could be made more clear also specifying that the RP must not try to use plain PKCE an refuses requests where is asked to downgrade. 
Did not understand why they wait for a token if it is an authentication request
+",TRUE,x,,,,,,,,,
+,OP-Authentication request-tls,Authorization uri,,,"Compliant if it supports a modern version of TLS, not compliant otherwise",,Correct Input,Authentication request,Does the authorization server support a modern version of TLS (IsModernTlsSupported),This test determines whether the authorization server supports modern versions of the TLS protocol (v1.2 and higher).,OP,,,,External: OAuch,OIDC Core,passive,,,Does the authorization server support a modern version of TLS (IsModernTlsSupported),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,,
+,OP-Authentication request-post-authentication,Authentication response to a request made with HTTP POST,,,"Compliant if the response does not have a token inside, not compliant otherwise",,Correct Input,Authentication request,Does the server support POST authentication requests (SupportsPostAuthorizationRequests),This test checks whether the authorization server supports sending authentication parameters via a POST request.,OP,,,,External: OAuch,OIDC Core,active,,,Does the server support POST authentication requests (SupportsPostAuthorizationRequests),,,,,,"Did not inserted because it seems that the serialization method used is query string, whereas the one that the specification requires is form serialization. Did not understand why they wait for a token if it is an authentication request",TRUE,x,,,,,,,,,
+,OP-Authentication request-query-component-in-redirect,Authentication response,,,"Compliant if the response is successful, not compliant otherwise",,Correct Input,Authentication request,Preserves query parameter in redirect_uri,This test uses a redirect uri with a query component. 
Authorization should complete successfully.,OP,,,,External: Reference OpenID Connect Conformance Profiles v3.0,OIDC Core,active,,,,Preserves query parameter in redirect_uri,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,,
+,OP-Authentication response-iss,Authentication response to a request with a wrong iss parameter,,,HTTP 302 error code because of invalid_request,,Correct Input,Authentication response,Authentication Response: iss parameter compliance,iss parameter must be https://login.interno.gov.it/,OP,,,,External: MIG,OIDC Core,passive,,,,,,P2_e,,,The value of iss must no more be the one described the one described,TRUE,x,,,,,,,,,
+,OP-Authentication response-code-timeout,Authentication response to a delayed request,,,"Compliant if the response does not have the token, not compliant otherwise",,Correct Input,Authentication response,Do authorization codes have a short timeout (AuthorizationCodeTimeout),This test checks if authorization codes time out after at most 10 minutes.,OP,,,,External: OAuch,OIDC Core,active,,,Do authorization codes have a short timeout (AuthorizationCodeTimeout),,,,,,"Nothing is said in the specification about the timeout time of the codes. 
Did not understand why they wait for a token if it is an authentication request
+",TRUE,x,,,,,,,,,
+,OP-Token request-short-code_verifier,Token response to a request with a short code verifier,,,"Compliant if the response does not have the token, not compliant otherwise",,Wrong Input,Token request,Are insecure code verifiers rejected (ShortVerifier),"try to edit code_verifier and put a value shorter than 32, note it still has to be valid",OP,,,,External: OAuch,OIDC Core,active,,,Are insecure code verifiers rejected (ShortVerifier),,,,,,Nothing is said about the length of the code verifier,TRUE,x,,,,,,,,,
+,OP-Token request-asymmetric-authentication,Site settings,,,"Compliant if the server supports client authentication as private_key_jwt or certificates, not compliant otherwise",,Correct Input,Token request,Does the server support asymmetric client authentication (IsAsymmetricClientAuthenticationUsed),"This test determines whether the server supports asymmetric client authentication, such as mTLS or 'private_key_jwt'.",OP,,,,External: OAuch,OIDC Core,active,,,Does the server support asymmetric client authentication (IsAsymmetricClientAuthenticationUsed),,,,,,"Not clear how it works, in CIE the type of authentication is private_key_jwt, but in this test is not clear how this is checked",TRUE,x,,,,,,,,,
+,OP-Token request-basic-authentication,Token response to a request without authentication,,,"Compliant if the token received is not valid, not compliant otherwise",,Correct Input,Token request,Is basic authentication supported (IsBasicAuthenticationSupported),This test verifies whether the token endpoint supports the basic authentication scheme (or a more secure authentication scheme) for clients that were issues a password.,OP,,,,External: OAuch,OIDC Core,active,,,Is basic authentication supported (IsBasicAuthenticationSupported),,,,,,"Did not proprerly understand what it does. 
For what I could, it tests if client secrets are used and this is not for our interest",TRUE,x,,,,,,,,,
+,OP-Token request-require-client-authentication,Token response to a request without client id and client secret,,,"Compliant if the response does not contain a token, not compliant otherwise",,Wrong Input,Token request,Is client authentication required (IsClientAuthenticationRequired),Try to not authenticate as the client to the token endpoint,OP,,,,External: OAuch,OIDC Core,active,,,Is client authentication required (IsClientAuthenticationRequired),,,,,,"Is tried to remove the client id and secret, in CIE authentication is performed via JWT",TRUE,x,,,,,,,,,
+,OP-Token request-get-requests,Token response to a request made with HTTP GET,,,"Compliant if the response does not contain a token, not compliant otherwise",,Correct Input,Token request,Does the token server support GET requests (IsGetSupported),This test checks if the token server supports GET requests.,OP,,,,External: OAuch,OIDC Core,active,,,Does the token server support GET requests (IsGetSupported),,,,,,In the specification is not specified which type of request the token endpoint accepts (even though examples show a POST request). A similar test is created for the authorization endpoint,TRUE,x,,,,,,,,,
+,OP-Token request-require-https,Token response to a request made to the URI with http scheme,,,"Compliant if the response does not contain a token, not compliant otherwise",,Wrong Input,Token request,Is HTTPS required at the token endpoint (IsHttpsRequired),This test checks whether the token endpoint enforces HTTPS connections,OP,,,,External: OAuch,OIDC Core,active,,,Is HTTPS required at the token endpoint (IsHttpsRequired),,,,,,I think it is trivial but in the specification I did not find that HTTPS is required. 
For this reason I did not create a test,TRUE,x,,,,,,,,,
+,OP-Token request-tls,Site settings,,,"Compliant if the token server supports modern versions of TLS, not compliant otherwise",,Correct Input,Token request,Does the token server support a modern version of TLS (IsModernTlsSupported),This test determines whether the token server supports modern versions of the TLS protocol (v1.2 and higher).,OP,,,,External: OAuch,OIDC Core,active,,,Does the token server support a modern version of TLS (IsModernTlsSupported),,,,,,I think it is trivial but in the specification I did not find that the most updated TLS (and thus HTTPS) is required. For this reason I did not create a test. Moreover I did not properly understand how the test works,TRUE,x,,,,,,,,,
+,OP-Token request-password-disabled,Token request,,,"Compliant if the server does not support the password flow (grant_type set to password), not compliant otherwise",,Wrong Input,Token request,Is the password flow disabled (IsPasswordFlowDisabled),Check that the password flow is disabled ,OP,,,,External: OAuch,OIDC Core,active,,,Is the password flow disabled (IsPasswordFlowDisabled),,,,,,In the specification the authorization code flow is used but nothing is said about this type of flow. It is true that if an entity uses the password flow it is not compliant but it would fail all the other tests anyway. I think this is trivial. 
Moreover I did not properly understand how the test works,TRUE,x,,,,,,,,,
+,OP-Token request-refresh-authentication,Token response to a request with a refresh token and without client id and client secret (as authentication),,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Is refresh authentication required (IsRefreshAuthenticationRequired),Check to not authenticate when asking a token with a refresh token,OP,,,,External: OAuch,OIDC Core,active,,,Is refresh authentication required (IsRefreshAuthenticationRequired),,,,,,"It tries to remove client id and secret and make a request, we do not care about this test because the required authentication method is the signed JWT",TRUE,x,,,,,,,,,
+,OP-Token request-refresh_token-bound,Token response to a request with a refresh token and with a wrong client id as authentication method,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Is the refresh token bound to a client (IsRefreshBoundToClient),Try to use the refresh token with another client,OP,,,,External: OAuch,OIDC Core,active,,,Is the refresh token bound to a client (IsRefreshBoundToClient),,,,,,"This test seems to try to use the refresh token with another client, and see if an access token is sent back. In the specification I did not really find something that says to not do this. 
Must the OP check the client when exchanging a refresh token?",TRUE,x,,,,,,,,,
+,OP-Token request-use-code-twice,Token response to a request containing a code already exchanged,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Can codes be exchanged multiple times (MultipleCodeExchanges),Try to use authorization code twice,OP,,,,External: OAuch,OIDC Core,active,,,Can codes be exchanged multiple times (MultipleCodeExchanges),Reject second use of authorization code,,,,,Nothing about invalidating the authorization code is said in the specification,TRUE,x,,,,,,,,,
+,OP-Token request-check-redirect_uri,Token response to a request with a wrong redirect uri,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Is the redirect URI checked when exchanging a code (RedirectUriChecked),"Try to use a not registered redirect uri, try to set it differently from the authorization request",OP,,,,External: OAuch,OIDC Core,active,,,Is the redirect URI checked when exchanging a code (RedirectUriChecked),,,,,,"In CIE/SPID the redirect uri must be checked when asking for a code, not when exchanging it",TRUE,x,,,,,,,,,
+,OP-Token request-parameter-twice,Token response to a request with a parameter duplicated,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Does the token endpoint allow multiple instances of the same parameter (SameParameterTwiceDisallowed),Try to put a parameter twice in the token request,OP,,,,External: OAuch,OIDC Core,active,,,Does the token endpoint allow multiple instances of the same parameter (SameParameterTwiceDisallowed),,,,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,,
+,OP-Token request-tokens-invalidated-after-multiple-exchange,Introspection response to a request containing an access token whose code was exchanged twise,,,"Compliant if the response says that the token is not valid, not 
compliant otherwise",,Wrong Input,Token request,Are tokens invalidated after exchanging the same code multiple times (TokenValidAfterMultiExchange),"Get a token, assure it works, try to exchange same code again, see if the token still works",OP,,,,External: OAuch,OIDC Core,active,,,Are tokens invalidated after exchanging the same code multiple times (TokenValidAfterMultiExchange),Second use of Authorization code revokes previously issued Access Token,,,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,, +,OP-Token request-ignore-unrecognized-parameter,Token response to a request with unkown parameters,,,"Compliant if the response does not have a token, not compliant otherwise",,Wrong Input,Token request,Does the token endpoint ignore unrecognized parameters (UnrecognizedParameterAllowed),Try to add invalid parameters,OP,,,,External: OAuch,OIDC Core,active,,,Does the token endpoint ignore unrecognized parameters (UnrecognizedParameterAllowed),,,,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,, +,OP-Token request-pkce-downgrade,Authorization response to a request without the code_challenge and the code_challenge_method parameters,,,"Compliant if the response does not have a token inside, not compliant otherwise",,Wrong Input,Token request,Is PKCE downgrade detected (token request) (IsPkcePlainDowngradeDetected),"Attackers can downgrade PKCE protection without the server noticing. The authorization request used S256 PKCE, but an attacker can downgrade this to plain PKCE by modifying the token request.",OP,,,,External: OAuch,OIDC Core,active,,,Is PKCE downgrade detected (token request) (IsPkcePlainDowngradeDetected),,,,,,"This type of attack is accomplished via a MITM, where the attacker acts like the OP and tries to downgrade to the plain PKCE, thus making the RP send the code_verifier. 
In the specification there is not written that plain PKCE is not supported, maybe it could be made more clear also specifying that the RP must not try to use plain PKCE. Regarding the test, the code is not available",TRUE,x,,,,,,,,,
+,OP-Token request-max_age,Two ID Tokens,,,"Compliant if the second ID token has an auth_time parameter and the user is asked to log in again, not compliant otherwise",,Wrong Input,Token request,Support max_age request parameter,"This test calls the authorization endpoint test twice. The second time it waits 1 second and includes max_age=1, so that the authorization server is required to ask the user to login a second time and must return an auth_time claim in the second id_token. A screenshot of the second authorization should be uploaded.",OP,,,,External: OpenID Connect Conformance Profile,OIDC Core,active,,,,"Support max_age request parameter, ID token has auth_time claim when max_age in request",,,,,Parameter not used in CIE,TRUE,x,,,,,,,,,
+,OP-Token request-max_age-not-reached,Two ID Tokens,,,"Compliant if the second ID token has an auth_time parameter and the user is not asked to log in again, not compliant otherwise",,Wrong Input,Token request,Support max_age request parameter when max age not reached,"This test calls the authorization endpoint test twice. The first time it includes max_age=15000 (so that the OP is required to return auth_time in the id_token). The second time it includes max_age=10000, and the authorization server must not request that the user logs in. 
The test verifies that auth_time and sub are consistent between the id_tokens from the first and second authorizations.",OP,,,,External: OpenID Connect Conformance Profile,OIDC Core,active,,,,Support max_age request parameter when max age not reached,,,,,Parameter not used in CIE,TRUE,x,,,,,,,,,
+,OP-Token request-reject-code-second-use,Token response to a request with an already used code,,,"Compliant if the server returns an error and invalidate the previously-issued access token, not compliant otherwise",/ todo 0809,Wrong Input,Token request,Reject second use of authorization code after 30 seconds,"This test tries using an authorization code for a second time, 30 seconds after the first use. The server must return an invalid_grant error as the authorization code has already been used. The originally issued access token should be revoked (as per RFC6749-4.1.2) - a warning is issued if the access token still works.",OP,,,,External: OpenID Connect Conformance Profile,OIDC Core,active,,,,Reject second use of authorization code after 30 seconds,,,,,Nothing about this is said in the specification,TRUE,x,,,,,,,,,
+,OP-Token response-correct-content_type,Token response,,,"Compliant if the content-type header is application/json, not compliant otherwise",,Correct Input,Token response,response MUST have Content-Type 'application/json',This test takes the token response header and checks the Content-type,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.2.0,In the example of the token response the content type is the same but it is not said to be mandatory or necessary,TRUE,x,,,,,,,,,
+,OP-Token response-header-correct-cache_control,Token response,,,"Compliant if the cache-control header is no-store, not compliant otherwise",,Correct Input,Token response,response MUST have HTTP response header Cache-Control with value 'no-store',This test takes the token response header and checks the Cache-control,OP,,,,External: spid-oidc-check-op,OIDC 
Core,passive,,,,,,,,3.2.2,Nothing about this is said in the specification,TRUE,x,,,,,,,,,
+,OP-Token response-header-correct-pragma,Token response,,,"Compliant if the pragma header is no-cache, not compliant otherwise",,Correct Input,Token response,response MUST have HTTP response header Pragma with value 'no-cache',This test takes the token response header and checks the pragma,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.2.3,Nothing about this is said in the specification,TRUE,x,,,,,,,,,
+,OP-Token response-correct-expires_in,Token response,,,"Compliant if the expires_in parameter is less or equal to 900, not compliant otherwise",,Correct Input,Token response,the value of expires_in MUST be <= 900,This test takes the token response and checks the presence of the expires_in parameter in the data,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.2.13,parameter not correct (exp). expiration time in specification is not clear,TRUE,x,,,,,,,,,
+,OP-Token response-id-token-payload-correct-acr,ID token in the token response,,,"Compliant if the acr parameter is present and contains only values among ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3'], not compliant otherwise",,Correct Input,Token response,"ID Token Payload: the value of acr MUST be one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']","This test takes the ID token in the token response, decrypt it and checks the presence of the acr values",OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.3.10,The values are no more defined like that,TRUE,x,,,,,,,,,
+,OP-Token response-id_token-payload-exp-authorization_code,ID token in the token response,,,"Compliant if the ID token payload contains the grant_type claim set to 'authorization_code', the iat claim and the exp claim is set to iat + 5 min. 
Not compliant otherwise",,Correct Input,Token response,"ID Token Payload: if grant_type was 'authorization_code', the value of exp MUST be = iat + 5min","This test takes the ID token in the token response, decrypt it and checks the presence of the grant_type, iat and exp claims",OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.3.21,Nothing about this in the specification,TRUE,x,,,,,,,,, +,OP-Token response-id_token-payload-exp-refresh_token,ID token in the token response,,,"Compliant if the ID token payload contains the grant_type claim set to 'refresh_token', the iat claim and the exp claim is set to iat + 30 days. Not compliant otherwise",,Correct Input,Token response,"ID Token Payload: if grant_type was 'refresh_token', the value of exp MUST be = iat + 30 days - (iat of original authentication)","This test takes the ID token in the token response, decrypt it and checks the presence of the grant_type, iat and exp claims",OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.3.22,Nothing about this in the specification,TRUE,x,,,,,,,,, +,OP-Token response-access_token-payload-exp-time,Access token in the token response,,,Compliant if the Access token payload contains the iat claim and the exp claim is set to iat + 15 min. 
Not compliant otherwise,,Correct Input,Token response,Access Token Payload: the value of exp MUST be = iat + 15min,"This test takes the Access token in the token response, decrypt it and checks the presence of the iat and exp claims",OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,3.4.13,Nothing about this in the specification,TRUE,x,,,,,,,,,
+,OP-Token response-key-references,ID Token in the token response,,,"Not compliant if the ID token contains one parameter among { 'x5u', 'x5c', 'jku', 'jwk' }, compliant otherwise",,Correct Input,Token response,Are references to keys communicated using discovery and registration parameters (KeyReferences),"This test determines whether the identity token uses keys that are communicated in advance using Discovery and Registration parameters, instead of the JWS x5u, x5c, jku and jwk header claims.",OP,,,,External: OAuch,OIDC Core,passive,,,Are references to keys communicated using discovery and registration parameters (KeyReferences),,,,,,"This tests check discovery for the keys, in the CIE case the key exchange is a matter of federation. This is not a useful test",TRUE,x,,,,,,,,,
+x,TA-Entity Statement response OP-metadata_policy-id_token_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path | param_value1 | param_value2 | ...,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto
+,OP-Metadata-claims-spid,metadata,,,"Compliant if the claim claim in the metadata contains all the spid attributes, not compliant otherwise",,Correct Input,Metadata,claims supported should be all the spid attributes,"If present, the value of claims_supported MUST be all the SPID attributes (see table of SPID attributes for OIDC)",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.4.8,Claim no more used,TRUE,x,,,,,,,,,
+,OP-Metadata-valid-url,Metadata URL,,,"Compliant if the metadata are on a valid URL, not compliant otherwise",,Correct Input,Metadata,1.0.0,Metadata file MUST be on a valid URL of the OP,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.0.0,It is trivial but there is not written to use HTTPS,TRUE,x,,,,,,,,,
+,OP-Metadata-correct-url,Metadata URL,,,"Compliant if the metadata are on a URL composed like /.well-known/openid-configuration, not compliant otherwise",,Correct Input,Metadata,1.1.0,Document URL MUST be /.well-known/openid-configuration,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.1.0,Metadata in the CIE federation are published in the .well-known/openid-federation,TRUE,x,,,,,,,,,
+,OP-Metadata-correct-content_type,Response to a metadata request,,,"Compliant if the header 'Content-Type' is set to application/json, not compliant otherwise",,Correct Input,Metadata,1.1.3,The document MUST be returned as Content-Type application/json,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.1.3,"It is not specified but in the examples the content type is ""application/entity-statement+jwt""",TRUE,x,,,,,,,,,
+,OP-Metadata-not-contain-request_object_encryption_alg_values_supported,OP's Metadata,,,"Compliant if the request_object_encryption_alg_values_supported parameter is not present, not compliant otherwise",,Correct Input,Metadata,1.3.23,The metadata must not contain the claim request_object_encryption_alg_values_supported,OP,,,,External: 
spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.3.23,claim no more used. Test is changed recently. Nothing is said about the prohibition of this parameter,TRUE,x,,,,,,,,,
+,OP-Metadata-not-contain-request_object_encryption_enc_values_supported,OP's Metadata,,,"Compliant if the request_object_encryption_enc_values_supported parameter is not present, not compliant otherwise",,Correct Input,Metadata,1.3.24,The metadata MUST NOT contain the claim request_object_encryption_enc_values_supported,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.3.24,claim no more used. Test is changed recently. Nothing is said about the prohibition of this parameter,TRUE,x,,,,,,,,,
+,OP-Metadata-contain-request_parameter_supported,OP's Metadata,,,"Compliant if the request_parameter_supported parameter is present, not compliant otherwise",,Correct Input,Metadata,1.3.25,The metadata MUST contain the claim request_parameter_supported,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.3.25,claim no more used,TRUE,x,,,,,,,,,
+,OP-Metadata-request_parameter_supported-true,OP's Metadata,,,"Compliant if the request_parameter_supported parameter is present and set to true, not compliant otherwise",,Correct Input,Metadata,1.3.26,The value of request_parameter_supported MUST be true,OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.3.26,claim no more used,TRUE,x,,,,,,,,,
+,OP-Metadata-claims_parameter_supported-true,Metadata,,,"Compliant if the claims_parameter_supported claim is present and set to true, not compliant if it present but not set to true",,Correct Input,Metadata,1.4.10,"If present, the value of claims_parameter_supported MUST be true",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.4.10,claim no more used,TRUE,x,,,,,,,,,
+,OP-Metadata-token_endpoint_auth_methods_supported-private_key_jwt,Metadata,,,"Compliant if the token_endpoint_auth_methods_supported claim is present and contains the value private_key_jwt, not compliant if it present 
but does not contain the value private_key_jwt",,Correct Input,Metadata,1.4.5,"If present, the token_endpoint_auth_methods_supported MUST be ['private_key_jwt']",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.4.5,claim no more used,TRUE,x,,,,,,,,,
+,OP-Metadata-correct-request_object_encryption_alg_values_supported,Metadata,,,"Compliant if the request_object_encryption_alg_values_supported claim is present and set to ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it present but is set differently",,Correct Input,Metadata,1.5.7,"The request_object_encryption_alg_values_supported MUST be ['RSA-OAEP', 'RSA-OAEP-256']",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.5.7,Claim no more used,TRUE,x,,,,,,,,,
+,OP-Metadata-correct-request_object_encryption_enc_values_supported,Metadata,,,"Compliant if the request_object_encryption_enc_values_supported claim is present and set to ['A128CBC-HS256', 'A256CBC-HS512'], not compliant if it present but is set differently",,Correct Input,Metadata,1.5.8,"The request_object_encryption_enc_values_supported MUST be ['A128CBC-HS256', 'A256CBC-HS512']",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.5.8,Claim no more used,TRUE,x,,,,,,,,,
+,OP-Metadata-correct-token_endpoint_auth_signing_alg_values_supported,Metadata,,,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is present and set to ['RS256', 'RS512'], not compliant if it present but is set differently",,Correct Input,Metadata,1.5.9,"If present, the token_endpoint_auth_signing_alg_values_supported MUST be ['RS256', 'RS512']",OP,,,,External: spid-oidc-check-op,OIDC Core,Passive,,,,,,,,1.5.9,Claim no more used,TRUE,x,,,,,,,,,
+x,TA-Entity Statement response OP-metadata_policy-incorrect-id_token_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_encryption_alg_values_supported 
parameter is present in the openid_provider type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of | [""RSA_1_5""]",The id_token_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-incorrect-id_token_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_token_signing_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The id_token_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-incorrect-request_authentication_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-incorrect-userinfo_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of | [""RSA_1_5""]",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-incorrect-userinfo_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512']",JWT list parameter does not contain,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. 
metadata_policy contiene solo openid_provider ma รจ vuoto 
+,OP-Authentication request-require-https-authentication_request,HTTP response from the authorization endpoint,,,"Compliant if the server returns an HTTP error, not compliant otherwise",,Wrong Input,Authentication request,OP authentication requests use HTTPS,"This test is performed trying to make a request to the Authorization endpoint with http and not with https. If the endpoint refuses the connection, then the use of HTTPS is required and thus, the server respects the specification. If otherwise the request is accepted, it means that the server automatically upgrades to HTTPS and then it is not compliant with the specifications.",OP,,,,External: OAuch,OIDC Core,passive,,,Is HTTPS required at the authorization endpoint (IsHttpsRequired),All OP endpoints use https,,,,,It is trivial but in the specification is not specified for the authorization endpoint to have an HTTPS URL,TRUE,x,,,,,,,,, 
+,OP-Authentication request-require-https-revocation_request,HTTP response from the revocation endpoint,,,"Compliant if the server returns an HTTP error, not compliant otherwise",,Wrong Input,Authentication request,OP revocation requests use HTTPS,"This test is performed trying to make a request to the Revocation endpoint with http and not https. If the endpoint refuses the connection, then the use of HTTPS is required and thus, the server respects the specification. 
If otherwise the request is accepted, it means that the server automatically upgrades to HTTPS and then it is not compliant with the specifications.",OP,,,,External: OAuch,OIDC Core,passive,,,Is the revocation endpoint secure (IsRevocationEndpointSecure),Uses https for all endpoints unless only using code flow,,,,,It is trivial but in the specification is not specified for the revocation endpoint to have an HTTPS URL,TRUE,x,,,,,,,,, 
+,OP-Revocation request-require-client-authentication,Revocation response to revocation request without any authentication,,,"Compliant if the server rejects the request, not compliant otherwise",,Wrong Input,Revocation request,Does revocation require client authentication (IsClientAuthRequired),This test checks if the revocation endpoint requires client authentication.,OP,,,,External: OAuch,OIDC Core,active,,,Does revocation require client authentication (IsClientAuthRequired),,,,,,Cannot understand what they mean for authentication method,TRUE,x,,,,,,,,, 
+,OP-Revocation request-tls,Revocation Endpoint URI,,,"Compliant if newer TLS protocols are supported, not compliant otherwise",,Correct Input,Revocation request,Does the revocation endpoint support a modern version of TLS (IsModernTlsSupported),This test determines whether the revocation endpoint supports modern versions of the TLS protocol (v1.2 and higher).,OP,,,,External: OAuch,OIDC Core,passive,,,Does the revocation endpoint support a modern version of TLS (IsModernTlsSupported),,,,,,Not required in the specification. 
Did not understand how the test works,TRUE,x,,,,,,,,, 
+,OP-Userinfo request-form-encoded-body),Userinfo response to a POST request with the token in the body,,,"Compliant if the response is an HTTP 200 OK and thus the server accepts the token in the body, not compliant otherwise",,Correct Input,Userinfo request,Userinfo Endpoint access with form-encoded body method,"This tests makes an authenticated POST request to the UserInfo endpoint with the access token in the body and validates the response. Support for passing an access token in the request body is not required by the standards - if is acceptable for servers not to implement this form, and the test will complete with a 'warning' if the server returns a http error response.",OP,,,,External: OpenID Connect Conformance Profiles v3.0,OIDC Core,passive,,,,Userinfo Endpoint access with form-encoded body method,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, 
+,OP-Userinfo request-correct-request,Userinfo response,,,None,,Correct Input,Userinfo request,request correct,This test simply does a correct request to the userinfo endpoint without analyzing the response,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.0.0,This test simply does a correct request without analyzing the response. 
It is trivial and covered from other tests,TRUE,x,,,,,,,,, 
+,OP-Userinfo response-correct-signature-alg,Userinfo response,,,"Compliant if the userinfo response is signed with RS256, not compliant otherwise",,Correct Input,Userinfo response,Can provide signed userinfo response with RS256,This tests register a client with userinfo_signed_response_alg=RS256 and validates the signed response from the userinfo endpoint,OP,,,,External: OpenID Connect Conformance Profiles v3.0,OIDC Core,passive,,,,Can provide signed userinfo response with RS256,,,,4.4.0,alg parameter is no more used,TRUE,x,,,,,,,,, 
+,OP-Userinfo response-content-type,Userinfo response header,,,"Compliant if the Content-Type header is 'application/jwt', not compliant otherwise",,Correct Input,Userinfo response,4.2.0,response MUST have Content-Type 'application/jwt',OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.2.0,"Not specified in the specification (for CIE, not for SPID) but in the example the content type is ""application/jose""",TRUE,x,,,,,,,,, 
+,OP-Userinfo response-JWT-payload-valid-iat,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the iat claim in the payload and it is a valid unix time, not compliant otherwise",,Correct Input,Userinfo response,4.4.10,Userinfo Signed Token Payload: the value of iat MUST be a valid unix time,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.10,Parameter present in the example but not in the text,TRUE,x,,,,,,,,, 
+,OP-Userinfo response-JWT-payload-correct-iat,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the iat claim in the payload, it is a valid unix time and is less than the current time + 3 min, not compliant otherwise",,Correct Input,Userinfo response,4.4.11,Userinfo Signed Token Payload: the value of iat MUST be < current date + 3min,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.11,Parameter present in the example but not in the text,TRUE,x,,,,,,,,, 
+,OP-Userinfo response-JWT-payload-exp,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the exp claim in the payload, not compliant otherwise",,Correct Input,Userinfo response,4.4.12,Userinfo Signed Token Payload: claim exp MUST be present,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.12,Parameter present in the example but not in the text,TRUE,x,,,,,,,,, 
+,OP-Userinfo response-JWT-payload-valid-exp,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the exp claim in the payload and it is a valid unix time, not compliant otherwise",,Correct Input,Userinfo response,4.4.13,Userinfo Signed Token Payload: the value of exp MUST be a valid unix time,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.13,Parameter present in the example but not in the text,TRUE,x,,,,,,,,, 
+,OP-Userinfo response-JWT-header-kid,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the kid claim in the header, not compliant otherwise",,Correct Input,Userinfo response,4.4.2,Userinfo Signed Token Header: claim kid MUST be present,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.2,Claim present in the example but not in the text of the specification. 
We ignored it,TRUE,x,,,,,,,,, 
+,OP-Userinfo response-JWT-payload-correct-iss,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the iss claim in the payload and it is equal to the URL of the OP, not compliant otherwise",,Correct Input,Userinfo response,4.4.6,Userinfo Signed Token Payload: the value of iss MUST be equal to the URL of the OP,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.6,Nothing about this in the specification,TRUE,x,,,,,,,,, 
+,OP-Userinfo response-JWT-payload-iat,Token returned in the Userinfo response,,,"Compliant if the decrypted token has the iat claim in the payload, not compliant otherwise",,Correct Input,Userinfo response,4.4.9,Userinfo Signed Token Payload: claim iat MUST be present,OP,,,,External: spid-oidc-check-op,OIDC Core,passive,,,,,,,,4.4.9,claim no more required,TRUE,x,,,,,,,,, 
+,OP-OP requests-support-old-tls,OAuth endpoints URI,,,"Compliant if none of them has in the supported protocols older versions of TLS, not compliant otherwise",,Wrong Input,OP requests,Are deprecated TLS versions supported on the OAuth endpoints (IsDeprecatedTlsSupported),This test determines whether the OAuth endpoints supports older versions of the TLS protocol (v1.0 and 1.1) or any version of the SSL protocol.,OP,,,,External: OAuch,OIDC Core,active,,,Are deprecated TLS versions supported on the OAuth endpoints (IsDeprecatedTlsSupported),,,,,,Nothing about this in the specification,TRUE,x,,,,,,,,, 
+,OP-OP requests-trusted-certificate,OAuth authorization URI,,,"Compliant if the URI has a valid certificate, not compliant otherwise",,Correct Input,OP requests,Trusted authorization certificate (HasValidCertificate),This test determines whether the certificate that is being used by the authorization server is widely trusted.,OP,,,,External: OAuch,OIDC Core,passive,,,Trusted authorization certificate (HasValidCertificate),,,,,,"Nothing about certificates in the specification, I think it is a test that does not 
concern properly the CIE ecosystem",TRUE,x,,,,,,,,, 
+,OP-OP responses-attach-fragment,Authentication response,,,"Compliant if the URI has a fragment attached and nothing after it, not compliant otherwise",,Correct Input,OP responses,Does the server attach a fragment (FragmentFix),This test checks whether the server attaches an arbitrary fragment identifier to prevent browsers from reattaching fragments to redirection URLs.,OP,,,,External: OAuch,OIDC Core,passive,,,Does the server attach a fragment (FragmentFix),,,,,,Nothing about fragments in the specification,TRUE,x,,,,,,,,, 
+,OP-OP responses-header-x-frame,Authentication response,,,"Compliant if the response has the X-Frame-Options header, not compliant otherwise",,Correct Input,OP responses,P3_a,All responses from the OP should contain X-Frame-Options header,OP,,,,External: MIG,OIDC Core,passive,,,,,,P3_a,,,Nothing about x-frame-options in the specification,TRUE,x,,,,,,,,, 
+,OP-OP responses-correct-redirect,Authentication response,,,"Compliant if the is not a 307 redirect, not compliant otherwise",,Correct Input,OP responses,P3_b,All responses from the OP should not have HTTP 307 code,OP,,,,External: MIG,OIDC Core,passive,,,,,,P3_b,,,Nothing about 307 redirect in the specification. This should be regulated by the last BCP of OAuth. It could be made more clear by specifying to avoid this kind of redirect,TRUE,x,,,,,,,,, 
+x,TA-Entity Statement response OP-metadata_policy-jwks,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain the jwks parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | jwks,The jwks claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
+x,TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_methods_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_authentication_methods_supported,The request_authentication_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,message type - validate | {head/body/url} | jwt_name | {header/payload} | param_path,,,,,,,TRUE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'value'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_authentication_methods_supported.value,The request_authentication_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-request_authentication_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_methods_supported parameter is present in the openid_provider type and the key 'one_of' is valued with ['request_object'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' and it must be valued with ['request_object']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_authentication_methods_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": ""request_object""}}, ""required"": [""value""]}",The request_authentication_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto 
+x,TA-Entity Statement response OP-metadata_policy-request_authentication_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.request_authentication_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary 
+x,TA-Entity Statement response OP-metadata_policy-request_authentication_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_authentication_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued as ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of | [""RS256"", ""RS512""]",The request_authentication_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto 
+,TA-Entity Statement response OP-metadata_policy-request_object_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the request_object_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'superset_of' or 'subset_of',JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and 'superset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The request_object_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto 
+,TA-Entity Statement response OP-metadata_policy-request_object_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the request_object_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'superset_of' or 'subset_of',JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]} [""RS256"", ""RS512""]",The request_object_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,Clarifying docs,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto 
+o,TA-Entity Statement response OP-metadata_policy-request_parameter_supported,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain the request_parameter_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_parameter_supported,The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-request_parameter_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.request_parameter_supported.value,The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-request_parameter_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the request_parameter_supported parameter is present in the openid_provider type and contains the value 'one_of': ['true'], not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['true']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.request_parameter_supported | {""type"": ""object"", ""properties"": {""value"": {""const"": true}}, ""required"": [""value""]}",The request_parameter_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-response_modes_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_modes_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.response_modes_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}}, ""required"": [""subset_of"", ""superset_of""]}",The response_modes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-response_modes_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_modes_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['form_post', 'query'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' and it is valued with['form_post', 'query']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_modes_supported.subset_of | [""form_post"", ""query""]",The response_modes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-response_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_types_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_types_supported.subset_of,The response_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-response_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the response_types_supported parameter is present in the openid_provider type and contains the value 'one_of': ['code'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['code']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.response_types_supported.subset_of | [""code""]",The response_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-revocation_endpoint_auth_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the revocation_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of,The revocation_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-revocation_endpoint_auth_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the revocation_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['private_key_jwt']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of | [""private_key_jwt""]",The revocation_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-scopes_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the scopes_supported parameter is present in the openid_provider typeand contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.scopes_supported | {""type"": ""object"", ""properties"": {""subset_of"":{}, ""superset_of"":{}}, ""required"": [""subset_of"", ""superset_of""]}",The scopes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-scopes_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the scopes_supported parameter is present in the openid_provider typeand contains the value 'subset_of': ['openid', 'offline_access', 'profile', 'email'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.scopes_supported.subset_of | [""openid"", ""offline_access"", ""profile"", ""email""]",The scopes_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-subject_types_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the subject_types_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.subject_types_supported.subset_of,The subject_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-subject_types_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the subject_types_supported parameter is present in the openid_provider type and contains the value 'one_of': ['pairwise'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['pairwise']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.subject_types_supported.subset_of | [""pairwise""]",The subject_types_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_methods_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of,The token_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro. openid_provider รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_methods_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_methods_supported parameter is present in the openid_provider type and contains the value 'one_of': ['private_key_jwt'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of' valued with ['private_key_jwt']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of | [""private_key_jwt""]",The token_endpoint_auth_methods_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-not-supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and not contains the values ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-token_endpoint_auth_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the token_endpoint_auth_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The token_endpoint_auth_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-userinfo_encryption_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is presentin the openid_provider type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_encryption_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary +x,TA-Entity Statement response OP-metadata_policy-userinfo_encryption_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_alg_values_supported parameter is presentin the openid_provider type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encryption_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response OP-metadata_policy-userinfo_encryption_enc_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_enc_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_encryption_enc_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary
+x,TA-Entity Statement response OP-metadata_policy-userinfo_encryption_enc_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_encryption_enc_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The userinfo_encryption_enc_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response OP-metadata_policy-userinfo_signing_alg_values_supported-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and contains the key 'subset_of', not compliant if is missing or empty",JWT parameter type,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | .metadata_policy.intermediary.userinfo_signing_alg_values_supported | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro intermediary
+x,TA-Entity Statement response OP-metadata_policy-userinfo_signing_alg_values_supported-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the userinfo_signing_alg_values_supported parameter is present in the openid_provider type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response OP,Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The userinfo_signing_alg_values_supported claim MUST be considered in the metadata parameter of type 'openid_provider' within the policy that the TA establishes for an OP,SPID_CIE_OIDC#TA-Metadata-Policy-for-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto
+x,TA-Entity Statement response OP-release,TA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the TA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response OP,Does the TA correctly release the Entity statements,"After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. 
The response is then checked and it must contain the subordinate entity's Entity Statement.",TA,,Entity Statement response TA OP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it.,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,TA-Entity Statement response OP-signature,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the signature is verified, not compliant otherwise",JWT signature check,Correct Input,Entity Statement response OP,Does the TA correctly sign the Entity statements,"In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",TA,,Entity Statement response TA OP | body | [^\r\n]* | X_key_TA,Entity Statements must be signed,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Signature non corretta
+x,TA-Entity Statement response OP-sub,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the TA contain the sub parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,TA-Entity Statement response OP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claim
+o,TA-Entity Statement response OP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the claims claim is a list of JSON Objects, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain a correct claims claim,"In this test, a 
Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims
+x,TA-Entity Statement response OP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the email claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro email
+,TA-Entity Statement response OP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the email claim is of type string, not compliant otherwise",nested 
JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"":""object"",""properties"":{""email"":{""type"":""string"",""format"":""email""}},""required "":[""email""]}",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No email
+x,TA-Entity Statement response OP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the exp claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro exp
+x,TA-Entity Statement response OP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain 
the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No exp
+x,TA-Entity Statement response OP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response OP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""fiscal_number"": {}, ""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. 
The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code
+x,TA-Entity Statement response OP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iat claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+,TA-Entity Statement response OP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": 
[""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,TA-Entity Statement response OP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the id claim,"The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response OP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the id_code claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro id_code
+x,TA-Entity Statement response OP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | $.id_code.ipa_code,The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code
+x,TA-Entity Statement response OP-trust_mark-ipa_code-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the ipa_code in the id_code claim of a trust mark is a string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. 
It has to be a string",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""ipa_code"": { ""type"":""string""}},""required"":[""ipa_code""]}},""required"":[""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code
+,TA-Entity Statement response OP-trust_mark-ipa_code-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim for public organizations,nested JWT parameter type,Correct Input,Entity Statement response OP,Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations.,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,,F,failed,[ORA] Manca id_code
+,TA-Entity 
Statement response OP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iss claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,TA-Entity Statement response OP-trust_mark-iss-value,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the iss claim is an URL identifying the TA, not compliant otherwise",nested JWT Check-Save to JWT,Correct Input,Entity Statement response OP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",TA,Entity Configuration response TA | body | [^\r\n]* | payload | iss | valid_iss,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Active,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
+x,TA-Entity Statement response OP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the logo_uri claim is present in the 
trust_mark JWT in the trust_marks parameter, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro logo_uri
+x,TA-Entity Statement response OP-trust_mark-logo_uri-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the logo_uri parameter in the trust mark in the trust marks parameter of the response is an URI, not compliant otherwise ",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain a correct logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro logo_uri
+x,TA-Entity Statement response OP-trust_mark-organization_name,Trust Mark generated by TA or 
SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_name claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_name
+x,TA-Entity Statement response OP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC 
Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No organization_name
+x,TA-Entity Statement response OP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_type claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_type
+o,TA-Entity Statement response OP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the organization_type claim is 'public' or 'private', not compliant otherwise",JWT list values,Correct Input,Entity Statement response OP,Does the Trust Mark contain a correct organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark.organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC 
Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro organization_type +x,TA-Entity Statement response OP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri +o,TA-Entity Statement response OP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the policy_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": 
""uri-reference""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri +x,TA-Entity Statement response OP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the ref claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response OP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", 
""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +o,TA-Entity Statement response OP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response OP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | sa_profile | [""light"", ""full""]","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro sa_profile +x,TA-Entity Statement response OP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust 
Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation +o,TA-Entity Statement response OP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca 
parametro service_documentation +o,TA-Entity Statement response OP-trust_mark-signature,Entity statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the signature is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response OP,Does the TA correctly sign the issued Trust Mark,"To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_TA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed, +x,TA-Entity Statement response OP-trust_mark-sub,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sub claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the Trust Mark contain sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sub,The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response OP-trust_mark-sub-value,Trust Mark generated by TA or SA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the sub claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the Trust Mark contain a correct sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""sub""]}",The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response OP-trust_mark-tos_uri,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the tos_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain the tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | tos_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri 
claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro tos_uri +o,TA-Entity Statement response OP-trust_mark-tos_uri-type,Trust Mark generated for an AA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the tos_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response OP,Does the issued oauth_resource Trust Mark contain a correct tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",TA,,"Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""tos_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""tos_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro tos_uri +x,TA-Entity Statement response OP-trust_marks,Entity Statement issued by the TA,Entity Statement response TA OP,Trigger Entity Statement response TA OP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response OP,Does Entity Statements issued by the TA contain the trust_marks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the 
TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",TA,,Entity Statement response TA OP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-constraints,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the constraints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the TA contain the constraints parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | constraints,The constraints parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. 
constraints si trova in metadata_policy +,TA-Entity Statement response RP-exp,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the exp parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the TA contain the exp parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | exp,The exp parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-iat,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the TA contain the iat parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | iat,The iat parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-id_code-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_code claim is a JSON Object, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""id_code""]}",The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro id_code +x,TA-Entity Statement response RP-iss,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iss parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statement issued by the TA contain the iss parameter,"In order to check if the TA issues correct 
Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | iss,The iss parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-jwks,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the jwks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the TA contain the jwks parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | jwks,The jwks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-metadata_policy,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the metadata_policy parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the TA contain the metadata_policy parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. 
It must be a JSON Object",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy,The metadata_policy parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response RP-metadata_policy-client_registration_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the client_registration_types parameter is present in the openid_relying_party type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.client_registration_types.subset_of,The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro client_registration_types +x,TA-Entity Statement response RP-metadata_policy-client_registration_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the client_registration_types parameter is present in the openid_relying_party type and contains the value 'one_of': ['automatic'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['automatic']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.client_registration_types.subset_of | [""automatic""]",The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response RP-metadata_policy-grant_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the grant_types parameter inside the openid_relying_party type is present and it contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct grant_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' and 'superset_of'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | .metadata_policy.openid_relying_party.grant_types | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of"", ""superset_of""]}",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca superset_of +x,TA-Entity Statement response RP-metadata_policy-grant_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the grant_types parameter inside the openid_relying_party type is present and it contains the value 'subset_of: [authorization_code, refresh_token]', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct grant_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.grant_types.subset_of | [""authorization_code"", ""refresh_token""]",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of,The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_encrypted_response_alg +x,TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_enc parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of,The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_encrypted_response_enc +x,TA-Entity Statement response RP-metadata_policy-id_token_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_enc parameter is present in the openid_relying_party type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of | [""A128CBC-HS256"" , ""A256CBC-HS512""]",The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response RP-metadata_policy-id_token_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_signed_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of,The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro id_token_signed_response_alg +x,TA-Entity Statement response RP-metadata_policy-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_signed_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of | [""RS256"" , ""RS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response RP-metadata_policy-incorrect-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_token_encrypted_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant if present",JWT list parameter does not contain,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of | [""RSA_1_5""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. +x,TA-Entity Statement response RP-metadata_policy-incorrect-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the value of id_token_signed_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not compliant if present",JWT list parameter does not contain,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. +x,TA-Entity Statement response RP-metadata_policy-incorrect-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of | [""RSA_1_5""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. +x,TA-Entity Statement response RP-metadata_policy-incorrect-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and the key 'subset_of' does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro. +x,TA-Entity Statement response RP-metadata_policy-jwks,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the jwks parameter is present inside the openid_relying_party type of the metadata_policy, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain the jwks parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. 
It must contain the RP JWKS related to the OIDC Core operations",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | jwks,The jwks claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-metadata_policy-response_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the response_types parameter is present in the openid_relying_party type and contains the key 'value', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct response_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value,The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca response_types +,TA-Entity Statement response RP-metadata_policy-response_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the response_types parameter is present in the openid_relying_party type and contains the key 'value', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct response_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. 
It must contain the key 'value'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value | [""code""]",The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca response_types +x,TA-Entity Statement response RP-metadata_policy-token_endpoint_auth_method-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the token_endpoint_auth_method parameter is present in the openid_relying_party type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of,The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro token_endpoint_auth_method +x,TA-Entity Statement response RP-metadata_policy-token_endpoint_auth_method-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the token_endpoint_auth_method parameter is present in the openid_relying_party type and contains the value 'one_of': ['private_key'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['private_key']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of | [""private_key""]",The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant if it is missing or empty",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of,The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_encrypted_response_alg +x,TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +o,TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_enc parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of,The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_encrypted_response_enc +o,TA-Entity Statement response RP-metadata_policy-userinfo_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_encrypted_response_enc parameter is present in the openid_relying_party type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of | [""A128CBC-HS256"" , ""A256CBC-HS512""]",The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +x,TA-Entity Statement response RP-metadata_policy-userinfo_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of,The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro userinfo_signed_response_alg +x,TA-Entity Statement response RP-metadata_policy-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the userinfo_signed_response_alg parameter is present in the openid_relying_party type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response RP,Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. 
It must contain the key 'one_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of | [""RS256"", ""RS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an RP,SPID_CIE_OIDC#TA-Metadata-Policy-for-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,TBD,failed,Manca parametro. metadata_policy contiene solo openid_provider ma รจ vuoto +,TA-Entity Statement response RP-release,TA's fetch Entity Statement Endpoint response regarding the Entity we are considering,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the TA's return the Entity Statement regarding the Entity we are considering, not compliant otherwise",HTTP parameter type,Correct Input,Entity Statement response RP,Does the TA correctly release the Entity statements,"After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. 
The response is then checked and it must contain the subordinate entity's Entity Statement.",TA,,Entity Statement response TA RP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),The Federation Authority or an Intermediary MUST publish the Leaf Entity Statement containing the Federation public keys of the onboarded Entity and the TMs released for it.,SPID_CIE_OIDC#Entity-Statement; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-signature,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the signature is verified, not compliant otherwise",JWT signature check,Correct Input,Entity Statement response RP,Does the TA correctly sign the Entity statements,"In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",TA,,Entity Statement response TA RP | body | [^\r\n]* | X_key_TA,Entity Statements must be signed,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Signature non corretta +,TA-Entity Statement response RP-sub,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sub parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the TA contain the sub parameter,"In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. 
Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | sub,The sub parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-trust_mark-claims,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the claims claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain the claims claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | claims,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims +,TA-Entity Statement response RP-trust_mark-claims-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the claims claim is a list of JSON Objects, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain a correct claims 
claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""claims"": {""type"": ""object"", ""additionalProperties"": {""type"": ""object""}}},""required"": [""claims""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the claims claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro claims +,TA-Entity Statement response RP-trust_mark-email,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the email claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | email,The issued Trust Marks must have the email claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro email +,TA-Entity Statement response RP-trust_mark-email-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the email claim is of type string, not 
compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain the correct type of the email claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ""object "", ""properties "": { ""email "": { ""type "": ""string "", ""format "": ""email "" } }, ""required "": [ ""email ""] } ",The issued Trust Marks must have the email claim as string,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No email +,TA-Entity Statement response RP-trust_mark-exp,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the exp claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the exp claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | exp,The issued Trust Marks must have the exp claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro exp +x,TA-Entity Statement response RP-trust_mark-exp-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the exp claim is UNIX Timestamp, not compliant otherwise",nested JWT parameter type,Correct 
Input,Entity Statement response RP,Does the Trust Mark contain the exp type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""exp"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": [""exp""]}",The issued Trust Marks must have the exp claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No exp +,TA-Entity Statement response RP-trust_mark-fiscal_number-or-vat_number,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the fiscal_number or vat_number claim,nested JWT parameter type,Correct Input,Entity Statement response RP,Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim,"In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""fiscal_number"": {}, ""vat_number"":{}},""anyOf"":[{""required"":[""fiscal_number""]},{""required"":[""vat_number""]}]}},""required"":[""id_code""]}",The vat_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the fiscal_number claim. 
The fiscal_number claim is required in the id_code claim of Trust Marks issued for private Organizations if there is not the vat_number claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code +,TA-Entity Statement response RP-trust_mark-iat,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the iat claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iat,The issued Trust Marks must have the iat claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-trust_mark-iat-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iat type is in UNIX Timestamp in the trust mark payload, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain the correct iat type,"In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""iat"": { ""type"": ""integer"", ""minimum"": 0 } }, ""required"": 
[""iat""]}",The issued Trust Marks must have the iat claim in UNIX Timestamp,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +,TA-Entity Statement response RP-trust_mark-id,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the id claim,"The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id,The issued Trust Marks must have the id claim. The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-trust_mark-id_code,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id_code claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain id_code claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id_code,The issued Trust Marks must have the id_code claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro id_code +,TA-Entity Statement response RP-trust_mark-id-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the id is 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile is 'public' or private', not compliant otherwise",/ manual: wrong parameter,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct id claim,"The id of the trust mark must have the structure ///. So in this test, an issued Trust Mark must be taken, decrypted and the value of the id claim can be one among 'openid_relying_party', 'openid_provider', 'intermediary' 'oauth_resource', whereas the trustmark profile can be 'public' or 'private'",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | id | openid_relying_party | openid_provider | intermediate | oauth_resource,The issued Trust Marks must have the id claim. 
The id in the trust mark is an URL with the following structure: ///,SPID_CIE_OIDC#Trust-Mark-Composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-trust_mark-ipa_code,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim,nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | $.id_code.ipa_code,The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code +,TA-Entity Statement response RP-trust_mark-ipa_code-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the ipa_code in the id_code claim of a trust mark is a string, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of 
the 'ipa_code' in the id_code claim is checked. It has to be a string",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""id_code"": {""type"":""object"", ""properties"": {""ipa_code"": { ""type"":""string""}},""required"":[""ipa_code""]}},""required"":[""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,[ORA] Manca id_code +,TA-Entity Statement response RP-trust_mark-ipa_code-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,Compliant if the id_code claim of the trust mark in the trust marks parameter contains the ipa_code claim for public organizations,nested JWT parameter type,Correct Input,Entity Statement response RP,Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim,"In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": { ""id_code"": { ""type"": ""object"", ""properties"": {""ipa_code"": {}},""required"": [""ipa_code""]}},""required"": [""id_code""]}",The ipa_code claim is required in the id_code claim of Trust Marks issued for public Organizations.,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema 
implementazione,,F,failed,[ORA] Manca id_code +x,TA-Entity Statement response RP-trust_mark-iss,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iss claim is present, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response RP-trust_mark-iss-value,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the iss claim is an URL identifying the TA, not compliant otherwise",nested JWT Check-Save to JWT,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct iss claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",TA,Entity Configuration response TA | body | [^\r\n]* | payload | iss | valid_iss,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | iss,The issued Trust Marks must have the iss claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Active,M,Mismatch of parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-trust_mark-logo_uri,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement 
response TA RP,"Compliant if the logo_uri claim is present in the trust_mark JWT in the trust_marks parameter, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | logo_uri,The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,Manca parametro logo_uri +,TA-Entity Statement response RP-trust_mark-logo_uri-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the logo_uri parameter in the trust mark in the trust marks parameter of the response is an URI, not compliant otherwise ",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct logo_uri claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""logo_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""logo_uri""]}",The issued Trust Marks must have the logo_uri claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro logo_uri +,TA-Entity Statement response 
RP-trust_mark-organization_name,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_name claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_name,The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_name +x,TA-Entity Statement response RP-trust_mark-organization_name-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_name claim is type string and has value ""public"" or ""private"", not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain the correct type of organization_name claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | { ""type "": ย ""object "", ""properties "": { ""organization_name "": { ""type "": ย ""string "", ""enum "": [ ""private "", ย ""public ""]}}, ""required "": [ ""organization_name ""]}",The issued Trust Marks must have the organization_name claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,No organization_name +,TA-Entity Statement response RP-trust_mark-organization_type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_type claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | organization_type,The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro organization_type +,TA-Entity Statement response RP-trust_mark-organization_type-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the organization_type claim is 'public' or 'private', not compliant otherwise",JWT list values,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct organization_type claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | organization_type | [""public"", ""private""]",The issued Trust Marks must have the organization_type claim,SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro organization_type +,TA-Entity Statement response RP-trust_mark-policy_uri,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the policy_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain the policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | policy_uri,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri +,TA-Entity Statement response RP-trust_mark-policy_uri-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the policy_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain a correct policy_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | 
trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""policy_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""policy_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the policy_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro policy_uri +,TA-Entity Statement response RP-trust_mark-ref,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the ref claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | ref,The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response RP-trust_mark-ref-type,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the ref claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain an URL in the ref claim,"In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",TA,,"Entity Statement response TA RP | body | [^\r\n]* | 
payload | trust_marks[0].trust_mark | payload | | { ""type"": ""object"", ""properties"": { ""ref"": { ""type"": ""string"", ""format"": ""uri"" } }, ""required"": [""ref""] }",The issued Trust Marks must have the ref claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +,TA-Entity Statement response RP-trust_mark-sa_profile-value,Trust Mark generated for an SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sa_profile claim is 'full' or 'light', not compliant otherwise",nested JWT parameter values,Correct Input,Entity Statement response RP,Does the issued intermediary Trust Mark contain a correct sa_profile claim,"A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | sa_profile | [""light"", ""full""]","In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro sa_profile +,TA-Entity Statement response RP-trust_mark-service_documentation,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the service_documentation claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity 
Statement response RP,Does the issued oauth_resource Trust Mark contain the service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | service_documentation,"In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation +,TA-Entity Statement response RP-trust_mark-service_documentation-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the service_documentation claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain a correct service_documentation claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""service_documentation"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""service_documentation""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the service_documentation claim:",SPID_CIE_OIDC#Trust-Mark-composition; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro service_documentation +,TA-Entity Statement response RP-trust_mark-signature,Entity statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the signature is valid, not compliant otherwise",nested JWT signature check,Correct Input,Entity Statement response RP,Does the TA correctly sign the issued Trust Mark,"To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | X_key_TA,The Trust Marks (TM) are signed JWT,SPID_CIE_OIDC#Trust-Marks; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed, +,TA-Entity Statement response RP-trust_mark-sub,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sub claim is present in the trust mark, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the Trust Mark contain sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload 
| trust_marks | trust_mark | payload | sub,The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-trust_mark-sub-value,Trust Mark generated by TA or SA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the sub claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the Trust Mark contain a correct sub claim,"In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""sub"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""sub""]}",The issued Trust Marks must have the sub claim,SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +,TA-Entity Statement response RP-trust_mark-tos_uri,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the tos_uri claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain the tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | tos_uri,"In addition to the claims 
of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro tos_uri +,TA-Entity Statement response RP-trust_mark-tos_uri-type,Trust Mark generated for an AA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the tos_uri claim is an URL, not compliant otherwise",nested JWT parameter type,Correct Input,Entity Statement response RP,Does the issued oauth_resource Trust Mark contain a correct tos_uri claim,"In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",TA,,"Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks[0].trust_mark | payload | | {""type"": ""object"", ""properties"": {""tos_uri"": {""type"": ""string"", ""format"": ""uri-reference""}}, ""required"": [""tos_uri""]}","In addition to the claims of the public and private profiles, the profile oauth_resource identifies the AA and adds the tos_uri claim:",SPID_CIE_OIDC#Trust-Mark-composition; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#composizione-dei-trust-mark,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,P,F,failed,Manca parametro tos_uri +,TA-Entity Statement response RP-trust_marks,Entity Statement issued by the TA,Entity Statement response TA RP,Trigger Entity Statement response TA RP,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Statement response RP,Does Entity Statements issued by the TA contain the trust_marks parameter,"In order to check if the TA 
issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",TA,,Entity Statement response TA RP | body | [^\r\n]* | payload | trust_marks,The trust_marks parameter is required in the Entity Statement released by the TA,SPID_CIE_OIDC#Entity-Statements; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#id2,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,TA-Entity Statement response SA-metadata_policy-client_registration_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the client_registration_types parameter is present in the intermediary type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.client_registration_types.subset_of,The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-client_registration_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the client_registration_types parameter is present in the intermediary type and contains the value 'one_of': ['automatic'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. 
It must contain the key 'one_of' valued with ['automatic']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.client_registration_types.subset_of | [""automatic""]",The client_registration_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-grant_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the grant_types parameter is present in the intermediary type and it contains the key 'subset_of', not compliant otherwise",JWT parameter type,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct grant_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' and 'superset_of'",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | .metadata_policy.intermediary.grant_types | {""type"": ""object"", ""properties"": {""subset_of"": {}, ""superset_of"": {}}, ""required"": [""subset_of""], [""superset_of""]}",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,L,Type mismatch,,,,,,,From the trust marks table I assumed the correct type is intermediary,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-grant_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the grant_types parameter is present in the intermediary type and it contains the value 'subset_of: [authorization_code, refresh_token]', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct grant_types parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.grant_types.subset_of | [""authorization_code"", ""refresh_token]",The grant_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,From the trust marks table I assumed the correct type is intermediary,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_alg parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_alg.one_of,The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_enc parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_enc.one_of,The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-id_token_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_enc parameter is present in the intermediary type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_enc.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The id_token_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-id_token_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_signed_response_alg parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signed_response_alg.one_of,The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_signed_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signed_response_alg.one_of | [""RS256"", ""RS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-incorrect-id_token_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_encrypted_response_alg parameter is present in the intermediary type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_encrypted_response_alg.one_of | [""RSA_1_5""]",The id_token_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-incorrect-id_token_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the id_token_signed_response_alg parameter is present in the intermediary type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.id_token_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The id_token_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-incorrect-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_alg parameter is present in the intermediary type and the key 'subset_of' does not contain the value ['RSA_1_5'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
The key 'subset_of' must not contain the value ['RSA_1_5']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of | [""RSA_1_5""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-incorrect-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_signed_response_alg parameter is present in the intermediary type and the key 'subset_of' does not contain the values ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signed_response_alg.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +,TA-Entity Statement response SA-metadata_policy-response_types-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if theresponse_types parameter is present in the intermediary type and it contains the key 'value', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct response_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. 
It must contain the key 'value'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value,The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,From the trust marks table I assumed the correct type is intermediary,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +,TA-Entity Statement response SA-metadata_policy-response_types-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if theresponse_types parameter is present in the intermediary type and it contains the key 'value', not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct response_types parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. 
It must contain the key 'value' with value 'code'",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.openid_relying_party.response_types.value | [""code""]",The response_types claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,From the trust marks table I assumed the correct type is intermediary,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-token_endpoint_auth_method-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the token_endpoint_auth_method parameter is present in the intermediary type and contains the key 'one_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. 
It must contain the key 'one_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_method.one_of,The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-token_endpoint_auth_method-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the token_endpoint_auth_method parameter is present in the intermediary type and contains the value 'one_of': ['private_key'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. 
It must contain the key 'one_of' valued with ['private_key']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.token_endpoint_auth_method.one_of | [""private_key""]",The token_endpoint_auth_method claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_alg parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of,The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RSA-OAEP', 'RSA-OAEP-256'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of | [""RSA-OAEP"", ""RSA-OAEP-256""]",The userinfo_encrypted_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_enc-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_enc parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of,The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-userinfo_encrypted_response_enc-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_encrypted_response_enc parameter is present in the intermediary type and contains the value 'subset_of': ['A128CBC-HS256', 'A256CBC-HS512'], not compliant otherwise",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of | [""A128CBC-HS256"", ""A256CBC-HS512""]",The userinfo_encrypted_response_enc claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-userinfo_signed_response_alg-key,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_signed_response_alg parameter is present in the intermediary type and contains the key 'subset_of', not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of'",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signed_response_alg.one_of,The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-metadata_policy-userinfo_signed_response_alg-value,Metadata policy in an Entity Statement issued by the TA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the userinfo_signed_response_alg parameter is present in the intermediary type and contains the value 'subset_of': ['RS256', 'RS512'], not compliant if it is missing or empty",JWT list parameter contains,Correct Input,Entity Statement response SA,Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value,"In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['RS256', 'RS512']",TA,,"Entity Statement response TA SA | body | [^\r\n]* | payload | metadata_policy.intermediary.userinfo_signed_response_alg.one_of | [""RS256"", ""RS512""]",The userinfo_signed_response_alg claim MUST be considered in the metadata parameter of type 'openid_relying_party' within the policy that the TA establishes for an SA,SPID_CIE_OIDC#TA-Metadata-Policy-for-SA; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_statement.html#metadata-policy,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,N_A,not_applicable,Entity Statement response SA +x,TA-Entity Statement response SA-trust_mark-sa_profile,Trust Mark generated for an SA,Entity Statement response TA SA,Trigger Entity Statement response TA SA,"Compliant if the sa_profile claim is present in the trust mark payload, not compliant otherwise",nested JWT parameter presence,Correct Input,Entity Statement response SA,Does the issued intermediary Trust Mark contain the sa_profile claim,"A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",TA,,Entity Statement response TA SA | body | [^\r\n]* | payload | trust_marks | trust_mark | payload | sa_profile,"In addition to the claims of the public and private profiles, the profile intermediary identifies the SA and adds the extensions full and light in the sa_profile claim, according to the ways of operation towards the subordinate Entities.",SPID_CIE_OIDC#federation_entity-Trust-Mark; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#federation-entity-trust-mark,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Non supportato,N_A,N_A,not_applicable,Manca parametro sa_profile +x,TA-Fetch Entity Statement response OP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement 
response TA OP,Trigger Fetch Entity Statement response TA OP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response OP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",TA,,Fetch Entity Statement response TA OP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Fetch Entity Statement response TA OP +,TA-Fetch Entity Statement response RP-exposed,Fetch Entity Statement Endpoint endpoint response,Fetch Entity Statement response TA RP,Trigger Fetch Entity Statement response TA RP,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Fetch Entity Statement response RP,Does the Entity expose the fetch entity statement endpoint,"In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",TA,,Fetch Entity Statement response TA RP | body | ([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In addition to the Federation 
endpoints reported before, the Entities of type TA or SA MUST provide the fetch entity statement endpoint. It returns the ESs regarding a direct subordinate subject. For obtaining the ES of an Entity, at least its Entity identifier is needed",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Fetch Entity Statement response TA RP +x,TA-Public Keys History response-published,TA's public keys history response,TA's public keys history response,Trigger Public Keys History response,"Compliant if the response contains a JWT, not compliant otherwise",HTTP parameter type,Correct Input,Public Keys History response,Does the TA publish the federation public key history,An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed,TA,,"Public Keys History response | body | \[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$","In order to enable the verification of messages exchanged by Entities participating in the federation and their Trust Chains, the TA MUST publish the federation public key history (JWKS) within a registry made available to all participants via the /.well-known/openid-federation-jwks endpoint.",SPID_CIE_OIDC#Retention-Policy; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/log_management.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Public Keys History response +x,TA-Trust Mark status response OP-exposed-OP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response TA OP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: status code,Correct Input,Trust Mark status response OP,Does the TA Trust Mark Status endpoint 
effectively verify valid Trust Marks of OP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the OP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",TA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,L,Return wrong status code,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Problema implementazione,F,F,failed,[SAME] Manca trust_mark in OP in EC +x,TA-Trust Mark status response OP-not_valid-trust_mark-OP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response OP,Does the TA's trust mark status endpoint correctly refuses a not-valid id Trust Marks OP,"In order to check if the trust mark status endpoint of a TA correctly refuses invalid trust marks OP, a invalid trust mark can be sent to the endpoint and the response analyzed",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. 
In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, +x,TA-Trust Mark status response RP-exposed-RP,Trust Mark Status Response,Trust Mark status endpoint response,Trigger Trust Mark status response TA RP,HTTP 200 OK response containing the claim 'active' set to true,/ manual: check flow,Correct Input,Trust Mark status response RP,Does the TA Trust Mark Status endpoint effectively verify valid Trust Marks of RP,"To check if the trust mark status endpoint accurately verifies valid trust marks, valid trust marks obtained directly from the RP Entity Configuration response can be sent to the endpoint dynamically according to the 'iss' of the trust mark, and the response can be analyzed.",TA,,,"In addition to the Federation endpoints reported before, the Entities of type TA or SA MUST provide the trust mark status endpoint. 
It allows an Entity to test if a TM is still active or not.",SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, +x,TA-Trust Mark status response RP-not_valid-trust_mark-RP,Trust Mark status endpoint response,Trust Mark status endpoint response,Trust Mark status request with a non-valid Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response RP,Does the TA's trust mark status endpoint correctly refuses a not-valid id Trust Marks RP,"In order to check if the trust mark status endpoint of a TA correctly refuses invalid trust marks RP, a invalid trust mark can be sent to the endpoint and the response analyzed",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,,P,P,passed, +x,TA-Trust Mark status response-different-entity-trust_mark,Trust Mark status endpoint response,Trust Mark status response TA (endpoint response),Trust Mark status invalid request,"Compliant if the Trust Mark status response is an HTTP 400 because of invalid_request, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response,Does the TA checks Trust Marks not issued by the Entity,"In this test, a valid Trust Mark issued by another entity is sent to an TA. 
If it validates the Trust Mark, than is not compliant with the specifications",TA,,,trust mark status endpoint: allows an Entity to test if a TM is still active or not. The request MUST be sent to the subject that has released that TM.,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 - active: false
+o,TA-Trust Mark status response-revocated-trust_mark,Trust Mark status endpoint response,Trust Mark status response TA (endpoint response),Trust Mark status endpoint request with invalidated Trust Mark,"Compliant if the response contains an active claim set to false, not compliant otherwise",/ manual: TM check content,Wrong Input,Trust Mark status response,Does the TA invalidate revocated trust marks,"In order to check if a TA correctly invalidate a Trust Mark, a Trust Mark revocation request on a Trust Mark has to be made and then the trust mark status endpoint must be fetched. If the response says that the trust mark is invalid, than it is correctly invalidated, otherwise the TA is not compliant with the specification",TA,,,"A Trust Mark can be revoked at any moment only and exclusively by the issuing subject. In case of TM revocation, the dynamic validation gives a negative result",SPID_CIE_OIDC#Trust-Marks-Revocation; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_marks.html#revoca-dei-trust-mark,OIDC Federation,Active,H,The severity is based on whether the TM is still active or not,,,,,,,,FALSE,,,yes,"[""s1-logout""]",E,Messaggio non presente,N_A,N_A,not_applicable,
\ No newline at end of file
diff --git a/tools/testplan-to-mr/testplan-to-mr.py b/tools/testplan-to-mr/testplan-to-mr.py
index 86f99ac..7ceaf3c 100644
--- a/tools/testplan-to-mr/testplan-to-mr.py
+++ b/tools/testplan-to-mr/testplan-to-mr.py
@@ -232,6 +232,10 @@ def createJson(table: pd.DataFrame, pattern: str, entity: str) -> list:
 #handling errors
 global flag
+
+ message_split = [msg.replace("X_key_ALL", "X_key_"+entity) if "X_key_ALL" in msg else msg for msg in message_split]
+ message_split = [msg.replace("X_url_ALL", "X_key_"+entity) if "X_url_ALL" in msg else msg for msg in message_split]
+
 used_item = deepcopy(message_split)
 template = json.load(openfile)
From ef13f1bec2bd2bc160ce4ef887cbc5151cbf69e8 Mon Sep 17 00:00:00 2001
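Review bot: The second added comprehension replaces `X_url_ALL` with `"X_key_"+entity`, so a URL placeholder for the ALL entity is rewritten into a key placeholder; unless that asymmetry is intended, the line should read `message_split = [msg.replace("X_url_ALL", "X_url_"+entity) for msg in message_split]`. The `if "X_url_ALL" in msg else msg` guard on both lines is redundant, because `str.replace` returns the string unchanged when the substring is absent, so both comprehensions can drop it. A one-line comment such as `# specialise the ALL placeholders to the entity this test plan is generated for` would make the purpose of the substitution clear at a glance. createJson's body starts and ends outside the hunk.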
From: marche271 Date: Wed, 10 Apr 2024 12:45:14 +0200 Subject: [PATCH 4/5] Update testplan to check one occurence + added ALL in their entity --- .../wrong_input-JWT parameter not in.json | 37 + ...uration response-correct-content-type.json | 33 + ...figuration response-correct-http-code.json | 32 + ...ntity Configuration response-exp-type.json | 39 + ...ALL-Entity Configuration response-exp.json | 39 + ...Entity Configuration response-exposed.json | 32 + ...ntity Configuration response-iat-type.json | 39 + ...ALL-Entity Configuration response-iat.json | 39 + ...ALL-Entity Configuration response-iss.json | 39 + ...L-Entity Configuration response-issue.json | 32 + ...LL-Entity Configuration response-jwks.json | 39 + ...ponse-metadata-federation_entity-once.json | 48 + ...adata-oauth_authorization_server-once.json | 48 + ...response-metadata-oauth_resource-once.json | 48 + ...esponse-metadata-openid_provider-once.json | 48 + ...se-metadata-openid_relying_party-once.json | 48 + ... Configuration response-metadata-type.json | 39 + ...onfiguration response-metadata-value.json} | 6 +- ...ntity Configuration response-metadata.json | 39 + ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 2 +- ...ALL-Entity Configuration response-sub.json | 39 + ...y Statement endpoint response-exposed.json | 32 + .../input/mig-t/tests/single/AA/All_AA.json | 721 +- .../mig-t/tests/single/AA/All_AA_Passive.json | 721 +- .../mig-t/tests/single/ALL_Session1.json | 20227 ++++++++-------- ...uration response-correct-content-type.json | 33 + ...figuration response-correct-http-code.json | 32 + ...ntity Configuration response-exp-type.json | 39 + ...ALL-Entity Configuration response-exp.json | 39 + ...Entity Configuration response-exposed.json | 32 + ...ntity Configuration response-iat-type.json | 39 + ...ALL-Entity Configuration response-iat.json | 39 + ...ALL-Entity Configuration response-iss.json | 39 + ...L-Entity Configuration 
response-issue.json | 32 + ...LL-Entity Configuration response-jwks.json | 39 + ...ponse-metadata-federation_entity-once.json | 48 + ...adata-oauth_authorization_server-once.json | 48 + ...response-metadata-oauth_resource-once.json | 48 + ...esponse-metadata-openid_provider-once.json | 48 + ...se-metadata-openid_relying_party-once.json | 48 + ... Configuration response-metadata-type.json | 39 + ...onfiguration response-metadata-value.json} | 6 +- ...ntity Configuration response-metadata.json | 39 + ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 2 +- ...ALL-Entity Configuration response-sub.json | 39 + ...y Statement endpoint response-exposed.json | 32 + .../input/mig-t/tests/single/OP/All_OP.json | 7989 +++--- .../mig-t/tests/single/OP/All_OP_Passive.json | 2223 +- .../input/mig-t/tests/single/PASSIVE.json | 13077 +++++----- ...uration response-correct-content-type.json | 33 + ...figuration response-correct-http-code.json | 32 + ...ntity Configuration response-exp-type.json | 39 + ...ALL-Entity Configuration response-exp.json | 39 + ...Entity Configuration response-exposed.json | 32 + ...ntity Configuration response-iat-type.json | 39 + ...ALL-Entity Configuration response-iat.json | 39 + ...ALL-Entity Configuration response-iss.json | 39 + ...L-Entity Configuration response-issue.json | 32 + ...LL-Entity Configuration response-jwks.json | 39 + ...ponse-metadata-federation_entity-once.json | 48 + ...adata-oauth_authorization_server-once.json | 48 + ...response-metadata-oauth_resource-once.json | 48 + ...esponse-metadata-openid_provider-once.json | 48 + ...se-metadata-openid_relying_party-once.json | 48 + ... 
Configuration response-metadata-type.json | 39 + ...onfiguration response-metadata-value.json} | 6 +- ...ntity Configuration response-metadata.json | 39 + ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 4 +- ...ALL-Entity Configuration response-sub.json | 39 + ...y Statement endpoint response-exposed.json | 32 + .../input/mig-t/tests/single/RP/All_RP.json | 2935 +-- .../mig-t/tests/single/RP/All_RP_Passive.json | 2369 +- ...uration response-correct-content-type.json | 33 + ...figuration response-correct-http-code.json | 32 + ...ntity Configuration response-exp-type.json | 39 + ...ALL-Entity Configuration response-exp.json | 39 + ...Entity Configuration response-exposed.json | 32 + ...ntity Configuration response-iat-type.json | 39 + ...ALL-Entity Configuration response-iat.json | 39 + ...ALL-Entity Configuration response-iss.json | 39 + ...L-Entity Configuration response-issue.json | 32 + ...LL-Entity Configuration response-jwks.json | 39 + ...ponse-metadata-federation_entity-once.json | 48 + ...adata-oauth_authorization_server-once.json | 48 + ...response-metadata-oauth_resource-once.json | 48 + ...esponse-metadata-openid_provider-once.json | 48 + ...se-metadata-openid_relying_party-once.json | 48 + ... Configuration response-metadata-type.json | 39 + ...onfiguration response-metadata-value.json} | 6 +- ...ntity Configuration response-metadata.json | 39 + ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 4 +- ...ALL-Entity Configuration response-sub.json | 39 + ...y Statement endpoint response-exposed.json | 32 + .../input/mig-t/tests/single/SA/All_SA.json | 2565 +- .../mig-t/tests/single/SA/All_SA_Passive.json | 2565 +- ... 
Statement response RP-trust_mark-iat.json | 10 +- ...uration response-correct-content-type.json | 33 + ...figuration response-correct-http-code.json | 32 + ...ntity Configuration response-exp-type.json | 39 + ...ALL-Entity Configuration response-exp.json | 39 + ...Entity Configuration response-exposed.json | 32 + ...ntity Configuration response-iat-type.json | 39 + ...ALL-Entity Configuration response-iat.json | 39 + ...ALL-Entity Configuration response-iss.json | 39 + ...L-Entity Configuration response-issue.json | 32 + ...LL-Entity Configuration response-jwks.json | 39 + ...ponse-metadata-federation_entity-once.json | 48 + ...adata-oauth_authorization_server-once.json | 48 + ...response-metadata-oauth_resource-once.json | 48 + ...esponse-metadata-openid_provider-once.json | 48 + ...se-metadata-openid_relying_party-once.json | 48 + ... Configuration response-metadata-type.json | 39 + ...onfiguration response-metadata-value.json} | 6 +- ...ntity Configuration response-metadata.json | 39 + ...ity Configuration response-signature.json} | 0 ...ity Configuration response-sub-value.json} | 4 +- ...ALL-Entity Configuration response-sub.json | 39 + ...y Statement endpoint response-exposed.json | 32 + .../input/mig-t/tests/single/TA/All_TA.json | 4679 ++-- .../mig-t/tests/single/TA/All_TA_Passive.json | 4517 ++-- testplans/spid-cie-oidc/testplan.csv | 23 +- tools/testplan-to-mr/testplan-to-mr.py | 15 +- 126 files changed, 38084 insertions(+), 30395 deletions(-) create mode 100644 testplans/spid-cie-oidc/config/testplan-to-mr/templates/wrong_input-JWT parameter not in.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-correct-content-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-correct-http-code.json create mode 100644 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exp-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exp.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iat-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iat.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iss.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-issue.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-jwks.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-federation_entity-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-oauth_resource-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-openid_provider-once.json create mode 100644 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-type.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response-metadata-value.json => ALL-Entity Configuration response-metadata-value.json} (59%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response-signature.json => ALL-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/{AA-Entity Configuration response-sub-value.json => ALL-Entity Configuration response-sub-value.json} (94%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-sub.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Resolve Entity Statement endpoint response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-correct-content-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-correct-http-code.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exp-type.json create mode 100644 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exp.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iat-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iat.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iss.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-issue.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-jwks.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-federation_entity-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-oauth_resource-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-openid_provider-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-openid_relying_party-once.json create mode 100644 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-type.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/{OP-Entity Configuration response-metadata-value.json => ALL-Entity Configuration response-metadata-value.json} (59%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/{OP-Entity Configuration response-signature.json => ALL-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/{OP-Entity Configuration response-sub-value.json => ALL-Entity Configuration response-sub-value.json} (96%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-sub.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Resolve Entity Statement endpoint response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-correct-content-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-correct-http-code.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exp-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exp.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity 
Configuration response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iat-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iat.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iss.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-issue.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-jwks.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-federation_entity-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-oauth_resource-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-openid_provider-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-openid_relying_party-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-type.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/{RP-Entity Configuration 
response-metadata-value.json => ALL-Entity Configuration response-metadata-value.json} (59%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/{RP-Entity Configuration response-signature.json => ALL-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/{RP-Entity Configuration response-sub-value.json => ALL-Entity Configuration response-sub-value.json} (90%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-sub.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Resolve Entity Statement endpoint response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-correct-content-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-correct-http-code.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exp-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exp.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iat-type.json create mode 100644 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iat.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iss.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-issue.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-jwks.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-federation_entity-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-oauth_resource-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-openid_provider-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-type.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Configuration response-metadata-value.json => ALL-Entity Configuration response-metadata-value.json} (59%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration 
response-metadata.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Configuration response-signature.json => ALL-Entity Configuration response-signature.json} (100%) rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/{SA-Entity Configuration response-sub-value.json => ALL-Entity Configuration response-sub-value.json} (90%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-sub.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Resolve Entity Statement endpoint response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-correct-content-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-correct-http-code.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exp-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exp.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exposed.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iat-type.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iat.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration 
response-iss.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-issue.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-jwks.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-federation_entity-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-oauth_resource-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-openid_provider-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-type.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response-metadata-value.json => ALL-Entity Configuration response-metadata-value.json} (59%) create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata.json rename testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response-signature.json => ALL-Entity Configuration response-signature.json} (100%) rename 
testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/{TA-Entity Configuration response-sub-value.json => ALL-Entity Configuration response-sub-value.json} (90%)
create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-sub.json
create mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Resolve Entity Statement endpoint response-exposed.json
diff --git a/testplans/spid-cie-oidc/config/testplan-to-mr/templates/wrong_input-JWT parameter not in.json b/testplans/spid-cie-oidc/config/testplan-to-mr/templates/wrong_input-JWT parameter not in.json
new file mode 100644
index 0000000..31a1052
--- /dev/null
+++ b/testplans/spid-cie-oidc/config/testplan-to-mr/templates/wrong_input-JWT parameter not in.json
@@ -0,0 +1,37 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "var0",
+ "description": "var1",
+ "type": "passive",
+ "sessions": "session0",
+ "operations": [
+ {
+ "message type": "var2",
+ "decode operations": [
+ {
+ "from": "var3",
+ "decode param": "var4",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "var5",
+ "check": "$var6",
+ "not matches regex": "var7"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-correct-content-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-correct-content-type.json
new file mode 100644
index 0000000..6f32ab4
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-correct-content-type.json
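Review bot: `"sessions": "session0"` in the template gives the key a string value, while every generated test file in this commit uses an array (`"sessions": [ "s1" ]`), so the instantiated tests would carry a different type for the same key unless testplan-to-mr.py substitutes a list for `session0`. If the substitution is textual, the template line should read `"sessions": ["session0"]` (or the tool should emit a JSON array) so the key has one type across all test files. The hard-coded `"result": "correct flow s1"` also assumes the substituted session is `s1`; if `session0` can ever expand to another session the result string should be templated as well.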
@@ -0,0 +1,33 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "checks": [
+ {
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-correct-http-code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-correct-http-code.json
new file mode 100644
index 0000000..9a9cb91
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-correct-http-code.json
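Review bot: The `"is": "application/entity-statement+jwt"` check on `Content-Type` will reject a header that carries media-type parameters, e.g. `application/entity-statement+jwt; charset=utf-8`, if mig-t's `is` is a whole-value comparison (the file does not show which it is). If only the media type matters, a prefix or regex match on the header value would avoid a spurious failure; if the bare value is what the profile requires, the description should state that parameters are not allowed. The header-name lookup `"check param": "Content-Type"` may also need to be case-insensitive, since HTTP/2 responses carry the name as `content-type`.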
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exp-type.json
new file mode 100644
index 0000000..e6f4303
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exp-type.json
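Review bot: `"is present": "true"` is a JSON string, while `"filter messages": true` a few lines above in the same file is a real boolean; the same mixed typing recurs in every new test of this commit that uses `is present` (the exp, exposed, iat, iss, issue and jwks hunks below). If the mig-t loader compares the literal string this works, but a loader that reads the value as a boolean would see a truthy string for both `"true"` and `"false"`, so it is worth confirming which form the tool expects and using that one form throughout the generated files. The status regex `HTTP/?\\d?\\.?\\d?\\s200` is unanchored and would also accept a `2000`-style value after the space; `\\s200\\b` pins it to the three-digit code.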
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exp.json
new file mode 100644
index 0000000..d03ac70
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exp.json
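Review bot: The description of the exp-type test is copied from the presence test and says only that "the presence of the exp parameter is checked", while the `json schema compliant` check actually asserts that `exp` is a non-negative integer; the iat-type hunk further down has the same mismatch. Suggest `"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the exp parameter is checked to be a non-negative integer"`, and the equivalent wording for iat. The schema cannot express that `exp` is later than `iat` or still in the future, so an already-expired Entity Configuration passes this test; if no other test covers that, the description should say so explicitly.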
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exposed.json
new file mode 100644
index 0000000..fa86292
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-exposed.json
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iat-type.json
new file mode 100644
index 0000000..a648d44
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iat-type.json
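Review bot: The check in the exposed test is identical to the one in the correct-http-code test three hunks earlier (same message type, same `HTTP/?\\d?\\.?\\d?\\s200` regex on `head`), so the two tests cannot fail independently, and the description's promise that "its entity configuration is expected as response" is not verified here. Either make this test look at the body, e.g. reuse the JOSE compact-serialization regex from the issue test with `"in": "body"`, so that a 200 with an empty or HTML body is reported as "not exposed", or drop one of the two files. As written, a server that answers 200 on every path passes both tests.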
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iat.json
new file mode 100644
index 0000000..769efaa
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iat.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iss.json
new file mode 100644
index 0000000..d558991
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-iss.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-issue.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-issue.json
new file mode 100644
index 0000000..dbe618b
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-issue.json
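Review bot: The iss test only asserts that `$.iss` is present; for an Entity Configuration, OpenID Federation requires `iss` to equal `sub` (the entity's own identifier), and a presence check accepts a statement whose `iss` names some other entity. The commit renames a `sub-value` test for this entity, so the cheapest way to close the gap is a companion check on `$.iss` pinned to the same expected value used there; if that is intentionally left to another test, the description should say this is a presence-only check.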
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-jwks.json
new file mode 100644
index 0000000..5f81156
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-jwks.json
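Review bot: The JOSE regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` allows only `\\w` and `=` in the header and payload segments, but JWS compact serialization is base64url, whose alphabet also contains `-`; a payload segment containing `-` (likely for any non-trivial JSON) makes the pattern fail to match a valid Entity Configuration and the test reports a false negative. The minimal fix is to admit the character in the first two classes as well: `"check regex": "([\\w\\-=]+)\\.([\\w\\-=]+)\\.([\\w\\-\\+\\/=]*)"`; a stricter form would drop `=`, `+` and `/` everywhere, since unpadded base64url never contains them. The description also promises a Content-Type check that this file does not perform; that is covered by the correct-content-type test, so the parenthetical can be dropped here.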
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-federation_entity-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-federation_entity-once.json
new file mode 100644
index 0000000..9a39893
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-federation_entity-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json
new file mode 100644
index 0000000..bdbfd5f
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json
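Review bot: The file nests a second `"test suite"` object and a second `"tests"` array inside the outer `"tests"` array, so the outer array's only element has no `"test"` key; every other test file in this commit uses the flat `"tests": [ { "test": { ... } } ]` shape, and a loader expecting that shape will skip or reject this test. The oauth_authorization_server-once and oauth_resource-once hunks below have the same nesting (the openid_provider-once hunk is cut off at the end of this chunk), so in all of them the inner `"test suite"` block should be removed and its `"tests"` element hoisted into the outer array. Separately, the `not matches regex` on `$.metadata` is applied after the JWT payload is decoded; if that step parses the JSON, a duplicate `federation_entity` key has already been collapsed by the parser and the regex can never see it, so a duplicate-key check has to run on the raw payload text. The `(\\n.*)+` in the pattern additionally requires a line break between the two occurrences, which a single-line payload never has. The test name also promises an allowed-types check that no check in this file performs.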
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-oauth_resource-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-oauth_resource-once.json new file mode 100644 index 0000000..073ab17 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-oauth_resource-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-openid_provider-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-openid_provider-once.json new file mode 100644 index 0000000..3a8b3fa --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-openid_provider-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json new file mode 100644 index 0000000..f943c97 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-type.json new file mode 100644 index 0000000..dbdc9ff --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-type.json 
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-value.json
similarity index 59%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-value.json
index 75de9cc..d35a33b 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-metadata-value.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata-value.json
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata.json
new file mode 100644
index 0000000..85beb42
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-metadata.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-sub-value.json
similarity index 94%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-sub-value.json
index e171895..1fef3d9 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/AA-Entity Configuration response-sub-value.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-sub-value.json
@@ -7,7 +7,7 @@
 "tests": [
 {
 "test": {
- "name": "Does entity configuration AA contain a correct sub parameter",
+ "name": "Does entity configuration OP contain a correct sub parameter",
 "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-sub.json
new file mode 100644
index 0000000..c90fc03
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Entity Configuration response-sub.json
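Review bot: The only content change in this renamed file turns the test name from "AA" into "OP", yet the file stays under tests/single/AA and its description still talks about the same entity's configuration; this reads as text copied from the OP variant rather than an intended rename. Keep `"name": "Does entity configuration AA contain a correct sub parameter",`. The same "OP" wording is added to All_AA.json in a later hunk of this patch.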
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Resolve Entity Statement endpoint response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Resolve Entity Statement endpoint response-exposed.json
new file mode 100644
index 0000000..2fb4169
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/ALL-Resolve Entity Statement endpoint response-exposed.json
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Resolve Entity Statement response",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
index ca939e7..bc8ff5a 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA.json
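Review bot: The leading `[` in `check regex` is unescaped, so it opens a character class (`[\s*"[^"]`) instead of matching the literal `[` that the escaped closing `\\]` at the end of the pattern clearly expects; as written the pattern is satisfied by any body that merely ends in a quoted string followed by `]`, and the opening bracket is never checked. The intended line is `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",`. The description also promises an HTTP 200 check that no operation performs, and if the implementation returns the resolve response as a signed JWT rather than a JSON array this regex will never match, so asserting the response's status and Content-Type would be the more robust "endpoint exposed" check.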
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
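Review bot: The five entries inserted at the top of `tests` are whole single-file documents — each carries its own `test suite` header and a nested `tests` array — while every other entry in the same array is a bare `{ "test": { ... } }` object; unless the runner is known to descend into nested suites, these five tests will be skipped or rejected when All_AA.json is loaded, which would silently drop the metadata-uniqueness coverage. Pasting only the inner `{ "test": { ... } }` objects keeps the array one shape throughout. The five `-once.json` files earlier in the patch use the same nested layout and would benefit from the same flattening.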
@@ -53,8 +248,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -65,16 +260,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -86,8 +278,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
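Review bot: The new sub test's description says the value must equal the `iss` parameter, but the check is `"check": "$.sub", "is": "X_key_AA"`, a fixed value that is presumably a label the tool substitutes (the same token is passed to `jwt check sig` later in this file); if so, the test verifies that `sub` equals a configured identifier and never compares it with `iss`. Either the check should compare the two payload fields, if the tool supports that, or the description should be rewritten to say the value must equal the configured entity identifier. The test name's "OP" in an AA suite looks like a copy from the OP variant as well.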
@@ -98,14 +290,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] @@ -118,8 +313,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -130,15 +325,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
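Review bot: The two rewritten tests replace an allow-list (`is in` RS256/RS512) with a deny-list (`not contains` none/HS256/HS384/HS512) on the `.one_of` path; a deny-list accepts any algorithm it does not name, and if `one_of` is absent the negative check may pass vacuously — how `not contains` behaves on a missing path is not visible here. Unless the positive `is in` checks removed in these hunks are re-added elsewhere in the file, keep them alongside the new `not contains` so an Entity Configuration that advertises an unexpected algorithm, or no list at all, still fails. The same applies to the token_endpoint_auth_signing_alg_values_supported hunk that follows.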
@@ -151,62 +348,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response AA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response AA", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -217,15 +360,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" - } - ] + "jwt check sig": "X_key_AA" } ] } @@ -235,8 +372,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -247,13 +384,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } 
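Review bot: The signature test's description says the verification key (n, e) must be taken from the superior's Entity Statement, but the operation is `"jwt check sig": "X_key_AA"`, which looks like a key configured in the tool; if that key is loaded from the AA's own `jwks`, the test does not exercise the trust chain at all and a configuration signed with any self-published key passes. The description should state where `X_key_AA` actually comes from, and if the tool can reference the superior's published key, that is what belongs here. This hunk begins on the previous physical line.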
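Review bot: The rewritten test checks `authorization_endpoint` under `$.metadata.federation_entity` with `"const": "private"`; the removed version of this test, and the claim's OAuth meaning, place `authorization_endpoint` under `oauth_authorization_server` where it is an endpoint URL, so `const: "private"` looks like a template value left behind and the name "correct type" no longer describes the check. Unless "private" is a deliberate profile convention, use `"check": "$.metadata.oauth_authorization_server",` and `"json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://\"}},\"required\": [\"authorization_endpoint\"]}"`.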
@@ -265,8 +402,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" @@ -277,13 +414,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -295,8 +432,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" 
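Review bot: Two of the new descriptions do not match their checks: the logo_uri test says "the SA metadata in the TA Entity Configuration" although this file is All_AA.json, and the op_policy_uri test says the value "is \"private\"" while its schema in the next hunk only requires a `uri`-formatted string. Suggested wording: `"description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",` and, for op_policy_uri, "... the value of the op_policy_uri claim in the 'openid_provider' entity type is an HTTPS URL". Whether an AA is expected to publish `openid_provider` metadata at all is worth confirming against the profile.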
@@ -307,13 +444,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } @@ -325,8 +462,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -337,13 +474,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" } ] } 
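Review bot: Two of the new type checks in these hunks look under a different entity type than their presence counterparts in this same patch: `op_policy_uri` is checked in `$.metadata.openid_provider` here but in `$.metadata.oauth_authorization_server` by the presence test, and `resource` is checked in `$.metadata.federation_entity` here but in `$.metadata.oauth_resource` by the presence test. For a single AA Entity Configuration one path of each pair never finds the claim, so one of the two tests fails regardless of what the AA publishes, and the mismatch should be resolved before the suite is run against anything. The `op_policy_uri` description also says the value must be `"private"` while the schema only asks for `format: uri`; align the description with the schema and add `"pattern": "^https://"` alongside `format`, since `format` alone is not enforced by default.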
@@ -355,8 +492,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -367,13 +504,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } @@ -385,8 +522,8 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
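Review bot: The `json schema compliant` string in the issuer hunk ends in `]})` — a stray `)` after the closing brace — so the schema is not valid JSON and the validator will either throw or, depending on how the engine treats a parse error, skip the check and let any issuer through. Drop the parenthesis; while there, an AS issuer identifier is an https URL without query or fragment (RFC 8414 §2), so the pattern can be tightened: `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://[^?#]+$\"}},\"required\":[\"issuer\"]}"`. A `?`/`#`-bearing issuer would otherwise be accepted by the current `^https://` pattern.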
@@ -397,13 +534,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -415,8 +552,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" 
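Review bot: The logo_uri schema in the first hunk has the same stray `)` as the issuer test — the string ends in `]})` — so it is not parseable JSON and the check either errors or is silently skipped. The corrected line is `"json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]}"`. Since the `.svg` test earlier in the patch already checks `logo_uri` with a stricter pattern on the same path, the description here should say this is the weaker URL-only variant, or the two names should be distinguished.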
@@ -427,13 +564,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } @@ -445,8 +582,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -457,13 +594,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
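Review bot: The trust_marks description in the last hunk says the parameter "must be an array", but the schema requires `trust_marks` to be an object whose values are arrays (`{"type": "object", "additionalProperties": {"type": "array"}}`), so an Entity Configuration whose `trust_marks` is a JSON array — what the description asks for — fails this test. Pick one; if the intent is an array of trust mark entries, the line becomes `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"trust_marks\"]}"`, and if the profile follows the OpenID Federation layout each item could further be required to carry `id` and `trust_mark`. As written, the test cannot detect a malformed trust_marks value because it rejects the correct shape.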
@@ -475,8 +612,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -487,13 +624,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -505,8 +642,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
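Review bot: The exp test in the second hunk (and the iat test that follows it) only asserts an integer ≥ 0, so an Entity Configuration that expired long ago, or one whose `exp` precedes its `iat`, passes a test named "correct exp parameter". The description should make the limit explicit, e.g. `only the presence and integer type of exp is checked; validity in time (exp in the future, exp greater than iat) is not verified by this passive test`, or, if the engine can compare two payload fields, add a second check that `$.exp` is greater than `$.iat`. Relying parties that trust an expired EC accept stale keys and metadata, so this is the check a reviewer would most want here.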
@@ -517,13 +654,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -535,8 +672,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -547,13 +684,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -565,8 +702,8 @@ }, { "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -582,8 +719,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -595,8 +735,8 @@ }, { "test": { - "name": "Does the AA metadata contain the resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -612,8 +752,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_resource.resource", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } 
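Review bot: The JSONPath in both new checks ends in `.one_of` (`$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of`), but `one_of` is a metadata_policy operator, not a key inside an Entity Configuration's `metadata`, where `dpop_signing_alg_values_supported` is a plain array of strings; unless mig-t resolves `one_of` specially, the path never matches and a fully conformant AA fails. If the intent is the EC's own metadata, drop the suffix: `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported"`; if the intent is the superior's policy, the path should start at `$.metadata_policy` and the message type (outside this hunk) should be the superior's Entity Statement. The semantics of `is in` should also be confirmed: the security property is that every advertised algorithm lies within the allow-list, and this patch elsewhere deletes the explicit `not contains [none, HS256, HS384, HS512]` tests that used to guarantee that.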
@@ -625,8 +767,8 @@ }, { "test": { - "name": "Does the AA metadata contain the response_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -642,8 +784,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -655,8 +800,8 @@ }, { "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -672,7 +817,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", "is present": "true" } ] 
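Review bot: The `token_endpoint_auth_signing_alg_values_supported` check in the first hunk has the same `.one_of` suffix problem as the dpop test — inside an Entity Configuration's `metadata` the claim is a plain array, so `$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of` is unlikely to resolve. The allow-list is also just `RS256`/`RS512`; if the profile this suite targets admits other asymmetric algorithms (RS384, ES*), conformant AAs will be flagged, and if it does not, the description should name the profile so the narrow list is understood as deliberate.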
@@ -685,8 +830,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the contacts claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -702,7 +847,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] @@ -715,8 +860,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -732,7 +877,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", "is present": "true" } ] 
@@ -745,8 +890,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the federation_resolve_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -762,7 +907,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] @@ -775,8 +920,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -784,11 +929,18 @@ "operations": [ { "message type": "Entity Configuration response AA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "is present": "true" + } + ] } ] } @@ -798,20 +950,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the AA metadata contain the grant_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response AA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.oauth_authorization_server.grant_types_supported", + "is present": "true" + } + ] } ] } 
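Review bot: The second hunk deletes the only test in this section that exercised the `Resolve Entity Statement response` message type, replacing it with a presence check on `grant_types_supported`, and nothing in this chunk re-adds coverage of the resolve endpoint. If the test is not restored elsewhere in the series, the suite no longer verifies that the AA can be resolved through its superior at all, which is the path relying parties actually use to obtain trusted metadata. When it is restored, prefer a decode of the JWT body with a check on `$.metadata` over the old body regex, consistent with how the first hunk here moved the trust-mark-status test from a regex to a decoded payload check.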
@@ -821,8 +980,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain the homepage_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -833,18 +992,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } @@ -856,8 +1010,8 @@ }, { "test": { - "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the AA metadata contain the issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
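Review bot: These hunks (and the following one for `token_endpoint_auth_signing_alg_values_supported`) delete the only negative algorithm checks in this section — `not contains [none, HS256, HS384, HS512]` — and replace them with unrelated presence tests. The `is in [RS256, RS512]` checks added earlier in the patch cover the same ground only if `is in` means every element of the advertised array is in the list and the `.one_of` path actually resolves; otherwise an AA advertising `none` or an HMAC algorithm goes unflagged, which is exactly the alg-confusion/downgrade case the deny-list existed for. Unless the two deleted tests are re-added elsewhere in the series, keep them next to the new allow-list checks.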
@@ -868,18 +1022,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.oauth_authorization_server.issuer", + "is present": "true" } ] } @@ -891,8 +1040,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", + "name": "Does the AA metadata contain the jwks claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -903,13 +1052,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" + "check": "$.metadata.oauth_authorization_server.jwks", + "is present": "true" } ] } 
@@ -921,8 +1070,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the AA metadata contain the logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -933,13 +1082,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } @@ -951,8 +1100,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", + "name": "Does the AA metadata contain the op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -963,13 +1112,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" + "check": "$.metadata.oauth_authorization_server.op_policy_uri", + "is present": "true" } ] } @@ -981,8 +1130,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct type resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", + "name": "Does the AA metadata contain the op_tos_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -993,13 +1142,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" + "check": "$.metadata.oauth_authorization_server.op_tos_uri", + "is present": "true" } ] } 
@@ -1011,8 +1160,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct type of issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", + "name": "Does the AA metadata contain the organization_name claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1023,13 +1172,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } @@ -1041,8 +1190,8 @@ }, { "test": { - "name": "Does the AA metadata contain a correct logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", + "name": "Does the AA metadata contain the policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -1053,13 +1202,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } @@ -1071,8 +1220,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the AA metadata contain the resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -1083,13 +1232,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.oauth_resource.resource", + "is present": "true" } ] } @@ -1101,8 +1250,8 @@ }, { "test": { - "name": "Does the AA's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", + "name": "Does the AA metadata contain the response_types_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1113,13 +1262,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.oauth_authorization_server.response_types_supported", + "is present": "true" } ] } 
@@ -1131,8 +1280,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the AA metadata contain the scopes_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1143,13 +1292,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.oauth_authorization_server.scopes_supported", + "is present": "true" } ] } @@ -1161,8 +1310,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the AA metadata contain the token_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -1173,13 +1322,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.oauth_authorization_server.token_endpoint", + "is present": "true" } ] } @@ -1191,8 +1340,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1203,13 +1352,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", + "is present": "true" } ] } 
@@ -1221,8 +1370,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1233,13 +1382,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", + "is present": "true" } ] } 
@@ -1491,8 +1640,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1500,12 +1649,58 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_AA" + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json index ca939e7..bc8ff5a 100644 
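Review bot: The JOSE-format regex `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` does not match what the test claims: `\w` excludes `-`, which is part of the base64url alphabet, so any header or payload segment containing `-` fails the check, while the trailing `*` on the third group accepts an empty signature segment (`header.payload.`, the unsigned / `alg: none` shape) as a well-formed Federation Metadata. Since this hunk also removes the `jwt check sig` operation from this file, the AA Entity Configuration is now only pattern-matched here; tighten it to `^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$` (JSON-escaped in the file) so a missing signature is rejected. In the new resolve-entity-statement test the leading `[` of `[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` is unescaped, so it opens a character class and the pattern no longer means "a JSON string array"; if an array is really what the endpoint returns, escape it as `^\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$`, and if the endpoint returns a signed JWT, as the description's "resolved metadata" suggests, reuse the JOSE pattern above instead. The Content-Type check uses an exact `is` match, which is correct for `application/entity-statement+jwt` but will fail on a response that appends a `charset` parameter — acceptable as a strictness choice, just worth stating in the description.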
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/AA/All_AA_Passive.json
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
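Review bot: The five new "only once for each" suites run `not matches regex` over `$.metadata`, i.e. over the value JSONPath returns after the JWT payload has been parsed; a JSON parser already collapses duplicate keys (typically keeping the last one), so the re-serialized object presumably contains each type name at most once and the pattern `openid_relying_party.*(\n.*)+"openid_relying_party"` can only fire on a false positive, such as the type name appearing inside a URL value, and even then only when the value is pretty-printed, because `(\n.*)+` requires a newline. If the duplicate-key property matters, it has to be checked on the raw base64url-decoded payload text before parsing (if mig-t exposes it); otherwise these suites can be dropped in favour of the `additionalProperties: false` allowed-types schema added further down in this file, which enforces the permitted set. The five suites also share one identical `"name"` and `"description"`, so a failing report cannot tell which metadata type tripped; append the type, e.g. `"name": "Does the metadata parameter contain openid_relying_party at most once"`.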
@@ -53,8 +248,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -65,16 +260,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -86,8 +278,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
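Review bot: The test renamed to "Does entity configuration OP contain a correct sub parameter" lives in the AA test file, inspects `Entity Configuration response AA` and compares against `X_key_AA`, so "OP" in the name is a copy-paste slip; the description also states that `sub` must equal `iss`, whereas the check pins `$.sub` to the `X_key_AA` placeholder, which holds only if that variable is bound to the AA's issuer URL at run time. Rename it to `"name": "Does entity configuration AA contain a correct sub parameter"` and either state the placeholder binding in the description or compare `$.sub` with `$.iss` directly if mig-t supports cross-claim comparison. These hunks also flip `"decode regex"` back to `"decode param"`, the opposite of the rename applied to All_AA.json earlier in this patch; only one of the two spellings can be the one the loader accepts.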
@@ -98,14 +290,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] @@ -118,8 +313,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -130,15 +325,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
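Review bot: The two new negative tests evaluate `not contains` on `...dpop_signing_alg_values_supported.one_of` and `...token_endpoint_auth_signing_alg_values_supported.one_of`; if that path is absent — because the AA publishes a plain array rather than a `one_of` policy operator, or because the claim is missing altogether — a `not contains` check presumably passes vacuously, so the test would report "no weak algorithms" on an entity that declares none at all. Add an `"is present": "true"` check on the same path inside the same `checks` array so the negative assertion only counts when the claim exists, rather than relying on the separate positive `is in ["RS256","RS512"]` tests later in the file being run together with these. Rejecting `none` and the HMAC family is the right constraint for federation signing algorithms; naming the tests "does not offer weak … algorithms" instead of "contain incorrect …" would make the expected outcome unambiguous in reports.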
@@ -151,62 +348,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response AA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response AA", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -217,15 +360,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" - } - ] + "jwt check sig": "X_key_AA" } ] } @@ -235,8 +372,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -247,13 +384,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } 
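Review bot: The rewritten authorization_endpoint test requires `$.metadata.federation_entity` to carry `"authorization_endpoint": "private"` (`const`), but the presence test later in this same file reads the claim from `$.metadata.oauth_authorization_server.authorization_endpoint`, and an authorization endpoint is a URL, so this schema fails on every conforming AA Entity Configuration and passes only on a malformed one. The `const: "private"` schema looks pasted from another claim's test; change the check to `"check": "$.metadata.oauth_authorization_server"` with `{"type":"object","properties":{"authorization_endpoint":{"type":"string","format":"uri","pattern":"^https://"}},"required":["authorization_endpoint"]}` (JSON-escaped), and fix the description, which also says 'federation_entity' and '"private"'. Moving the `jwt check sig` operation into this file (the hunk above) is the right place for it; all the payload checks that follow are only trustworthy once that signature test passes.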
@@ -265,8 +402,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" @@ -277,13 +414,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -295,8 +432,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" 
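Review bot: The new logo_uri test's description says "the SA metadata in the TA Entity Configuration", but the operation reads `Entity Configuration response AA` and the name says "AA metadata", so the description was pasted from another entity's test; it should read `"In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an HTTPS URL ending in .svg"`. Likewise the op_policy_uri description promises the value is `"private"`, while the schema in the following hunk only checks `format: uri` under `openid_provider`; one of the two is wrong, and since the sibling URI claims in this file are pinned with `pattern: "^https://"`, the schema should probably be `{"type":"string","format":"uri","pattern":"^https://"}` with the description saying so. Whether an AA Entity Configuration carries an `openid_provider` block at all is not visible here; if it does not, `$.metadata.openid_provider` resolves to nothing and the check is moot, so confirm against the AA's published metadata types.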
@@ -307,13 +444,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } @@ -325,8 +462,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" @@ -337,13 +474,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" } ] } 
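Review bot: The resource-type test validates `$.metadata.federation_entity` for a `resource` property, whereas elsewhere in this file the claim is addressed as `$.metadata.oauth_resource.resource` and the allowed-types schema lists `oauth_resource` as its own metadata type; with `required: ["resource"]` under `federation_entity`, a correct EC fails this test. Change it to `"check": "$.metadata.oauth_resource"` and update the description to say 'in the oauth_resource entity type'. The `oneOf` string-or-array-of-HTTPS-URLs schema itself is sound; note that `format: "uri"` is an annotation most validators ignore unless format assertion is enabled, so the `^https://` pattern is the part doing the real work and should be kept.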
@@ -355,8 +492,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -367,13 +504,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } @@ -385,8 +522,8 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" 
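Review bot: The issuer schema string ends in `"required":["issuer"]})` — the `)` after the closing brace is outside the JSON object, so the `json schema compliant` value is not valid JSON and the validator will reject the schema (or, depending on how mig-t treats an unparsable schema, skip the check) rather than validate the issuer. Drop the trailing `)` so the value ends in `]}`. Requiring `^https://` on `issuer` is the right constraint, since it is the identifier the `sub` check in this file and any trust-chain resolution key off; consider also asserting it equals `$.iss` if the tool supports a cross-claim comparison.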
@@ -397,13 +534,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -415,8 +552,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" 
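Review bot: Same defect as the issuer test: the logo_uri schema string ends in `"required":["logo_uri"]})` with a stray `)` after the object, so the schema is not parseable JSON and the check cannot run as written; remove the `)`. This test also overlaps with the new `.svg` logo_uri test earlier in this file (that one's `^https://.*\.svg$` pattern already implies this one's `^https://`), so if both stay, give them distinct names ("is an HTTPS URL" vs "is an HTTPS .svg URL") so the reports are readable; the current `"name"` values differ only by the word "type".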
@@ -427,13 +564,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } @@ -445,8 +582,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -457,13 +594,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
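Review bot: The trust_marks test's description says the parameter "must be an array", but the schema declares `"trust_marks": {"type": "object", "additionalProperties": {"type": "array"}}`, i.e. an object whose values are arrays, so a conforming EC that publishes `trust_marks` as an array of trust-mark objects is reported as non-compliant while a malformed object shape is accepted. Make the schema match the description: `{"type": "object", "properties": {"trust_marks": {"type": "array", "items": {"type": "object"}}}, "required": ["trust_marks"]}` (JSON-escaped), and tighten `items` to the trust-mark fields the federation profile requires once that shape is confirmed. The allowed-types schema in the hunk above (`additionalProperties: false` over the five types) is the effective replacement for the five regex "only once" suites at the top of this file and should be the one kept.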
@@ -475,8 +612,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -487,13 +624,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -505,8 +642,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
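Review bot: The restored exp test is titled "correct exp parameter" but only asserts that `exp` is an integer ≥ 0, so an Entity Configuration that expired long ago, or whose `exp` precedes `iat`, passes. JSON Schema cannot compare against the current time, so either narrow the wording to `"name": "Does entity configuration contain an integer exp parameter"` or add a separate run-time check against the request timestamp if mig-t offers such an operator. The same caveat applies to the iat test in the next hunk; an EC whose `iat` lies in the future is accepted as "correct".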
@@ -517,13 +654,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -535,8 +672,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -547,13 +684,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -565,8 +702,8 @@ }, { "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -582,8 +719,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -595,8 +735,8 @@ }, { "test": { - "name": "Does the AA metadata contain the resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -612,8 +752,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_resource.resource", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } 
@@ -625,8 +767,8 @@ }, { "test": { - "name": "Does the AA metadata contain the response_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -642,8 +784,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.response_types_supported", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -655,8 +800,8 @@ }, { "test": { - "name": "Does the AA metadata contain the scopes_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain the authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -672,7 +817,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.scopes_supported", + "check": "$.metadata.oauth_authorization_server.authorization_endpoint", "is present": "true" } ] 
@@ -685,8 +830,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the contacts claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -702,7 +847,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -715,8 +860,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -732,7 +877,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -745,8 +890,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -762,7 +907,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -775,8 +920,8 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -784,11 +929,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -798,20 +950,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the AA metadata contain the grant_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.grant_types_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -821,8 +980,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the AA metadata contain the homepage_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -833,18 +992,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -856,8 +1010,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the AA metadata contain the issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -868,18 +1022,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.oauth_authorization_server.issuer",
+ "is present": "true"
 }
 ]
 }
@@ -891,8 +1040,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type authorization_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
+ "name": "Does the AA metadata contain the jwks claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -903,13 +1052,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
+ "check": "$.metadata.oauth_authorization_server.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -921,8 +1070,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the AA metadata contain the logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -933,13 +1082,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -951,8 +1100,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
+ "name": "Does the AA metadata contain the op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -963,13 +1112,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
+ "check": "$.metadata.oauth_authorization_server.op_policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -981,8 +1130,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
+ "name": "Does the AA metadata contain the op_tos_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -993,13 +1142,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
+ "check": "$.metadata.oauth_authorization_server.op_tos_uri",
+ "is present": "true"
 }
 ]
 }
@@ -1011,8 +1160,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct type of issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL",
+ "name": "Does the AA metadata contain the organization_name claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1023,13 +1172,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -1041,8 +1190,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL",
+ "name": "Does the AA metadata contain the policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1053,13 +1202,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -1071,8 +1220,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the AA metadata contain the resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1083,13 +1232,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata.oauth_resource.resource",
+ "is present": "true"
 }
 ]
 }
@@ -1101,8 +1250,8 @@
 },
 {
 "test": {
- "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
+ "name": "Does the AA metadata contain the response_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1113,13 +1262,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata.oauth_authorization_server.response_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1131,8 +1280,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the AA metadata contain the scopes_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1143,13 +1292,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.oauth_authorization_server.scopes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1161,8 +1310,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the AA metadata contain the token_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
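Review bot: The `exp` presence/type check removed in the `@@ -1143,13 +1292,13 @@` hunk has no replacement on the new side, and the same is true of the `iat` check (`@@ -1173,13 +1322,13 @@`), the `$.sub` equals `X_key_AA` check (`@@ -1233,13 +1382,13 @@`) and the `"jwt check sig": "X_key_AA"` signature verification (`@@ -1500,12 +1649,58 @@`); what replaces them are presence tests on individual metadata claims. Unless these four tests are re-added in another test file of this commit, All_AA.json no longer verifies that the AA's Entity Configuration is signed, carries issued-at/expiry, and names the expected subject, which are the checks that make the remaining metadata assertions meaningful. If the intent is to move them, the commit message should name the destination file; otherwise keep them alongside the new presence tests.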
@@ -1173,13 +1322,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -1191,8 +1340,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1203,13 +1352,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1221,8 +1370,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration AA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1233,13 +1382,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_key_AA"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -1491,8 +1640,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1500,12 +1649,58 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "jwt check sig": "X_key_AA"
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Resolve Entity Statement response",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "checks": [
+ {
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json
index 23e5760..12f9b96 100644
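Review bot: The resolve-endpoint pattern re-added here, `"check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`, begins with an unescaped `[`, so the regex engine reads it as the start of a character class rather than the literal opening bracket of a JSON array; since the closing bracket is written as `\\]`, `\\[` at the start looks like the intended form and the test currently does not express the array shape its name implies. The JOSE-format regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is unanchored and only establishes that some dot-separated token-like text appears in the body, which is acceptable for a format check but is now the only assertion on that response in this hunk. The Content-Type check uses `"is"` with the bare media type, which presumably fails on a header that carries a `; charset=` parameter; if that is not intended, a `check regex` anchored on `application/entity-statement+jwt` would be more robust.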
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/ALL_Session1.json
@@ -7,54 +7,120 @@
 "tests": [
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier",
+ "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.iss",
+ "value": "https://www.example.com/"
+ },
+ {
+ "jwt sign": "X_key_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
- "type": "passive",
+ "name": "Does the OP refuse Authentication Requests without the client_id parameter",
+ "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication request",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt edit": "$.client_id",
+ "value": ""
+ },
+ {
+ "jwt sign": "X_key_RP"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Authentication error response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
+ },
+ {
+ "in": "head",
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": "assert_only"
 }
 },
 {
 "test": {
- "name": "Does the JWT payload contain a correct sub claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value",
+ "name": "Does the OP refuse Authentication Requests without the code_challenge parameter",
+ "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed",
 "type": "active",
 "sessions": [
 "s1"
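Review bot: The first new test is named and described as sending an Authentication Request whose `aud` does not contain the OP's identifier, but its edit is `"jwt edit": "$.iss"`, so the request object's issuer is overwritten while `aud` is left untouched and the OP's audience check is never exercised; the line should read `"jwt edit": "$.aud"`. In the second test, `"jwt edit": "$.client_id"` with `"value": ""` sets the claim to an empty string rather than omitting it, which is a different input from the "without the client_id" case the description promises and may be rejected for a different reason; if the tool supports removing a claim, that would match the description, otherwise the description should say the claim is emptied (the code_challenge test, whose body begins in the next hunk, appears to follow the same pattern). The third test's description still says "an authorization request is sent without the client_id in the JWT" where it should name code_challenge.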
@@ -68,389 +134,553 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ], - "checks": [ + "jwt edit": "$.code_challenge", + "value": "" + }, { - "use variable": "true", - "in": "payload", - "check": "$.sub", - "contains": "saved_iss" + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", + "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the nonce parameter", + "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter", + "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode 
param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the state parameter", + "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. 
In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "jwt from": "payload", + "jwt edit": "$.state", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", + "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - 
"from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", + "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": 
"forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", + "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error 
response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message 
type": "Entity Configuration response RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", + "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation 
endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", + "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", + "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", "type": "active", "sessions": [ "s1" @@ -473,8 +703,11 @@ "edits": [ { "jwt from": "payload", - "jwt save": "$.client_id", - "as": "client_id" + "jwt edit": "$.iat", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } 
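Review bot: The exp test writes `"value": "1681723540"` as a quoted string, while exp is a NumericDate, i.e. a JSON number (RFC 7519 §4.1.4); if the harness inserts the value as-is, the OP may reject the JWT for a malformed claim rather than for being expired, so a pass would not show that expiry is enforced (the iat edit in the following hunk has the same problem). If the tool can only write strings, the description should say so; otherwise the value should be numeric. The "without the … parameter" tests in this hunk (code_challenge, code_challenge_method, nonce, scope, state) all set `"value": ""` rather than dropping the claim, so they exercise an empty value, not an absent one — if mig-t has a claim-removal edit that is what these should use, and if not their names should say "with an empty …". The claims test sets `$.claims` to the string `example`, whereas claims is a JSON object, so it tests a type error rather than the "not supported values" the description promises.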
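Review bot: The iat test's description says iat is set after the current time, but the edit writes the fixed literal `"value": "1681723540"` (an epoch in April 2023, already in the past when this patch was written, and the same literal the exp test uses), so the request carries a stale iat, not a future one, and any fixed literal stops being "in the future" eventually. If the harness offers a relative or computed timestamp, use it here; otherwise use a clearly far-future number and state it in the description, e.g. `"value": 4102444800` (constructed example, 2100-01-01T00:00:00Z). Like exp, iat is a NumericDate and should be a number, not a string. The test's name and description sit in the previous hunk.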
@@ -484,31 +717,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "client_id" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", + "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", "type": "active", "sessions": [ "s1" @@ -531,8 +759,11 @@ "edits": [ { "jwt from": "payload", - "jwt save": "$.iss", - "as": "iss" + "jwt edit": "$.nonce", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } 
@@ -542,31 +773,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "iss" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", + "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", + "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", "type": "active", "sessions": [ "s1" @@ -589,8 +815,11 @@ "edits": [ { "jwt from": "payload", - "jwt save": "$.redirect_uri", - "as": "redirect_uris" + "jwt edit": "$.prompt", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } 
@@ -600,31 +829,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "contains": "redirect_uris" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", + "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", + "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", "type": "active", "sessions": [ "s1" @@ -647,8 +871,11 @@ "edits": [ { "jwt from": "payload", - "jwt save": "$.response_type", - "as": "response_types_supported" + "jwt edit": "$.response_type", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } 
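Review bot: The response_type test's description says the value is "wrong or not present in the RP's metadata", but the entity under test is the OP and the test name says "its metadata"; what the OP compares against is its own `response_types_supported`, so the description should read "not present in the OP's metadata". The test's payload edit and its `unsupported_response_type` check are in the following hunks.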
@@ -658,31 +885,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "contains": "response_types_supported" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unsupported_response_type" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", + "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", + "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", "type": "active", "sessions": [ "s1" 
@@ -696,17 +918,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt save": "$.metadata.openid_relying_party.client_id", - "as": "client_id" + "jwt edit": "$.scope", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } @@ -716,31 +941,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "client_id" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_scope" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", + "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", "type": "active", "sessions": [ "s1" 
@@ -754,17 +974,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "jwt edit": "$.state", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } 
@@ -774,1387 +997,2266 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.aud[0]", - "contains": "saved_iss" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the acr_values parameter", + "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + 
"result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the aud parameter", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication 
Requests without the claims parameter", + "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the exp parameter", + "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + 
"from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'grant_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iat parameter", + "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": 
"url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iss parameter", + "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": 
"invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the prompt parameter", + "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", + "description": "An Authentication Request is sent without the redirect_uri 
parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the response_type parameter", + "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - 
"check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse an RP without trusted Trust Marks", + "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.trust_marks", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } 
+ ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", - "type": "passive", + "name": "Does the OP correctly validate the trust chain of an RP authentication request", + "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.authority_hints", + "value": "https://www.wrongsite.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_client" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - 
"description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", + "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the organization_name claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the 
presence of the organization_name claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", + "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Request with a wrong redirect URI", + "description": "Once received an Authentication Request, an OP must check 
if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", - "type": "passive", + "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from 
session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud[0]", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", - "type": "passive", + "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.signed_jwks_uri", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": 
"X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", - "type": "passive", + "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain 
the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", - "type": "passive", + "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", - "type": "passive", + "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the 
Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", - "type": "passive", + "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": 
"forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", - "type": "passive", + "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" + "jwt from": "payload", + "jwt edit": 
"$.exp", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", - "type": "passive", + "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test 
consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Resolve Entity Statement response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", - "type": "passive", + "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", + "type": "active", "sessions": [ "s_CIE_introsp" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Introspection request", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": 
"token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Revocation request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Revocation request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ - { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "POST", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", - "type": "passive", + "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", + "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. 
If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Authentication request", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", - "type": "passive", + "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", - "type": "passive", + "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response RP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the metadata parameter 
contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + 
"action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the aud claim does not contain the OP's Token endpoint", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct 
flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the exp claim is wrong", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. 
Its value must be an URL", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the iat claim is wrong", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token request", "decode operations": [ { "from": "body", "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token request", "decode operations": [ { "from": "body", "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. 
Its value must be a timestap", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token request", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain correct client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is not set to the RP's client ID", "type": "active", "sessions": [ "s1" @@ -2168,12 +3270,22 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Token request", + "decode operations": [ { "from": "body", - "value": "https://example.com", - "edit regex": "(?<=client_id=)([^&]+)" + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] }, 
@@ -2181,15 +3293,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation response",
+ "message type": "Token response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
 },
 {
 "in": "body",
- "check": "invalid_client"
+ "check": "invalid_request"
 }
 ]
 }
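Review bot: The new check expects HTTP 400 with `invalid_request` for a token request whose client_assertion carries a wrong `sub`, but a client assertion that fails validation is a client-authentication failure, which RFC 6749 §5.2 and RFC 7523 §3.1 report as `invalid_client` (with 400 or 401) — the Revocation test this hunk replaces expected exactly the `invalid_client` pair. Unless the federation profile under test mandates `invalid_request` for bad assertion claims, a compliant OP would fail this test; consider `"check regex": "HTTP/?\\d?\\.?\\d?\\s40[01]"` together with `"check regex": "invalid_(request|client)"`, or confirm the expected code against the profile. The same expectation is repeated in the aud/exp/iat/iss variants above, whose hunk starts before this excerpt; there the exp and iat edits also set `"value": "1681716340"` as a string, so a rejection may stem from the claim's type rather than its value, and the test would not isolate "expired" from "malformed".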
@@ -2198,58 +3310,216 @@ } }, { - "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "decode operations": [ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the 
metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] } ] } - ] + ], + "result": "correct flow s1" } - ], - "result": "correct flow s1" - } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "[^\\n\\r]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
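Review bot: All five new suites in this hunk carry the identical name "Does the metadata parameter contain only allowed types and only once for each", so a failure report cannot tell which metadata type was duplicated; naming each after its type (e.g. `"name": "Is the openid_provider metadata type present at most once"`) would fix that. The check itself is a regex over `$.metadata` of the form `openid_provider.*(\n.*)+"openid_provider"`, which only fires when the repeated key sits on a later line of a pretty-printed payload, and if `$.metadata` is evaluated on the already-parsed JSON object a duplicate key has most likely been collapsed by the parser before the regex runs — which is precisely the duplicate-key inconsistency the test wants to catch. Running the regex against the raw decoded payload text, if the tool offers that, with `\s*` instead of the line-based `(\n.*)+` would make it format-independent. The description also promises that only the five allowed types appear, but no check rejects an unknown key under `metadata`.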
@@ -2259,23 +3529,20 @@
 },
 {
 "test": {
- "name": "Does the token request contain a correct grant_type parameter",
- "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "checks": [
 {
- "in": "body",
- "check regex": "(?<=grant_type=)([^&]+)",
- "is in": [
- "authorization_code",
- "refresh_token"
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
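Review bot: The check in this hunk only asserts an HTTP 200 on the Entity Configuration response, which is the same assertion the preceding test ("Does the entity return a correct HTTP code in the EC response") already makes, so the two tests cannot fail independently. To establish that the endpoint actually serves an entity configuration, as the name and description claim, add a decode operation on the body like the other EC tests use (`"from": "body", "decode param": "[^\\n\\r]*", "type": "jwt"`) and check, for instance, that `$.iss` is present in the payload. The description speaks of an HTTP GET being made, but this is a passive test that only observes the response — either wording or type should change.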
@@ -2285,27 +3552,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request",
+ "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
 }
 ]
 }
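Review bot: The description says the revocation response "has to be an empty HTTP 200 OK", but the only check is the status regex on `head`; an OP that answers 200 with an error body or a token payload still passes. If the tool supports negative body checks (`"not matches regex"` is used elsewhere in this diff), add one on the body, e.g. `"in": "body", "not matches regex": "\\S"`; otherwise drop "empty" from the description. The `"is present": "true"` next to a `check regex` is also worth confirming, since the Token response status checks earlier in this diff use `check regex` alone.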
@@ -2315,27 +3575,20 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -2345,27 +3598,20 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
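Review bot: The second hunk on this line ("Does the HTTP status of a token response correct?") asserts exactly what the first hunk's test already asserts — HTTP 200 on the Token response — so one of them is redundant, and the name should read `"name": "Is the HTTP status of the token response correct"`. If the first test is meant to cover the whole flow as its description says ("All requests are well-formed and the Responses of the OP are analyzed"), it should check more than the status line, for example the presence of `access_token` and `id_token` in the body as the later tests do.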
@@ -2375,27 +3621,20 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the Introspection Endpoint Response have the active parameter", + "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jwks", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "active" } ] } 
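Review bot: This hunk switches `"is present"` from the string `"true"` used in the surrounding tests to the JSON boolean `true`, so the key now has two types across the document; whichever form the tool accepts, the tests should use one consistently (the same mix continues in the following hunks). The body check `"check regex": "active"` also matches a response such as `{"active": false}` or any text containing "inactive", which is acceptable for a pure presence test but would be more precise anchored as a key: `"check regex": "\"active\"\\s*:"`.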
@@ -2405,27 +3644,20 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the Introspection Endpoint returns true on active tokens", + "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "\"active\": true" } ] } @@ -2435,27 +3667,20 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
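Review bot: `"check regex": "\"active\": true"` in the first hunk on this line depends on the exact whitespace the OP uses when serializing its JSON — a compact `{"active":true}` response, which is valid and common, fails this test. Use `"check regex": "\"active\"\\s*:\\s*true"` so the check tolerates any formatting.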
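Review bot: The test named "Does the OP verify the HTTP method of the Revocation request" in the second hunk on this line is passive and inspects only the RP's outgoing request (`"in": "url"`, `"check": "POST"`), so it shows that the RP sends POST, not that the OP rejects anything else. A substring check for `POST` in the URL field would also pass on any request whose URL happens to contain that text, and would never match if `url` holds only the path rather than the request line — confirm what `url` denotes in the tool. Proving that the OP enforces the method needs an active test that forwards the request with a different method and expects a 4xx on the Revocation response; otherwise rename the test to what it checks, e.g. `"name": "Does the RP send the Revocation request via HTTP POST"`.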
@@ -2465,27 +3690,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr_values", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } @@ -2495,27 +3713,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.aud", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
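Review bot: The two tests in the hunks on this line ("Does the successful token response contain access token" and "Does the OP issue the access tokens when requested") are the same check — `"check regex": "access_token"` on the Token response — so they cannot fail independently, and the second one's description ("an authentication request with scope 'openid' is made") is not enforced by any operation. Either merge them or make the second assert the scope, and consider anchoring these substring regexes as JSON keys (`"check regex": "\"access_token\"\\s*:"`), which applies equally to `expires_in`, `id_token` and `token_type` in the following hunks, since a bare substring also matches an error description that merely mentions the parameter.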
@@ -2525,27 +3736,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } @@ -2555,27 +3759,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.client_id", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } 
@@ -2585,27 +3782,20 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } @@ -2615,27 +3805,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "head", + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } 
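Review bot: The UserInfo status check in the second hunk on this line uses `"check param": "HTTP/?\\d?\\.?\\d?\\s200"`, whereas every other status-line check in this diff uses `"check regex"` for the same pattern; unless `check param` is a documented alias that treats its value as a regex, this check will look for a literal parameter name and can never match. Change it to `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`.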
@@ -2645,25 +3828,32 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suum
yktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] } ] } 
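Review bot: The `jwe decrypt` value in this hunk inlines a complete RSA private key in PEM form, and the same key is repeated in the hunks at `@@ -2675` and `@@ -2735`; a private key committed in a test file ends up in every clone and cannot be rotated without editing the tests, and since it is already in history it should be treated as compromised for any non-test use. The `jwt sign` steps elsewhere in this diff reference keys by alias (`"jwt sign": "X_key_core_RP"`), so if `jwe decrypt` accepts the same kind of alias, reference the key that way (e.g. `"jwe decrypt": "X_key_jwe_RP"`, a constructed placeholder) and keep the PEM in the tool's key store. Separately, the `$.alg` check lists JWE key-management algorithms but runs `"in": "header"` on a decode step typed `"jwt"` after decryption; confirm that the tool evaluates this against the JWE protected header rather than the header of the nested signed JWT, whose `alg` would be a signature algorithm and never match the `is in` list.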
@@ -2675,25 +3865,29 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/f
Q8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.nonce", - "is present": "true" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -2705,28 +3899,41 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", - "type": "passive", + "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", + "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "message operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.prompt", - "is present": "true" - } - ] - } + "from": "body", + "edit": "(?<=token=)([^&]+)", + "in": "123.123.123" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } ] } ], 
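Review bot: The Revocation-request rewrite in this hunk is expressed as `"message operations"` with keys `"edit"` and `"in"`, a shape that appears nowhere else in this diff; the test this commit removed did the same thing with `"edit operations": [{ "from": "body", "edit regex": "(?<=client_id=)([^&]+)", "value": "..." }]`, and `"in"` is otherwise used to name a message part (`head`, `body`, `url`), not to hold a replacement value. Unless `message operations` is a newer documented form, this edit is most likely ignored and the test then exercises a valid token. Suggested: `"edit operations": [{ "from": "body", "edit regex": "(?<=token=)([^&]+)", "value": "123.123.123" }]`. Expecting HTTP 200 for an unknown token is consistent with RFC 7009 §2.2, which has the server respond 200 even when the token is invalid.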
@@ -2735,25 +3942,31 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnG
OUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.redirect_uri", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
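Review bot: The disallow list on the JWE `alg` header is the JWS list (`none`, `HS256`, `HS384`, `HS512`), but the `alg` of a JWE is a key-management algorithm, so `RSA1_5` (the value the OP-metadata tests in this file try to forbid) and symmetric wrapping such as `dir` or `A128KW` pass this check even though the description says a symmetric algorithm is non-compliant. If `"in": "header"` after `jwe decrypt` denotes the outer JWE header, as the following `cty` test suggests, either extend the list (`"is not in": ["none", "HS256", "HS384", "HS512", "RSA1_5", "dir"]`) or switch to an allow-list of the profile's permitted key-management algorithms. The description also treats an absent `alg` as non-compliant, which `is not in` presumably does not catch; a separate `{"in": "header", "check": "$.alg", "is present": "true"}` would cover it. The same PEM private key is repeated verbatim in every JWE test in this file (this hunk, the `cty` hunk below, and the `enc` hunk above); loading it from one referenced key file would make rotation a single edit.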
@@ -2765,25 +3978,26 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40
CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.response_type", - "is present": "true" + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } @@ -2795,25 +4009,25 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$.sub", + "is": "X_key_OP" } ] } 
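Review bot: In the `sub` test the check compares against the literal `"X_key_OP"` without `"use variable": "true"`, while the description says the value must equal the `iss` claim; unless `X_key_OP` is a placeholder substituted before the suite runs, this pins the test to one deployment instead of verifying `sub == iss`. Consider saving `$.iss` from the same payload and comparing with `"is": "<saved_iss_variable>", "use variable": "true"` as the client_id test later in this file does, or state in the description that the expected value is configured per deployment.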
@@ -2825,25 +4039,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.state", - "is present": "true" + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" } ] } 
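Review bot: The JSONPath ends in `.value` (`$.metadata.openid_provider.authorization_response_iss_parameter_supported.value`) although in an OP entity configuration this claim is a plain boolean, so unless mig-t's path syntax treats `.value` as the scalar itself the path resolves to nothing and the test can never pass; the same suffix is used in the two following hunks for `claims_parameter_supported` and `request_parameter_supported`. The expected value is the string `"true"` while the claim is a JSON boolean; confirm how `is` compares types before relying on it. The name promises the 'correct value' while the description only says presence is checked; align them, e.g. `... is checked and its value must be true.`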
@@ -2855,25 +4069,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", - "is present": "true" + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" } ] } @@ -2885,15 +4099,15 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", 
@@ -2902,8 +4116,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } 
@@ -2915,55 +4129,53 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does the OP issue refresh tokens even when it is not supposed to", + "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.aud", - "is present": "true" - } - ] + "in": "body", + "check": "refresh_token", + "is present": false } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "in": "header", + "check": "$.alg", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -2975,27 +4187,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iat", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "code" } ] } 
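Review bot: In the refresh-token test `"is present": false` is a JSON boolean while every other check in this file writes `"is present": "true"` as a string; if the tool compares the value literally, one of the two encodings is silently ignored, so pick one. The `result` field is also an array (`["s1"]`) here while the neighbouring tests use the string `"correct flow s1"`, so a consumer expecting a string breaks on this entry. The description says the RP requests a scope other than `offline_access`, but as a `passive` test nothing enforces that, so a session that legitimately requested `offline_access` would be flagged; either make it active and set the scope, or save the scope from the Authentication request and condition on it. The second test's description string appears split across two physical lines at `is checked. The value must`; if that is a raw line break inside the string, the file is no longer valid JSON.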
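Review bot: `"contains": "code"` on the Location header is a substring match, so any redirect URL that merely contains the letters `code` passes even when the query parameter is absent; the two following hunks have the same weakness with `iss` (a substring of `missing`) and `state`. Anchor the checks on the parameter name, e.g. `"check regex": "[?&]code="`, `"check regex": "[?&]iss="`, `"check regex": "[?&]state="`, applied to the Location value. With the substring form an error redirect whose `error_description` happens to contain the word would also satisfy a test named 'successful authentication'.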
@@ -3005,27 +4210,20 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the OP contain iss parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.iss", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "iss" } ] } 
@@ -3035,27 +4233,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the OP contain correct state parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jti", - "is present": "true" - } - ] + "in": "head", + "check param": "Location", + "contains": "state" } ] } 
@@ -3065,27 +4256,20 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the token response have Cache-Control set to 'no-store'", + "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "in": "head", + "check param": "Cache-Control", + "contains": "no-store" } ] } 
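Review bot: RFC 6749 §5.1 requires a token response to carry both `Cache-Control: no-store` and `Pragma: no-cache`, but only the first header is checked here. Adding a second check `{"in": "head", "check param": "Pragma", "contains": "no-cache"}` covers the full requirement, and the description should then mention both headers.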
@@ -3095,20 +4279,29 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } 
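Review bot: The forbidden value is spelled `RSA_1_5`, but the JWA identifier registered in RFC 7518 §4.1 is `RSA1_5` (no underscore), so an OP advertising `RSA1_5` in `id_token_encryption_alg_values_supported` passes this `not contains` check; the `userinfo_encryption_alg_values_supported` hunk below uses the same spelling. Change both to `"not contains": ["RSA1_5"]` and fix the `['RSA_1_5']` wording in both descriptions.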
@@ -3118,20 +4311,32 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -3141,20 +4346,32 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
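Review bot: The path `$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]` inspects only the first array element, so an OP listing e.g. `["RS256", "HS256"]` passes this `not contains` check; the sibling tests in this file for `request_object_signing_alg_values_supported` and `token_endpoint_auth_signing_alg_values_supported` check the whole array. Drop the index: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`.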
@@ -3164,20 +4381,32 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -3187,20 +4416,32 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -3210,20 +4451,29 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] + } + ] } ] } 
@@ -3233,20 +4483,32 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } 
@@ -3256,20 +4518,48 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", - "type": "passive", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", + "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "url", + "save": "client_id", + "as": "auth_client_id" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "client_id", + "is": "auth_client_id", + "use variable": "true" + } + ] } ] } 
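Review bot: The extraction regex `(?<=\"access_token\": \")[^\"]+` hardcodes a single space after the colon, so a token response serialized without whitespace (`"access_token":"…"`) yields nothing to decode and the test fails regardless of the token's content; the same regex appears in the scope test in the next hunk and in the access-token `alg` test earlier in this file. `"decode param": "(?<=\"access_token\":\\s*\")[^\"]+"` tolerates either layout. The payload checks here use bare keys (`"check": "client_id"`, and `"check": "scope"` in the next hunk) while every other payload check in the file uses JSONPath such as `$.sub`; confirm the tool accepts both forms, otherwise use `$.client_id` and `$.scope`.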
@@ -3279,20 +4569,48 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", - "type": "passive", + "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.", + "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "message operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "url", + "save": "scope", + "as": "auth_scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "scope", + "is": "auth_scope", + "use variable": "true" + } + ] } ] } 
@@ -3302,965 +4620,1388 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", - "type": "passive", - "sessions": [ - "s_CIE_introsp" + "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", + "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged", + "type": "active", + "sessions": [ + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "url", + "value": "openid", + "edit": "scope" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Revocation request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the 
RP is taken and the presence of the client_assertion_type parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the request parameter", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ + { + "from": "url", + "value": "", + "edit": "request" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", + "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": 
"Authentication request", + "edit operations": [ + { + "from": "url", + "value": "", + "edit": "scope" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", + "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "edit operations": [ + { + "from": "url", + "value": "example", + "edit": "request" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { - "in": "body", - "is present": true, - "check regex": "token" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", - "type": "passive", + "name": "Does the OP accept introspection requests without the client assertion", + "description": "A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "is present": true, - "check regex": "client_assertion" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", - "type": "passive", + "name": "Does the OP accept introspection requests without the client assertion type", + "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } 
}, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", - "type": "passive", + "name": "Does the OP accept introspection requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "is present": true, - "check regex": "client_id" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", - "type": "passive", + "name": "How does the OP behave when receiving an introspection request without the token", + "description": "An introspection request without a token is sent and the introspection response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=token=)([^&]+)" + } + ] + }, + { + 
"action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "code" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", - "type": "passive", + "name": "Does the OP accept introspection requests with a wrong client assertion type", + "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "code_verifier" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", - "type": "passive", + "name": "Does the OP verify the client id of the Introspection Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not 
present in the federation) is sent and the response is analyzed.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "is present": true, - "check regex": "grant_type" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", - "type": "passive", + "name": "Does the OP verify the parameters of the client assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. 
If the OP accepts the request anyway, then it does not verify the JWT.", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Revocation request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "X_wrong_value", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "is present": true, - "check regex": "token" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. 
In the Authorization field of the header there must be an Access Token", - "type": "passive", + "name": "How does the OP behave when receiving an introspection request with a wrong token", + "description": "An introspection request with a token not valid is sent and the introspection response analyzed", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "UserInfo request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", + "edit operations": [ + { + "from": "body", + "value": "X_not_valid_tkn", + "edit regex": "(?<=token=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", "checks": [ { "in": "head", - "is present": true, - "check param": "Authorization" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", - "type": "passive", + "name": "Does the OP verify the presence of token in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_RP" + "value": "", + "edit regex": "(?<=token=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token request", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "jwt check sig": "X_key_core_RP" + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - 
"name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", - "type": "passive", + "name": "Does the OP accept revocation request without the client assertion", + "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", + "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "passive", + "name": "Does the OP accept Revocation Requests without the client assertion type", + "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is 
analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Revocation request", - "checks": [ + "edit operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Token request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", - "type": "passive", + "name": "Does the OP accept Revocation Requests without the client id", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", + 
"type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ + }, { - "message type": "Introspection request", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "check": "client_id", - "is": "X_url_RP" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", - "type": "passive", + "name": "Does the OP verify the client assertion type of the Revocation Request", + "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": 
"s1", + "then": "forward", "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "urn-ietf", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", - "type": "passive", + "name": "Does the OP verify the client id of the Revocation Request", + "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ + { + "from": "body", + "value": "https://www.example.com/", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": 
"assert_only" } }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", - "type": "passive", + "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token request", - "checks": [ + "edit operations": [ + { + "from": "body", + "value": "", + "edit regex": "(?<=client_assertion=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, { "in": "body", - "check": "client_id", - "is": "X_https_RP" + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", - "type": "passive", + "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "value": "", + "edit regex": "(?<=client_assertion_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", - "type": "passive", + "name": "Does the OP require the client_id in the token request", + "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" - ] - } - ] + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", - "type": "passive", + "name": "Does the token response to a token request made without the code parameter return a Token Error response", + "description": "This test consists in sending a token request without the code parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "value": "", + "edit regex": "(?<=code=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", - "type": "passive", + "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=code_verifier=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", - "type": "passive", + "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response", + "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=grant_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. 
If it contains other values or it is missing, than the RP is not compliant with the specifications", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Authentication request", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", - "type": "passive", + "name": "Does the OP check the client_id in the request", + "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] - } - ] + "from": "body", + "value": "", + "edit regex": "(?<=client_id=)([^&]+)" } ] - } - 
], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "value": "urn-aert", + "edit regex": "(?<=client_assertion_type=)([^&]+)" } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Revocation response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. 
All requests are well-formed and the Responses of the OP are analyzed.", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", + "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ + { + "from": "body", + "value": "X_wrong_code", + "edit regex": "(?<=code=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_grant" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", - "type": "passive", + "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", + "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. 
The response must be a Token Error response.", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ + { + "from": "body", + "value": "X_wrong_code", + "edit regex": "(?<=code_verifier=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", - "type": "passive", + "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", + "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is 
in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] - } - ] + "value": "example", + "edit regex": "(?<=grant_type=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "unsupported_grant_type" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "How does the OP behave when the token in the userinfo request is missing", + "description": "A userinfo request without the 'Authorization: Bearer ...' 
field is made and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "UserInfo request", + "edit operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported[0]", - "is in": [ - "automatic" - ] - } - ] + "from": "head", + "value": "", + "edit": "Authorization" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "UserInfo response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4271,17 +6012,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]",
- "is in": [
- "S256"
- ]
- }
- ]
+ "jwt check sig": "X_key_OP"
 }
 ]
 }
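Review bot: `"decode regex"` is renamed to `"decode param"` while its value stays a regex (`[^\\r\\n]*`), and the same key name is used elsewhere in this file for a URL parameter name (`"decode param": "request"` on the removed side of the first hunk in this chunk), so one key now carries two meanings; confirm the tool reads a regex from `decode param`, because if it is looked up as a literal parameter name the selector matches nothing and the signature check never runs. The same rename appears in every later hunk of this chunk (L9668–L9680), so one answer settles all of them. The `jwt check sig` placeholder `X_key_OP` here differs from `X_key_core_OP` used for the token tests at L9668/L9669; confirm both placeholders are defined in the harness configuration, and check what the tool does when a referenced key is undefined, since an error that is reported as "check not applicable" would make a signature test pass without verifying anything.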
@@ -4291,30 +6024,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]",
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported[0]",
- "is in": [
- "refresh_token",
- "authorization_code"
- ]
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
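Review bot: The selector `(?<=\"access_token\": \")[^\"]+` only matches a body serialized with exactly one space after the colon, so a compact token response (`"access_token":"..."`) produces no match and the signature verification is skipped rather than failed; prefer `(?<=\"access_token\":\\s?\")[^\"]+`, which tolerates the space while keeping the lookbehind bounded for Java-style regex engines. The same fixed-whitespace selector is used for the id_token at L9669 and for the access-token payload tests at L9676–L9680. It is also worth confirming what the tool reports when a decode operation matches nothing, because a silently skipped signature check is the worst failure mode for this test. A wording nit in the description: a JWS signature is verified with the public key, not "decrypted", so `in such a way to be verified using its public key` would be accurate.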
@@ -4324,30 +6048,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
@@ -4357,8 +6072,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4369,16 +6084,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
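Review bot: The selector is spelled `[^\\n\\r]*` in this hunk (and again at L9674) while the other hunks in this chunk use `[^\\r\\n]*`; the two are equivalent, but a single spelling keeps bulk edits and grep-based audits of the decode selectors reliable. The schema itself is sound: `additionalProperties: false` together with the `anyOf` of `required` entries rejects unknown metadata types and an empty object, which is exactly what the description promises.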
@@ -4390,8 +6102,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -4402,16 +6114,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -4423,8 +6132,8 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -4435,15 +6144,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -4455,8 +6162,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -4467,16 +6174,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -4488,8 +6192,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the OP's entity configuration contain a correct authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", "type": "passive", "sessions": [ "s1" @@ -4500,16 +6204,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" } ] } @@ -4521,8 +6222,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "name": "Does the OP metadata contain correct type issuer parameter", + "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", "type": "passive", "sessions": [ "s1" 
@@ -4533,16 +6234,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" - ] + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" } ] } @@ -4554,8 +6252,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does the OP metadata contain correct type logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -4566,15 +6264,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
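Review bot: The `issuer` check relies solely on `\"format\":\"uri\"`, but the description promises "no query or fragment component", and `format` is an annotation that most JSON Schema validators ignore unless format assertion is explicitly enabled, so as written the test may accept any string at all. Encode the stated rule with a pattern, e.g. `\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https?://[^?#]+$\"}` (restrict to `https://` if only TLS issuers are meant to pass), and confirm whether the tool's validator enforces `format`; the same caveat applies to every `format` use in the later hunks of this chunk, where the accompanying `pattern` is what actually does the work.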
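Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` is stricter than the description, which only says the claim "is an URL": it additionally demands an `.svg` suffix and, at the same time, accepts plain `http://`. If the SVG requirement is intended, state it in the description (`... the value of the logo_uri claim in the 'federation_entity' entity type is an HTTPS URL pointing to an SVG file`) so a failing OP is not left guessing, and consider dropping the `http://` alternative; if it is not intended, remove the suffix from the pattern. Because `format` is only enforced by validators with format assertion enabled, this `pattern` is the part of the check that can be relied upon.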
@@ -4586,8 +6282,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -4598,15 +6294,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" } ] } @@ -4618,8 +6312,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does the OP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" 
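Review bot: The `request_authentication_methods_supported` schema accepts an empty object, because `additionalProperties` constrains only the values that are present, so an OP advertising no authentication methods at all would pass a test whose name says the claim has "the correct value". Adding `\"minProperties\": 1` next to `\"additionalProperties\"` closes that gap without naming a specific endpoint key. The description says only that presence is checked; it should also mention that every value must be an array whose entries are `request_object`, which is what the schema actually enforces.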
@@ -4630,18 +6324,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } @@ -4653,27 +6342,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" - ] + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" } ] } 
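Review bot: The `trust_marks` schema requires a JSON object whose values are arrays, but the description (and, as far as I recall, the Entity Configuration format, where `trust_marks` is a list of `{id, trust_mark}` objects) calls for a JSON array, so a well-formed entity configuration would fail this passive test. If the array form is intended, use `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`; if the object-of-arrays form is deliberate for this profile, update the description so the check and its text agree.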
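Review bot: The `aud` schema requires an array, but RFC 7519 §4.1.3 allows `aud` to be a single string when there is one audience, so a compliant access token with a string audience fails this test; unless the profile mandates the array form, accept both with `\"aud\": {\"anyOf\": [{\"type\":\"string\"}, {\"type\":\"array\", \"items\":{\"type\":\"string\"}, \"minItems\":1}]}`. The description says the value "is the identifier of the resource server", but the schema only checks the type; if the expected audience is known to the harness (the file uses `X_...` placeholders elsewhere), a `const` on the string form or `contains` on the array form would make the check say what the description says.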
@@ -4685,27 +6372,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", - "is in": [ - "private_key_jwt" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" } ] } 
@@ -4717,28 +6402,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -4750,28 +6432,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -4783,28 +6462,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", + "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } 
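Review bot: The Access Token `iss` is only required to be some https URL; unlike the ID Token test further down, which pins `iss` to the OP with `const`, an access token minted by any other https issuer would pass here. If the `X_https_OP` placeholder is substituted by the tool (it appears to be), use the same constraint: `\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}`. Keep the https pattern only if the placeholder is not guaranteed to be an https URL itself.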
@@ -4816,28 +6492,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" } ] } 
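Review bot: The `jti` pattern `^[0-9a-f]{8}-...$` correctly pins the version-4 nibble and the RFC 4122 variant, but it accepts lowercase hex only; RFC 4122 treats hex digits as case-insensitive on input, so an OP emitting `8A1D...` style UUIDs would fail a test whose stated goal is "uuid4 format". Use `[0-9a-fA-F]` in each group (and `[89abAB]` for the variant nibble) unless lowercase is a documented SPID requirement, in which case say so in the description.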
@@ -4849,8 +6522,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.",
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4861,17 +6534,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
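Review bot: The new `decode param` `(?<=id_token: \")([^\"]+)` in the second hunk cannot match a JSON token response: the key is serialized as `"id_token": "`, with a closing quote before the colon, and the lookbehind requires the literal `id_token: "` with no quote, so the ID Token is never extracted and the exp schema is evaluated against nothing. Every other ID-Token test on this page uses `(?<=\"id_token\": \")[^\"]+`; use that here: `"decode param": "(?<=\"id_token\": \")[^\"]+",`. Whether a failed extraction is reported as pass or fail depends on the tool, so confirm it is not a silent pass.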
@@ -4883,21 +6552,27 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "(?<=id_token: \")([^\"]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
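Review bot: Same extraction bug as the preceding exp test: `(?<=id_token: \")([^\"]+)` omits the quote after the key name and will not match `"id_token": "` in the token response, so the `iat` schema never sees the ID Token. Replace with the form used by the sibling tests, `"decode param": "(?<=\"id_token\": \")[^\"]+",`.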
@@ -4907,21 +6582,27 @@
 },
 {
 "test": {
- "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
- "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Token response",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ }
+ ]
 }
 ]
 }
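Review bot: The `json schema compliant` string ends with `\"required\":[\"iss\"]})` — the trailing `)` after the closing brace makes the embedded schema invalid JSON, so the validator will reject the schema itself instead of evaluating the ID Token `iss`. Drop the parenthesis: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\": [\"iss\"]}"`. `X_https_OP` is presumably a tool-substituted placeholder; the OP `issuer` metadata test lower on this page uses `X_url_OP` for what looks like the same value, so confirm both are defined or unify the name.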
@@ -4931,50 +6612,29 @@
 },
 {
 "test": {
- "name": "Does the OP refuse wrongly signed Authentication Requests",
- "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",
- "type": "active",
+ "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
+ "message type": "Token response",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication error response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
- },
- {
- "in": "head",
- "check": "unauthorized_client"
- }
- ]
 }
 ],
 "result": "correct flow s1"
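Review bot: The description says `sub` is "checked to be a string", but the schema enforces `^[0-9a-f]{64}$` — exactly 64 lowercase hex characters. Nothing else on this page establishes that shape as a requirement (the metadata tests only demand `subject_types_supported` = pairwise), so it reads like one OP's implementation detail, and a conformant OP emitting a different opaque pairwise identifier, or uppercase hex, would fail. Either relax the schema to `{\"type\": \"string\", \"minLength\": 1}` to match the description, or state the 64-hex expectation and its source in the description.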
@@ -4982,50 +6642,33 @@
 },
 {
 "test": {
- "name": "Does the OP verify the signature of the client assertion in the Introspection request",
- "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
- "type": "active",
+ "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]",
+ "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Introspection request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "edits": [
+ "checks": [
 {
- "jwt sign": "X_wrong_key"
+ "in": "payload",
+ "check": "$.metadata.openid_provider.acr_values_supported[0]",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
 }
 ]
 }
 ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Introspection response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
- },
- {
- "in": "body",
- "check": "invalid_request"
- }
- ]
 }
 ],
 "result": "correct flow s1"
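Review bot: Checking `acr_values_supported[0]` with `is in` only verifies that the first element is one of the three SPID levels; it neither confirms that all three are advertised, as the description claims, nor inspects anything past index 0, so `["https://www.spid.gov.it/SpidL1", "urn:foo"]` passes. If the tool's `json schema compliant` check accepts a JSONPath other than `$`, point it at `$.metadata.openid_provider.acr_values_supported` with `{\"type\": \"array\", \"items\": {\"enum\": [\"https://www.spid.gov.it/SpidL1\", \"https://www.spid.gov.it/SpidL2\", \"https://www.spid.gov.it/SpidL3\"]}, \"minItems\": 3, \"uniqueItems\": true}`; otherwise trim the description to "the first advertised value is a SPID level".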
@@ -5033,50 +6676,31 @@ }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", - "type": "active", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
@@ -5084,50 +6708,31 @@ }, { "test": { - "name": "Does the token response to a token request made with a wrong signature return a Token Error response", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
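Review bot: Testing only `code_challenge_methods_supported[0]` against `["S256"]` lets `["S256", "plain"]` pass, and advertising `plain` is exactly the PKCE downgrade this check exists to catch. The allow-list must apply to every element, e.g. a schema on the array: `{\"type\": \"array\", \"items\": {\"const\": \"S256\"}, \"minItems\": 1}` — assuming `json schema compliant` can target that path; if it can only target `$`, wrap it as `{\"properties\": {\"metadata\": {\"properties\": {\"openid_provider\": {\"properties\": {\"code_challenge_methods_supported\": ...}}}}}}` from the payload root.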
@@ -5135,50 +6740,32 @@ }, { "test": { - "name": "Does the OP's token endpoint refuse assertions signed with a wrong key", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed", - "type": "active", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt sign": "X_wrong_key" + "in": "payload", + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], "result": "correct flow s1" 
@@ -5186,53 +6773,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", - "type": "active", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "use variable": "true", "in": "payload", - "check": "$.iss", - "contains": "saved_iss" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
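Review bot: The `[0]` + `is in` check on `id_token_encryption_alg_values_supported` never looks past the first element, so an OP advertising `["RSA-OAEP", "RSA1_5"]` passes even though RSA1_5 (PKCS#1 v1.5 key wrapping) is the padding the Bleichenbacher-style attacks target and is not in the intended allow-list. Validate the whole array with `{\"type\": \"array\", \"items\": {\"enum\": [\"RSA-OAEP\", \"RSA-OAEP-256\"]}, \"minItems\": 1}` via `json schema compliant` if it can be pointed at that path. The same single-index weakness affects every metadata allow-list test in this file.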
@@ -5244,8 +6806,8 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -5261,8 +6823,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.jwks", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -5274,8 +6839,8 @@ }, { "test": { - "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -5291,8 +6856,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
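Review bot: The `id_token_signing_alg_values_supported[0]` check in the last hunk here is the one worth tightening: with only index 0 inspected, `["RS256", "none"]` or `["RS512", "HS256"]` passes, and an advertised `none`/HMAC algorithm is precisely the algorithm-confusion surface the test should reject. Replace the single-element `is in` with an array-wide constraint, `{\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}, \"minItems\": 1}`, applied through `json schema compliant` if the tool lets it target `$.metadata.openid_provider.id_token_signing_alg_values_supported`. The `id_token_encryption_enc_values_supported[0]` hunk above has the same gap.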
@@ -5304,8 +6872,8 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" @@ -5321,8 +6889,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } @@ -5334,8 +6904,8 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -5351,8 +6921,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
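Review bot: The `issuer` test compares against the placeholder `X_url_OP`, while the ID Token `iss` test earlier on this page uses `X_https_OP` for what appears to be the same OP URL; if these are tool-substituted variables, one of them being undefined would make the check compare against the literal string and fail silently against every OP. Confirm which name the tool defines and use it in both places. In the last hunk, `request_authentication_signing_alg_values_supported[0]` has the same index-0-only weakness as the other allow-list checks (`["RS256", "none"]` passes); an `items`/`enum` schema over the array is the fix.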
@@ -5364,8 +6937,8 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -5381,8 +6954,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported", - "is present": "true" + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -5394,8 +6970,8 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" @@ -5411,8 +6987,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_supported", - "is present": "true" + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } 
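Review bot: `response_modes_supported[0]` in `["form_post", "query"]` passes for `["query", "fragment"]`, so an OP that also offers fragment response mode — which hands the authorization code to front-end script and is not in the intended list — is not caught. The same index-0 gap applies to `request_object_signing_alg_values_supported[0]` in the first hunk, where a trailing `none` would go unnoticed. For both, validate the full array with `{\"type\": \"array\", \"items\": {\"enum\": [...]}, \"minItems\": 1}` if `json schema compliant` can be pointed at those paths.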
@@ -5424,8 +7003,8 @@ }, { "test": { - "name": "Does the OP metadata contain the client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" @@ -5441,8 +7020,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported", - "is present": "true" + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } @@ -5454,8 +7035,8 @@ }, { "test": { - "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" @@ -5471,8 +7052,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported", - "is present": "true" + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] } ] } 
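Review bot: In the last hunk the check path is `$.metadata.openid_provider.revocation_endpoint_auth_methods_supported` without the `[0]` every sibling test uses, so `is in` receives the whole array rather than a string; depending on the tool this either always fails or compares a stringified array against `"private_key_jwt"`, and either way the test does not measure what its description says. Make it consistent: `"check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported[0]",`. Note that even then `["private_key_jwt", "client_secret_basic"]` would pass; an array-wide `items: {const: "private_key_jwt"}` schema is the stronger form.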
@@ -5484,8 +7067,8 @@ }, { "test": { - "name": "Does the OP metadata contain the contacts claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" @@ -5501,8 +7084,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } @@ -5514,8 +7102,8 @@ }, { "test": { - "name": "Does the OP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" @@ -5531,8 +7119,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } 
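Review bot: `subject_types_supported[0]` in `["pairwise"]` passes for `["pairwise", "public"]`, which would let an OP offer the non-pairwise subject type the SPID profile excludes; likewise `scopes_supported[0]` in the first hunk is satisfied by `["openid", "address"]`. Checking one element with `is in` cannot express "every advertised value is allowed"; use an array schema such as `{\"type\": \"array\", \"items\": {\"const\": \"pairwise\"}, \"minItems\": 1}` (and an `enum` of the four scopes for `scopes_supported`) if `json schema compliant` can target those paths.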
@@ -5544,8 +7134,8 @@ }, { "test": { - "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -5561,8 +7151,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } @@ -5574,8 +7166,8 @@ }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" @@ -5591,8 +7183,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
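Review bot: Both hunks here test only index 0: `token_endpoint_auth_methods_supported[0]` in `["private_key_jwt"]` passes for `["private_key_jwt", "client_secret_post"]`, and `token_endpoint_auth_signing_alg_values_supported[0]` in `["RS256", "RS512"]` passes for `["RS256", "HS256"]` — an OP quietly accepting a shared-secret client assertion is exactly what these tests should flag. Replace the single-index `is in` with array-wide `items`/`enum` (or `const`) schemas through `json schema compliant`, assuming it can be pointed at the array path; the description of the first test also still says "presence ... is checked" although the check is now a value check.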
@@ -5604,8 +7199,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -5621,8 +7216,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -5634,8 +7232,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" 
@@ -5651,8 +7249,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -5664,8 +7265,8 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -5681,8 +7282,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -5694,25 +7298,29 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", - "is present": "true" + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
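Review bot: The `acr` check added here only asserts membership in the three SPID levels, while the description also promises that the value is "equal or superior to the acr send from the RP in the Authentication Request"; nothing in the check compares it with the requested value, so the description overstates what the test verifies and should either be trimmed or the comparison added in a separate active test. The decode regex `(?<=\"id_token\": \")[^\"]+` also hard-codes exactly one space after the colon, so a Token response serialised compactly (`"id_token":"..."`) would not be decoded at all and the check would never run; the pattern removed elsewhere in this commit already tolerated this with `\\s?`, so `"decode regex": "(?<=\"id_token\":\\s?\")[^\"]+"` would be more robust.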
@@ -5724,24 +7332,25 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev
7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
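Review bot: An RSA private key in PEM form is embedded inline as the `jwe decrypt` value and duplicated verbatim in this hunk and the three following UserInfo header tests (`cty`, `enc`, `kid`), which both puts key material into version control and makes rotation error-prone, since every copy must be updated together. If the tool supports it, the value should reference a key file or a placeholder that is filled at run time, and a short note in the test description should state that this is a disposable test-only key so nobody reuses the deployed RP decryption key here. Separately, the key `decode regex` was renamed to `decode param` while the value is still the regex `[^\\r\\n]*`; if mig-t has no `decode param` key the decode operation would silently not match, so please confirm the rename is intentional. It is also worth stating in the description which header the `"in": "header"` check inspects after decryption, since `enc` and `cty` live in the JWE header whereas `alg` and `kid` exist on both the JWE and the nested JWS.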
@@ -5754,24 +7363,25 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDi
gYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "in": "header", + "check": "$.cty", "is present": "true" } ] 
@@ -5784,24 +7394,25 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nN
Xf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "in": "header", + "check": "$.enc", "is present": "true" } ] 
@@ -5814,24 +7425,25 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOc
NNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "in": "header", + "check": "$.kid", "is present": "true" } ] @@ -5844,8 +7456,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", "type": "passive", "sessions": [ "s1" @@ -5861,7 +7473,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "check": "$.metadata.openid_provider.jwks", "is present": "true" } ] 
@@ -5874,8 +7486,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -5891,7 +7503,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", + "check": "$.metadata.openid_provider.acr_values_supported", "is present": "true" } ] @@ -5904,8 +7516,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -5921,7 +7533,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "check": "$.metadata.openid_provider.authorization_endpoint", "is present": "true" } ] 
@@ -5934,8 +7546,8 @@ }, { "test": { - "name": "Does the OP metadata contain the request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5951,7 +7563,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported", + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is present": "true" } ] @@ -5964,8 +7576,8 @@ }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -5981,7 +7593,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", + "check": "$.metadata.openid_provider.claims_parameter_supported", "is present": "true" } ] 
@@ -5994,8 +7606,8 @@ }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -6011,7 +7623,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", + "check": "$.metadata.openid_provider.claims_supported", "is present": "true" } ] @@ -6024,8 +7636,8 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain the client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -6041,7 +7653,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", + "check": "$.metadata.openid_provider.client_registration_types_supported", "is present": "true" } ] 
@@ -6054,8 +7666,8 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -6071,7 +7683,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "check": "$.metadata.openid_provider.code_challenge_methods_supported", "is present": "true" } ] @@ -6084,8 +7696,8 @@ }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -6101,7 +7713,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] 
@@ -6114,8 +7726,8 @@ }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -6131,7 +7743,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] @@ -6144,8 +7756,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -6161,7 +7773,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", + "check": "$.metadata.openid_provider.grant_types_supported", "is present": "true" } ] 
@@ -6174,8 +7786,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -6191,7 +7803,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] @@ -6204,8 +7816,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -6221,7 +7833,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", "is present": "true" } ] 
@@ -6234,8 +7846,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -6251,7 +7863,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", "is present": "true" } ] @@ -6264,8 +7876,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -6281,7 +7893,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", "is present": "true" } ] 
@@ -6294,8 +7906,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -6311,7 +7923,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", + "check": "$.metadata.openid_provider.introspection_endpoint", "is present": "true" } ] @@ -6324,8 +7936,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain the issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -6341,7 +7953,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "check": "$.metadata.openid_provider.issuer", "is present": "true" } ] 
@@ -6354,8 +7966,8 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", + "name": "Does the OP metadata contain the logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -6371,7 +7983,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.signed_jwks_uri", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] @@ -6384,8 +7996,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the OP metadata contain the organization_name claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -6393,11 +8005,18 @@ "operations": [ { "message type": "Entity Configuration response OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" + } + ] } ] } 
@@ -6407,43 +8026,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the OP metadata contain the policy_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" + } + ] } ] } 
@@ -6453,20 +8056,27 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the OP metadata contain the request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "is present": "true" + } + ] } ] } 
@@ -6476,20 +8086,27 @@
},
{
"test": {
- "name": "Does the successful token response contain a valid ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
{
- "in": "body",
- "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
}
]
}
@@ -6499,20 +8116,27 @@
},
{
"test": {
- "name": "Does the UserInfo Endpoint create a signed and encrypted JWT",
- "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
{
- "in": "body",
- "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
}
]
}
@@ -6522,32 +8146,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3Pb
Ggjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": "$.metadata.openid_provider.request_parameter_supported", + "is present": "true" } ] } 
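Review bot: The removed `jwe decrypt` value is a complete PKCS#8 RSA private key embedded as a string literal in the test corpus, and taking it out of this test does not take it out of git history nor out of the UserInfo JWE tests that the following hunks also drop from this file (their removed side carries the same key). If that key is anything other than a throwaway fixture, rotate it and treat it as disclosed; either way, decryption material is better referenced by file path or environment variable than pasted as PEM text into JSON tests. The replacement presence check on `request_parameter_supported` itself raises nothing; this note is only about the key material this patch touches.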
@@ -6559,29 +8176,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPI
I/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported", + "is present": "true" } ] } 
@@ -6593,25 +8206,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nN
Xf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported", "is present": "true" } ] 
@@ -6624,25 +8236,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the revocation_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW
7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint", "is present": "true" } ] 
@@ -6655,25 +8266,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\
nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", "is present": "true" } ] 
@@ -6686,25 +8296,24 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain the scopes_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNN
DigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported", "is present": "true" } ] @@ -6717,8 +8326,8 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -6729,15 +8338,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.subject_types_supported", + "is present": "true" } ] } 
@@ -6749,8 +8356,8 @@
},
{
"test": {
- "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the token_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
"type": "passive",
"sessions": [
"s1"
@@ -6761,18 +8368,13 @@
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint",
+ "is present": "true"
}
]
}
@@ -6784,8 +8386,8 @@
},
{
"test": {
- "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
"type": "passive",
"sessions": [
"s1"
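Review bot: The new check `"check": "$.metadata.openid_provider.token_endpoint"` / `"is present": "true"` replaces a negative assertion (`not contains` `none`, `HS256`, `HS384`, `HS512` on `id_token_signing_alg_values_supported`), and none of the hunks visible in this file re-assert that deny list for id_token_signing, request_object_signing, userinfo_signing or the `RSA_1_5` encryption algs. A presence-only suite accepts an OP that advertises `none` or an HMAC alg for ID tokens, which is exactly the configuration that lets a party holding a shared or guessable key mint accepted tokens. If those deny-list checks were moved into per-claim test files as part of this restructure this is fine; if not, keep them next to the presence tests rather than dropping them, e.g. a second test with the old `"not contains": ["none", "HS256", "HS384", "HS512"]` body. The test objects of these three hunks begin and end outside the visible lines.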
@@ -6796,18 +8398,13 @@
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported",
+ "is present": "true"
}
]
}
@@ -6819,8 +8416,8 @@
},
{
"test": {
- "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.",
"type": "passive",
"sessions": [
"s1"
@@ -6831,18 +8428,13 @@
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
}
]
}
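Review bot: The new description of the token_endpoint_auth_signing_alg_values_supported test says the claim is looked up "in the 'op' entity type", but the check in the following hunk uses `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, and every sibling test added here says 'openid_provider'. Whoever reads a failing report will look for an `op` metadata type that does not exist; change the line to `+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",`. The test object starts in this hunk and its operations continue in the next hunk on the same line.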
@@ -6854,8 +8446,8 @@
},
{
"test": {
- "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
"type": "passive",
"sessions": [
"s1"
@@ -6866,18 +8458,13 @@
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "is present": "true"
}
]
}
@@ -6889,8 +8476,8 @@
},
{
"test": {
- "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
+ "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
"type": "passive",
"sessions": [
"s1"
@@ -6901,15 +8488,13 @@
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
- "not contains": [
- "RSA_1_5"
- ]
+ "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported",
+ "is present": "true"
}
]
}
@@ -6921,8 +8506,8 @@
},
{
"test": {
- "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the OP metadata contain the userinfo_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
"type": "passive",
"sessions": [
"s1"
@@ -6933,18 +8518,13 @@
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.openid_provider.userinfo_endpoint",
+ "is present": "true"
}
]
}
@@ -6956,61 +8536,38 @@
},
{
"test": {
- "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method",
- "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. 
Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.",
- "type": "active",
+ "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
"decode operations": [
{
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
- "edits": [
+ "checks": [
{
- "jwt from": "header",
- "jwt edit": "alg",
- "value": "none"
+ "in": "payload",
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "is present": "true"
}
]
}
]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Authentication error response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
- },
- {
- "in": "head",
- "check": "invalid_request"
- }
- ]
}
],
- "result": "assert_only"
+ "result": "correct flow s1"
}
},
{
"test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
There must be at least one of the two",
"type": "passive",
"sessions": [
"s1"
@@ -7021,13 +8578,13 @@
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.signed_jwks_uri",
+ "is present": "true"
}
]
}
@@ -7039,8 +8596,8 @@
},
{
"test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
"type": "passive",
"sessions": [
"s1"
@@ -7056,8 +8613,8 @@
"checks": [
{
"in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.exp",
+ "is present": "true"
}
]
}
@@ -7069,8 +8626,8 @@
},
{
"test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
"type": "passive",
"sessions": [
"s1"
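Review bot: The test whose name and description promise "jwks or signed_jwks_uri ... at least one of the two" enforces only one of them: the single check is `"check": "$.metadata.openid_provider.signed_jwks_uri"` with `"is present": "true"`, so an OP that publishes its keys inline under `jwks` (which OpenID Federation permits) fails a test its own description says it should pass, and the report will misattribute the failure. If the check DSL has no disjunction between checks, either split this into two tests whose names state what each one actually enforces, or narrow the wording to what is checked, e.g. `+ "name": "Does the OP metadata contain the signed_jwks_uri claim in the openid_provider subclaim",`. The test object begins in the preceding hunk on the same line.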
@@ -7086,8 +8643,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -7099,8 +8656,8 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7116,8 +8673,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -7129,8 +8686,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct type issuer parameter",
- "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7141,13 +8698,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -7159,8 +8716,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct type logo_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7171,13 +8728,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
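Review bot: Hunk 7141 changes the body regex to `[^\\r\\n]*` but keeps the key `decode param`, whereas the Entity Configuration tests in hunk 7021 now use `decode regex` for the same value; hunks 7171 and 7231 keep `decode param` as well. What `decode param` does with a pattern is not visible here — if it resolves a named parameter rather than a regex, these three tests would never decode the JWT and the presence checks below them could not run. If `decode regex` is the intended key for body patterns, use `"decode regex": "[^\\r\\n]*"` in all three for consistency. The regex edit itself only reorders the character class and does not change what it matches.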
@@ -7189,8 +8746,8 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -7206,8 +8763,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + "check": "$.sub", + "is present": "true" } ] } @@ -7219,8 +8776,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -7231,13 +8788,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.authority_hints", + "is present": "true" } ] } @@ -7249,8 +8806,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -7266,8 +8823,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -7279,8 +8836,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" @@ -7295,9 +8852,9 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } @@ -7309,8 +8866,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -7325,9 +8882,9 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
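Review bot: Checking that `$.alg` is present in the access token header (hunk 7295) does not reject `"alg": "none"` or an otherwise unexpected algorithm, which is the property a header test on this claim normally protects. The `json schema compliant` form used elsewhere in the file can pin the constraint in place of the presence check: `"check": "$",` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"alg\": {\"type\": \"string\", \"not\": {\"const\": \"none\"}}}, \"required\": [\"alg\"]}"`. The ID-token `alg` test in hunk 7630 has the same shape, as does the `typ` test in hunk 7355; if the profile under test fixes the expected header type, a `const` there would make that test meaningful too.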
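Review bot: The new description in hunk 7309 reads `If it is not present, than the Access Token is not compliant.`; `than` should be `then`. The ID-token `kid` test inside hunk 7681 carries the same wording.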
@@ -7339,8 +8896,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", "type": "passive", "sessions": [ "s1" @@ -7355,9 +8912,9 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "in": "header", + "check": "$.typ", + "is present": "true" } ] } @@ -7369,8 +8926,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -7386,8 +8943,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.aud", + "is present": "true" } ] } 
@@ -7399,8 +8956,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -7416,8 +8973,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "check": "$.client_id", + "is present": "true" } ] } @@ -7429,8 +8986,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -7446,8 +9003,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + "check": "$.exp", + "is present": "true" } ] } 
@@ -7459,8 +9016,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -7471,13 +9028,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.iat", + "is present": "true" } ] } @@ -7489,8 +9046,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" 
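Review bot: The lookbehind added in hunk 7471, `(?<=\"access_token\": \")[^\"]+`, only matches when the token response body has exactly one space between the key and the value; a compactly serialized body (`"access_token":"…"`) would leave nothing to decode, and the `iat` check below it would presumably fail or be skipped rather than report on the claim. The same pattern is added in hunks 7501, 7531 and 7561 and already appears as context in the earlier access-token tests, so this is an existing convention rather than a new bug, but it is worth hardening in one pass. `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"` tolerates both serializations and keeps the lookbehind bounded for regex engines that require a fixed maximum length.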
@@ -7501,13 +9058,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.iss", + "is present": "true" } ] } @@ -7519,8 +9076,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -7531,13 +9088,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + "check": "$.jti", + "is present": "true" } ] } 
@@ -7549,8 +9106,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -7561,13 +9118,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + "check": "$.scope", + "is present": "true" } ] } 
@@ -7579,36 +9136,16 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload and identify the client", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must identify the client issuing the request", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "message operations": [ - { - "from": "url", - "save": "client_id", - "as": "auth_client_id" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "decode operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", "decode param": "(?<=\"access_token\": \")[^\"]+", @@ -7616,9 +9153,8 @@ "checks": [ { "in": "payload", - "check": "client_id", - "is": "auth_client_id", - "use variable": "true" + "check": "$.sub", + "is present": "true" } ] } 
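Review bot: The `$.sub` presence check that hunk 7616 substitutes for the `use variable` comparison (the test header is rewritten in hunk 7579) no longer relates any access-token claim to the authentication request, and on the new side of this page the `client_id` (hunk 7416) and `scope` (hunk 7561) tests are presence-only as well, so a token issued for a different client or with a broadened scope passes every access-token test here. If the request-to-token binding tests were moved to the active suite (All_OP.json is in the commit's file list) this is fine; if not, the passive file has lost its only cross-message consistency checks on the access token. Hunk 7630 replaces the corresponding `scope` comparison the same way.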
@@ -7630,46 +9166,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the 'scope' parameter in the Payload is checked, in particular, its value MUST match the value in the authentication request.", - "type": "active", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "message operations": [ - { - "from": "url", - "save": "scope", - "as": "auth_scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "scope", - "is": "auth_scope", - "use variable": "true" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } 
@@ -7681,744 +9196,446 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with the scope parameter different in the URL and in the JWT", - "description": "The Authentication Request is intercepted and the iss parameter in the URL of the request (scope in the HTTP request) is modified to a valid value but different from the JWT's one. The same parameter in the JWT's payload is left unchanged", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "edit operations": [ - { - "from": "url", - "value": "openid", - "edit": "scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the request parameter", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request is missing the request parameter, than the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent without request parameter in the URL and the answer is analyzed", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "edit operations": [ - { - "from": "url", - "value": "", - "edit": "request" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter in the URL", - "description": "An Authentication Request is sent without the scope parameter in the URL of the request (scope in the HTTP request)", - "type": "active", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - 
"message type": "Authentication request", - "edit operations": [ - { - "from": "url", - "value": "", - "edit": "scope" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.at_hash", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with the request parameter that is not a JWT", - "description": "The 'request' parameter in an authentication request is crucial to authenticate and answer correctly. If a request has a request parameter, that is not a JWT, it means that the OP should refuse it. 
In order to test the OP's behavior, an Authenticaton request is sent with a random value in the request parameter in the URL and the answer is analyzed", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "edit operations": [ - { - "from": "url", - "value": "example", - "edit": "request" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion", - "description": "A request to the introspection endpoint is made without the client assertion in it. 
The OP's response is analyzed", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client assertion type", - "description": "An introspection request without the client_assertion_type parameter is sent and the response analyzed", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + 
"message type": "Token response", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request without the client id is sent and the response is analyzed.", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] 
} ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when receiving an introspection request without the token", - "description": "An introspection request without a token is sent and the introspection response analyzed", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept introspection requests with a wrong client assertion type", - "description": "An introspection request with a wrong value in the client_assertion_type parameter is sent and the response analyzed", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", + "type": 
"passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client id of the Introspection Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Introspection request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", - "value": "https://www.example.com/", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": 
"forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the parameters of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in sending a request with a wrong the parameter in the JWT present in the client_assertion parameter of the request and adapt the signature to make it correct. If the OP accepts the request anyway, then it does not verify the JWT.", - "type": "active", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_value", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", + "message type": "Entity Configuration response OP", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when receiving an introspection request with a wrong token", - "description": "An introspection request with a token not valid is sent and the introspection response analyzed", - "type": "active", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", - "edit operations": [ - { - "from": "body", - "value": "X_not_valid_tkn", - "edit regex": "(?<=token=)([^&]+)" - 
} - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", + "message type": "Resolve Entity Statement response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of token in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request and remove token.", - "type": "active", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=token=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Authentication response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept revocation request without the client assertion", - "description": "In order to verify if the OP checks the presence of the client_assertion parameter in a revocation request, such a request is sent without the client_assertion and the OP's response is analyzed", - "type": "active", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. 
It must contain the access token parameter and its value must be a JWT", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, { "in": "body", - "check": "invalid_client" + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept Revocation Requests without the client assertion type", - "description": "To test if an OP verifies the presence of the client assertion type in the Revocation request, a request withiout client assertion type is sent and the response is analyzed.", - "type": "active", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": 
"invalid_request" + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP accept Revocation Requests without the client id", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request without the client id is sent and the response is analyzed.", - "type": "active", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ - { - "from": "body", - "value": "", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "UserInfo response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, { "in": "body", - "check": "invalid_client" + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client assertion type of the Revocation Request", - "description": "To test if an OP verifies the client assertion type in the Revocation request, a request with a wrong client_assertion_type parameter is sent and the response is analyzed.", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and 
the value of the 'iss' parameter is checked equals to the URL of the OP",
 "type": "active",
 "sessions": [
 "s1"
@@ -8432,12 +9649,19 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation request",
- "edit operations": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
 "from": "body",
- "value": "urn-ietf",
- "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "saved_iss"
+ }
+ ]
 }
 ]
 },
@@ -8445,118 +9669,195 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "saved_iss" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "check": "Content-Type", + "is": "application/json" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "checks": [ { "in": "body", - "check": "invalid_request" + "check": "token_type", + "is": "Bearer" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the client id of the Revocation Request", - "description": "To test if an OP verifies the presence of the client id of the RP in the Revocation request, a request with a wrong client id (not present in the federation) is sent and the response is analyzed.", - "type": "active", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "value": "https://www.example.com/", - "edit regex": "(?<=client_id=)([^&]+)" + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "UserInfo response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Token response", + "decode operations": [ { "from": "body", - "value": "", - "edit regex": "(?<=client_assertion=)([^&]+)" + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, + "decode operations": [ { - "in": "body", - "check": "invalid_client" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made without the client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request without the client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", + "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", + "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. 
In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.",
 "type": "active",
 "sessions": [
 "s1"
@@ -8570,12 +9871,19 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
- "edit operations": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "from": "body",
- "value": "",
- "edit regex": "(?<=client_assertion_type=)([^&]+)"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "header",
+ "jwt edit": "alg",
+ "value": "none"
+ }
+ ]
 }
 ]
 },
@@ -8583,14 +9891,14 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Authentication error response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
 },
 {
- "in": "body",
+ "in": "head",
 "check": "invalid_request"
 }
 ]
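Review bot: The `iss` comparison at the top of this hunk uses `"contains": "saved_iss"`, presumably a substring test, so an ID Token whose `iss` merely embeds the Entity Configuration issuer (an extra prefix or a trailing path) would still pass; an equality check such as the `"is"` used for `Content-Type` and `token_type` further down would pin the value, provided `"is"` honours `"use variable": "true"` — confirm against the tool. The `alg` checks in the two Access Token / ID Token tests deny only `["none", "HS256", "HS384", "HS512"]`, while their descriptions also say an absent `alg` or any other symmetric algorithm must fail; a denylist cannot express that, and it is not visible whether `"is not in"` fails when `$.alg` is missing, so an allowlist of the asymmetric algorithms the profile permits, or at least an added `"is present": "true"` check, would match the stated intent. The two head checks on `Content-Type` are written differently (`"check": "Content-Type"` versus `"check param": "Content-Type"` with `"url decode": false`); if both forms are valid, one of them should be used throughout. The first test's `operations` array starts in the previous hunk.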
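Review bot: This hunk expects `invalid_request` for an Authentication Request whose `alg` is set to `none`, while the wrongly signed request test at `@@ -8629` expects `unauthorized_client`; both are signature-validation failures on the same request object, so the diverging expectations deserve either alignment or a reference in each description to the profile clause that fixes the code. Note also that `"check": "invalid_request"` in `head` is a substring match and so also accepts `invalid_request_object`, the code OpenID Connect Core defines for an invalid Request Object — acceptable if either code is fine, but then the description should say so. The test's `result` line lies outside the hunk.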
@@ -8601,8 +9909,8 @@
 },
 {
 "test": {
- "name": "Does the OP require the client_id in the token request",
- "description": "This test consists in sending a token request without the client_id parameter and analyzing the token response. The response must be a Token Error response.",
+ "name": "Does the OP refuse wrongly signed Authentication Requests",
+ "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",
 "type": "active",
 "sessions": [
 "s1"
@@ -8616,12 +9924,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
- "edit operations": [
+ "message type": "Authentication request",
+ "decode operations": [
 {
- "from": "body",
- "value": "",
- "edit regex": "(?<=client_id=)([^&]+)"
+ "from": "url",
+ "decode param": "request",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
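Review bot: `"jwt sign": "X_wrong_key"` hands a short literal to the signing step, and the hunk does not show whether the tool treats it as raw key material or as the name of a configured test key; if it is raw material, an RS- or ES-signed request object would be re-signed with a key of the wrong type or with a different algorithm, so a rejection could stem from an algorithm/key-type mismatch rather than from the signature verification the description says is under test. A sentence in the description stating what the tool does with this value (for instance "re-signed with a test key that is not in the RP's published JWKS") would make the expected failure mode explicit. The same literal is reused in the client-assertion hunks at `@@ -8662`, `@@ -8708`, `@@ -8755` and `@@ -8801`, so the clarification applies there too. The enclosing `operations` array continues outside the hunk.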
@@ -8629,29 +9942,29 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Authentication error response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s401"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
 },
 {
- "in": "body",
- "check": "invalid_client"
+ "in": "head",
+ "check": "unauthorized_client"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the token response to a token request made without the code parameter return a Token Error response",
- "description": "This test consists in sending a token request without the code parameter and analyzing the token response. The response must be a Token Error response.",
+ "name": "Does the OP verify the signature of the client assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
@@ -8662,12 +9975,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
- "edit operations": [
+ "message type": "Introspection request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=code=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
@@ -8675,7 +9993,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Introspection response",
 "checks": [
 {
 "in": "head",
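Review bot: `"result"` is switched from `"assert_only"` to `"correct flow s1"` for a test whose expected outcome is an `Authentication error response` (302 with `unauthorized_client`); if `correct flow` requires session s1 to complete normally, this negative test can never pass, whereas under `assert_only` the `checks` alone decided it. The same switch is made for the other active negative tests in `@@ -8683`, `@@ -8729` and `@@ -8780`; if `correct flow s1` only means "the session ran to its end and the checks held", a sentence in the tool docs or the description saying so would settle it, otherwise `"result": "assert_only"` should be kept for these. The second test in this hunk also narrows `sessions` to `["s_CIE_introsp"]` while its operations in `@@ -8662` and `@@ -8675` still read `"from session": "s1"`; the removed tests carried the same mix, so this looks intended, but it is worth confirming that `s1` need not be declared in `sessions`.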
@@ -8683,18 +10001,18 @@
 },
 {
 "in": "body",
- "check": "invalid_grant"
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the token response to a token request made without the code_verifier parameter return a Token Error response",
- "description": "This test consists in sending a token request without the code_verifier parameter and analyzing the token response. The response must be a Token Error response.",
+ "name": "Does the OP verify the signature of the client assertion in the Revocation request",
+ "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
 "s1"
@@ -8708,12 +10026,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
- "edit operations": [
+ "message type": "Revocation request",
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=code_verifier=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
@@ -8721,7 +10044,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Revocation response",
 "checks": [
 {
 "in": "head",
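Review bot: The expected error for an introspection request whose client assertion carries a broken signature is set to `invalid_request`, but a failed assertion-based client authentication is an `invalid_client` error under RFC 7521 §4.2.1 (RFC 6749 §5.2 pairs it with a 401), and the tests removed earlier in this file already drew that line by expecting `invalid_client` for a wrong or missing `client_id` and `invalid_request` only for a malformed assertion value. The revocation counterpart at `@@ -8729` has the same expectation. If the target federation profile deliberately maps a bad assertion signature to `invalid_request`, the description should cite the clause; otherwise `"check": "invalid_client"` is the conformant expectation and the status regex, which sits between the hunks and is not visible here, should match a 401.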
@@ -8729,18 +10052,18 @@
 },
 {
 "in": "body",
- "check": "invalid_grant"
+ "check": "invalid_request"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the token response to a token request made without the grant_type parameter return a Token Error response",
- "description": "This test consists in sending a token request without the grant_type parameter and analyzing the token response. The response must be a Token Error response.",
+ "name": "Does the token response to a token request made with a wrong signature return a Token Error response",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -8755,11 +10078,16 @@
 "from session": "s1",
 "then": "forward",
 "message type": "Token request",
- "edit operations": [
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=grant_type=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
@@ -8780,13 +10108,13 @@
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the OP check the client_id in the request",
- "description": "In this test the client_id parameter in the URL of the token request is removed and the response analyzed",
+ "name": "Does the OP's token endpoint refuse assertions signed with a wrong key",
+ "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed",
 "type": "active",
 "sessions": [
 "s1"
@@ -8801,11 +10129,16 @@
 "from session": "s1",
 "then": "forward",
 "message type": "Token request",
- "edit operations": [
+ "decode operations": [
 {
 "from": "body",
- "value": "",
- "edit regex": "(?<=client_id=)([^&]+)"
+ "decode param": "(?<=client_assertion=)([^&]+)",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt sign": "X_wrong_key"
+ }
+ ]
 }
 ]
 },
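Review bot: This hunk's operation is identical to the one in `@@ -8755` — the same `Token request`, the same `decode param` on `client_assertion`, the same `"jwt sign": "X_wrong_key"` — so the "wrong signature" test at `@@ -8780` and this "signed with a wrong key" test exercise the same OP behaviour twice unless the unchanged lines between the hunks differ. Either one of the two should be dropped, or the first should tamper with the signature segment itself rather than re-sign (if the tool offers such an edit), so that a corrupted signature and a signature from a key absent from the RP's JWKS become genuinely distinct cases. The enclosing test body starts and ends outside the hunk.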
@@ -8826,262 +10159,335 @@ ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { - "name": "Does the token response to a token request made with an incorrect client_assertion_type parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong client_assertion_type parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must be an HTTP 200 OK response", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "urn-aert", - "edit regex": "(?<=client_assertion_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Configuration response RP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code parameter (i.e., not belonging to that client ID or a random code) return a Token Error response", - "description": "This test consists in sending a token request with a wrong code parameter (thus not for that client ID or a random code) and analyzing the token response. 
The response must be a Token Error response.", - "type": "active", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Entity Configuration response RP", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_grant" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with an incorrect code_verifier parameter return a Token Error response", - "description": "This test consists in sending a token request with a wrong code_verifier parameter and analyzing the token response. The response must be a Token Error response.", - "type": "active", + "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. 
If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "value": "X_wrong_code", - "edit regex": "(?<=code_verifier=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "in": "url", + "is present": true, + "check": "code_challenge" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP checks that the token request contains the grant_type parameter set correctly", - "description": "In order to validate if the OP checks the token request sent by the RP, in this test we send the grant_type parameter in the request set to and invalid value, just like 'example' and analyze the response", - "type": "active", + "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. 
If it is not present, then the RP is not compliant with the specifications", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", - "edit operations": [ - { - "from": "body", - "value": "example", - "edit regex": "(?<=grant_type=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", + "message type": "Authentication request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "unsupported_grant_type" + "in": "url", + "is present": true, + "check": "code_challenge_method" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "How does the OP behave when the token in the userinfo request is missing", - "description": "A userinfo request without the 'Authorization: Bearer ...' 
field is made and the response analyzed", - "type": "active", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo request", - "edit operations": [ - { - "from": "head", - "value": "", - "edit": "Authorization" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "UserInfo response", + "message type": "Authentication request", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "in": "url", + "is present": true, + "check": "client_id" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is": "X_url_OP" - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } 
@@ -9091,27 +10497,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Introspection Request contain the client_assertion",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
- "is": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
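Review bot: The new presence check `"check regex": "client_assertion"` is an unanchored substring match, so a body carrying only `client_assertion_type=...` satisfies it and the test cannot tell the two parameters apart. The same pattern affects the `client_assertion` checks in the hunks at -9151, -9266 and -9386, the `token` checks at -9236, -9356 and -9566 (which also match `token_type_hint`), and the `code` check at -9476 (which also matches `code_verifier`). If `check regex` runs against the raw form-encoded body, anchoring on the parameter boundary fixes it: `"check regex": "(^|&)client_assertion=[^&]+"`. Whether the tool percent-decodes or re-parses the body before matching is not visible here, so confirm the regex is applied to the raw body before adopting the anchors.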
@@ -9121,27 +10520,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Introspection Request contain the client_assertion_type",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported.value",
- "is": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -9151,27 +10543,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
+ "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported.value",
- "is": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
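Review bot: The check for the "valid JWT" test is byte-identical to the plain presence test in the hunk at -9091 (`"check regex": "client_assertion"`), so the name and description promise a structural check that is never performed. If the body is form-encoded, a regex for three base64url segments separated by dots would at least verify the compact-JWS shape: `"check regex": "(^|&)client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+(&|$)"`. Signature validation is out of reach for a passive regex check, so the description should say "compact JWS structure" rather than "signed JWT" unless a signature check is added elsewhere.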
@@ -9181,52 +10566,43 @@
 },
 {
 "test": {
- "name": "Does the OP issue refresh tokens even when it is not supposed to",
- "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.",
+ "name": "Does the Introspection Request contain the client id of the RP making the request",
+ "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Introspection request",
 "checks": [
 {
 "in": "body",
- "check": "refresh_token",
- "is present": false
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Introspection Request use HTTP POST",
+ "description": "The Introspection request made by the RP use HTTP POST",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
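Review bot: Checking the HTTP method with `"in": "url", "check": "POST"` only works if the tool's `url` scope includes the request line; if it means the request target, the string `POST` is never there and the test can never pass. A `"check regex"` on the `head` scope anchored on the request line, `"check regex": "^POST "`, is the more defensible form, to be confirmed against how mig-t populates these scopes. Separately, both tests in this hunk move `sessions` to `s_CIE_introsp` but the first keeps `"result": "correct flow s1"`; if that token names the session whose flow must be correct, it should read `"result": "correct flow s_CIE_introsp"`, and the same stale value presumably survives in the unchanged context of the hunks at -9091, -9121, -9151 and -9236.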
@@ -9236,27 +10612,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Introspection Request contain the token",
+ "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Introspection request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -9266,27 +10635,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the Revocation Request contain the client assertion",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
@@ -9296,27 +10658,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the Revocation Request contain the client_assertion_type",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -9326,27 +10681,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the Revocation Request contain the client_id of the RP making the request",
+ "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -9356,27 +10704,20 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the Revocation Request contain the token for which the request is made",
+ "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
@@ -9386,27 +10727,20 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the authority_hints parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",
+ "name": "Does the token request contain the client_assertion",
+ "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.authority_hints",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion"
 }
 ]
 }
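Review bot: In the second hunk (-9386) the new description `"The token request sent by the RP must contain client_assertion parameter in the URL"` contradicts the check, which looks at `"in": "body"`; a token request is a POST whose parameters travel in the form-encoded body, so the check is right and the description is wrong. The same wording is repeated in the hunks at -9416, -9446, -9476, -9506 and -9536. Suggested: `"description": "The token request sent by the RP must contain the client_assertion parameter in the request body"`, with the parameter name adjusted in each sibling.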
@@ -9416,27 +10750,20 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does the token request contain the client_assertion_type",
+ "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_assertion_type"
 }
 ]
 }
@@ -9446,27 +10773,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
- "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the token request contain the client_id",
+ "description": "The token request sent by the RP must contain client_id parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "header",
- "check": "$.alg",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "client_id"
 }
 ]
 }
@@ -9476,27 +10796,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header",
- "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.",
+ "name": "Does the token request contain the code parameter",
+ "description": "The token request sent by the RP must contain code parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "header",
- "check": "$.kid",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code"
 }
 ]
 }
@@ -9506,27 +10819,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header",
- "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.",
+ "name": "Does the token request contain the code_verifier parameter",
+ "description": "The token request sent by the RP must contain code_verifier parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "header",
- "check": "$.typ",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "code_verifier"
 }
 ]
 }
@@ -9536,27 +10842,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.",
+ "name": "Does the token request contain the grant_type parameter",
+ "description": "The token request sent by the RP must contain grant_type parameter in the URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Token request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.aud",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "grant_type"
 }
 ]
 }
@@ -9566,27 +10865,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.",
+ "name": "Does the RP revoke the Token when the User logs out",
+ "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.client_id",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token"
 }
 ]
 }
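Review bot: The logout-revocation test in the second hunk (-9566) has as its only check `"check regex": "token"` on the revocation request body, which is the same check as the hunk at -9356 and establishes nothing of what the description claims: neither that the request follows a logout nor that only the access token is revoked. With a passive regex the most that can be pinned is the type hint, `"check regex": "(^|&)token_type_hint=access_token(&|$)"`, and only if the RP sends one; ordering relative to the logout would need an active test with an explicit operation sequence. Either tighten the check or narrow the description to what is actually verified.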
@@ -9596,27 +10888,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.",
+ "name": "Does the RP contain the Access Token in the UserInfo request",
+ "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "UserInfo request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "is present": true,
+ "check param": "Authorization"
 }
 ]
 }
@@ -9626,25 +10911,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.",
+ "name": "Does entity configuration OP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_key_RP"
 }
 ]
 }
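Review bot: In the second hunk (-9626) the test name `"Does entity configuration OP contain a correct sub parameter"` no longer matches the body, which inspects `"Entity Configuration response RP"` and compares `$.sub` with `X_key_RP`; anyone filtering tests by entity will misclassify it. Suggested `"name": "Does entity configuration RP contain a correct sub parameter"`. The description also says the value must equal the `iss` claim, but the check compares against a fixed placeholder rather than `$.iss`; if the tool cannot compare two claims of the same payload, the description should say the value is compared with the configured RP identifier. Also check the UserInfo test in the first hunk: `"check param": "Authorization"` with `is present` confirms the header exists but not that it carries a `Bearer` token as the description states.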
@@ -9656,25 +10941,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked",
+ "name": "Does the RP metadata contain correct value of 'client_id' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.client_id",
+ "is": "x_https_RP"
 }
 ]
 }
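Review bot: The placeholder `"is": "x_https_RP"` is written in lower case, while the comparable placeholder in the hunk at -9626 is `X_key_RP`; if placeholder substitution is case-sensitive this check compares against the literal string and can never pass. Confirm the exact placeholder name the tool substitutes and use one spelling throughout. The description also claims the value "is an HTTPS URL", but an exact `is` comparison against a configured value checks identity, not form; if the schema-style check used in the hunks at -9866 and -9896 is available inside decoded-payload checks, it would express the stated requirement directly.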
@@ -9686,25 +10971,33 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
- "is present": "true"
+ "check": "$.acr_values",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3",
+ "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3",
+ "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3",
+ "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3"
+ ]
 }
 ]
 }
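Review bot: The `is in` list for `$.acr_values` enumerates only ascending combinations, so a value such as `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` fails even though the description only requires the levels to be space-separated. Unless the profile fixes the order, an anchored regex is shorter and order-independent: `"check regex": "^https://www\\.spid\\.gov\\.it/SpidL[123]( https://www\\.spid\\.gov\\.it/SpidL[123])*$"` (it still admits a repeated level, which the list does not). Whether `check regex` is honoured inside a decoded-JWT `checks` entry is not visible in this hunk, so confirm before switching.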
@@ -9716,25 +11009,28 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked",
+ "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
- "is present": "true"
+ "check": "$.prompt",
+ "is in": [
+ "consent",
+ "consent login"
+ ]
 }
 ]
 }
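Review bot: `"is in": ["consent", "consent login"]` rejects `login consent`, although `prompt` is a space-delimited list whose order carries no meaning in OpenID Connect; unless the profile this suite targets mandates the order, `"login consent"` should be added to the list or the check expressed as an order-independent regex. The description's "It must be set to the value 'consent' or 'consent login'" should then be updated to match.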
@@ -9746,25 +11042,32 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.",
+ "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter",
+ "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.scope",
+ "is in": [
+ "openid",
+ "openid profile",
+ "openid email",
+ "openid offline_access",
+ "openid offline_access profile",
+ "openid offline_access email"
+ ]
 }
 ]
 }
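Review bot: The `is in` list for `$.scope` does not cover every combination the description allows: `openid profile email`, `openid offline_access profile email` and any other ordering of the optional values (for example `openid email profile`) are all rejected, so a compliant RP can fail this test. If the tool accepts a regex inside a decoded-payload check, `"check regex": "^openid( (offline_access|profile|email))*$"` matches exactly the described grammar apart from repeated values; otherwise the missing combinations need to be added to the list.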
@@ -9776,25 +11079,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
- "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
+ "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is present": "true"
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
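Review bot: The decode operation uses the key `"decode regex": "[^\\r\\n]*"`, while every other decode operation in this file, including the RP entity-configuration ones at -9626 and -9656, uses `"decode param"`; if `decode regex` is not a key the tool recognises, the body is never decoded and the `is not in` check either errors or passes vacuously. The same key appears in the hunks at -9806 and -9836. Suggested: `"decode param": "[^\\r\\n]*"`. It is also worth confirming what verdict `is not in` yields when the claim is absent, since the intent here is to forbid weak algorithms rather than to require the claim.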
@@ -9806,25 +11114,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header",
- "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.",
+ "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.kid",
- "is present": "true"
+ "in": "payload",
+ "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
+ "is not in": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -9836,25 +11146,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.",
+ "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
+ "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
+ "is not in": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -9866,27 +11181,20 @@ }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.at_hash", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
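Review bot: The `json schema compliant` check is applied to `$` of the Introspection request body, but the other request-side tests in this commit read request bodies as form-encoded (`(?<=client_assertion=)([^&]+)`, `(?<=grant_type=)([^&]+)`), and a URL-encoded body is not a JSON object; the Revocation request and Token request hunks that follow use the same construction. If the runner does not convert form bodies to JSON before evaluating the schema, all three checks would fail on every request regardless of the client_id value. A regex extraction in the style of the grant_type test, `"check regex": "(?<=client_id=)([^&]+)"`, followed by a prefix check on the URL-decoded value (note that `https://` arrives as `https%3A%2F%2F` in a form body), would match how the same body is read elsewhere.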
@@ -9896,27 +11204,20 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.aud", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -9926,27 +11227,20 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.exp", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
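Review bot: The `json schema compliant` value in this hunk ends in `]})`, so the embedded schema string is not valid JSON and the check cannot be compiled at all; the closing characters should be `"required":["client_id"]}` exactly as in the Introspection and Revocation request hunks. The name and description also say the client_id is taken from "the URL of the token request" while the check reads `"in": "body"`, so one of the two should be corrected to match the other.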
@@ -9956,25 +11250,40 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the JWT payload contain a correct sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ], "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.sub", + "contains": "saved_iss" } ] } 
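Review bot: The sub/iss comparison uses `"contains": "saved_iss"`, which is a substring test, while the description requires the two claims to be the same; a client_assertion whose sub merely embeds the issuer value, for example with a path suffix, would pass. The file already uses `"is"` for exact matches on the removed side of later hunks, so if that operator honours `"use variable"`, `"is": "saved_iss"` would pin the intended equality. Whether `"is"` accepts a saved variable is not visible from the hunk and should be confirmed against the runner.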
@@ -9986,25 +11295,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] } ] } 
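Review bot: The negative check is written as `"not contains": ["RSA_1_5"]`, whereas the otherwise identical `userinfo_encrypted_response_alg` test in this commit uses `"is not in": ["RSA_1_5"]`, and every other `contains` in the file takes a single string rather than an array. If the runner has no `not contains` operator, or compares only against a string, this test would either error out or never fail; aligning it to `"is not in": ["RSA_1_5"]` keeps both RP encryption-algorithm checks on one code path. The decode key also differs between the two tests (`decode param` here, `decode regex` there) for no visible reason.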
@@ -10016,56 +11327,68 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", - "type": "passive", + "name": "Does the Revocation Request contain correct client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.jti", - "is present": "true" - } - ] + "value": "https://example.com", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. 
So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.nonce", - "is present": "true" - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] @@ -10076,27 +11399,21 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.sub", - "is present": "true" - } - ] + "jwt check sig": "X_key_RP" } ] } 
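Review bot: The description of the active Revocation test is copied from the passive client_id type test and says the client_id value "is an URI that identifies the RP", but the operations replace client_id with `https://example.com` and then require the OP to answer HTTP 401 with `invalid_client`, so a reader cannot tell from the description what is asserted. A wording such as `The client_id of the RP's Revocation request is replaced with an unrelated HTTPS URL and the OP must reject the request with HTTP 401 and the error invalid_client` would describe the actual check. The `assert_only` result and the grant_type test later in the same hunk look consistent with the rest of the file.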
@@ -10106,20 +11423,21 @@ }, { "test": { - "name": "Does the Introspection Endpoint Response have the active parameter", - "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "active" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "jwt check sig": "X_key_core_RP" } ] } 
@@ -10129,20 +11447,27 @@ }, { "test": { - "name": "Does the Introspection Endpoint returns true on active tokens", - "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "\"active\": true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" + } + ] } ] } 
@@ -10152,20 +11477,27 @@ }, { "test": { - "name": "Does the OP verify the HTTP method of the Revocation request", - "description": "The revocation request must be sent via HTTP POST", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } @@ -10175,20 +11507,27 @@ }, { "test": { - "name": "Does the successful token response contain access token", - "description": "The Token response is analyzed and the presence of the access token is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -10198,20 +11537,27 @@ }, { "test": { - "name": "Does the OP issue the access tokens when requested", - "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] } ] } 
@@ -10221,20 +11567,27 @@ }, { "test": { - "name": "Does the OP issue the expires_in in a token response", - "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "expires_in" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + } + ] } ] } 
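Review bot: The `state` pattern `^[\\u0020-\\u007E]{32,}$` accepts any printable ASCII character, while the description says "32 alphanumeric characters" and the name says "greater than 32" although `{32,}` also accepts exactly 32; the `nonce` hunk that follows has the same three-way mismatch. Either narrow the pattern to `^[A-Za-z0-9]{32,}$` if alphanumeric is the requirement, or change the name and description to say "at least 32 printable ASCII characters". Both tests read the JWT via `"decode param": "request"` with `"from": "url"`, the only place in this commit where the value is a parameter name rather than a regex; if the runner treats every `decode param` as a regex it would match the literal word `request` instead of the JWT, so this is worth confirming.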
@@ -10244,20 +11597,27 @@ }, { "test": { - "name": "Does the successful token response contain the ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "id_token" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + } + ] } ] } 
@@ -10267,20 +11627,27 @@ }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + } + ] } ] } 
@@ -10290,20 +11657,27 @@ }, { "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + } + ] } ] } 
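Review bot: The schema in this hunk's `json schema compliant` value closes with `"requirement":["grant_type"]`, which is not a JSON Schema keyword and names a property that does not exist, so the schema requires nothing and an RP whose metadata lacks `grant_types` passes this test; it should read `"required":["grant_types"]`. The `grant_types` enum test in the next hunk already uses the correct keyword and property name.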
@@ -10313,21 +11687,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_OP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + } + ] } ] } 
@@ -10337,21 +11717,27 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\n\\r]*", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] } ] } 
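Review bot: The logo_uri pattern `^(https?://).*\\\\.svg$` accepts plain `http://`, whereas every other URI check added in this commit (client_id, redirect_uris) pins `^https://`; if the profile requires HTTPS for logo_uri as well, `"pattern": "^https://.*\\\\.svg$"` would close the gap, and if HTTP is intentionally tolerated the description should say so. Note also that `"format": "uri"` is an annotation that most validators ignore unless format assertion is switched on, so in this and the sibling schemas the `pattern` is the effective check.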
@@ -10361,21 +11747,27 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_core_OP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + } + ] } ] } 
@@ -10385,31 +11777,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumy
ktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } 
@@ -10421,20 +11807,27 @@ }, { "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check": "Content-Type", - "is": "application/json" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } 
@@ -10444,20 +11837,27 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "check": "token_type", - "is": "Bearer" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + } + ] } ] } 
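Review bot: The aud schema places `"format": "uri-reference"` on a value of `"type": "array"`, where `format` has no effect, so the only thing verified is that aud is an array and the description's "must be an URL" is not enforced. Moving the constraint onto the elements, `{"type": "array", "items": {"type": "string", "format": "uri", "pattern": "^https://"}}`, would check each audience value. RFC 7519 also permits a single-string aud, so if the RP under test sends a string this array-only type would reject an otherwise valid assertion; whether the profile mandates the array form should be confirmed.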
@@ -10467,26 +11867,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Token request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3p
DoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", - "is": "JWT" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
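Review bot: "timestap" in the description should be "timestamp"; the same typo appears in the iat hunk that follows. The schema only verifies that exp is a non-negative integer, not that it lies in the future, so an already-expired client_assertion passes this test; if the runner has no time-aware operator, the description should say "a non-negative integer timestamp" rather than imply the expiry is validated.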
@@ -10498,20 +11897,27 @@ }, { "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "code" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
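Review bot: This iat test and the exp test above use `"decode param": "(?<=client_assertion=)([^&]+)"`, while every other new Entity Configuration test in this patch uses `"decode regex": "[^\\r\\n]*"` for the same kind of extraction; if the tool treats `decode param` as a literal parameter name rather than a regex, the lookbehind would never match and the test would silently never decode anything, so it is worth confirming which key is intended here and using one consistently. As with exp, the schema `{"type": "integer", "minimum": 0}` is a type check only: an `iat` set in the future is not caught, and the description should not call the value "correct" on that basis. The description also repeats the typo `timestap` → `timestamp`.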
@@ -10521,20 +11927,29 @@ }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "iss" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] + } + ] } ] } 
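Review bot: The check `$.metadata.openid_relying_party.client_registration_types[0]` inspects only the first array element, so the result depends on element order: `["automatic", "explicit"]` passes even though a non-automatic type is advertised, while `["explicit", "automatic"]` fails although "automatic" is present. Since `json schema compliant` is already used elsewhere in this patch, the whole array can be validated instead, e.g. `"check": "$.metadata.openid_relying_party.client_registration_types"` with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"enum\": [\"automatic\"]}}"` — assuming the tool applies the schema to the value at a sub-path and not only to `$`, which I cannot confirm from this file.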
@@ -10544,20 +11959,30 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check param": "Location", - "contains": "state" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] + } + ] } ] } 
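Review bot: The description says grant_types must contain both `authorization_code` and `refresh_token`, but the check only asserts that `grant_types[0]` is one of the two, so `["refresh_token"]`, `["authorization_code"]` or `["authorization_code", "implicit"]` all pass and the stated requirement is not actually tested. If the schema validator supports draft-06+ `contains`, the whole array can be checked with `"check": "$.metadata.openid_relying_party.grant_types"` and `"json schema compliant": "{\"type\": \"array\", \"allOf\": [{\"contains\": {\"const\": \"authorization_code\"}}, {\"contains\": {\"const\": \"refresh_token\"}}]}"`; otherwise split this into two checks, one per required value. Either way the description and the check should agree on whether both values are required or either is sufficient.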
@@ -10567,20 +11992,30 @@ }, { "test": { - "name": "Does the token response have Cache-Control set to 'no-store'", - "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check param": "Cache-Control", - "contains": "no-store" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] + } + ] } ] } 
@@ -10590,40 +12025,30 @@ }, { "test": { - "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", - "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", - "type": "active", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "message operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "edit": "(?<=token=)([^&]+)", - "in": "123.123.123" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -10633,29 +12058,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" ] } ] 
@@ -10668,29 +12091,26 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" ] } ] 
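Review bot: The description `the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'` reads like leftover schema notation and does not say what the test enforces; since the check is `is in ["private_key_jwt"]`, a clearer wording is `"description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter must be 'private_key_jwt'; any other client authentication method (e.g. client_secret_basic) is not compliant"`. Requiring `private_key_jwt` here is the right security property for a federation RP, so the check itself looks correct; only the wording needs attention.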
@@ -10703,3331 +12123,2986 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the client_id parameter", - "description": "The 'client_id' parameter in an authentication request's JWT 
identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", - "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", - "type": "active", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the nonce parameter", - "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter", - "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": 
"Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the state parameter", - "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is 
present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", - "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP 
refuse Authentication Requests with a wrong claims parameter", - "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", - "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", - "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, 
- { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", - "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": 
"$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": 
{ - "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", - "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", - "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. 
If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", - "type": "active", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "unsupported_response_type" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", - "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. 
So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", - "type": "active", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_scope" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - 
"session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the acr_values parameter", - "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", - "type": "active", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": 
"$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the aud parameter", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + 
"result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the claims parameter", - "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the exp parameter", - "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": 
"start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iat parameter", - "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", 
+ "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iss parameter", - "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the prompt parameter", - "description": "An Authenticaton request is sent without the prompt 
parameter in the JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", - "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication 
request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the response_type parameter", - "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message 
type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse an RP without trusted Trust Marks", - "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", - "type": "active", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.trust_marks", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly validate the trust chain of an RP authentication request", - "description": "When an OP receives an authentication request, it must proceed with an Entity 
Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", - "type": "active", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.authority_hints", - "value": "https://www.wrongsite.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_client" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", - "description": "This test aims to check if the OP checks the correctness of the client_id parameter. 
The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", - "type": "active", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", - "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. 
In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", - "type": "active", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Request with a wrong redirect URI", - "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. 
To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", - "type": "active", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "https://www.example.com/" - }, - { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is 
checked. If it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud[0]", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.acr_values", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. 
If it missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.aud", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. 
If it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - 
"decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.client_id", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", - "type": "active", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": 
"HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", - "description": 
"Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token 
in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.nonce", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. 
If it is missing, than the RP is not compliant with the specifications", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.prompt", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.redirect_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.response_type", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the exp parameter in the 
client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.state", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. 
If it is missing, the RP is not compliant with the specifications", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.ui_locales", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the signed JWT assertion contain the 
aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Token request", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token request", "decode operations": [ { "from": "body", "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "decode operations": [ + { 
+ "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. 
So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct type of client assertion", + 
"description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Revocation request", + "checks": [ + { + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Revocation request", + "checks": [ + { + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "checks": [ + { + "in": "body", + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "checks": [ + { + "in": "head", + "check regex": "POST", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the 
RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "UserInfo request", + "checks": [ + { + "in": "head", + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.client_id", + "as": "client_id" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "contains": "client_id" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. 
If it is another value or is missing, than the RP is not compliant with the specifications", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "contains": "iss" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.redirect_uri", + "as": "redirect_uris" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + 
"check": "$.metadata.openid_relying_party.redirect_uris", + "contains": "redirect_uris" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.response_type", + "as": "response_types_supported" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "contains": "response_types_supported" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. 
Its value must be an URL identifying the RP", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.metadata.openid_relying_party.client_id", + "as": "client_id" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "client_id" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.aud[0]", + 
"contains": "saved_iss" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check": "client_id", + "is": "X_url_RP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Revocation request", + "checks": [ + { + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to 
urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "checks": [ + { + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "checks": [ + { + "in": "body", + "check": "client_id", + "is": "X_https_RP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. 
If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the 
metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] } ] } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] + ], + "result": "correct flow s1" } - ], - "result": "assert_only" - } + } + ] }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must be an HTTP 200 OK response", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "abc" - }, - { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Entity Configuration response SA", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Entity Configuration response SA", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "abc" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "abc" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", - "type": "active", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is missing", - "type": "active", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint", - "type": "active", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "https://www.example.com" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong", - "type": "active", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681716340" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the iat claim is wrong", - "type": "active", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681716340" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", - "type": "active", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", - "type": "active", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "https://www.example.com" - }, + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt sign": "X_key_core_RP" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. 
The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
@@ -14040,20 +15115,34 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
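Review bot: The added `"decode param": "$.trust_marks.trust_mark"` addresses `trust_marks` as an object, while the neighbouring tests use `$.trust_marks[0].trust_mark`; in an Entity Statement `trust_marks` is a JSON array, so this path most likely resolves to nothing and the schema check never sees a real Trust Mark. The same path is used in the email, exp, iat, organization_name and ref tests of the RP section further down. Change it to `"decode param": "$.trust_marks[0].trust_mark"` for consistency (or `$.trust_marks[*].trust_mark` if the tool's JSONPath evaluator iterates over matches, so Trust Marks after the first are not skipped). Separately, `"format": "uri"` is an annotation that many validators do not enforce unless asked; the other URL tests in this commit pair it with `"pattern": "^https://"`, which is what actually constrains the value. The enclosing test object closes outside the hunk.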
@@ -14063,20 +15152,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
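Review bot: The schema string in the added `json schema compliant` line cannot work as written: its keywords carry trailing spaces (`\"type \"`, `\"properties \"`, `\"enum \"`, `\"required \"`) and `\u00a0` (a non-breaking space) sits between several colons and their values. A strict JSON parser rejects U+00A0 as whitespace, and even if the string were parsed, `type `/`required ` are unknown keywords that a validator ignores, so the check would accept any payload while `\"full \"` and `\"light \"` would never match a real value. The same damaged strings appear in the email test and, in the RP section, in the organization_name and second sa_profile tests. Replace the value with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"sa_profile\": {\"type\": \"string\", \"enum\": [\"full\", \"light\"]}}, \"required\": [\"sa_profile\"]}"` and apply the same cleanup to the other three. The enclosing test object closes outside the hunk.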
@@ -14086,28 +15189,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of",
- "is subset of": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ }
 ]
 }
 ]
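Review bot: The test name and description describe a Trust Mark issued for an AA (oauth_resource profile), but the added `"message type": "Entity Statement response SA OP"` filter selects the SA's statement about an OP, and the schema lists `service_documentation` under `"required"`; a Trust Mark issued to an OP does not necessarily carry that claim, so this test would presumably report compliant OP statements as failures. The same mismatch is in the tos_uri test of this section and in the policy_uri, service_documentation, tos_uri and sa_profile tests placed under `Entity Statement response SA RP` further down. If these are meant as AA-specific checks, filter on the message type that carries the AA's statement, or drop the `"required"` list so absence of the claim is not a failure; otherwise rename the tests so that name, description and filtered message type agree. The enclosing test object closes outside the hunk.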
@@ -14120,26 +15226,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is subset of": [
- "S256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ }
 ]
 }
 ]
@@ -14152,27 +15263,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of",
- "is subset of": [
- "refresh_token",
- "authorization_code"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ }
 ]
 }
 ]
@@ -14185,27 +15300,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
 ]
 }
 ]
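Review bot: The description of the added claims test says the value of `claims` is checked to be a list, but the schema in the `json schema compliant` line requires `"type": "object"` and, through `additionalProperties`, additionally forces every member of it to be an object; one of the two is wrong, and the extra member constraint is not mentioned in the description at all. If `claims` is an object keyed by claim name, drop the `additionalProperties` clause unless its values really are objects and reword the description to `...the value of the claims claim is checked to be a JSON object`; if it is a list, use `"type": "array"`. This AA (oauth_resource) test is also filtered on `Entity Statement response SA RP`, so the claim being required will presumably fail RP statements that do not carry it. The enclosing test object closes outside the hunk.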
@@ -14218,27 +15337,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
 ]
 }
 ]
@@ -14251,27 +15374,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
 ]
 }
 ]
@@ -14284,27 +15411,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
- "is subset of": [
- "form_post",
- "query"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
 ]
 }
 ]
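Review bot: The added schema requires `id_code` to contain `fiscal_number` or `vat_number` on every `Entity Statement response SA RP`, while the public-organization test further down requires `ipa_code` on the same message type; neither test looks at `organization_name`, so for any single Trust Mark at least one of the two reports a failure. Make the requirement conditional on the organization type, e.g. `"json schema compliant": "{\"type\": \"object\", \"required\": [\"id_code\"], \"if\": {\"properties\": {\"organization_name\": {\"const\": \"private\"}}, \"required\": [\"organization_name\"]}, \"then\": {\"properties\": {\"id_code\": {\"type\": \"object\", \"anyOf\": [{\"required\": [\"fiscal_number\"]}, {\"required\": [\"vat_number\"]}]}}}}"`, with the mirror condition on `"public"`/`ipa_code` in the other test; `if`/`then` needs a draft-07 or later validator, which the tool's schema engine would have to support. The enclosing test object closes outside the hunk.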
@@ -14317,26 +15448,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is subset of": [
- "code"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
 ]
 }
 ]
@@ -14349,26 +15485,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the Trust Mark contain correcty type of id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
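Review bot: The `"additionalProperties": {"type": "object"}` clause in the added id_code schema requires every member of `id_code` to be an object itself, which contradicts the ipa_code test in this same section (`\"ipa_code\": { \"type\":\"string\"}`) and goes beyond the description, which only asks for `id_code` to be a JSON Object; a valid `{"ipa_code": "<some code>"}` would fail here. Reduce the schema to `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"`. The test name also has a typo, `correcty` → `correct`. The enclosing test object closes outside the hunk.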
@@ -14381,29 +15522,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
- "is subset of": [
- "openid",
- "offline_access",
- "profile",
- "email"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
@@ -14416,26 +15559,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']",
+ "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is subset of": [
- "pairwise"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
 ]
 }
 ]
@@ -14448,26 +15596,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the Trust Mark contain a correct iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ }
 ]
 }
 ]
@@ -14480,27 +15633,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the Trust Mark contain correct type of logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
+ }
 ]
 }
 ]
@@ -14513,27 +15670,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
 ]
 }
 ]
@@ -14546,27 +15707,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
+ }
 ]
 }
 ]
@@ -14579,27 +15744,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks.trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
 ]
 }
 ]
@@ -14612,26 +15781,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
+ }
 ]
 }
 ]
@@ -14644,27 +15818,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_token"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
+ }
 ]
 }
 ]
@@ -14677,27 +15855,31 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
{
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
+ }
]
}
]
@@ -14710,26 +15892,31 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
{
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
+ }
]
}
]
@@ -14742,26 +15929,34 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the Trust Mark contain correct value for organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
{
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256\" , \"RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
+ }
]
}
]
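Review bot: This test and the one in the next hunk carry the identical name `Does the Trust Mark contain correct value for organization_type claim` while targeting different statements (`SA OP` here, `SA RP` below); if the runner or its report keys results by name, one of the two results becomes indistinguishable, so the name should carry the entity, e.g. `... claim (OP)` / `... claim (RP)`. The same two hunks also switch `result` from the string `"correct flow s1"` used by every other test in this chunk to the array `["s1"]`, while the last hunk of the chunk switches another test back to the string form; a field that is sometimes a string and sometimes an array is a parser hazard, and I cannot tell from here whether mig-t treats the two spellings as equivalent.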
@@ -14769,31 +15964,41 @@
]
}
],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
}
},
{
"test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the Trust Mark contain correct value for organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
{
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
+ }
]
}
]
@@ -14801,20 +16006,22 @@
]
}
],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
}
},
{
"test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does entity configuration OP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
"decode operations": [
{
"from": "body",
@@ -14823,10 +16030,8 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
- ]
+ "check": "$.sub",
+ "is": "X_key_SA"
}
]
}
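Review bot: The new `sub` test does not assert what its description promises: the description says `sub` must equal `iss`, but the check is `"check": "$.sub", "is": "X_key_SA"`, i.e. equality with a configured placeholder, and `X_key_SA` is the same placeholder the hunks below hand to `jwt check sig` as the verification key. Unless the variable resolves differently by context, it cannot be both the SA's entity identifier and its key, and this check will either always fail or compare against the wrong value. The name also says `entity configuration OP` while the message type is `Entity Configuration response SA`. If mig-t cannot compare two claims of the same payload, the description should be reworded to say that `sub` is compared with the configured SA identifier, and the placeholder should be a distinct `X_id_SA`-style name rather than the key variable.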
@@ -14838,28 +16043,26 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
"decode operations": [
{
"from": "body",
"decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
+ "decode operations": [
{
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "jwt check sig": "X_key_SA"
}
]
}
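Review bot: `jwt check sig` is applied only to `$.trust_marks[0].trust_mark`, so any further trust marks in the statement are never signature-checked, and the key is the fixed `X_key_SA` rather than the key of the mark's `iss`; a mark legitimately issued by another trust-mark issuer would fail this test, and a second mark signed with a wrong key would pass it. If mig-t cannot iterate the array, the description should state that only the first mark is covered. It would also be worth asserting the trust-mark header `alg` against the allowed asymmetric algorithms before the signature step, if the tool supports it, so that an unexpected `alg` is reported by the suite rather than left to the verifier library. The identically named test in the next hunk has the same limits.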
@@ -14871,27 +16074,26 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the SA correctly sign the Trust marks",
+ "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
"decode operations": [
{
"from": "body",
"decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
+ "decode operations": [
{
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
- ]
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "jwt check sig": "X_key_SA"
}
]
}
@@ -14903,30 +16105,21 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response SA",
"decode operations": [
{
"from": "body",
"decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "jwt check sig": "X_key_SA"
}
]
}
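Review bot: The description says the verification key must be taken from the Entity Statement of a superior, but the check passes the configured constant `X_key_SA`; with a static key the test cannot detect an SA whose self-signed Entity Configuration is signed with a key the TA never published for it, which is exactly the property the description is about. If mig-t can reference a previously decoded message, the key should come from the `jwks` of the TA's statement about the SA; otherwise the description should say plainly that the key is taken from the test configuration, so nobody reads this as a chain check.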
@@ -14936,29 +16129,21 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the SA correctly signs the Entity Statement",
+ "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
"decode operations": [
{
"from": "body",
"decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
- ]
- }
- ]
+ "jwt check sig": "X_key_SA"
}
]
}
@@ -14968,30 +16153,21 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
+ "name": "Does the SA correctly signs the Entity Statement",
+ "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
"decode operations": [
{
"from": "body",
"decode param": "[^\\r\\n]*",
"type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_toke"
- ]
- }
- ]
+ "jwt check sig": "X_key_SA"
}
]
}
@@ -15001,28 +16177,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": 
{\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } @@ -15034,15 +16207,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -15051,11 +16224,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -15067,15 +16237,15 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response SA",
"decode operations": [
{
"from": "body",
@@ -15084,11 +16254,8 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
}
]
}
@@ -15100,15 +16267,15 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response SA",
"decode operations": [
{
"from": "body",
@@ -15117,10 +16284,8 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
}
]
}
@@ -15132,27 +16297,25 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response SA",
"decode operations": [
{
"from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
"type": "jwt",
"checks": [
{
"in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
- ]
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
}
]
}
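Review bot: The name and description of the logo_uri test speak of the TA Entity Configuration and the SA metadata inside it, but the operation reads `Entity Configuration response SA` and checks `$.metadata.federation_entity` of that document, i.e. the SA's own federation_entity metadata; one of the two must be corrected, because as written a reader cannot tell which entity is expected to publish the logo. The schema itself is sound: `format: uri` is annotation-only in most validators, so the `^https://.*\\.svg$` pattern is what enforces both the scheme and the file type.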
@@ -15164,15 +16327,15 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Configuration response SA",
"decode operations": [
{
"from": "body",
@@ -15181,11 +16344,8 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
}
]
}
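Review bot: The added schema types `trust_marks` as an object whose values are arrays, but the description on the same hunk says it must be a JSON array of Trust Marks, and every other new test in this chunk indexes it as `$.trust_marks[0].trust_mark`, i.e. an array of objects carrying `id` and `trust_mark`. As written the check rejects an Entity Configuration shaped the way the rest of the suite expects and would accept a malformed one. The schema should be the escaped form of `{"type": "object", "properties": {"trust_marks": {"type": "array", "minItems": 1, "items": {"type": "object", "properties": {"id": {"type": "string"}, "trust_mark": {"type": "string"}}, "required": ["id", "trust_mark"]}}}, "required": ["trust_marks"]}`.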
@@ -15197,15 +16357,15 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
"decode operations": [
{
"from": "body",
@@ -15214,11 +16374,8 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
}
]
}
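Review bot: The new description is copied from the TA tests and no longer matches the operation: it says the statement is fetched from `the TA's fetch endpoint` while the message type is `Entity Statement response SA OP`, it calls the decoded payload `decrypted` although the statement is only signed, and it has the typo `the the exp parameter`. The same description, with the same defects, is pasted into the three following hunks; I would fix it once as `... (HTTP GET request to the SA's fetch endpoint) ... once obtained the decoded Payload, the exp parameter is checked ...` and, since four tests now share two names, add the target entity (OP/RP) to the names.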
@@ -15230,15 +16387,15 @@
},
{
"test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA OP",
"decode operations": [
{
"from": "body",
@@ -15247,11 +16404,8 @@
"checks": [
{
"in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
}
]
}
@@ -15263,21 +16417,27 @@
},
{
"test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
"type": "passive",
"sessions": [
"s1"
],
"operations": [
{
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
{
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
}
]
}
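Review bot: This hunk turns the only header-level check visible in this chunk, `Content-Type` equal to `application/entity-statement+jwt` on the TA's entity configuration response, into another `exp` schema test on the SA's RP statement; nothing else in this chunk re-adds the media-type check, and I cannot see from here whether it was moved to one of the other files in the patch. If it was not, the suite loses a cheap conformance check that catches entities serving their configuration as `application/jwt` or `text/plain`, so please confirm it survives elsewhere or keep it alongside the new test.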
@@ -15287,99 +16447,75 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the SA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.jwks", + "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15416,7 +16552,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", 
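Review bot: The jwks check in the second test of the hunk that ends here accepts any `value`: the schema `{"type":"object", "properties": {"value": {}}, "required": ["value"]}` requires only that the key exists, so `"jwks": {"value": null}` passes although the description demands the RP's JWKS. Declaring `value` as an object whose `keys` property is a non-empty array of objects would check what the description promises. The first test in the hunk reuses the name `Does Entity Statements issued by the SA contain a correct iat parameter` already given to the SA OP variant earlier on this page; naming the subject keeps reports unambiguous. Its decode operation also spells the pattern `[^\\n\\r]*` where the rest of the file uses `[^\\r\\n]*`; the classes are equivalent, but one spelling is easier to grep for.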
@@ -15453,7 +16589,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15490,7 +16626,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15520,14 +16656,14 @@ { "test": { "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15556,7 +16692,7 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", + "name": "Does the Trust Mark contain the id_code claim", "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ @@ -15564,7 +16700,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", 
@@ -15593,15 +16729,15 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15615,7 +16751,7 @@ "checks": [ { "in": "payload", - "check": "$.id_code.ipa_code", + "check": "iss", "is present": "true" } ] @@ -15630,15 +16766,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15652,7 +16788,7 @@ "checks": [ { "in": "payload", - "check": "iss", + "check": "logo_uri", "is present": "true" } ] 
@@ -15667,15 +16803,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15689,7 +16825,7 @@ "checks": [ { "in": "payload", - "check": "logo_uri", + "check": "organization_name", "is present": "true" } ] @@ -15704,15 +16840,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15726,7 +16862,7 @@ "checks": [ { "in": "payload", - "check": "organization_name", + "check": "organization_type", "is present": "true" } ] 
@@ -15741,15 +16877,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15763,7 +16899,7 @@ "checks": [ { "in": "payload", - "check": "organization_type", + "check": "policy_uri", "is present": "true" } ] @@ -15778,15 +16914,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15800,7 +16936,7 @@ "checks": [ { "in": "payload", - "check": "policy_uri", + "check": "ref", "is present": "true" } ] 
@@ -15815,15 +16951,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15837,7 +16973,7 @@ "checks": [ { "in": "payload", - "check": "ref", + "check": "sa_profile", "is present": "true" } ] @@ -15853,14 +16989,14 @@ { "test": { "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", 
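Review bot: The sa_profile test in the first hunk on this line now matches `Entity Statement response SA OP`, yet its description still says the Trust Mark is "issued by a TA for an SA"; the statement an SA issues about an OP carries that OP's trust marks, so `$.trust_marks[0].trust_mark` decoded here is unlikely to contain `sa_profile` and the test would fail on a compliant deployment, unless mig-t resolves the message type differently from how I read it. The `Entity Statement response SA RP` copy of the same test appears in a later hunk with the same mismatch. Either point the test at the statement the TA issues about the SA, or rename it to say which trust mark of the subject is expected to carry the claim. Indexing `trust_marks[0]` also assumes the relevant mark comes first; a subject with several marks would be checked on the wrong one without any signal.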
@@ -15889,15 +17025,15 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15927,14 +17063,14 @@ { "test": { "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -15964,14 +17100,14 @@ { "test": { "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -16008,7 +17144,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16045,7 +17181,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16082,7 +17218,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16112,14 +17248,14 @@ { "test": { "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16148,7 +17284,7 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", + "name": "Does the Trust Mark contain the id_code claim", "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ @@ -16156,7 +17292,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -16183,54 +17319,17 @@ "result": "correct flow s1" } }, - { - "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response TA RP", - "decode operations": [ - { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, { "test": { "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16267,7 +17366,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16304,7 +17403,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16341,7 +17440,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
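Review bot: The first hunk on this line removes the only RP-side check that `$.id_code.ipa_code` is present in an issued Trust Mark, and the OP-side copy disappears the same way in an earlier hunk, with no replacement visible in this patch. If SA-issued trust marks for public organizations are still expected to carry `ipa_code`, that coverage is gone; if it was dropped on purpose, a sentence in the commit message saying why would spare the next reader the search. The iss description touched here also loses its trailing period while the id_code description in the previous hunk keeps it; the patch should settle on one form.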
@@ -16371,14 +17470,14 @@ { "test": { "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16415,7 +17514,7 @@ ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", 
@@ -16444,52 +17543,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response TA RP", - "decode operations": [ - { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16503,7 +17565,7 @@ "checks": [ { "in": "payload", - "check": "sub", + "check": "sa_profile", "is present": "true" } ] 
@@ -16518,15 +17580,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16540,7 +17602,7 @@ "checks": [ { "in": "payload", - "check": "tos_uri", + "check": "service_documentation", "is present": "true" } ] @@ -16555,15 +17617,15 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -16577,7 +17639,7 @@ "checks": [ { "in": "payload", - "check": "sa_profile", + "check": "sub", "is present": "true" } ] 
@@ -16592,25 +17654,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.constraints.max_path_length", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } @@ -16622,15 +17691,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the contacts parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", 
@@ -16652,15 +17721,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -16682,15 +17751,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", 
@@ -16712,15 +17781,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -16742,15 +17811,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", 
@@ -16772,15 +17841,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the homepage_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -16802,15 +17871,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the logo_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", 
@@ -16832,15 +17901,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the organization_name parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -16862,15 +17931,15 @@ }, { "test": { - "name": "Does the Entity's metadata contain the policy_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", 
@@ -16892,54 +17961,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response TA OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. 
It must contain the key 'one_of'", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "check": "$.exp", "is present": "true" } ] @@ -16952,24 +17991,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "check": "$.iat", "is present": "true" } ] 
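Review bot: The exp test in the hunk that ends here only asserts `"is present": "true"` on `$.exp`, whereas the Entity Statement exp and iat tests earlier on this page validate the value with an integer schema; the iat, iss and jwks tests in the next hunks take the same presence-only form. Reusing the Entity Statement form here, `"check": "$"` with a `json schema compliant` schema that requires `exp` (and `iat`) to be a non-negative integer, would keep the Entity Configuration checks as strict as the Entity Statement ones. The name `Does entity configuration contain the exp parameter` also drops the subject that the other renamed tests carry (`Does the SA's metadata contain …`), and its description speaks of "the interested entity" although the message type is fixed to `Entity Configuration response SA`; `Does the SA's entity configuration contain the exp parameter` would match.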
@@ -16982,24 +18021,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -17012,24 +18051,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -17042,24 +18081,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "check": "$.metadata",
 "is present": "true"
 }
 ]
@@ -17072,24 +18111,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -17102,24 +18141,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -17132,24 +18171,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "check": "$.constraints",
 "is present": "true"
 }
 ]
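Review bot: The new descriptions in this hunk and in the hunks from @@ -17162 through @@ -17582 say the payload is "decrypted" after base64url decoding, which is inaccurate: an Entity Statement is a signed JWS whose payload is merely encoded, not encrypted, and nothing in these checks verifies the signature either, so "decoded" is the right word. They also read "the presence if the … parameter" and "Does Entity Statements", which should be "the presence of" and "Do Entity Statements". In the SA hunks at @@ -17162, @@ -17192, @@ -17222, @@ -17252, @@ -17312, @@ -17402, @@ -17432, @@ -17462, @@ -17492 and @@ -17552 the description still says the request goes to "the TA's fetch endpoint", although the name and the `"message type": "Entity Statement response SA OP"` / `SA RP` line refer to the SA; those should read "the SA's fetch endpoint" as this hunk and @@ -17282, @@ -17342, @@ -17372, @@ -17522 and @@ -17582 already do.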
@@ -17162,24 +18201,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
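Review bot: `"check": "$.exp"` with `"is present": "true"` only establishes that the claim exists, so an Entity Statement that expired long ago, or whose `exp` precedes `iat`, still passes, while the description claims to "check if the SA issues correct Entity statements". If the check DSL can compare claim values (nothing in this file shows whether it can), a check that `exp` lies in the future and after `iat` would give the test real meaning; otherwise the description should state that only the presence of `exp` is verified, as the entity-configuration variant at @@ -16892 already does. The same applies to the RP `exp` hunk at @@ -17402 and to the `iat` hunks at @@ -17192 and @@ -17432.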
@@ -17192,24 +18231,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -17222,24 +18261,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -17252,24 +18291,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -17282,24 +18321,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
+ "check": "$.metadata_policy",
 "is present": "true"
 }
 ]
@@ -17312,24 +18351,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -17342,24 +18381,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -17372,24 +18411,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "check": "$.constraints",
 "is present": "true"
 }
 ]
@@ -17402,24 +18441,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -17432,24 +18471,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
@@ -17462,24 +18501,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "check": "$.iss",
 "is present": "true"
 }
 ]
@@ -17492,24 +18531,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "check": "$.jwks",
 "is present": "true"
 }
 ]
@@ -17522,24 +18561,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "check": "$.metadata_policy",
 "is present": "true"
 }
 ]
@@ -17552,24 +18591,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "check": "$.sub",
 "is present": "true"
 }
 ]
@@ -17582,24 +18621,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "check": "$.trust_marks",
 "is present": "true"
 }
 ]
@@ -17612,27 +18651,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
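Review bot: The description requires `Content-Type: application/entity-statement+jwt`, but the only check added is a body regex, so a response served with a wrong or missing content type still passes; if the check DSL can inspect response headers (nothing visible here shows that), the content type should be asserted as well. The regex itself is unanchored, so any `a.b.c` substring anywhere in the body satisfies it, and `[\\w=]+` admits `=` and `_` but not `-`, which belongs to the base64url alphabet a JWS header or payload segment may legitimately contain. A stricter pattern that covers the whole body and the real alphabet is `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"`. The same alphabet issue is in the regex at @@ -17702.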
@@ -17642,27 +18674,20 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is present": "true"
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
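Review bot: The new `check regex` begins with an unescaped `[`, so the engine reads `[\s*"[^"]*"…` as a character class rather than a literal opening bracket: a Java engine rejects the pattern as an unclosed character class, and PCRE-style engines take `[\s*"[^"]` as the class and match something unrelated, so the test cannot do what its description says. The bracket needs escaping, and a `^` anchor makes the match cover the whole body: `"check regex": "^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Beyond that, the description expects the resolved metadata of the entity named in `sub`, while this pattern accepts a JSON array of strings, and the pattern in the next hunk at @@ -17672 accepts a JSON object although its description expects a list of Entity Identifiers; the two patterns appear to be swapped, and a resolve response is normally a signed JWT rather than a bare array, so the expected shape here should be confirmed against the profile being tested.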
@@ -17672,27 +18697,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", + "is present": "true" } ] } 
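Review bot: The new regex expects a JSON object (`^\\{ ... \\}$`) while the description says the listing endpoint returns "a JSON list with the known Entity Identifiers", so the check cannot succeed against the response the description promises; the array pattern `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` that this diff removes elsewhere matches the described shape. The `[^\\r\\n]*.^` prefix also only matches under multiline and dotall flags, which the file does not indicate. The description itself is a copy of the resolve-endpoint text: it says "the resolve entity statement endpoint" and "an HTTP GET request entity's endpoint"; I would write `"description": "In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request is made to the entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected"`.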
@@ -17702,27 +18720,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Entity Statement response SA OP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
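Review bot: The `[^\\r\\n]*.^` prefix in the new `check regex` makes the pattern hard to satisfy: `.` does not consume a line break under default flags, so the `^` that follows it can only match if the engine runs with both multiline and dotall enabled, which nothing in the file shows. The same entity-statement test for the SA's entity configuration earlier in this diff uses the bare form `"check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)"`, and I would use that here. The same prefix appears in the next two hunks (the SA RP statement and the Fetch Entity Statement response SA RP). Separately, this test and the SA RP one carry the identical name "Does the SA correctly release the Entity statements", so a failure in the results cannot be attributed to the OP or RP case; putting the subordinate type in the name would fix that.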
@@ -17732,27 +18743,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Entity Statement response SA RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -17762,27 +18766,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", - "decode operations": [ + "message type": "Fetch Entity Statement response SA RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -17792,55 +18789,53 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "client_assertion", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response TA SA", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } 
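Review bot: The first intercept in the new active test decodes a JWT from `"from": "url"` / `"decode param": "client_assertion"` on an `Entity Statement response SA OP` message, but a response has no query string and client_assertion is a token-request parameter, so `conf_iss` looks like it is never populated and the later `"contains": "conf_iss"` check compares against an unset variable (I cannot see the tool's behaviour on a missing variable, so this is inferred). The statement's issuer should be read from the body the way the second operation does, e.g. `"from": "body"`, `"decode regex": "[^\\r\\n]*"`. In that second operation `"decode param": "[^\\r\\n]*"` holds a regex under the key every other body decode in this diff spells `"decode regex"`. Finally `contains` is a substring match, so an `iss` that merely embeds the SA's identifier would pass; `"is"`, which this diff uses for the Content-Type check, is the comparison the description ("Its value must be an URL identifying the SA") calls for. The same four points apply to the SA RP variant in the next hunk.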
@@ -17852,55 +18847,53 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "client_assertion", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is present": "true" + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response TA SA", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is present": "true" + "check": "$.iss", + "contains": "conf_iss" } ] } 
@@ -17912,20 +18905,21 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Configuration response SA",
 "checks": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
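Review bot: The new check object mixes value types for flags: `"url decode": false` is a JSON boolean while every `"is present": "true"` in this file is a string, so whichever convention the tool's loader expects, one of the two forms is being coerced; pick one and use it consistently. The exact `"is"` comparison on Content-Type would also reject a header that carries a media-type parameter (for example a charset) even though the media type is correct; if the tool supports a regex on a header param, a pattern that tolerates parameters after the media type would be more robust, otherwise the description should state that an exact header value is required.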
@@ -17933,21 +18927,216 @@ "result": "correct flow s1" } }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", + "message type": "Entity Configuration response TA", "checks": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] 
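Review bot: The duplicate-key detection in the five new "Single test" suites relies on `openid_relying_party.*(\\n.*)+\"openid_relying_party\"`, which needs a line break between the two occurrences; a JWT payload is normally compact JSON with no newlines, and if the tool parses the payload before matching, most JSON parsers keep only the last duplicate, so the duplicate is invisible either way (I cannot see the decoder, so this is inferred). All five suites share the identical name and description, so a failing one cannot be told apart in a report; naming the metadata type in each, e.g. `"name": "Does the metadata parameter contain the openid_relying_party type at most once"`, would fix that. The description also says the keys must be among five allowed types, but no check enforces that; a `json schema compliant` check with `propertyNames` restricted to those five values would cover it, subject to the validator supporting that keyword.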
@@ -17958,19 +19147,19 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
+ "message type": "Entity Configuration response TA",
 "checks": [
 {
- "in": "body",
- "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
 "is present": "true"
 }
 ]
@@ -17981,8 +19170,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly release the Entity statements",
- "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
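Review bot: The new "/.well-known/openid-federation endpoint" test checks only `HTTP/?\\d?\\.?\\d?\\s200` in the head, which is byte-for-byte the check of the preceding "correct HTTP code in the EC response" test on the same message type, so the two tests cannot fail independently. Its description promises that "its entity configuration is expected as response", which a status-code check does not establish; adding a body check for a JOSE compact serialization, as the SA entity-configuration test earlier in this diff does, would make the test match its description.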
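Review bot: The new description says the Trust Mark "must be taken, decrypted"; a trust mark is a signed JWT whose payload is base64url-decoded, not decrypted, and the operations in the following hunk decode it with a `jwt` decode operation. I would write `"description": "In this test, an issued Trust Mark must be taken, its payload decoded, and the value of the id_code claim checked to be a JSON Object"`. The same "decrypted" wording recurs in the trust-mark tests that follow (claims, email, exp, fiscal_number/vat_number, iat, ipa_code, logo_uri, organization_name).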
@@ -17990,11 +19179,25 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } + ] + } + ] } ] } 
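Review bot: The schema on the new side, `\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, requires every member of id_code to itself be an object, yet the ipa_code test later in this diff requires `ipa_code` to be a string, so a trust mark that satisfies that test fails this one. If the intent is only that id_code is an object, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"` is enough. The decode also inspects `$.trust_marks[0].trust_mark` only, so any further trust marks in the statement are unchecked; this applies to every trust-mark test in the diff. The enclosing test starts in the previous hunk.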
@@ -18004,20 +19207,34 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } + ] + } + ] } ] } 
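Review bot: The description says the claims claim "has to be a list of JSON Objects", but the schema types it as `\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, so one of the two is wrong; for a list the schema would be `\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`. The name also refers to a trust mark issued for an AA (oauth_resource profile) while the operation reads `Entity Statement response TA OP`, which looks like the OP's statement rather than the AA's; this is inferred from the message-type naming used elsewhere in the file, so please confirm which statement is meant.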
@@ -18027,20 +19244,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + } + ] + } + ] } ] } 
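Review bot: The embedded schema spells the keyword as `\"required \"` with a trailing space; JSON Schema validators ignore unknown keywords, so `email` is not actually required and a trust mark without it passes this check. The fix is `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required\":[\"email\"]}"`. Note also that `format` is an annotation by default in JSON Schema, so the email-shape check only bites if the tool's validator is configured to assert formats.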
@@ -18050,20 +19281,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } + ] + } + ] } ] } 
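Review bot: The new schema pins `exp` to a non-negative integer but says nothing about its value, so an already-expired trust mark, or one whose `exp` precedes `iat`, passes; the same holds for the `iat` test further down. If the tool can capture a claim into a variable, as the `jwt save` / `use variable` pair earlier in this diff does, a second check comparing `exp` against `iat` (and against the current time, if supported) would close that gap; otherwise the description should say that only the type is verified.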
@@ -18073,20 +19318,34 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] + } + ] } ] } 
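Review bot: This test requires `fiscal_number` or `vat_number` in id_code on the `Entity Statement response TA OP` message, while the two public-organisation tests later in this diff require `ipa_code` on the very same message; a single trust mark cannot satisfy both profiles, so against any one fixture at least one of these tests fails unless the tool treats them as mutually exclusive (I cannot see that from here). The `fiscal_number` and `vat_number` properties are also given empty schemas `{}`, so any type passes; for consistency with the `ipa_code` test I would write `\"fiscal_number\": {\"type\": \"string\"}, \"vat_number\": {\"type\": \"string\"}`.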
@@ -18096,8 +19355,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -18108,14 +19367,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -18128,8 +19392,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -18140,17 +19404,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -18163,8 +19429,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -18175,17 +19441,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
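Review bot: This presence-only check for `ipa_code` in id_code is subsumed by the preceding test, whose schema already lists `\"required\":[\"ipa_code\"]` and additionally constrains its type, so the two tests can never disagree. Either drop this one or give it a distinct purpose, and in any case give the pair distinct names so results are attributable. The enclosing test begins in the first hunk of this pair.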
@@ -18198,8 +19466,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" @@ -18210,14 +19478,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
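Review bot: The logo_uri schema uses `\"format\": \"uri-reference\"`, which also accepts relative references and the empty string, so it does not enforce the "has to be an URL" stated in the description; the `ref` checks at `@@ -18300` and `@@ -18778` use `\"format\": \"uri\"`, while the laxer form is repeated for policy_uri (`@@ -18277`, `@@ -18748`), service_documentation (`@@ -18332`, `@@ -18808`), sub (`@@ -18367`, `@@ -18838`), tos_uri (`@@ -18399`, `@@ -18868`) and logo_uri again (`@@ -18688`). For `sub` in particular the value is the entity identifier, so a relative reference should never pass. Suggest `\"format\": \"uri\", \"pattern\": \"^https://\"` in the style of the `^https://` pattern the removed TA logo_uri check used. Since `format` is only an annotation unless the validator mig-t uses is configured to assert it, it is worth confirming that a value such as `not a url` is actually rejected by these tests.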
@@ -18230,8 +19503,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -18242,17 +19515,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
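Review bot: The organization_name schema string is not a usable JSON Schema: its keys and values carry trailing spaces inside the quotes (`\"type \"`, `\"properties \"`, `\"required \"`, `\"object \"`, `\"string \"`, `\"private \"`, `\"public \"`) and a U+00A0 non-breaking space sits between `\"type \":` and `\"object \"`, which is not JSON whitespace. Depending on the validator this either fails to parse or treats every keyword as unknown and accepts any payload, so the test does not check what its name claims. Rewrite it with plain ASCII spaces and no padding, e.g. `{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}`, re-adding the enum only if the profile really restricts organization_name to two values; the enum `private`/`public` reads like an organization type rather than a name, so that is worth confirming. The same corruption is present in the email schema at `@@ -18501` and in the repeated organization_name schema at `@@ -18718`.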
@@ -18265,8 +19540,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" @@ -18277,17 +19552,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
@@ -18300,26 +19577,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
@@ -18332,29 +19614,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
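Review bot: The description says this checks a Trust Mark issued for an AA (oauth_resource profile), but the message type is changed to `Entity Statement response TA OP`, so the payload decoded here is the OP's entity statement; either the description or the message type is wrong. The same AA-described tests read TA OP at `@@ -18399` (tos_uri) and TA RP at `@@ -18466` (claims), `@@ -18748` (policy_uri), `@@ -18808` (service_documentation) and `@@ -18868` (tos_uri). If the intent is to run every Trust Mark check against every entity type, the name should say which entity is under test, e.g. `Does the OP's Trust Mark contain a correct service_documentation claim`, otherwise several tests share one name and cannot be told apart in results.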
@@ -18367,26 +19651,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } ] } ] 
@@ -18399,29 +19688,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
@@ -18434,26 +19725,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
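Review bot: The id_code schema requires every property of id_code to itself be an object (`\"additionalProperties\": {\"type\": \"object\"}`), which contradicts the sibling tests at `@@ -18140` and `@@ -18628` that require `ipa_code` inside id_code to be a string; a compliant public-organization Trust Mark therefore fails this check. The description only asks that id_code be a JSON Object, so the schema should stop at `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}`.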
@@ -18466,29 +19762,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
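Review bot: The description says the claims claim has to be a list of JSON Objects, but the schema asserts `\"type\": \"object\"` with object-valued additionalProperties, so an array value, the form the description expects, is rejected and an object passes. One of the two is wrong; if the description is right the schema should be `{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}, \"required\": [\"claims\"]}`.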
@@ -18501,26 +19799,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } ] } ] 
@@ -18533,29 +19836,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
@@ -18568,25 +19873,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
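Review bot: The private-organization check only asserts presence of `fiscal_number` or `vat_number` (`{}` accepts a value of any type), whereas the public-organization case has both a presence test (`@@ -18175`) and a separate string-type test (`@@ -18140`); no corresponding type test for the private identifiers appears in this range. If that is intentional, the description could say "presence only"; otherwise a sibling test with `\"fiscal_number\": {\"type\": \"string\"}, \"vat_number\": {\"type\": \"string\"}` would close the gap.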
@@ -18598,25 +19910,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -18628,25 +19947,32 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
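Review bot: This test is a verbatim repeat of the one at `@@ -18128`/`@@ -18140` (same name, description and schema), differing only in the message type `Entity Statement response TA RP`, and the following hunks `@@ -18658` through `@@ -18868` likewise repeat `@@ -18163` through `@@ -18399` against TA RP. Identical names mean a report cannot show which entity's Trust Mark failed. Either fold the entity into the name, e.g. `Does the id_code claim of the RP's Trust Mark issued for public organization contain a correct type of 'ipa_code' claim`, or parameterize the message type if the framework allows it.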
@@ -18658,25 +19984,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } + ] } ] } 
@@ -18688,25 +20021,32 @@ }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } 
@@ -18718,25 +20058,32 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { 
\"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } @@ -18748,25 +20095,32 @@ }, { "test": { - "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
@@ -18778,25 +20132,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
@@ -18808,25 +20169,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
@@ -18838,25 +20206,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } + ] } ] } 
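Review bot: `sub` of a Trust Mark is the subject's entity identifier, which in OpenID Federation is an absolute https URL, yet the schema uses `"format": "uri-reference"`, which admits relative references and empty strings; `"format": "uri"` matches the intent and the `ref` test two hunks above. A stronger check would also assert that the mark's `sub` equals the `sub` of the enclosing Entity Statement, since a mark whose subject differs from the statement's subject should not be accepted — worth adding if mig-t can compare the inner and outer payloads. Format keywords are not asserted by default in many JSON Schema validators, so confirm the one in use enforces them.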
@@ -18868,25 +20243,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } + ] } ] } 
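Review bot: Same mismatch as the `service_documentation` test: the description targets an AA (oauth_resource) Trust Mark, but `message type` is `Entity Statement response TA RP`, so `tos_uri` is checked on the RP's mark and an AA's mark is never reached. `"format": "uri-reference"` also accepts relative references, so `"format": "uri"` is the closer fit for "has to be an URL".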
@@ -18898,8 +20280,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" 
@@ -18910,56 +20292,80 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" @@ -18975,8 +20381,12 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", + "is subset of": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
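Review bot: The second `sa_profile` test in this hunk runs on `Entity Statement response TA RP` although its description says the Trust Mark is issued for an SA; the suite already has an `Entity Statement response TA SA` message type (see the removed SA grant_types test further down), which is the statement this check belongs on. The two `sa_profile` tests are byte-identical apart from that line and carry the same name, so one copy should be dropped; the first copy's message type line lies outside the hunk. Both use `"result": ["s1"]` while the tests around them use `"correct flow s1"`, so unless mig-t accepts both forms this test will not be evaluated like the others. The inner `"check": "sa_profile"` is a bare key whereas every other check here is a JSONPath; if mig-t resolves `check` as a path, `$.sa_profile` is what is meant.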
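Review bot: The check path `$.metadata_policy.intermediary.acr_values_supported.subset_of` does not match the description, which places the parameter inside the `openid_provider` type; an OP's policy lives under `metadata_policy.openid_provider`, so the path should probably be `$.metadata_policy.openid_provider.acr_values_supported.subset_of` (the same `intermediary` segment recurs in most OP policy tests below, with `openid_provider` used in only one of them). `is subset of` also passes an empty `subset_of` list, which "must be valued as …" does not intend; an equality operator, if the framework has one, pins the policy. What mig-t does when the JSONPath resolves to nothing is not visible here — if a missing value counts as a pass, the mismatched path would hide a non-compliant TA.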
@@ -18988,8 +20398,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" @@ -19005,8 +20415,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" + ] } ] } 
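Review bot: `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of` again uses `intermediary` where the description says `openid_provider`; if the path resolves to nothing, the PKCE method policy is never examined, which matters because `S256` is the only method the description permits. `is subset of` with a single-element list also accepts `subset_of: []`; the description's "must be valued as ['S256']" calls for an exact match.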
@@ -19018,8 +20430,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" @@ -19035,8 +20447,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" + ] } ] } 
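Review bot: `is subset of ["refresh_token", "authorization_code"]` is satisfied by `subset_of: ["refresh_token"]` alone, so a TA policy that strips `authorization_code` — the grant the code flow depends on — would pass a test whose description says "must be valued as" both grants; an exact-value check is what the description states. The path also uses `intermediary` rather than the `openid_provider` type named in the description.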
@@ -19048,8 +20463,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -19065,8 +20480,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
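Review bot: The check reads `id_token_encryption_enc_values_supported.one_of`, but the name and description refer to `subset_of`; in OpenID Federation `one_of` is defined for single-valued parameters while the `*_supported` lists are arrays, so a TA that correctly publishes `subset_of` would be reported as non-compliant here and a policy misusing `one_of` on an array would be accepted. The path should read `$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported.subset_of`.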
@@ -19078,8 +20496,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -19095,8 +20513,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
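Review bot: `$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` uses the recursive-descent `$..` prefix where every sibling check uses `$.`; `$..` matches a `metadata_policy` key at any depth, so an unrelated nested object carrying the same key names could satisfy the check instead of the top-level policy. It also reads `one_of` although the description says `subset_of` and the parameter is array-valued. Suggested path: `$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of`.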
@@ -19108,8 +20529,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -19125,8 +20546,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
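Review bot: `$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of` should use the `openid_provider` type the description names; as written the check likely addresses a type absent from the OP statement. The accepted set `["RS256", "RS512"]` matches the description, but `is subset of` does not fail on an empty `subset_of`.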
@@ -19138,8 +20562,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" @@ -19155,8 +20579,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } 
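Review bot: `response_modes_supported` is looked up under `intermediary` although the description says the parameter is inside the `openid_provider` type, which is where an OP statement's policy sits. `is subset of` also lets an empty `subset_of` through; the description's "valued with ['form_post', 'query']" reads as an exact requirement.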
@@ -19168,8 +20595,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" @@ -19185,8 +20612,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } 
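Review bot: The description says `response_types_supported` must carry `one_of` valued `['code']`, but the check reads `.subset_of`; one of the two is wrong, and since `response_types_supported` is an array parameter, `subset_of` is the operator OpenID Federation defines for it, so the description rather than the path should be corrected. The `intermediary` segment should be `openid_provider` as in the description.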
@@ -19198,8 +20627,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -19215,8 +20644,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
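Review bot: The description says `revocation_endpoint_auth_methods_supported` must use `one_of` valued `['private_key_jwt']`, while the check reads `.subset_of`; for an array-valued parameter `subset_of` is the applicable operator, so the description should be aligned with the path. The path's `intermediary` segment should be `openid_provider`, and `is subset of ["private_key_jwt"]` still accepts an empty `subset_of`, which would not constrain the OP to `private_key_jwt` at all.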
@@ -19228,8 +20659,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" @@ -19245,8 +20676,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
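Review bot: `is subset of ["openid", "offline_access", "profile", "email"]` passes a policy whose `subset_of` omits `openid`, the one scope an OpenID Connect request cannot do without; if exact equality is not available in mig-t, a second check that `openid` is present would close that gap. The path again uses `intermediary` where the description says `openid_provider`.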
@@ -19258,8 +20694,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" @@ -19275,8 +20711,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } 
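Review bot: The description says `subject_types_supported` must carry `one_of` valued `['pairwise']`, but the check reads `.subset_of`; the two should agree, and for this array-valued parameter `subset_of` is the defined operator. The `intermediary` type segment should be `openid_provider`, and an empty `subset_of` would still pass `is subset of ["pairwise"]`.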
@@ -19288,8 +20726,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -19305,8 +20743,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
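Review bot: This is the only OP policy check in the series that reads `$.metadata_policy.openid_provider.…`, while the surrounding tests read `intermediary` for the same OP statement; both cannot be right for one statement, and since every description says `openid_provider`, this path looks like the correct one and the others should be aligned to it. The description here says `one_of` while the check reads `subset_of`; `subset_of` is the operator for an array parameter, so the description is the side to fix.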
@@ -19318,8 +20758,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -19335,8 +20775,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
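Review bot: `token_endpoint_auth_signing_alg_values_supported.one_of` contradicts the description, which says `subset_of`; `one_of` applies to single-valued parameters, so a TA publishing the correct `subset_of` would fail this check. Suggested: `$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported.subset_of`.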
@@ -19348,15 +20791,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19365,8 +20808,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
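Review bot: `userinfo_encryption_alg_values_supported.one_of` again reads the operator for single-valued parameters while the description says `subset_of` for this array parameter, and the type segment is `intermediary` where the description says `openid_provider`. The replaced RP grant_types check reappears at the end of this file, so nothing is lost here, but the new check should read `$.metadata_policy.openid_provider.userinfo_encryption_alg_values_supported.subset_of`.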
@@ -19378,15 +20824,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -19395,8 +20841,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
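Review bot: `userinfo_encryption_enc_values_supported.one_of` has the same operator and type mismatch as its neighbours (description: `subset_of` under `openid_provider`). The test this one overwrites was the only check in view that fetched `Entity Statement response TA SA`; unless the SA grant_types policy check is re-added in one of the new files listed in the diffstat, the SA statement is no longer exercised in this run.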
@@ -19408,8 +20857,8 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -19422,12 +20871,14 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
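Review bot: The test overwritten here was the Trust Mark signature verification (`"jwt check sig": "X_key_TA"` on `$.trust_marks[0].trust_mark`); with it gone, none of the Trust Mark claim tests earlier in this file verify the TA's signature before reading claims, so a malformed or unsigned mark can satisfy them. Unless the signature test is re-added elsewhere in the patch (the diffstat lists many new files not shown here), it should be kept and the new userinfo_signing_alg check added beside it. The new check reads `.one_of` although the description says `subset_of`, and uses `intermediary` where it says `openid_provider`.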
@@ -19439,8 +20890,8 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" @@ -19453,12 +20904,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
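Review bot: The check reads `.subset_of` while the description says the key must be `one_of`, so one of the two is wrong and the description can no longer be used to interpret a failure; the inverse mismatch (description `subset_of`, check `.one_of`) recurs in the id_token_encrypted_response_alg, id_token_encrypted_response_enc, id_token_signed_response_alg, userinfo_encrypted_response_alg and userinfo_encrypted_response_enc tests for RP and SA below, and the SA client_registration_types test repeats this one. Whichever operator the policy actually uses, align the description with the `check` path in each of these tests, e.g. `It must contain the key 'subset_of' valued with ['automatic']` here. In the federation policy language single-valued parameters are constrained with `one_of` and array-valued ones with `subset_of`, which the checks, not the descriptions, currently follow.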
@@ -19470,15 +20922,15 @@ }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -19487,8 +20939,11 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_TA" + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } 
@@ -19500,59 +20955,27 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", - "type": "active", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response TA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "iss", - "as": "valid_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "iss", - "contains": "valid_iss" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -19565,59 +20988,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
- "type": "active",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response TA",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "iss",
- "as": "valid_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
 "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "iss",
- "contains": "valid_iss"
- }
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
 ]
 }
 ]
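Review bot: The `is subset of` array at the end of this hunk holds a single string, `A128CBC-HS256\" , \"A256CBC-HS512` (escaped quotes inside one literal), not the two algorithm names the description lists, so no real policy value can match it and the outcome no longer reflects the policy; the same malformed literal is in the id_token_signed_response_alg hunk (`RS256\" , \"RS512`) and the userinfo_encrypted_response_enc hunk below. Replace it with two elements: `"is subset of": [ "A128CBC-HS256", "A256CBC-HS512" ]`. The sibling tests in this chunk already use the two-element form, so this looks like a paste error. Whether a non-matching subset check fails or is skipped by the tool is not visible here, but either way the expected encryption methods are not being enforced.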
@@ -19630,15 +21020,15 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -19647,8 +21037,10 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256\" , \"RS512" + ] } ] } 
@@ -19660,15 +21052,15 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -19677,8 +21069,10 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } 
@@ -19690,15 +21084,15 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
@@ -19707,8 +21101,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
 }
 ]
 }
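Review bot: The expected value `private_key` in the second hunk is not a registered client authentication method; OpenID Connect Core defines `private_key_jwt`, so a policy that correctly pins `one_of: ["private_key_jwt"]` would fail this subset check while the description reads as if the policy were wrong; the SA token_endpoint_auth_method test below uses the same value. Change the element to `"private_key_jwt"` and the description to `... 'one_of' valued with ['private_key_jwt']`. If the tool matches substrings rather than whole values the test may pass by accident, which is worth confirming before relying on it.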
@@ -19720,15 +21116,15 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -19737,8 +21133,11 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -19750,15 +21149,15 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -19767,8 +21166,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } 
@@ -19780,15 +21181,15 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -19797,8 +21198,11 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -19810,15 +21214,15 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -19827,8 +21231,10 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
@@ -19840,15 +21246,15 @@
 },
 {
 "test": {
- "name": "Does the Federation Configuration contain the TA public keys",
- "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -19857,8 +21263,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_toke"
+ ]
 }
 ]
 }
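Review bot: The second element of `is subset of` in the second hunk is `refresh_toke`, a truncated `refresh_token`, so a policy that allows the refresh_token grant (which the description explicitly expects) is not a subset of this list and the test misreports it. Change the element to `"refresh_token"`. The description has `values with`, presumably `valued with` as in the sibling tests.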
@@ -19870,15 +21279,15 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -19887,8 +21296,11 @@ "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -19900,15 +21312,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -19917,8 +21329,11 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -19930,15 +21345,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -19947,8 +21362,11 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -19960,15 +21378,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
@@ -19977,8 +21395,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is subset of": [
+ "code"
+ ]
 }
 ]
 }
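Review bot: The check path in the second hunk reads `$.metadata_policy.openid_relying_party.response_types.value` although the message type is `Entity Statement response TA SA` and the description says the parameter lives inside the `intermediary` type, so the SA policy is not actually examined. Suggested line: `"check": "$.metadata_policy.intermediary.response_types.value"`. The name ends in `parameter key` while the check asserts a value and the sibling tests say `parameter value`; aligning it helps when scanning results.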
@@ -19990,15 +21410,15 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -20007,8 +21427,10 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] } ] } 
@@ -20020,15 +21442,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -20037,8 +21459,11 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -20050,15 +21475,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -20067,8 +21492,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -20080,15 +21508,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -20097,8 +21525,11 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -20110,15 +21541,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does entity configuration OP contain a correct sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -20127,8 +21558,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.sub",
+ "is": "X_key_TA"
 }
 ]
 }
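Review bot: The expected `sub` in the second hunk is `X_key_TA` although the description says the value must equal `iss`, the TA's entity identifier (a URL), and the test this replaces earlier in the chunk compared `$.sub` with `X_url_TA`; a key placeholder will never equal an entity identifier, so the result no longer depends on the TA's configuration. Suggested line: `"is": "X_url_TA"`. The name says `entity configuration OP` while the message type is `Entity Configuration response TA`; one of them is presumably carried over from the neighbouring OP tests and should be aligned.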
@@ -20140,25 +21571,26 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.constraints", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
@@ -20170,8 +21602,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -20184,11 +21616,12 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_TA" } ] } 
@@ -20200,15 +21633,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20216,9 +21649,12 @@
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "in": "payload",
+ "check": "$.trust_marks[0].trust_mark.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
@@ -20230,8 +21666,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the Trust Mark contain a correct organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
 "type": "passive",
 "sessions": [
 "s1"
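Review bot: The path `$.trust_marks[0].trust_mark.organization_type` in hunk `@@ -20216,9 +21649,12 @@` steps into a claim of the Trust Mark, but the signature test two hunks earlier treats that same field as a compact JWT string that has to be decoded first, so a plain JSONPath step into it resolves to nothing and the `is in` assertion never sees the claim. The check should mirror the nested-decode shape used there: a `decode operations` entry with `"from": "jwt payload"`, `"type": "jwt"`, `"decode param": "$.trust_marks[0].trust_mark"`, whose `checks` then assert `$.organization_type`. The duplicate test that begins at `@@ -20230,8 +21666,8 @@` (its check `$.organization_type` is in the next hunk) has the complementary problem: it reads `organization_type` from the Entity Statement payload itself rather than from the Trust Mark the description talks about. Whether the engine reports an unresolved JSONPath as a failure or as a pass is not visible here; if it is a pass, both tests are currently vacuous.

```json
"decode operations": [
{
"from": "body",
"decode param": "[^\\r\\n]*",
"type": "jwt",
"decode operations": [
{
"from": "jwt payload",
"type": "jwt",
"decode param": "$.trust_marks[0].trust_mark",
"checks": [
{
"in": "payload",
"check": "$.organization_type",
"is in": [
"public",
"private"
]
}
]
}
]
}
]
```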
@@ -20247,8 +21683,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "check": "$.organization_type",
+ "is in": [
+ "public",
+ "private"
+ ]
 }
 ]
 }
@@ -20260,15 +21699,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the jwks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20277,8 +21716,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
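Review bot: The check path in hunk `@@ -20277,8 +21716,10 @@`, `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of`, does not match what the test claims to verify: the description says the parameter is looked up inside the `openid_provider` type under the `subset_of` operator, yet the path uses `intermediary` and `one_of`. `intermediary` is not among the metadata types this same file enumerates later (`openid_relying_party`, `openid_provider`, `federation_entity`, `oauth_authorization_server`, `oauth_resource`), and for array-valued `*_values_supported` parameters the restricting operator is `subset_of`, so a TA policy that still admits `RSA_1_5` via `openid_provider...subset_of` passes this test; the proposed line is `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"`. The same `intermediary`/`one_of` path appears in the OP tests of the next five hunks (`@@ -20307`, `@@ -20367`, `@@ -20397`, `@@ -20410`), while `@@ -20337` already uses `subset_of` but still `intermediary`, so the group is also internally inconsistent. How `not contains` behaves when the JSONPath does not resolve is not visible here; if it is treated as satisfied, every one of these checks is currently vacuous.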
@@ -20290,15 +21731,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20307,8 +21748,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -20320,15 +21766,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20337,8 +21783,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -20350,15 +21801,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20367,8 +21818,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -20380,15 +21833,15 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -20397,8 +21850,13 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -20410,21 +21868,32 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -20434,21 +21903,29 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
 }
 ]
 }
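Review bot: In the RP policy tests starting here and continuing in `@@ -20472`, `@@ -20482` and `@@ -20519`, the check path ends in `.one_of` while each description says the `subset_of` key is inspected. `id_token_encrypted_response_alg` and the sibling `*_response_alg` parameters are single-valued, so `one_of` is the operator that fits them and the descriptions are the side to correct, e.g. `The key 'one_of' must not contain the value ['RSA_1_5']`. A policy can also fix such a parameter with the `value` or `default` operator, which none of these checks look at; if the engine allows several checks per operation, a second `not contains` on `.value` would close that gap.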
@@ -20458,8 +21935,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20472,7 +21949,18 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -20482,31 +21970,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -20519,31 +22002,29 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -20556,31 +22037,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
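Review bot: The SA tests here and in `@@ -20593`, `@@ -20630` and `@@ -20667` read `$.metadata_policy.intermediary.<param>.one_of`, but `intermediary` is not a metadata type identifier defined by OpenID Federation, and the `metadata` schema this file adds later admits only `openid_relying_party`, `openid_provider`, `federation_entity`, `oauth_authorization_server` and `oauth_resource`. Unless the TA under test emits a custom `intermediary` key in its policy, that path never resolves and the four `not contains` assertions prove nothing about the algorithms the aggregator may use. Confirm the key the TA actually publishes for the aggregator's policy (presumably `openid_relying_party`, since the parameters checked are RP-side `*_response_alg` values) and put the same name in the description, which currently says "inside the intermediary type".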
@@ -20593,31 +22069,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -20630,31 +22104,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -20667,31 +22136,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -20704,34 +22171,21 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
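Review bot: `"jwt check sig": "X_key_TA"` here, and in the two Entity Statement signature tests that follow (`@@ -20753` and `@@ -20778`), supplies only a key; nothing in the test pins the expected `alg`, so whether a token whose header announces `none` or an HMAC algorithm is rejected depends on defaults of the verifier that are not visible in this file. Since the sibling policy tests forbid exactly those algorithms, it would be consistent to state the expectation explicitly, for instance with a check on the decoded header asserting that `$.alg` is one of the signing algorithms the federation allows, if the engine exposes the header to `checks`. The description also says the key "must be taken from the Entity Statement of a superior", which cannot hold for the TA's own Entity Configuration (the TA has no superior and its configuration is self-signed with its published `jwks`); the sentence should say so for this message type. Finally, the two tests named "Does the TA correctly sign the Entity statements" differ only in message type (OP vs RP); putting the subordinate type in the name keeps report output unambiguous.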
@@ -20741,8 +22195,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20753,22 +22207,9 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -20778,34 +22219,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -20815,32 +22243,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": 
{\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
@@ -20852,32 +22273,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
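Review bot: The `decode param` added in the "allowed types" test that ends on this line is written `"[^\\n\\r]*"`, whereas every other decode operation in these hunks uses `"[^\\r\\n]*"`; the two character classes are equivalent, but the divergence reads as a typo and defeats any grep-based audit of the decode parameters, so it should be aligned to `"[^\\r\\n]*"`. In the `exp` test of hunk `@@ -20852,32 +22273,25 @@` (and the `iat` twin in the next hunk), the schema only requires a non-negative integer, so an Entity Configuration that expired long ago, or whose `exp` precedes its `iat`, satisfies both tests; if the engine offers a numeric bound or a cross-claim comparison, asserting that `exp` lies after `iat` and after the capture time would make the lifetime check meaningful, and otherwise the descriptions should say that only presence and type are verified rather than "a correct exp parameter".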
@@ -20889,32 +22303,25 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -20926,32 +22333,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -20963,32 +22363,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" } ] } 
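Review bot: In the `json schema compliant` string of the constraints test, `\"required\": [\"constraints\"]` is placed inside the `properties` object instead of beside it, so the top-level schema never requires `constraints` and an Entity Configuration that omits it passes (a strict validator will instead see a property named `required` with a non-schema value). Moving one closing brace fixes the nesting: `... \"required\": [\"max_path_length\"]}}, \"required\": [\"constraints\"]}`. `max_path_length` is also left as `{}`, which accepts any type; if the value is meant to be a non-negative integer, the `{\"type\": \"integer\", \"minimum\": 0}` form used for `exp` and `iat` earlier in this file would pin it.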
@@ -21000,32 +22393,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
@@ -21037,32 +22423,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" } ] } 
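Review bot: The new name and description state that `trust_mark_issuers` "must be a JSON Array", but the schema on the `json schema compliant` line requires a JSON object whose values are arrays (`\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}`), so the documentation and the enforced check disagree. If the schema is the intended contract, reword the description to `... and the trust_mark_issuers parameter must be a JSON Object whose values are JSON Arrays of issuer identifiers.` and the name to `... contain a JSON Object of arrays`; otherwise change the schema to `{\"type\": \"array\"}`.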
@@ -21074,32 +22453,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.acr_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" } ] } 
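Review bot: The `check` path is `$.metadata_policy.intermediary.acr_values_supported`, while the name and description say the parameter lives inside the `openid_provider` type; `intermediary` is not one of the five entity types the metadata test earlier in this file admits with `additionalProperties: false`, so this check presumably never finds the parameter and the policy is not actually validated. The same `intermediary` path appears in the grant_types_supported, id_token_encryption_alg_values_supported, id_token_encryption_enc_values_supported, id_token_signing_alg_values_supported, request_authentication_signing_alg_values_supported, response_modes_supported, scopes_supported, token_endpoint_auth_signing_alg_values_supported and userinfo_encryption_alg_values_supported hunks below. Each of these schemas also requires both `subset_of` and `superset_of`, whereas the descriptions only ask for `subset_of`; either relax to `\"required\": [\"subset_of\"]` or state both operators in the descriptions. Suggested path here: `\"check\": \"$.metadata_policy.openid_provider.acr_values_supported\"`.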
@@ -21111,32 +22483,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
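Review bot: The description for authorization_response_iss_parameter_supported promises a `one_of` key valued as ['true'], but the schema requires `\"value\": {\"const\": true}` and never mentions `one_of`, so the documented and the enforced policy operator differ. The same description/schema mismatch is in the claims_parameter_supported, request_authentication_methods_supported and request_parameter_supported hunks below. Either change the schema to `\"properties\": {\"one_of\": {\"const\": [true]}}, \"required\": [\"one_of\"]` or reword the descriptions to say the `value` operator fixed to the JSON boolean true (not the string 'true'). For request_authentication_methods_supported the scalar `\"value\": {\"const\": \"request_object\"}` also looks suspicious if that parameter is an object keyed by endpoint; confirm the expected shape against the policy the TA actually publishes.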
@@ -21148,32 +22513,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -21185,32 +22543,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" } ] } 
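Review bot: The schema for client_registration_types_supported requires `\"subset_of\": {\"const\": \"automatic\"}`, a bare string, while the description says the policy must carry `one_of` valued as ['automatic']; a `subset_of` operator carries an array of allowed values, so a correctly formed policy `[\"automatic\"]` fails this check and only a malformed scalar passes. Use `\"subset_of\": {\"const\": [\"automatic\"]}` or, to allow only that element, `\"subset_of\": {\"type\": \"array\", \"items\": {\"const\": \"automatic\"}}`, and align the description with the operator actually checked.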
@@ -21222,32 +22573,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -21259,32 +22603,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -21296,32 +22633,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -21333,32 +22663,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -21370,32 +22693,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
@@ -21407,32 +22723,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -21444,32 +22753,25 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
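Review bot: The name and description of this test are about request_object_signing_alg_values_supported, but the `check` path reads `$.metadata_policy.openid_provider.request_parameter_supported`, so the subset_of/superset_of assertion is applied to a different parameter; the next hunk (same name) has the same path, and the request_parameter_supported hunk after it already covers that parameter. Change both to `\"check\": \"$.metadata_policy.openid_provider.request_object_signing_alg_values_supported\"`.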
@@ -21481,32 +22783,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
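Review bot: The `json schema compliant` string ends with ` [\"RS256\", \"RS512\"]` appended after the closing brace, which makes it two JSON values in one string — not a valid schema, so the check will fail to parse rather than validate anything. If the intent from the description is to pin `subset_of` to RS256 and RS512, encode it inside the schema: `\"subset_of\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}}` with `\"required\": [\"subset_of\"]`. The description also has a trailing space before its closing quote.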
@@ -21518,32 +22813,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
@@ -21555,32 +22843,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -21592,8 +22873,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" @@ -21609,11 +22890,8 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks[0].trust_mark.organization_type", - "is in": [ - "public", - "private" - ] + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
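Review bot: The second hunk rewrites the check of this test to `$.metadata_policy.intermediary.scopes_supported`, but the `message type` line sits in the unchanged context between the two hunks and is not visible here; the sibling organization_type test in the next hunk had to change its message type from `Entity Statement response TA RP` to `Entity Statement response TA OP`, so if this test still names the RP statement the metadata-policy check is run against the wrong message. Please confirm the line reads `"message type": "Entity Statement response TA OP",`. The enclosing test object starts before the first hunk and ends after the second.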
@@ -21625,15 +22903,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -21642,11 +22920,8 @@
  "checks": [
  {
  "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
  }
  ]
  }
@@ -21658,20 +22933,27 @@
  },
  {
  "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ }
+ ]
  }
  ]
  }
@@ -21681,20 +22963,27 @@
  },
  {
  "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ }
+ ]
  }
  ]
  }
@@ -21704,21 +22993,27 @@
  },
  {
  "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
  {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ }
+ ]
  }
  ]
  }
@@ -21728,99 +23023,75 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain correct value for organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
+ "decode param": "[^\\r\\n]*",
  "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
  {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
  }
  ]
  }
  ]
  }
  ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
  }
  },
  {
  "test": {
- "name": "Does the Trust Mark contain correct value for organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
+ "description": "In order to check 
the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
+ "decode param": "[^\\r\\n]*",
  "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
  {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
  }
  ]
  }
  ]
  }
  ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
  }
  },
  {
  "test": {
  "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -21857,7 +23128,7 @@
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
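Review bot: The embedded schema in the SA grant_types test is not valid JSON: `\"required\": [\"subset_of\"], [\"superset_of\"]}` places a bare array after the `required` member with no key, so a strict JSON Schema validator will reject the schema and the check can never evaluate the policy it is meant to enforce. The sibling RP test in the same hunk shows the intended form, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"`. Separately, the claims-claim test below keeps the name "Does the issued oauth_resource Trust Mark contain the claims claim" while its description now reads "a Trust Mark issued for an TA"; if the intent is still the oauth_resource profile the description should say so, and "an TA" should read "a TA". The enclosing test list continues outside this hunk.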
@@ -21894,7 +23165,7 @@
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -21931,7 +23202,7 @@
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -21961,14 +23232,14 @@
  {
  "test": {
  "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -21997,7 +23268,7 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the id_code claim",
+ "name": "Does the Trust Mark contain id_code claim",
  "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
  "type": "passive",
  "sessions": [
@@ -22005,7 +23276,7 @@
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22034,15 +23305,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22056,7 +23327,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "iss",
+ "check": "$.id_code.ipa_code",
  "is present": "true"
  }
  ]
@@ -22071,15 +23342,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22093,7 +23364,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "logo_uri",
+ "check": "iss",
  "is present": "true"
  }
  ]
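Review bot: The new ipa_code test asserts `"check": "$.id_code.ipa_code"` with `"is present": "true"` unconditionally, while its own name and description scope it to a Trust Mark issued for a public organization; nothing in the passive operation restricts the intercepted "Entity Statement response TA OP" to that case, so for a private organization's Trust Mark the test would presumably report a failure rather than being inapplicable. If the tool supports conditioning a check on another claim, the test should first key on the organization_type value; otherwise the description should state that it is only meaningful for public entities. The RP variant of this test later in the diff (the hunk starting at `@@ -22626,15 +23897,15 @@`) has the same shape. The test objects here continue outside the individual hunks.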
@@ -22108,15 +23379,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22130,7 +23401,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "organization_name",
+ "check": "logo_uri",
  "is present": "true"
  }
  ]
@@ -22145,15 +23416,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22167,7 +23438,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "organization_type",
+ "check": "organization_name",
  "is present": "true"
  }
  ]
@@ -22182,15 +23453,15 @@
  },
  {
  "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22204,7 +23475,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "policy_uri",
+ "check": "organization_type",
  "is present": "true"
  }
  ]
@@ -22219,15 +23490,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22241,7 +23512,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "ref",
+ "check": "policy_uri",
  "is present": "true"
  }
  ]
@@ -22256,15 +23527,15 @@
  },
  {
  "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22278,7 +23549,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "sa_profile",
+ "check": "ref",
  "is present": "true"
  }
  ]
@@ -22294,14 +23565,14 @@
  {
  "test": {
  "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22330,15 +23601,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22368,14 +23639,14 @@
  {
  "test": {
  "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
  "decode operations": [
  {
  "from": "body",
@@ -22405,14 +23676,14 @@
  {
  "test": {
  "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22449,7 +23720,7 @@
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22486,7 +23757,7 @@
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22523,7 +23794,7 @@
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22553,14 +23824,14 @@
  {
  "test": {
  "name": "Does the Trust Mark contain the id claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22589,7 +23860,7 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the id_code claim",
+ "name": "Does the Trust Mark contain id_code claim",
  "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
  "type": "passive",
  "sessions": [
@@ -22597,7 +23868,7 @@
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22626,15 +23897,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22648,7 +23919,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "iss",
+ "check": "$.id_code.ipa_code",
  "is present": "true"
  }
  ]
@@ -22663,15 +23934,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22685,7 +23956,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "logo_uri",
+ "check": "iss",
  "is present": "true"
  }
  ]
@@ -22700,15 +23971,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22722,7 +23993,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "organization_name",
+ "check": "logo_uri",
  "is present": "true"
  }
  ]
@@ -22737,15 +24008,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22759,7 +24030,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "organization_type",
+ "check": "organization_name",
  "is present": "true"
  }
  ]
@@ -22774,15 +24045,15 @@
  },
  {
  "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22796,7 +24067,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "policy_uri",
+ "check": "organization_type",
  "is present": "true"
  }
  ]
@@ -22811,15 +24082,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22833,7 +24104,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "ref",
+ "check": "policy_uri",
  "is present": "true"
  }
  ]
@@ -22848,15 +24119,15 @@
  },
  {
  "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22870,7 +24141,7 @@
  "checks": [
  {
  "in": "payload",
- "check": "sa_profile",
+ "check": "ref",
  "is present": "true"
  }
  ]
@@ -22886,14 +24157,14 @@
  {
  "test": {
  "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22922,15 +24193,15 @@
  },
  {
  "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
@@ -22960,147 +24231,31 @@
  {
  "test": {
  "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
- {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
- {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. 
Its value must be an URL identifying the SA",
- "type": "active",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA OP",
- "decode operations": [
- {
- "from": "url",
- "decode param": "client_assertion",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
- }
- ]
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. 
Its value must be an URL identifying the SA",
- "type": "active",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA RP",
- "decode operations": [
- {
- "from": "url",
- "decode param": "client_assertion",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
+ {
+ "message type": "Entity Statement response TA RP",
  "decode operations": [
  {
  "from": "body",
- "decode param": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "use variable": "true",
- "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
  }
  ]
  }
@@ -23112,25 +24267,32 @@
  },
  {
  "test": {
- "name": "Does the SA's metadata contain the contacts parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
  "decode operations": [
  {
  "from": "body",
- "decode regex": "[^\\r\\n]*",
  "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
  {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
  }
  ]
  }
@@ -23142,15 +24304,15 @@
  },
  {
  "test": {
- "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
  "type": "passive",
  "sessions": [
  "s1"
  ],
  "operations": [
  {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response TA",
  "decode operations": [
  {
  "from": "body",
@@ -23159,7 +24321,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", + "check": "$.constraints.max_path_length", "is present": "true" } ] @@ -23172,15 +24334,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the contacts parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -23189,7 +24351,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] @@ -23202,15 +24364,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
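Review bot: `$.constraints.max_path_length` is only checked with `is present`, so a TA publishing it as a string, a negative number or `null` passes, although this attribute is what bounds how many intermediates a trust chain may contain. The removed SA tests in this same commit use `json schema compliant` for exactly this kind of typed check, e.g. `"check": "$.constraints"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"max_path_length\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"max_path_length\"]}"`. The enclosing test object starts in the previous hunk.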
@@ -23219,7 +24381,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", "is present": "true" } ] @@ -23232,15 +24394,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -23249,7 +24411,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", + "check": "$.metadata.federation_entity.federation_list_endpoint", "is present": "true" } ] 
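Review bot: SA coverage of `federation_fetch_endpoint` and `federation_list_endpoint` disappears here: both tests now match only `Entity Configuration response TA`, and no SA counterpart is visible in these hunks (it may have been moved earlier in the file, which this view cannot show). The test names now say "the Entity's metadata" while `message type` pins the TA; naming them "the TA's metadata", as the `max_path_length` test in this commit does, would keep name and message type in agreement.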
@@ -23262,15 +24424,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -23279,7 +24441,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] @@ -23292,15 +24454,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -23309,7 +24471,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", "is present": "true" } ] 
@@ -23322,15 +24484,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the homepage_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -23339,7 +24501,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] @@ -23352,15 +24514,15 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the Entity's metadata contain the logo_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -23369,7 +24531,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -23382,20 +24544,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the Entity's metadata contain the organization_name parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" + } + ] } ] } 
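Review bot: The only test asserting that the Entity Configuration body is a three-part JWS compact serialization is dropped here in favour of an `organization_name` presence check, and nothing on the new side keeps a serialization or media-type check. A `type: jwt` decode will fail on a non-JWS body, so the serialization is implicitly still covered, but the `Content-Type: application/entity-statement+jwt` named in the removed description was never checked by the old regex and remains unchecked; if the DSL supports header checks, a dedicated test for that media type would close the gap. The `organization_name` test itself mirrors the sibling federation_entity tests and looks consistent.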
@@ -23405,20 +24574,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Entity's metadata contain the policy_uri parameter", + "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" + } + ] } ] } 
@@ -23428,20 +24604,27 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", + "is present": "true" + } + ] } ] } 
@@ -23451,20 +24634,27 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", + "is present": "true" + } + ] } ] } 
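Review bot: The description says the `authorization_response_iss_parameter_supported` policy "must contain the key 'one_of'", but the check path ends in `.value`, so the test pins a different policy operator than it documents. Either the description should say 'value', as the `request_authentication_methods_supported` test in this commit does, or the path should be `$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.one_of`; as written, a TA policy using `one_of` fails a test whose text says it should pass.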
@@ -23474,20 +24664,27 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "is present": "true" + } + ] } ] } 
@@ -23497,20 +24694,27 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response SA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", + "is present": "true" + } + ] } ] } 
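Review bot: The `claims_parameter_supported` description requires the key 'one_of' while the check targets `...claims_parameter_supported.value`, the same mismatch as the `authorization_response_iss_parameter_supported` test above. Pick one operator and make the description and the `check` path agree, otherwise a reviewer reading the failure message is told the wrong expectation. The removed fetch-endpoint test has no visible replacement in this hunk; if it was not moved earlier in the file, the SA fetch endpoint is now untested.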
@@ -23520,25 +24724,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" } ] } 
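Review bot: This test's name and description ask whether the `client_registration_types_supported` policy is present, but the check targets `...client_registration_types_supported.subset_of`, which is byte-identical to the check of the next test ("contain a correct ... key"), so the pair are duplicates and the plain presence case is never tested. Dropping the suffix here, `"check": "$.metadata_policy.openid_provider.client_registration_types_supported"`, restores the presence/operator split the other pairs follow. The removed `exp` schema test on the SA Entity Configuration has no visible replacement in this hunk; if it was not moved earlier in the file, the SA's `exp` is now unchecked.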
@@ -23550,25 +24754,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "is present": "true" } ] } 
@@ -23580,25 +24784,25 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is present": "true" } ] } 
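Review bot: The check path is `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of` while the name, description and `message type` (`Entity Statement response TA OP`) all refer to the `openid_provider` policy; unless `intermediary` is a metadata type this federation defines, the path never matches and the test fails regardless of what the TA publishes. The sibling tests in this commit use `$.metadata_policy.openid_provider.<param>`, so `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of"` would be consistent. The removed "metadata is a JSON object" schema check for the SA configuration has no replacement visible here.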
@@ -23610,25 +24814,25 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
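Review bot: `$.jwks` is the top-level key set of the Entity Statement (the subject's federation keys), not the `jwks` entry of `metadata_policy.openid_provider` that the name and description refer to, so this test passes on every well-formed statement without looking at the policy at all. The removed RP variant of this test (visible later in this commit) checked `$.metadata_policy.openid_relying_party.jwks` with a schema requiring `value`; the OP version should at least use `"check": "$.metadata_policy.openid_provider.jwks"`. The description also still says "the RP JWKS", a leftover from that RP test.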
@@ -23640,25 +24844,25 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": 
"$.metadata_policy.openid_provider.request_authentication_methods_supported", + "is present": "true" } ] } @@ -23670,25 +24874,25 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "is present": "true" } ] } 
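Review bot: The dropped `metadata` types schema was the only test that rejected unknown metadata types (`additionalProperties: false`), and nothing on the new side replaces it. Its `required` list was wrong (it demanded all six types in a single configuration, which no real entity satisfies), which is probably why it was removed, but fixing the schema by deleting the `required` array would have kept the closed-set check instead of losing it. The new `request_authentication_methods_supported` presence test is consistent with its siblings.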
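Review bot: The removed `trust_marks` check modelled the claim as an object of arrays, which contradicts the `$.trust_marks[0].trust_mark` indexing used by the Trust Mark tests in this same commit (an array of objects), so dropping it is correct, but no corrected check that `trust_marks` is an array is added in its place. The new `request_authentication_methods_supported.value` check does agree with its description ("must contain the key 'value'"), unlike several neighbouring tests.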
@@ -23700,25 +24904,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "is present": "true" } ] } 
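Review bot: The `exp` integer schema check on `Entity Statement response SA OP` is removed here and no `exp`/`iat` check on any TA-issued Entity Statement is visible on the new side of this commit; if the SA tests were not moved earlier in the file, statement expiry is now unvalidated. The replacement `request_parameter_supported` presence test is fine on its own, but a TA-statement `exp` test using the same `json schema compliant` form as the removed one would be a cheap addition.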
@@ -23730,25 +24934,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "is present": "true" } ] } 
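Review bot: The description says the `request_parameter_supported` policy "must contain the key 'one_of'" while the check ends in `.value`; the same description/path mismatch appears in the `authorization_response_iss_parameter_supported` and `claims_parameter_supported` tests in this commit. Make the path and the quoted operator agree, otherwise a failing run reports an expectation the test does not actually enforce.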
@@ -23760,25 +24964,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is present": "true" } ] } 
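Review bot: The check path `$.metadata_policy.intermediary.response_types_supported.subset_of` disagrees with the test on two counts: the description targets the `openid_provider` type and says the key must be 'one_of', but the path uses `intermediary` and `subset_of`. Unless `intermediary` is a metadata type this federation defines, the path cannot match an OP statement; `"check": "$.metadata_policy.openid_provider.response_types_supported.one_of"` (or `.subset_of` with the description corrected) would make the test do what it says.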
@@ -23790,25 +24994,25 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is present": "true" } ] } 
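Review bot: Same mismatch as the `response_types_supported` test: the path is `$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of` while the description names the `openid_provider` type and the 'one_of' key. One of the two must change, and `intermediary` should be confirmed to be a real metadata type in this federation before it is used as a path segment.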
@@ -23820,25 +25024,25 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is present": "true" } ] } 
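Review bot: The `subject_types_supported` check again uses `$.metadata_policy.intermediary...subset_of` against a description that names `openid_provider` and 'one_of'; as with the two previous tests, the path should be `$.metadata_policy.openid_provider.subject_types_supported.<operator>` with the operator matching the text. This hunk also removes the RP `jwks` policy check that required a `value` key under `$.metadata_policy.openid_relying_party.jwks`; the OP `jwks` test added earlier in this commit checks top-level `$.jwks` instead, so the `value` requirement on policy-pinned keys is lost unless the RP test was moved elsewhere in the file.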
@@ -23850,26 +25054,25 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is present": "true" } ] } 
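Review bot: The recursive-descent path `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of` matches a `metadata_policy` object at any depth of the payload, unlike the root-anchored `$.metadata_policy` every sibling test in this series uses, so an object nested elsewhere in the statement could satisfy the presence check. Use `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of"` so only the top-level policy is accepted. The description also stops at "is checked" without naming the expected key; appending `It must contain the key 'subset_of'` would bring it in line with the neighbouring tests.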
@@ -23881,26 +25084,25 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is present": "true" } ] } 
@@ -23912,25 +25114,25 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is present": "true" } ] } 
@@ -23942,24 +25144,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -23972,24 +25174,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -24002,24 +25204,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
@@ -24032,24 +25234,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -24062,24 +25264,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -24092,24 +25294,24 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -24122,24 +25324,24 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain the trust marks", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
@@ -24152,24 +25354,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", "is present": "true" } ] 
@@ -24182,24 +25384,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -24212,24 +25414,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -24242,24 +25444,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -24272,24 +25474,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
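Review bot: The check `$.metadata_policy.openid_relying_party.response_types.value` reads the RP policy, while the message type is `Entity Statement response TA SA` and the description says `response_types` is checked inside the intermediary type, so this test does not verify the SA policy it claims to. The sibling SA tests in this series all read `$.metadata_policy.intermediary.…`; the consistent line is `"check": "$.metadata_policy.intermediary.response_types.value"`, assuming the TA publishes its SA policy under that type as those tests assume.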
@@ -24302,24 +25504,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -24332,24 +25534,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -24362,24 +25564,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -24392,24 +25594,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
@@ -24422,15 +25624,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -24452,15 +25654,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
@@ -24482,15 +25684,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -24512,15 +25714,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
@@ -24542,15 +25744,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -24559,7 +25761,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata", "is present": "true" } ] 
@@ -24572,15 +25774,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -24602,15 +25804,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", 
@@ -24619,7 +25821,7 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.constraints", "is present": "true" } ] @@ -24632,21 +25834,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Federation Configuration contain the TA public keys", + "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
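Review bot: The second hunk replaces `"jwt check sig": "X_key_SA"` with a presence check on `$.jwks`, so the TA's Entity Configuration signature is no longer verified by this test, and the hunks at @@ -24656 and @@ -24680 drop the same check on the TA-issued Entity Statements. If no other test in the new file validates those signatures against the TA key, a tampered or unsigned statement that merely carries a `jwks` claim passes every check in these hunks, which is exactly what the removed tests guarded against. If the removal is deliberate because the SA key no longer applies, a TA counterpart in a separate test, `"jwt check sig": "<TA key identifier configured for this suite>"`, would restore the coverage; I cannot see from this chunk whether one exists.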
@@ -24656,21 +25864,27 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.trust_mark_issuers", + "is present": "true" + } + ] } ] } 
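Review bot: The test name and description say `trust_marks_issuers`, but the check looks for `$.trust_mark_issuers`; the OpenID Federation claim is `trust_mark_issuers`, so the check is right and the text is wrong. Suggest `"name": "Does TA's Entity configuration contain the trust_mark_issuers parameter"` with the same correction in the description, otherwise a reader comparing a failing report against the specification will look for a claim that does not exist.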
@@ -24680,21 +25894,27 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.constraints", + "is present": "true" + } + ] } ] } 
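Review bot: The description says the payload is "decrypted" and checks "the presence if the constraints parameter"; the payload is base64url-decoded, not decrypted, and "if" should be "of". Suggest `"...the Entity Statement payload contained in the response is base64url decoded and the presence of the constraints parameter is checked"`; the same sentence is repeated in every TA Entity Statement test from here through @@ -25259. This test and the one at @@ -24963 also share the exact same name while checking different message types (TA OP versus TA RP); naming the subordinate type, e.g. `"name": "Does the Entity Statement issued by the TA for the OP contain the constraints parameter"`, keeps reports distinguishable.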
@@ -24704,32 +25924,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
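Review bot: `exp` is only checked for presence; the trust-mark schema check this hunk removes enforced a non-negative integer, and nothing here does so for the Entity Statement, so an `exp` holding a string or a negative number passes. The suite already uses the `"json schema compliant"` check form, so `"check": "$"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"` would cover presence and type together. The same applies to the `iat` tests at @@ -24741 and @@ -25037 and the `exp` test at @@ -25000.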
@@ -24741,32 +25954,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -24778,32 +25984,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -24815,32 +26014,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -24852,32 +26044,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -24889,32 +26074,25 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -24926,32 +26104,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
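Review bot: `trust_marks` in a subordinate Entity Statement is an optional claim in the base OpenID Federation specification, so a hard `"is present": "true"` reports a conforming TA as failing unless the test deliberately enforces a profile that requires it. If that is the intent, the description should name the profile the requirement comes from; otherwise the expectation is stricter than the specification the description cites. The same question applies to `constraints` (@@ -24680, @@ -24963) and `metadata_policy` (@@ -24852, @@ -25185), which are likewise optional in the base specification as far as I can tell.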
@@ -24963,32 +26134,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
@@ -25000,32 +26164,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -25037,32 +26194,25 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -25074,32 +26224,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -25111,32 +26254,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -25148,32 +26284,25 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -25185,32 +26314,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
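Review bot: The check does not test what the name and description describe: they say the `jwks` inside `metadata_policy.openid_relying_party` is inspected, but the JSONPath is `"check": "$.jwks"`, which is the statement's own top-level key set and duplicates the test at @@ -25111. If the policy entry is the target, the path should be `"check": "$.metadata_policy.openid_relying_party.jwks"`; if the top-level claim is the target, the name and description should be corrected and one of the two tests dropped.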
@@ -25222,32 +26344,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -25259,32 +26374,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } - ] + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -25296,34 +26404,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
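Review bot: The description says the response must be a Federation Metadata in JOSE format with `Content-Type: application/entity-statement+jwt`, but the only check is an unanchored body regex; the content type is never verified. The regex `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` is both too loose and too strict: unanchored, it matches any body containing a dotted hostname (a JSON error message with a URL would pass), while the first two groups exclude `-`, which is a legal base64url character in JWS header and payload segments. An anchored base64url form such as `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"` plus a separate check on the response Content-Type header would match the description; the same regex is reused at @@ -25407 and @@ -25444.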
@@ -25333,34 +26427,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
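Review bot: The regex `[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` appears to be a mangled copy of the entity-listing regex in the next hunk: the leading `\[` lost its escape, so the pattern opens a character class and no longer matches a JSON list at all. A resolve response is also not a JSON list; the description says resolved metadata is expected, which the OpenID Federation resolve endpoint returns as a signed JWT, so the JWT-shape check used for the Entity Configuration test at @@ -25296 is the one that fits here. Suggest `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"`, and the description should state the expected Content-Type if the suite can check response headers.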
@@ -25370,34 +26450,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
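Review bot: The description is a copy-paste from the resolve test: it says "presence and correctness of the resolve entity statement endpoint" while the name and message type are the entity listing endpoint. Suggest `"description": "In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request to the entity's list endpoint is made. A response containing a JSON list with the known Entity Identifiers is expected"`. The regex is anchored only at the end; a leading `^\s*` would stop a body that merely ends with a list of strings from passing.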
@@ -25407,34 +26473,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Statement response TA OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
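Review bot: The JWT pattern `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` accepts an empty third group, so a fetch response carrying an unsigned `header.payload.` token (an `alg: none` statement) passes the 'correctly release the Entity statements' check. Entity Statements are JWS in compact serialization with base64url parts, so `=`, `+` and `/` should not appear and the signature must be non-empty: `"check regex": "[\\w-]+\\.[\\w-]+\\.[\\w-]+"`. A presence regex also says nothing about whether the statement is signed by the TA or is about the requested `sub`; a `jwt check sig` step like the one used for the Entity Configuration would be a stronger assertion. The test object's `result` key closes outside the hunk.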
@@ -25444,34 +26496,20 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Statement response TA RP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
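Review bot: This test's name, 'Does the TA correctly release the Entity statements', is identical to the preceding one for the TA OP, so a report cannot tell which subordinate's statement failed; naming it e.g. `"name": "Does the TA correctly release the Entity statement for the RP"` (and the OP counterpart likewise) keeps results unambiguous. It also reuses the permissive JWT pattern whose last group may be empty, so an unsigned token satisfies the check; the signature group should use `+` instead of `*`. The test object's `result` key closes outside the hunk.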
@@ -25481,34 +26519,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
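Review bot: The description says the fetch response contains 'the resolved metadata' for `sub`, but the fetch endpoint returns the superior's Entity Statement about the subordinate, which is also what the JWT-shaped regex looks for; `"description": "... a response containing the Entity Statement issued by the TA for the entity in the request's sub parameter is expected."` matches the check. The regex's signature group `([\\w\\-\\+\\/=]*)` may be empty, so an unsigned token satisfies the test — use `+` for the last group and drop `=`, `+`, `/`, which are not base64url characters. The test object's `result` key closes outside the hunk.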
@@ -25518,34 +26542,20 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA RP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
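Review bot: This test reuses the name 'Does the Entity expose the fetch entity statement endpoint' of the preceding TA OP test, so a failing run cannot say which fetch response was wrong; add the subject to the name, e.g. `"name": "Does the TA expose the fetch entity statement endpoint (RP)"`. Its regex also allows an empty signature group and non-base64url characters, as for the TA OP variant. The test object's `result` key closes outside the hunk.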
@@ -25555,34 +26565,20 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Public Keys History response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
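Review bot: The `check regex` expects a JSON array of bare strings, the same shape as the entity-listing check, but a federation key history is a set of JWK objects carrying per-key validity information, so a conforming `/.well-known/openid-federation-jwks` body would not match and the test would report a failure on a correct TA. Confirm the expected format from the spec and check the structure instead, e.g. `"check": "$.keys"` with a `json schema compliant` schema requiring a non-empty array of objects each having `kty` and `kid`. If the endpoint is served as a signed JWT, the decode step used for the other federation responses is needed before the check. The test object's `result` key closes outside the hunk.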
@@ -25592,34 +26588,21 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ - { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] - } - ] + "message type": "Entity Configuration response TA", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
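Review bot: `"is": "application/entity-statement+jwt"` is an exact comparison on the whole `Content-Type` header, so a response such as `application/entity-statement+jwt; charset=utf-8` — valid HTTP even if the spec only names the media type — fails this test. If the tool offers a regex header check, `"check regex": "Content-Type:\\s*application/entity-statement\\+jwt"` against `head` is more robust; otherwise document that media-type parameters are deliberately rejected. The name still says 'the entity' while the message type is the TA's Entity Configuration; `"name": "Does the TA return a correct Content-Type in the EC response"` would be clearer. The test object's `result` key closes outside the hunk.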
@@ -25630,56 +26613,46 @@ { "test": { "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", - "type": "passive", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } - ] + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response SA RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", 
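Review bot: The description still says the Trust Mark `iss` 'has to be an URL', but the rewrite drops the `^https://` schema check and instead compares the claim with the TA's own `iss` saved as `valid_iss`; either keep a URL-format check or update the text to `"description": "... the value of the iss claim must match the iss of the Trust Anchor's Entity Configuration"`. Binding the Trust Mark issuer to the TA is only right when the TA is the sole Trust Mark issuer in this federation; if intermediaries may issue Trust Marks, the saved value should come from the TA's list of allowed Trust Mark issuers instead. The second operation's decode chain continues past the hunk into the following one, where the actual comparison lives.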
@@ -25687,9 +26660,10 @@ "decode param": "$.trust_marks[0].trust_mark", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + "check": "iss", + "contains": "valid_iss" } ] } 
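Review bot: `"contains": "valid_iss"` is a substring comparison, so with `valid_iss` = `https://ta.example` a Trust Mark whose `iss` is `https://ta.example.attacker.example` or `https://attacker.example/?https://ta.example` passes the correctness check. An issuer identity must be compared for equality — `"is": "valid_iss"` if the tool supports `use variable` with `is`. The decode chain this check belongs to starts in the previous hunk and the test's `result` closes after this one.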
@@ -25703,57 +26677,47 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", - "type": "passive", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "edits": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. 
Its value has to be an URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response SA RP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", @@ -25761,9 +26725,10 @@ "decode param": "$.trust_marks[0].trust_mark", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + "check": "iss", + "contains": "valid_iss" } ] } 
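Review bot: This test carries the same name 'Does the Trust Mark contain a correct iss claim' as the preceding TA OP test, so results cannot be attributed to the RP or the OP statement; suffix the name with the subject, e.g. `"name": "Does the Trust Mark contain a correct iss claim (TA RP)"`. In the second hunk, `"contains": "valid_iss"` is a substring match and should be an equality check, since `https://ta.example.attacker.example` contains `https://ta.example`. The decode chain spans the two hunks and the test's `result` closes after the second.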
@@ -25776,189 +26741,199 @@ } }, { - "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", + "message type": "Entity Configuration response AA", "decode operations": [ { - "from": "jwt payload", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" } ] } ] } - ] + ], + "result": "correct flow s1" } - ], - "result": "correct flow s1" - } + } + ] }, { - "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the 
value of the sa_profile claim can be 'full' or 'light'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", + "message type": "Entity Configuration response AA", "decode operations": [ { - "from": "jwt payload", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" } ] } ] } - ] + ], + "result": "correct flow s1" } - ], - "result": "correct flow s1" - } + } + ] }, { - "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", - "type": "passive", - "sessions": [ - "s1" 
- ], - "operations": [ - { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", + "message type": "Entity Configuration response AA", "decode operations": [ { - "from": "jwt payload", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" } ] } ] } - ] + ], + "result": "correct flow s1" } - ], - "result": "correct flow s1" - } + } + ] }, { - "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. 
Its value has to be an URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", + "message type": "Entity Configuration response AA", "decode operations": [ { - "from": "jwt payload", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" } ] } ] } - ] + ], + "result": "correct flow s1" } - ], - "result": "correct flow s1" - } + } + ] }, { - "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message 
type": "Entity Statement response SA RP", - "decode operations": [ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", + "message type": "Entity Configuration response AA", "decode operations": [ { - "from": "jwt payload", + "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" } ] } ] } - ] + ], + "result": "correct flow s1" } - ], - "result": "correct flow s1" - } + } + ] }, { "test": { 
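Review bot: The five added `not matches regex` checks on `$.metadata` are unlikely to ever observe a duplicated metadata type: the JSONPath is evaluated on the parsed payload, where a repeated key has in all likelihood already been collapsed by the JSON parser, and the pattern `openid_relying_party.*(\\n.*)+\"openid_relying_party\"` additionally requires the two occurrences to sit on different lines of a pretty-printed body. Duplicate keys are a parser-differential concern and are better tested on the raw decoded payload text, if the tool allows it. The other half of the description — only the five allowed types — is not checked at all; a single schema check such as `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"openid_relying_party\":{},\"openid_provider\":{},\"federation_entity\":{},\"oauth_authorization_server\":{},\"oauth_resource\":{}},\"additionalProperties\":false}"` on `$.metadata` covers it and replaces the five identically named tests. These five entries are also wrapped in `"test suite"` objects while their siblings in this array are bare `"test"` objects, which looks like a paste from the single-test files and may not be accepted by the runner at this position.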
@@ -25985,31 +26960,8 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response AA", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -26017,21 +26969,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -26041,8 +26983,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -26053,15 +26995,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -26073,8 +27013,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
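Review bot: The new 'correct sub parameter' test compares `$.sub` with the literal `X_key_AA`, the same token the signature test passes to `jwt check sig`, which reads like a key alias or a placeholder rather than the issuer URL the description says `sub` must equal. Unless the runner substitutes `X_key_AA` with the entity's identifier, this fails on a correct Entity Configuration; the robust form compares with the `iss` claim of the same payload, e.g. saving it with `"jwt save": "iss", "as": "ec_iss"` and checking `"check": "$.sub", "is": "ec_iss"` with `"use variable": "true"`, as the Trust Mark iss tests do. The name also says 'entity configuration OP' while the surrounding checks target the AA configuration; the message type of this test is outside the hunk, so confirm which entity is meant. The test objects' `result` keys close outside the hunks.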
@@ -26085,15 +27025,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] @@ -26106,32 +27048,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response AA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" 
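Review bot: Replacing the `is in ["RS256", "RS512"]` allow-list with `not contains ["none", "HS256", "HS384", "HS512"]` weakens the check: an AA advertising `RS1`, `HS1`, `ES256K` or any other algorithm outside the profile now passes both the DPoP and the token-endpoint signing-alg tests. A deny-list is a useful negative test, but keep the positive one alongside it, e.g. a second check `"check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", "is in": ["RS256", "RS512"]`. Note also that `.one_of` is a metadata-policy operator; in an Entity Configuration the claim is normally a plain array, so if this message is the AA's own configuration the path may resolve to nothing and `not contains` could pass vacuously, depending on how the tool treats a missing path — confirm whether the operand is the EC or a superior's Entity Statement. The test object's `result` key closes outside the hunk.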
@@ -26142,13 +27060,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -26160,8 +27083,8 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -26172,15 +27095,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" - } - ] + "jwt check sig": "X_key_AA" } ] } 
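Review bot: `"jwt check sig": "X_key_AA"` verifies the Entity Configuration against a preconfigured key alias, while the description says the key must be taken from the superior's Entity Statement; if the alias resolves to the AA's own published `jwks`, the check proves only internal consistency, not that the TA vouches for that key. Document where `X_key_AA` is loaded from, or fetch the key from the TA's Entity Statement for the AA in an active test. A signature check should also pin the header `alg` to the profile's asymmetric algorithms, since a verifier that accepts `none` or an HMAC alg makes the check meaningless; a `check` on `alg` in the JWT header with `"is in": ["RS256", "RS512"]` covers that if the tool supports header checks. The test objects' `result` keys close outside the hunks.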
@@ -26190,8 +27107,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -26202,13 +27119,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } @@ -26220,8 +27137,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
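Review bot: The 'correct type authorization_endpoint claim' test checks `$.metadata.federation_entity` for an `authorization_endpoint` whose value is the constant `"private"`, which is a copy of an organization-type check: `authorization_endpoint` belongs to `oauth_authorization_server` and must be an HTTPS URL, so this test fails on every conforming AA. It should read `"check": "$.metadata.oauth_authorization_server"` with `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"authorization_endpoint\":{\"type\":\"string\",\"format\":\"uri\",\"pattern\":\"^https://\"}},\"required\":[\"authorization_endpoint\"]}"`, and the description updated to say the value must be an HTTPS URL. The logo_uri test in the last hunk also describes 'the SA metadata in the TA Entity Configuration' while it runs on the AA configuration. The test objects' `result` keys close outside the hunks.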
@@ -26232,13 +27149,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -26250,8 +27167,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -26262,13 +27179,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } 
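Review bot: The 'correct type op_policy_uri claim' test looks for `op_policy_uri` under `$.metadata.openid_provider` in the AA Entity Configuration, but as far as this file shows the AA tests address `oauth_authorization_server`, `oauth_resource` and `federation_entity`, so `required: ["op_policy_uri"]` would fail for an AA that publishes no `openid_provider` metadata; confirm the intended entity type (the test may belong in the OP set) or point the path at the AA type that carries the policy URI. The description also says the value 'is "private"' while the schema checks `format: uri`; it should say the value must be a URL, and adding `"pattern": "^https://"` would match the other URL checks in this file. The test objects' `result` keys close outside the hunks.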
@@ -26280,8 +27197,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the grant_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain correct type resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26292,13 +27209,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.grant_types_supported",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
 }
 ]
 }
@@ -26310,8 +27227,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the homepage_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain a correct type of issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
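Review bot: The resource schema test in the second hunk checks `$.metadata.federation_entity`, but the presence test for the same claim re-added at `@@ -27038` on the new side looks under `$.metadata.oauth_resource.resource`, and the description here names `federation_entity`. This file's own presence test places `resource` under `oauth_resource`, so `federation_entity` is the odd one out and the `required` clause would fail against a configuration that satisfies the presence test. Change the check to `"check": "$.metadata.oauth_resource"` and the description to match; the `oneOf` string-or-array shape with `minItems: 1` is fine as written.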
@@ -26322,13 +27239,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})"
 }
 ]
 }
@@ -26340,8 +27257,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain a correct logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26352,13 +27269,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.issuer",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
 }
 ]
 }
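Review bot: Both `json schema compliant` strings added on this line end with `]})` — the `)` after the closing brace makes the embedded schema invalid JSON, so a validator cannot parse it and the issuer and logo_uri checks cannot pass (or are skipped, depending on how the runner treats a schema parse error). Drop the stray character: `...\"required\":[\"issuer\"]}"` in the first hunk and `...\"required\":[\"logo_uri\"]}"` in the third. The same strings are removed on the old side at `@@ -26978` and `@@ -27008`, so this is a carry-over rather than a new typo, but it survives the reorder unchanged.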
@@ -26370,8 +27287,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the jwks claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26382,13 +27299,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.jwks",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
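Review bot: The allowed-types schema added in the second hunk drops `trust_mark_issuer` from both `properties` and the `anyOf`, which the old version of this test (removed at `@@ -27038`) still listed; because the object is closed with `additionalProperties: false`, an Entity Configuration that carries that type now fails this test. If the drop is deliberate because the profile under test no longer defines the type, the new description is consistent with it; otherwise add `{"required": ["trust_mark_issuer"]}` to the `anyOf` and the matching `"trust_mark_issuer": {"type": "object"}` property back. The `anyOf` plus closed-object form is a good replacement for the old require-everything list.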
@@ -26400,8 +27317,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26412,13 +27329,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
@@ -26430,8 +27347,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
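Review bot: The description of the trust_marks test added in the first hunk says `It must be an array`, but the schema in the second hunk asserts that `trust_marks` is an object whose values are arrays (`"type": "object", "additionalProperties": {"type": "array"}`); the two cannot both be right. In OpenID Federation an Entity Configuration's `trust_marks` is an array of trust mark objects, so unless the profile under test defines a map the schema should read `{"trust_marks": {"type": "array", "items": {"type": "object"}}}`, and the test would then fail a conformant configuration as written. Whichever shape is intended, align description and schema.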
@@ -26442,13 +27359,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_policy_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -26460,8 +27377,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the op_tos_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26472,13 +27389,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.op_tos_uri",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -26490,8 +27407,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the organization_name claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26502,13 +27419,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -26520,8 +27437,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26537,8 +27454,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
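Review bot: The check added in the last hunk targets `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of`, i.e. a `one_of` policy operator nested inside the metadata claim, while the presence test for the same claim re-added at `@@ -26687` on the new side treats `dpop_signing_alg_values_supported` as a plain value. If the AA publishes the claim as a plain array in its Entity Configuration (`one_of` is a `metadata_policy` operator, not a metadata value), this path resolves to nothing and the `is in` check never sees the algorithm list. The same path form is used for `token_endpoint_auth_methods_supported` and `token_endpoint_auth_signing_alg_values_supported` at `@@ -26567` and `@@ -26597`. Confirm against a captured AA Entity Configuration which shape the tool is expected to see, and document the expected `is in` semantics (every element allowed vs. at least one present) in the description.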
@@ -26550,8 +27470,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26567,8 +27487,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_resource.resource",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
@@ -26580,8 +27502,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the response_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26597,8 +27519,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.response_types_supported",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -26610,8 +27535,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the scopes_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26627,7 +27552,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.scopes_supported",
+ "check": "$.metadata.oauth_authorization_server.authorization_endpoint",
 "is present": "true"
 }
 ]
@@ -26640,8 +27565,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the contacts claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26657,7 +27582,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -26670,8 +27595,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26687,7 +27612,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -26700,8 +27625,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26717,7 +27642,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -26730,8 +27655,8 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26739,11 +27664,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -26753,20 +27685,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the AA metadata contain the grant_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.grant_types_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -26776,8 +27715,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the AA metadata contain the homepage_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
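Review bot: The first hunk replaces the `Resolve Entity Statement response` test wholesale with an AA grant_types_supported presence test, and no hunk visible here re-adds any check on the resolve endpoint. If the reorder is meant to keep that coverage, the test needs to reappear elsewhere in this file; if it was dropped on purpose, the commit description (`Update tests about federation`) should say so. Should it be restored, the old `check regex` appears to have an unbalanced leading `[` and is worth rewriting rather than pasting back.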
@@ -26788,18 +27727,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -26811,8 +27745,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the AA metadata contain the issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26823,18 +27757,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.oauth_authorization_server.issuer",
+ "is present": "true"
 }
 ]
 }
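Review bot: The first and third hunks on this line delete the `not contains` checks that rejected `none`, `HS256`, `HS384` and `HS512` in `dpop_signing_alg_values_supported` and `token_endpoint_auth_signing_alg_values_supported`, and no visible hunk re-adds them. The positive `is in` checks added at `@@ -26537` and `@@ -26597` only establish that `RS256`/`RS512` are acceptable; whether they also reject an extra `none` or HMAC entry depends on the runner's `is in` semantics, which this file does not show. An AA advertising `none` or a symmetric algorithm is exactly what these two tests existed to catch, so either restore them at their new position or confirm that `is in` is a strict every-element-allowed check and say so in the descriptions.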
@@ -26846,8 +27775,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type authorization_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
+ "name": "Does the AA metadata contain the jwks claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26858,13 +27787,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
+ "check": "$.metadata.oauth_authorization_server.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -26876,8 +27805,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the AA metadata contain the logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26888,13 +27817,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -26906,8 +27835,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
+ "name": "Does the AA metadata contain the op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26918,13 +27847,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
+ "check": "$.metadata.oauth_authorization_server.op_policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -26936,8 +27865,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
+ "name": "Does the AA metadata contain the op_tos_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26948,13 +27877,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
+ "check": "$.metadata.oauth_authorization_server.op_tos_uri",
+ "is present": "true"
 }
 ]
 }
@@ -26966,8 +27895,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct type of issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL",
+ "name": "Does the AA metadata contain the organization_name claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -26978,13 +27907,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -26996,8 +27925,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL",
+ "name": "Does the AA metadata contain the policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -27008,13 +27937,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -27026,8 +27955,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the AA metadata contain the resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -27038,13 +27967,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata.oauth_resource.resource",
+ "is present": "true"
 }
 ]
 }
@@ -27056,8 +27985,8 @@
 },
 {
 "test": {
- "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
+ "name": "Does the AA metadata contain the response_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -27068,13 +27997,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata.oauth_authorization_server.response_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -27086,8 +28015,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the AA metadata contain the scopes_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -27098,13 +28027,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.oauth_authorization_server.scopes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -27116,8 +28045,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the AA metadata contain the token_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -27128,13 +28057,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -27146,8 +28075,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -27158,13 +28087,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported", + "is present": "true" } ] } @@ -27176,8 +28105,8 @@ }, { "test": { - "name": "Does entity configuration AA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -27188,13 +28117,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_key_AA" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported", + "is present": "true" } ] } @@ -27446,8 +28375,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" 
@@ -27455,12 +28384,58 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_AA" + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
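Review bot: The `jwt check sig` decode operation removed here was the only check in this hunk that verified the signature on the AA entity configuration, and the `check regex` that replaces it only confirms that the body contains three dot-separated segments; because the third group is `([\w\-\+\/=]*)`, a token with an empty signature segment also matches, so an unsigned or altered entity configuration now passes. Unless the signature check is restored elsewhere (the only signature file touched in this patch is the OP one, which is merely renamed), I would keep the new format test and re-add the removed decode operation ending in `"jwt check sig": "X_key_AA"` as its own test. The regex also admits `+` and `/`, which are not in the base64url alphabet JWS Compact Serialization uses, while excluding `-`, which is; `([\w-]+)\.([\w-]+)\.([\w-]+)` would match a signed compact JWS and nothing looser. In the resolve-endpoint test the pattern `[\s*\"[^\"]*\"...` begins with an unescaped `[`, which opens a character class instead of matching the array's opening bracket, so the regex does not test what the description says; it presumably needs `\\[` at the start, and if the resolve endpoint answers with a signed JWT rather than a JSON array, as the federation specification describes, the check would have to be rewritten against that format instead.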
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-correct-content-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-correct-content-type.json new file mode 100644 index 0000000..8fa5856 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-correct-content-type.json @@ -0,0 +1,33 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-correct-http-code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-correct-http-code.json new file mode 100644 index 0000000..84e3d97 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-correct-http-code.json 
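Review bot: The `"is": "application/entity-statement+jwt"` comparison on the Content-Type header is an exact match, so if mig-t compares the full header value a response that sends `application/entity-statement+jwt; charset=utf-8` fails even though the media type is right. If the tool supports a regex against a named header, `^application/entity-statement\+jwt(\s*;.*)?$` keeps the rejection of `application/jwt` or `application/json` bodies while tolerating parameters; otherwise this limitation is worth stating in the description. The same check is added for the AA in the ALL_Session1.json hunk above.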
@@ -0,0 +1,32 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exp-type.json new file mode 100644 index 0000000..ff212cf --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exp-type.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exp.json new file mode 100644 index 0000000..26340e6 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exp.json 
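Review bot: The `"decode param": "[^\\r\\n]*"` line uses the key that the ALL_Session1.json hunks earlier in this patch rename to `"decode regex"`; unless mig-t accepts both spellings, either the renamed suite or these new single-test files will skip or reject the decode step, and a decode step that is silently skipped turns every payload check after it into a no-op. The same key appears in the other new OP single-test files here (exp, iat-type, iat, iss, jwks, the five metadata-*-once files, metadata-type and metadata), so they should be switched to `"decode regex": "[^\\r\\n]*"` in the same commit, or the rename in the suite reverted, so that one spelling is used throughout.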
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exposed.json new file mode 100644 index 0000000..5259b66 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-exposed.json 
@@ -0,0 +1,32 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iat-type.json new file mode 100644 index 0000000..a18e523 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iat-type.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iat.json new file mode 100644 index 0000000..508e48c --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iat.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iss.json new file mode 100644 index 0000000..a263449 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-iss.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-issue.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-issue.json new file mode 100644 index 0000000..4b26939 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-issue.json 
@@ -0,0 +1,32 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-jwks.json new file mode 100644 index 0000000..96d4ae0 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-jwks.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-federation_entity-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-federation_entity-once.json new file mode 100644 index 0000000..8bdf183 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-federation_entity-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json new file mode 100644 index 0000000..5bd30a7 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json 
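Review bot: The file nests a second `"test suite"` object and `"tests"` array inside the outer `"tests"` element, so that element has no `"test"` key where every other single-test file in this patch puts one; a loader expecting `tests[].test` will skip or reject this file, and the inner wrapper should be removed. The same nesting appears in the other four metadata-*-once files (oauth_authorization_server, oauth_resource, openid_provider, openid_relying_party). Independently, the `not matches regex` check can presumably not detect a repeated metadata type: `$.metadata` is evaluated on the decoded and parsed payload, and a JSON parser keeps one value per key, so a duplicate key is gone before the regex runs; the `(\n.*)+` part additionally requires a newline inside the serialized object, which a compact JWT payload does not contain, so the check may pass vacuously. If the tool exposes the raw decoded payload text, running the regex on that is the way to test this; otherwise the uniqueness claim is not testable at this layer and the description should say so.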
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-oauth_resource-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-oauth_resource-once.json new file mode 100644 index 0000000..c3abbb3 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-oauth_resource-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-openid_provider-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-openid_provider-once.json new file mode 100644 index 0000000..acac243 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-openid_provider-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-openid_relying_party-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-openid_relying_party-once.json new file mode 100644 index 0000000..3fa5583 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-openid_relying_party-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-type.json new file mode 100644 index 0000000..d199769 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-type.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-value.json similarity index 59% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-value.json index efd2e4b..c4a4c4e 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-metadata-value.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata-value.json 
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata.json
new file mode 100644
index 0000000..abfb438
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-metadata.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-signature.json
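Review bot: The body decode operation uses `"decode param": "[^\\r\\n]*"`, i.e. a regex as the value of a key that elsewhere in this patch names a URL parameter (`"decode param": "request"` in the All_OP.json hunk), whereas the metadata tests this patch removes from All_OP.json decoded the same body with `"decode regex": "[^\\r\\n]*"`. If mig-t treats `decode param` as a parameter name, no JWT is extracted and the `$.metadata` presence check is evaluated against nothing, so the test would not exercise the OP at all; `"decode regex": "[^\\r\\n]*"` is the form the previous body-decoding tests used. Whichever key is correct, the same construct is repeated in the other new `ALL-*` files in this patch and should be consistent across them.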
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-sub-value.json
similarity index 96%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-sub-value.json
index 58d2f88..831a97e 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/OP-Entity Configuration response-sub-value.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-sub-value.json
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.sub",
- "is": "X_url_OP"
+ "is": "X_key_OP"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-sub.json
new file mode 100644
index 0000000..7b02f8b
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Entity Configuration response-sub.json
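Review bot: `$.sub` is now compared with `X_key_OP`, but in an Entity Configuration `sub` is the entity's own identifier (its URL, the same value as `iss`), and in this same patch the `X_key_*` placeholders are what `jwt sign` consumes (`"jwt sign": "X_key_RP"` in the All_OP.json hunk), i.e. a key reference rather than an identifier. Unless the mig-t configuration binds `X_key_OP` to the OP's entity identifier, this check now compares the subject against the wrong placeholder and will either fail on a correct OP or, worse, never fail on one that serves statements for a different subject. Keeping `"is": "X_url_OP"`, or a sentence in the test description stating what `X_key_OP` expands to, would make the intent verifiable.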
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Resolve Entity Statement endpoint response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Resolve Entity Statement endpoint response-exposed.json
new file mode 100644
index 0000000..2fb4169
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/ALL-Resolve Entity Statement endpoint response-exposed.json
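Review bot: This test only asserts that `sub` is present; an Entity Configuration is self-signed, so `sub` must also equal `iss`, and a statement served from the OP's well-known endpoint whose `iss` names another entity would pass this presence check and the separate value check. A second entry in the same `checks` array, `{ "in": "payload", "check": "$.iss", "is present": "true" }`, followed by a value comparison against the same placeholder used for `sub`, would tie the two claims together. As in the sibling metadata test, the body decode uses `"decode param"` with a regex value where the All_OP.json tests replaced by this patch used `"decode regex"`; whichever key mig-t honours, it should be the same in both files.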
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Resolve Entity Statement response",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json
index f86062c..e7dca51 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP.json
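Review bot: The body regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens with an unescaped `[`, so the first bracket starts a character class instead of matching a literal `[`, and in a Java regex engine the nested `[^\"]` inside that class becomes a union; the expression therefore does not match the JSON string array that the closing `\\]$` suggests it targets. It should read `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also promises an HTTP 200 OK, but no `head` check is made; add `{ "in": "head", "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" }` beside the body check, as the other response tests in this patch do. Matching only the tail of the body says nothing about whether the resolved metadata is for the requested `sub`, nor about the signature if the implementation answers with a JWT (`application/resolve-response+jwt`); that deserves a follow-up test.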
@@ -7,861 +7,960 @@ "tests": [ { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Entity Configuration response OP", - "checks": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" + } + ] } ] - } - ], - "result": 
"correct flow s1" - } - }, - { - "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Revocation response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "checks": [ + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the client_id parameter", + "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. 
In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ - { 
- "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "" + }, { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported[0]", - "is in": [ - "automatic" - ] + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is 
in": [ - "refresh_token", - "authorization_code" - ] - } - ] + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + 
"then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "" + }, { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] - } - ] + "action": "intercept", + "from 
session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the code_challenge_method parameter", + "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the nonce parameter", + "description": "If the nonce in the request is missing, than a control about the freshness of the request/response is missing. 
In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the scope parameter", + "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - 
"from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" - ] + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the state parameter", + "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. 
In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] + "jwt from": "payload", + "jwt edit": "$.state", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", + "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + 
"message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", + "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" - ] + "jwt from": "payload", + "jwt edit": 
"$.claims", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", + "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" - ] + "jwt from": "payload", + "jwt edit": "$.code_challenge_method", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", + "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", - "is in": [ - "private_key_jwt" - ] + "jwt from": "payload", + "jwt edit": "$.code_challenge", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", + "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + 
"then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", + "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ 
- "RSA-OAEP", - "RSA-OAEP-256" - ] + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681723540" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "jwt from": "payload", + "jwt edit": "$.nonce", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error 
response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", + "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - 
"description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", + "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "example" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "unsupported_response_type" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", - "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", + "description": "The scope parameter is used by the OP to check which claims to send in the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. 
So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.scope", + "value": "example" + }, + { + "jwt sign": "X_key_RP" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", "checks": [ { "in": "head", - "url decode": false, - "is": "application/jwt", - "check param": "Content-Type" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_scope" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP refuse wrongly signed Authentication Requests", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.", + "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", + "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", "type": "active", "sessions": [ "s1" 
@@ -883,7 +982,12 @@ "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.state", + "value": "19az" + }, + { + "jwt sign": "X_key_RP" } ] } @@ -901,21 +1005,21 @@ }, { "in": "head", - "check": "unauthorized_client" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "name": "Does the OP refuse Authentication Requests without the acr_values parameter", + "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { @@ -926,15 +1030,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.acr_values", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } 
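Review bot: The `edits` list in this hunk swaps the `"jwt sign": "X_wrong_key"` step for a short-`state` edit re-signed with `X_key_RP`, so the case of an Authentication Request carrying a bad request-object signature is no longer exercised by this test; unless it is re-added later in the series, an OP that skips signature verification would now go unnoticed in this file. Keeping both is cheap: leave this test as the `state` case and add a sibling test whose only edit is `{ "jwt sign": "X_wrong_key" }` with the original `unauthorized_client` expectation. The enclosing test object starts before and ends after this hunk.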
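Review bot: The expected error becomes `invalid_request`, but the check is a bare substring match over the whole response head, so it also passes on `invalid_request_object`, `invalid_request_uri`, or an `error_description` that merely mentions the string, and it never confirms that the error is carried in the `Location` redirect. Anchoring it to the redirect query is more precise, e.g. `"check regex": "Location:[^\\r\\n]*[?&#]error=invalid_request(&|\\r|\\n|$)"`. If `invalid_request_object` (the OIDC Core §6.2 error for a malformed request object) is meant to be accepted as well, make that an explicit alternation rather than relying on the prefix match. The test object continues outside the hunk.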
@@ -944,26 +1053,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Introspection response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" }, { - "in": "body", + "in": "head", "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP verify the signature of the client assertion in the Revocation request", - "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", + "name": "Does the OP refuse Authentication Requests without the aud parameter", + "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", "type": "active", "sessions": [ "s1" @@ -977,15 +1086,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } 
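Review bot: The new edit sets `$.acr_values` to `""` while the test (renamed in the preceding hunk) claims to send a request *without* `acr_values`; an empty string is still a present claim, so an OP that only checks presence passes this test and an OP that rejects only the empty value fails it, neither of which is what the name measures. If the mig-t edit vocabulary has a claim-removal operation, use it here; otherwise rename the test to `"... with an empty acr_values parameter"` and keep a separate removal case. The enclosing test object starts before and ends after this hunk.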
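Review bot: The new 302 check never validates the redirect target: it matches only the status line and the substring `invalid_request`, so a redirect to an unrelated or attacker-influenced URL that happens to contain that string passes, and a correct error response that omits the request's `state` is not caught. This file already has the vocabulary for a binding check (the `"jwt save"`/`"as"` edit and the `"use variable": "true"` + `"contains"` check removed further down in this series): save `$.redirect_uri` and `$.state` from the intercepted request JWT, then add head checks such as `{ "use variable": "true", "in": "head", "contains": "saved_redirect_uri" }` and the same for `saved_state`. The enclosing test object continues outside the hunk.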
@@ -995,26 +1109,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" }, { - "in": "body", + "in": "head", "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the token response to a token request made with a wrong signature return a Token Error response", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed", + "name": "Does the OP refuse Authentication Requests without the claims parameter", + "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", "type": "active", "sessions": [ "s1" @@ -1028,15 +1142,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.claims", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } 
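Review bot: This test now describes three different scenarios at once: the name says the request is sent *without* `aud`, the description says `aud` is present but does not contain the OP's identifier, and the edit sets `$.aud` to `""`, which is neither. Pick one and make the payload match it: for the description's case use a foreign identifier such as `"value": "https://www.example.com/"` (the value the later `iss`/`client_id` tests in this file use), and for the missing-claim case remove the claim instead of blanking it. The enclosing test object starts before and ends after this hunk.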
@@ -1046,26 +1165,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" }, { - "in": "body", + "in": "head", "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP's token endpoint refuse assertions signed with a wrong key", - "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed", + "name": "Does the OP refuse Authentication Requests without the exp parameter", + "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", "type": "active", "sessions": [ "s1" @@ -1079,15 +1198,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "edits": [ { - "jwt sign": "X_wrong_key" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } 
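Review bot: Setting `$.claims` to `""` replaces a JSON object (OIDC Core §5.5 defines `claims` as an object) with a string, so an OP that rejects here may be reacting to the type error rather than to a missing parameter, which is what the renamed test claims to measure. Also, `claims` is OPTIONAL in OIDC Core; the `invalid_request` expectation only holds if the SPID/CIE profile under test makes it REQUIRED, which is worth stating in the description so a compliant OP is not flagged by mistake. The enclosing test object continues outside the hunk.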
@@ -1097,26 +1221,26 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Authentication error response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" }, { - "in": "body", + "in": "head", "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP", + "name": "Does the OP refuse Authentication Requests without the iat parameter", + "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", "type": "active", "sessions": [ "s1" @@ -1130,17 +1254,20 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "edits": [ { "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } 
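Review bot: The `$.exp` edit writes `"value": ""`, a string, into a NumericDate claim, and the earlier expired-`exp` test in this file likewise writes `"1681723540"` as a quoted value; if the edit engine emits these as JSON strings rather than numbers, an OP that merely rejects a non-numeric `exp` passes both tests without ever checking expiry. Confirm what type the mig-t `value` field produces and, if it is always a string, prefer a removal operation here and a numeric literal in the expired case. The enclosing test object starts before and ends after this hunk.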
@@ -1150,1251 +1277,2248 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", - "decode operations": [ + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "saved_iss" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "decode operations": [ + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.jwks", - "is present": "true" - } - ] + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the iss parameter", + "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - 
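Review bot: This hunk drops the `"jwt save": "$.iss"`/`"as": "saved_iss"` edit on the OP Entity Configuration, which was the first half of the check that the issued ID Token's `iss` equals the OP's own entity identifier; the second half (the `"use variable"` check on the Token response) goes with it further down, so that issuer-consistency test disappears from this file unless it is re-added later in the series. The replacement `$.iat` edit has the same problem as the `exp` case above: `""` is a present, string-typed claim, not a missing one, so the renamed "without the iat parameter" test does not measure absence. The enclosing test object starts before this hunk.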
"in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported", - "is present": "true" - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the authorization_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + "session": "s1", + "action": "start" + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_endpoint", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", - "decode operations": [ + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" 
- } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the prompt parameter", + "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.prompt", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the claims_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": 
"Does the OP refuse Authentication Requests without the redirect_uri parameter", + "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.claims_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests without the response_type parameter", + "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": 
"Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.response_type", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse an RP without trusted Trust Marks", + "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. 
The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.trust_marks", + "value": "" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the contacts claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP correctly validate the trust chain of an RP authentication request", + "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. 
In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. If the OP validates the request anyway, it is not compliant with the specification", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.authority_hints", + "value": "https://www.wrongsite.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_client" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", + "description": "This test aims to check if the OP checks the correctness of the client_id parameter. 
The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.client_id", + "value": "https://www.example.com/" + }, { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", + "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. 
If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse Authentication Request with a wrong redirect URI", + "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. 
To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.redirect_uri", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication error response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s302" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" 
+ }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud[0]", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { 
- "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": 
"forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", - "type": "passive", + "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In 
this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a 
legitimate request, take the JWT of the client assertion and remove the sub parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the exp of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": 
"Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "example" + }, + { 
+ "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", + "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", + "type": "active", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "example" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Introspection response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "head", + "check": 
"invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' 
parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.jti", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", - "type": "passive", + "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", + "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. 
The response is analyzed; the OP should refuse it", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "abc" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is missing.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is missing", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the aud claim does not contain the OP's Token endpoint", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.aud", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the exp claim is wrong", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.exp", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular, the iat claim is wrong", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iat", + "value": "1681716340" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" + } + ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the iss claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata.openid_provider.signed_jwks_uri", - "is present": "true" + "jwt from": "payload", + "jwt edit": "$.iss", + "value": "https://www.example.com/" + }, + { + "jwt sign": "X_key_core_RP" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Configuration response OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, { "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", - "type": "passive", + "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", + "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. 
In particular the sub claim is not set to the RP's client ID", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt edit": "$.sub", + "value": "https://www.example.com" + }, + { + "jwt sign": "X_key_core_RP" + } + ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. 
In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Authentication response", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", "checks": [ { "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "check regex": "HTTP/?\\d?\\.?\\d?\\s400" + }, + { + "in": "body", + "check": "invalid_request" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. 
It must contain the access token parameter and its value must be a JWT", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "checks": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] @@ -2405,19 +3529,19 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "checks": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] 
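Review bot: The new test "Does the Entity expose the /.well-known/openid-federation endpoint" asserts only `HTTP/?\\d?\\.?\\d?\\s200` on the head of the Entity Configuration response, which is exactly the check the preceding test ("Does the entity return a correct HTTP code in the EC response") already makes, so the two are indistinguishable at runtime. Its description promises that the entity configuration itself comes back, which needs a Content-Type or body check, for example a second check object `{ "in": "head", "check regex": "application/entity-statement\\+jwt", "is present": "true" }` or a body check with the compact-JWS regex this commit removes, `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)`. Otherwise drop one of the two tests. The preceding test sits in the hunk that starts before this chunk.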
@@ -2428,19 +3552,19 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Revocation response", "checks": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true" } ] 
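Review bot: The revocation test's description says the response has to be an empty HTTP 200, but the only check is the status-line regex `HTTP/?\\d?\\.?\\d?\\s200` in the head, so a 200 whose body still carries an error object or token data would pass. If the check vocabulary supports a negated presence, add a body check such as `{ "in": "body", "check regex": "\\S", "is present": "false" }` (only `"is present": "true"` is visible in this file, so confirm the negated form exists in the runner); otherwise narrow the description to the status code it actually verifies.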
@@ -2451,34 +3575,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa
\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
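Review bot: "Does the OP handle a correct token request" and the next hunk's "Does the HTTP status of a token response correct?" (@@ -2488) both assert only `HTTP/?\\d?\\.?\\d?\\s200` on the head of the Token response, so one of them is redundant; keep one, or have this one also check the body, for which the access_token regex removed earlier in this commit, `(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"`, would serve. Separately, this hunk and the three that follow delete a PEM-encoded RSA private key that was stored inline under `jwe decrypt`; deleting it does not remove it from repository history, so if that key was ever used for anything beyond the local test harness it should be treated as exposed and rotated. The replacement tests reference keys by alias (`X_key_core_RP` under `jwt sign`), which is the form future fixtures should keep.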
@@ -2488,31 +3598,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2R
R7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
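Review bot: The new test name `Does the HTTP status of a token response correct?` is ungrammatical and is the only name in this chunk ending in a question mark; sibling names read as `Does the ... return ...` statements. Rename it to `Does the token response return an HTTP 200 status` and keep the description as is. Its single check duplicates the previous hunk's test, as noted there.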
@@ -2522,28 +3621,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the Introspection Endpoint Response have the active parameter", + "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Introspection response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8l
u0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "active" } ] } 
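Review bot: The new introspection check writes `"is present": true` as a JSON boolean while every other check in this chunk writes `"is present": "true"` as a string; unless the runner normalises both forms, this check is silently skipped or rejected, so use the string form here. The regex `active` is also loose: it matches `"active": false`, `inactive`, or an error message containing the word, so anchor it to the key, e.g. `"check regex": "\"active\"\\s*:"`. The test now runs in session `s_CIE_introsp` instead of `s1`; that session must be defined in the session configuration, which cannot be confirmed from this hunk.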
@@ -2553,28 +3644,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the Introspection Endpoint returns true on active tokens", + "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Introspection response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf
2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "\"active\": true" } ] } 
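Review bot: `"check regex": "\"active\": true"` depends on the OP pretty-printing its JSON with exactly one space after the colon; a compact serialization such as `{"active":true}` fails the match and the test reports a false negative against a correct OP. A whitespace-tolerant pattern, `"check regex": "\"active\"\\s*:\\s*true"`, checks the same thing independently of formatting. The enclosing test object starts before and ends after this hunk.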
@@ -2584,28 +3667,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6
vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.enc", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
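Review bot: The added check looks for `POST` with `"in": "url"`, but the HTTP method is carried in the request line, not in the URL, so as written the test only matches a request whose URL happens to contain the string `POST`. If the tool exposes the request line under `"in": "head"` as it does for status lines elsewhere in this file, `"in": "head", "check regex": "^POST\\s"` would express the intent. Beyond that, a passive check on the RP's request can only show that the client used POST; it does not establish that the OP rejects other methods, which is what the test name claims, so either the name or the test type should be reconsidered.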
@@ -2615,28 +3690,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9K
hLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.kid", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } @@ -2646,29 +3713,20 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
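Review bot: The two tests added on this line (`Does the successful token response contain access token` and `Does the OP issue the access tokens when requested`) check exactly the same thing — same `Token response` message type, same `"check regex": "access_token"` — so the second adds no coverage and will always report the same verdict as the first. If the second is meant to cover the flow its description gives (authentication with scope `openid`, then code exchange), it needs operations or a session that actually drive that flow. Separately, here and in the `expires_in`, `id_token` and `token_type` hunks that follow, a bare substring regex is also satisfied by an error body whose `error_description` mentions the parameter name; anchoring on the key, e.g. `"check regex": "\"access_token\"\\s*:"`, avoids that.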
@@ -2678,32 +3736,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } 
@@ -2713,32 +3759,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } 
@@ -2748,32 +3782,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } 
@@ -2783,32 +3805,20 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } 
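Review bot: The UserInfo status check uses `"check param": "HTTP/?\\d?\\.?\\d?\\s200"`, whereas the identical status-line pattern in the revocation-response hunk later in this patch is given as `"check regex"`. Unless `check param` also interprets its value as a regular expression, the metacharacters here are matched literally and the test can never pass. `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` is the form used elsewhere in the file.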
@@ -2818,26 +3828,31 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + 
"RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" ] } ] 
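Review bot: This hunk commits an RSA private key in clear as the `jwe decrypt` value, and the same key is pasted again in the `enc`, `alg` (`is not in`) and `cty` UserInfo hunks that follow. Even as a test fixture, a PEM key duplicated inside a large JSON test file is easy to reuse unintentionally and cannot be rotated without touching every copy; if the tool supports it, a single definition read from a file path and referenced from each test would keep one copy outside the test bodies. If this key is also the one presented by a real RP or OP test deployment it should be treated as exposed and replaced. The test name here is also reused verbatim by the `is not in` test on the same header field later in this patch, which may collide if results are keyed by name.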
@@ -2850,29 +3865,28 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOU
svO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -2885,8 +3899,8 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method", - "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.", + "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided", + "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed", "type": "active", "sessions": [ "s1" 
@@ -2894,25 +3908,18 @@ "operations": [ { "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "header", - "jwt edit": "alg", - "value": "none" - } - ] + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "message operations": [ + { + "from": "body", + "edit": "(?<=token=)([^&]+)", + "in": "123.123.123" } ] }, 
@@ -2920,43 +3927,46 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Authentication error response", + "message type": "Revocation response", "checks": [ { "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "in": "header", + 
"check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
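Review bot: `"is present": "true"` in the revocation-response check is a string, while every other check added in this patch writes the key as a JSON boolean (`true` / `false`); a consumer that tests for the boolean will treat the string differently, so one representation should be used. The description of the following UserInfo test says an absent `alg` makes the token non-compliant, but `"is not in"` on `$.alg` presumably passes vacuously when the claim is missing — a separate `"is present": true` check on `$.alg` would cover that case. This test also reuses the exact name of the `is in` test added earlier for the same header field; distinct names keep the two verdicts distinguishable in reports.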
@@ -2968,25 +3978,26 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDo
GjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } @@ -2998,8 +4009,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -3015,8 +4026,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.sub", + "is": "X_key_OP" } ] } 
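Review bot: The `sub` check in the last hunk on this line compares `$.sub` with the literal `X_key_OP`, while its description says the value must equal the `iss` claim; unless `X_key_OP` is a placeholder the tool substitutes at run time, this hard-codes one deployment's identifier instead of checking the relation the test is named for. If the tool has no cross-claim comparison, the description should say the expected value is configured and the placeholder should be marked as such, e.g. `"is": "<OP_ENTITY_ID>"` with a comment in the test description. The enclosing test objects start before and end after their hunks.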
@@ -3028,8 +4039,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3045,8 +4056,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" } ] } @@ -3058,8 +4069,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" 
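Review bot: The JSONPath `$.metadata.openid_provider.authorization_response_iss_parameter_supported.value` selects a `value` member of a claim that is a plain boolean in OP metadata, so the path resolves to nothing and the comparison `"is": "true"` (a string, against a boolean claim) cannot succeed; the same pattern appears in the `claims_parameter_supported` and `request_parameter_supported` hunks that follow. Unless the JSONPath engine used here maps `.value` onto the scalar, the path should end at the claim name and the expected value should be written in whatever form the tool uses to compare booleans. The test name says "correct value" while the description says only "presence"; one of them should be adjusted to match what the check does.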
@@ -3070,13 +4081,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "check": "$.metadata.openid_provider.claims_parameter_supported.value", + "is": "true" } ] } @@ -3088,8 +4099,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3100,13 +4111,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_provider.request_parameter_supported.value", + "is": "true" } ] } 
@@ -3118,55 +4129,53 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP issue refresh tokens even when it is not supposed to",
+ "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
- }
- ]
+ "in": "body",
+ "check": "refresh_token",
+ "is present": false
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "in": "header",
+ "check": "$.alg",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
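Review bot: The access-token extraction `"decode param": "(?<=\"access_token\": \")[^\"]+"` only matches a pretty-printed token response with exactly one space after the colon; a compactly serialized body (`"access_token":"eyJ..."`) yields no match, so the `alg` check on the header silently has nothing to examine and a `none`/HS* token would go unnoticed. `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"` keeps the lookbehind bounded (a Java regex requirement) while tolerating both serializations. In the refresh-token test above, the description relies on the authentication request not carrying `offline_access`, but the operation only asserts that `refresh_token` is absent from the token response and never verifies that precondition, so a session that legitimately requested `offline_access` is reported as a failure; its `"result": ["s1"]` also differs from the `"correct flow s1"` form every other test in this hunk uses. The second test object continues outside the hunk.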
@@ -3178,27 +4187,20 @@
 },
 {
 "test": {
- "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
+ "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "code"
 }
 ]
 }
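Review bot: `"contains": "code"` is a plain substring test over the whole `Location` value, so it is satisfied by a redirect URI whose host or path contains the word (e.g. `/callback/code`), by an `error=...&error_description=...code...` error redirect, or by an `error_code=` parameter — none of which is a successful authentication response. At minimum anchor on the parameter syntax with `"contains": "code="`, and if mig-t offers a query-parameter or regex matcher prefer `[?&]code=[^&]+`. The test object continues outside the hunk.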
@@ -3208,27 +4210,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
+ "name": "Does the OP contain iss parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "iss"
 }
 ]
 }
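Review bot: `"contains": "iss"` is a three-letter substring test against the entire `Location` header and matches words such as `issuer`, `permission` or `missing` in any redirect URI path or `error_description`, so a redirect that lacks the RFC 9207 `iss` parameter can still pass. Use at least `"contains": "iss="`, and ideally compare the percent-decoded value with the OP's issuer identifier (the `X_url_OP` placeholder this file uses elsewhere), since the parameter exists for mix-up protection and mere presence proves little. The test object continues outside the hunk.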
@@ -3238,27 +4233,20 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
+ "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "state"
 }
 ]
 }
@@ -3268,8 +4256,8 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
+ "name": "Does the token response have Cache-Control set to 'no-store'",
+ "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.",
 "type": "passive",
 "sessions": [
 "s1"
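Review bot: The test is named "correct state parameter" but `"contains": "state"` only checks that the substring appears somewhere in `Location`; it neither anchors on `state=` nor compares the value with the `state` the RP sent in the authentication request, which is the property that actually binds the response to the session. Tighten to `"contains": "state="` and, if mig-t can reference the earlier Authentication request, assert equality with its `state` value; otherwise reword the name and description to say that only presence is checked. The test object continues outside the hunk.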
@@ -3277,18 +4265,11 @@
 "operations": [
 {
 "message type": "Token response",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "head",
+ "check param": "Cache-Control",
+ "contains": "no-store"
 }
 ]
 }
@@ -3298,25 +4279,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
+ "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
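Review bot: The token-response caching check only looks for `no-store` in `Cache-Control`; RFC 6749 §5.1 requires the authorization server to send both `Cache-Control: no-store` and `Pragma: no-cache` on responses that carry tokens, so a second entry `{ "in": "head", "check param": "Pragma", "contains": "no-cache" }` belongs in the same `checks` array. A `contains` match also accepts self-contradictory values such as `Cache-Control: public, no-store`, so an exact or regex comparison is preferable if the tool supports one. The test object starts outside the hunk.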
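Review bot: The deny-listed value `RSA_1_5` is not a JWA algorithm name; the RSAES-PKCS1-v1_5 identifier registered in RFC 7518 §4.1 is `RSA1_5` (no underscore before the digit), so an OP advertising `RSA1_5` in `id_token_encryption_alg_values_supported` passes this test and the Bleichenbacher-prone algorithm goes undetected. Change the entry to `"RSA1_5"` and fix the description to match. The test object continues outside the hunk.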
@@ -3328,25 +4311,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
- "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
+ "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
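Review bot: This and the sibling metadata tests below rely on a deny-list (`none`, `HS256`, `HS384`, `HS512`); unlike the access-token `alg` test earlier in this patch, which uses `"is in": ["RS256", "RS512"]`, a deny-list accepts any identifier the profile never intended (`RS1`, an unexpected `ES256K`, a vendor string) and must be revisited whenever a new weak algorithm appears. If the federation profile fixes the permitted signing algorithms, an allow-list assertion applied to every element of the array is the stronger check; if `not contains` is kept, the name and description should say the test rejects only the listed values rather than "incorrect" values in general. The test object continues outside the hunk.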
@@ -3358,25 +4346,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
+ "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
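Review bot: The JSONPath `$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]` inspects only the first element of the array, so an OP advertising `["RS256", "none"]` passes this test. The four sibling `*_alg_values_supported` tests in this patch check the whole array; drop the index so this one reads `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`. The test object continues outside the hunk.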
@@ -3388,25 +4381,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3418,25 +4416,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3448,25 +4451,27 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
+ "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
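Review bot: As in the `id_token_encryption_alg_values_supported` test, the deny-listed string `RSA_1_5` does not match the JWA identifier `RSA1_5` (RFC 7518 §4.1), so an OP offering RSAES-PKCS1-v1_5 for UserInfo encryption is not caught. Replace the entry with `"RSA1_5"` and update the description. The test object continues outside the hunk.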
@@ -3478,25 +4483,30 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string",
+ "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}"
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -4990,8 +6000,200 @@
 },
 {
 "test": {
- "name": "Does entity configuration OP contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "jwt check sig": "X_key_OP"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "type": "jwt",
+ "jwt check sig": "X_key_core_OP"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Token response",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "type": "jwt",
+ "jwt check sig": "X_key_core_OP"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5007,8 +6209,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_OP"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
 }
 ]
 }
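Review bot: The two token-signature descriptions say the signature is "made using the OP's private key, in such a way to be decrypted using its public key"; a JWS signature is verified, not decrypted, and the wording invites confusion with JWE. Suggest `The signature is produced with the OP's private key and verified with the corresponding public key from the OP's jwks` for both the Access Token and ID Token tests. In the Entity Configuration test the description speaks of `n, e of jwks`, which presumes an RSA key although the check is driven by the header `alg` and could be EC, and it says the key "must be taken from the Entity Statement of a superior" while the operation verifies against the fixed configured key `X_key_OP`; the description should state which key mig-t actually uses so a passing result is not over-read as trust-chain validation. The `allowed types` test also uses `"decode param": "[^\\n\\r]*"` while every other new test in this hunk uses the equivalent `"[^\\r\\n]*"`; one spelling should be used. The hunk's last test object continues outside the hunk.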
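Review bot: The schema `{"authority_hints": {"type": "array"}}` accepts an empty array and any element type, so an Entity Configuration with `"authority_hints": []` or `[42]` passes even though a leaf OP's trust chain resolution depends on these identifiers. Tighten the property to `{\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"}}`, since OpenID Federation entity identifiers are HTTPS URLs and the file already uses `^https://` patterns for `client_id` and `iss`. The test object starts outside the hunk.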
@@ -5020,8 +6222,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain correct type issuer parameter",
+ "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5032,13 +6234,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
 }
 ]
 }
@@ -5050,8 +6252,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain correct type logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
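Review bot: The description says `issuer` must be "an URL with no query or fragment component", but the schema only declares `"format": "uri"`, which most JSON Schema validators treat as an annotation unless format assertion is enabled and which in any case admits `?` and `#`. Add `\"pattern\": \"^https://[^?#]*$\"` alongside the format so the schema enforces what the description claims (the file already uses `^https://` patterns for `client_id` and `iss`). The test object starts and ends outside the hunk.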
@@ -5062,13 +6264,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
@@ -5080,8 +6282,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5097,8 +6299,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported.value",
- "is": "true"
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
 }
 ]
 }
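Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` accepts plain `http://`, unlike the other URL checks in this file (`client_id`, `iss`) which require `^https://`; a cleartext logo rendered on a login page is a mixed-content and spoofing vector. If the profile requires HTTPS here as well, change the schema fragment to `\"pattern\": \"^https://.*\\\\.svg$\"`. The description only says the value "is an URL" and should mention the SVG requirement the pattern actually enforces. The test object starts and ends outside the hunk.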
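Review bot: The `request_authentication_methods_supported` schema has no `required`, `minProperties` or `minItems`, so an empty object `{}` or `{"authorization_endpoint": []}` satisfies it although the test claims to check that the methods are present. Add `\"minProperties\": 1` to the object and `\"minItems\": 1` to the array schema, and if the profile pins the endpoint also `\"required\": [\"authorization_endpoint\"]`. The test object starts outside the hunk.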
@@ -5110,50 +6312,55 @@
 },
 {
 "test": {
- "name": "Does the OP issue refresh tokens even when it is not supposed to",
- "description": "In this test an RP makes an authentication request with an arbitrary scope that differs from 'offline_access'. Once received the code, the RP tries to exchange it in the token endpoint and the response must not contain the refresh token.",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "refresh_token",
- "is present": false
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ }
+ ]
 }
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
@@ -5165,25 +6372,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
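Review bot: The `trust_marks` schema requires `"type": "object"` with array-valued properties, but the test's own description says the parameter "must be a JSON array", and OpenID Federation defines `trust_marks` as an array of objects each carrying `id` and `trust_mark`; as written the test fails a conformant Entity Configuration and passes a non-conformant one. Replace the property schema with `{\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}`. In the `aud` test further down the hunk, `{"aud": {"type": "array"}}` only checks the container while the description says the value must be the resource server identifier; at least `\"minItems\": 1` and `\"items\": {\"type\": \"string\"}` are needed, and RFC 7519 also permits a single-string `aud`, which this schema rejects. The second test object continues outside the hunk.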
@@ -5195,25 +6402,25 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -5225,25 +6432,25 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -5255,25 +6462,25 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", + "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } 
@@ -5285,25 +6492,25 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" } ] } 
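Review bot: The `jti` pattern accepts only lowercase hex digits, but RFC 4122 treats UUID text as case-insensitive on input, so an OP emitting uppercase UUIDs would fail a check whose stated purpose is only "uuid4 format". Either state in the description that lowercase is deliberately required, or relax the classes to `[0-9a-fA-F]` and the variant nibble to `[89abAB]`.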
@@ -5315,25 +6522,25 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.authority_hints", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
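Review bot: The `decode param` lookbehind `(?<=id_token: \")` has no quotes around the key name, so it cannot match the JSON body `"id_token": "…"`; the ID-token hunks at -5387 and -5417 use `(?<=\"id_token\": \")[^\"]+`, which is the form that matches. The same non-matching regex is in the next hunk (-5345, the iat test). With no match the decode step yields nothing, so these two tests presumably pass or fail on an empty value rather than on the token — worth confirming how the runner treats a decode that matches nothing.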
@@ -5345,25 +6552,25 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -5375,8 +6582,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", "type": "passive", "sessions": [ "s1" 
@@ -5387,13 +6594,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" } ] } @@ -5405,8 +6612,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", "type": "passive", "sessions": [ "s1" @@ -5417,13 +6624,13 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" } ] } 
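Review bot: The `json schema compliant` string of the iss test in hunk -5387 ends with `]})` — the stray `)` after the closing brace makes the embedded schema unparseable, so the check cannot run; it should end `\"required\":[\"iss\"]}`. The expected issuer is the literal `X_https_OP`, while the metadata issuer test in hunk -5645 compares against `X_url_OP`; if both are placeholders for the same OP URL they should use one name, otherwise one of the two tests will never match.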
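Review bot: In hunk -5417 the `sub` schema requires a 64-character lowercase hex string, but the test description says the parameter is "checked to be a string". The description should state the stricter constraint, e.g. `the 'sub' parameter is checked to be a 64-character hex string`, so that a failure on a non-hex subject is not mistaken for a type problem.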
@@ -5435,25 +6642,29 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.typ", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_provider.acr_values_supported[0]", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
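Review bot: The check `$.metadata.openid_provider.acr_values_supported[0]` with `is in` only verifies that the first element is one of the three allowed values, whereas the description says the value must be the full list [SpidL1, SpidL2, SpidL3]; an OP advertising only SpidL1 passes. The same index-zero pattern is used in the grant_types, encryption/signing alg, response_modes, scopes and auth-method tests of hunks -5525 through -6005. If the engine has no whole-array comparison, the descriptions should be narrowed to what is actually tested, or one check per expected index added. This hunk also switches the key from `decode param` (used in all hunks above) to `decode regex`; confirm the runner accepts both spellings, otherwise one group of tests will decode nothing.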
@@ -5465,25 +6676,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" + ] } ] } 
@@ -5495,25 +6708,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", - "is present": "true" + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] } ] } 
@@ -5525,25 +6740,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } 
@@ -5555,25 +6773,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -5585,25 +6806,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -5615,25 +6839,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -5645,25 +6872,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is present": "true" + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } 
@@ -5675,25 +6904,28 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -5705,25 +6937,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -5735,25 +6970,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } 
@@ -5765,25 +7003,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr", - "is present": "true" + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } 
@@ -5795,25 +7035,27 @@ }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.at_hash", - "is present": "true" + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] } ] } 
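Review bot: The check path `$.metadata.openid_provider.revocation_endpoint_auth_methods_supported` has no `[0]` index, unlike every sibling metadata test, so `is in` is applied to the whole claim rather than to one element; if the claim is an array, the comparison against `["private_key_jwt"]` will presumably never succeed. Use `$.metadata.openid_provider.revocation_endpoint_auth_methods_supported[0]` for consistency with the token_endpoint test in hunk -5885.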
@@ -5825,25 +7067,30 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -5855,25 +7102,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } 
@@ -5885,25 +7134,27 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } 
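Review bot: The test name says "correct value" and the check asserts `private_key_jwt`, but the description only states that the presence of token_endpoint_auth_methods_supported is checked. Align the description with the check, e.g. `... is checked to be 'private_key_jwt'`.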
@@ -5915,25 +7166,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -5945,25 +7199,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -5975,25 +7232,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -6005,25 +7265,28 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -6035,20 +7298,31 @@ }, { "test": { - "name": "Does the Introspection Endpoint Response have the active parameter", - "description": "To test that the Introspection response of the OP's correctly answers to valid tokens, a valid one is sent and the response is analyzed. It must contain the 'active' parameter", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "active" + "from": "body", + "decode regex": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] + } + ] } ] } 
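Review bot: The description states that the ID Token `acr` must be equal or superior to the acr sent in the Authentication Request, but the check is only a membership test against the three SPID levels; nothing in this test relates the value to the request. Either drop the last sentence of the description or add a check in the session that compares the value with the requested acr_values, so the test's name and its actual coverage agree.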
@@ -6058,20 +7332,28 @@
 },
 {
 "test": {
- "name": "Does the Introspection Endpoint returns true on active tokens",
- "description": "To test that the Introspection response of the OP's correctly identifies valid tokens, a valid one is sent and the response is analyzed",
+ "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header",
+ "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection response",
- "checks": [
+ "message type": "UserInfo response",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "\"active\": true"
+ "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.alg",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
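Review bot: The `jwe decrypt` value inlines a complete RSA private key in PEM form, and the same key is pasted again verbatim in the cty, enc and kid variants in the three following hunks. Presumably this is a test fixture; if it is the key of a real RP it has now been committed and should be rotated, and either way four identical copies make rotation error-prone, so a named key reference, in the style of the `X_key_OP` aliases the `jwt check sig` tests use, would be preferable if `jwe decrypt` supports one. These four tests also keep `"decode param": "[^\\r\\n]*"` while the rest of this commit renames that key to `"decode regex"`; if the tool no longer reads `decode param`, the decode step would be skipped and the header checks would never run.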
@@ -6081,20 +7363,28 @@
 },
 {
 "test": {
- "name": "Does the OP verify the HTTP method of the Revocation request",
- "description": "The revocation request must be sent via HTTP POST",
+ "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header",
+ "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "UserInfo response",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.cty",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6104,20 +7394,28 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain access token",
- "description": "The Token response is analyzed and the presence of the access token is checked",
+ "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header",
+ "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "UserInfo response",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.enc",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6127,20 +7425,28 @@
 },
 {
 "test": {
- "name": "Does the OP issue the access tokens when requested",
- "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
+ "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header",
+ "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "UserInfo response",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "access_token"
+ "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "header",
+ "check": "$.kid",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6150,20 +7456,27 @@
 },
 {
 "test": {
- "name": "Does the OP issue the expires_in in a token response",
- "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
+ "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "expires_in"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.jwks",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6173,20 +7486,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the ID token",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
+ "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "id_token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.acr_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6196,20 +7516,27 @@
 },
 {
 "test": {
- "name": "Does the successful token response contain the token type",
- "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
+ "name": "Does the OP metadata contain the authorization_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6219,20 +7546,27 @@
 },
 {
 "test": {
- "name": "Does the HTTP status code of the UserInfo response is 200",
- "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "is present": true,
- "check param": "HTTP/?\\d?\\.?\\d?\\s200"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6242,8 +7576,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the OP metadata contain the claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6254,9 +7588,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_OP"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_parameter_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
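Review bot: The new side replaces the Entity Configuration signature verification (`"jwt check sig": "X_key_OP"`) with a presence check on `$.metadata.openid_provider.claims_parameter_supported`, and the next two hunks do the same for the Access Token and ID Token signature checks (`"jwt check sig": "X_key_core_OP"`). The file grew by roughly two thousand lines, so these tests may simply have moved; if they have not, the suite no longer verifies that the OP signs its Entity Configuration, Access Token or ID Token, which is the check a forged metadata document or token would fail. Please confirm the signature tests still exist elsewhere in the file, or keep them here alongside the new metadata checks.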
@@ -6266,21 +7606,27 @@
 },
 {
 "test": {
- "name": "Does the OP correctly sign the Access Token",
- "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
+ "name": "Does the OP metadata contain the claims_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_core_OP"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.claims_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6290,21 +7636,27 @@
 },
 {
 "test": {
- "name": "Does the OP correctly sign the ID Token",
- "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_core_OP"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6314,31 +7666,25 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header",
- "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.",
+ "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -6350,20 +7696,27 @@
 },
 {
 "test": {
- "name": "Does the Content-Type in a token response set correctly?",
- "description": "This test verifies the head Content-Type set to application/json in the token response.",
+ "name": "Does the OP metadata contain the contacts claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check": "Content-Type",
- "is": "application/json"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6373,20 +7726,27 @@
 },
 {
 "test": {
- "name": "Does the token_type of a token response set correctly?",
- "description": "This test verifies whether the token_type of a token response is Bearer.",
+ "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "token_type",
- "is": "Bearer"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6396,26 +7756,25 @@
 },
 {
 "test": {
- "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header",
- "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification",
+ "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n",
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.cty",
- "is": "JWT"
+ "in": "payload",
+ "check": "$.metadata.openid_provider.grant_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -6427,20 +7786,27 @@
 },
 {
 "test": {
- "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
+ "name": "Does the OP metadata contain the homepage_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "code"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6450,20 +7816,27 @@
 },
 {
 "test": {
- "name": "Does the OP contain iss parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
+ "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "iss"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6473,20 +7846,27 @@
 },
 {
 "test": {
- "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
- "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
+ "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Location",
- "contains": "state"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6496,20 +7876,27 @@
 },
 {
 "test": {
- "name": "Does the token response have Cache-Control set to 'no-store'",
- "description": "This test verifies the presence of Cache-Control set to 'no-store' in the token response.",
+ "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "check param": "Cache-Control",
- "contains": "no-store"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6519,40 +7906,27 @@
 },
 {
 "test": {
- "name": "Does the OP's revocation endpoint answer correctly when a non-existing token is provided",
- "description": "A request to the Revocation endpoint containing a non-existing token is sent and the response analyzed",
- "type": "active",
+ "name": "Does the OP metadata contain the introspection_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation request",
- "message operations": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
 "from": "body",
- "edit": "(?<=token=)([^&]+)",
- "in": "123.123.123"
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Revocation response",
- "checks": [
- {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.introspection_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6562,30 +7936,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header",
- "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.",
+ "name": "Does the OP metadata contain the issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "in": "payload",
+ "check": "$.metadata.openid_provider.issuer",
+ "is present": "true"
 }
 ]
 }
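Review bot: The test verifies only that `$.metadata.openid_provider.issuer` is present, while the security-relevant property is that its value agrees with the entity the configuration belongs to (the `iss`/`sub` of the same Entity Configuration); a configuration naming a foreign issuer would pass unchanged. If the DSL can compare two payload claims, a second check tying `issuer` to `$.iss` would close that gap; if it cannot, the description should say that only presence is verified and the value is not validated here. The description also omits the "It must be present" sentence that the introspection_endpoint test in the previous hunk carries, although `issuer` is at least as mandatory. The test object continues past the end of this hunk.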
@@ -6597,30 +7966,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header",
- "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.",
+ "name": "Does the OP metadata contain the logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
- "in": "header",
- "check": "$.alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
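Review bot: The new description calls `federation_entity` an "entity type" while the sibling tests in the hunks above call `openid_provider` a "subclaim (metadata type)", although both are keys of the same `metadata` claim; the inconsistent terminology makes the reports harder to read side by side. I would align the wording to the key actually checked, e.g. `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' metadata type is checked."`, and apply the same wording to the federation_entity and openid_provider tests in the long hunk that follows. The test object continues past the end of this hunk.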
@@ -6632,2696 +7996,1646 @@ }, { "test": { - "name": "Does the OP refuse Authentication Requests with an aud parameter that does not contain its identifier", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter in the JWT that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does the OP metadata contain the organization_name claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the policy_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "type": "passive", + 
"sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the client_id parameter", - "description": "The 'client_id' parameter in an authentication request's JWT identifies the RP sending the request. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain the request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": 
"HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. In order to test if the OP checks this parameter, an authorization request is sent without the client_id in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without 
the code_challenge_method parameter", - "description": "The 'code_challenge_method' parameter in an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. In order to test the OP's behavior, an Authenticaton request is sent without code_challenge_method and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the nonce parameter", - "description": "If the nonce in the request is missing, than a control about the 
freshness of the request/response is missing. In this test an authorization request without the nonce parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain the request_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.request_parameter_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the scope parameter", - "description": "An Authentication Request is sent without the scope parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", 
"sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_modes_supported", + "is present": "true" } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the state parameter", - "description": "The state parameter identifies the session in the RP side, if this value is missing, than no control about the session is done. 
In this test an authorization request without the state parameter in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain the response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.response_types_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the acr_values parameter wrong or not present in its metadata", - "description": "In this test an authorization request is sent with a acr_values parameter wrongly set in the JWT and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain the revocation_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong claims parameter", - "description": "In this test an authorization request is sent with a claims parameter in the JWT which contains not supported values and the response is analyzed", - "type": "active", + "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + 
"decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the code_challenge_method parameter wrong or not present in its metadata", - "description": "The 'code_challenge_method' parameter in the JWT of an authentication request says to the OP how to verify the code_challenge when receiving the token request. If one request has a wrong code_challenge_method, than the OP will not be able to verify this parameter. 
In order to test the OP's behavior, an Authenticaton request is sent with a wrong code_challenge_method (a method not present in the OP's metadata) and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain the scopes_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge_method", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with wrong code_challenge parameter", - "description": "The 'code_challenge' parameter in an authentication request is part of the PKCE protocol and is useful against various attacks. 
In order to test if the OP checks this parameter, an authorization request is sent with wrong code_challenge in the JWT and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.code_challenge", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the token_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong exp parameter", - "description": "In this test an authorization request with the exp parameter expired in the JWT is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": 
"forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iat parameter", - "description": "In this test an authorization request with the iat parameter in the JWT set after the current time is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681723540" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a nonce parameter shorter than 32 alphanumeric characters", - 
"description": "In this test an authorization request with a nonce parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.nonce", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong prompt parameter", - "description": "An Authenticaton request is sent with a wrong prompt parameter in the JWT (a value different from 'consent' and 'consent login') and the answer is analyzed", - "type": "active", + "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are 
taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the response_type parameter wrong or not present in its metadata", - "description": "An Authentication Request is sent with a response_type parameter in the JWT wrong or not present in the RP's metadata. If the OP refuses the request, than it checks the parameter, otherwise it is not checking it.", - "type": "active", + "name": "Does the OP metadata contain the userinfo_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_endpoint", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check": "unsupported_response_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a value of the scope parameter wrong or not present in its metadata", - "description": "The scope parameter is used by the OP to check which claims to send in 
the ID Token and/or at the Introspection endpoint. The allowed values are openid, offline_access, profile and email (and combination of them), different values must trigger an error response. So in this test a request with a wrong scope parameter in the JWT is sent and the response analyzed", - "type": "active", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.scope", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata.openid_provider.signed_jwks_uri", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_scope" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a state parameter shorter than 32 alphanumeric characters", - "description": "In this test an authorization request with a state parameter in the JWT of a length less than 32 alphanumeric characters is sent and the response analyzed.", - "type": "active", + "name": "Does entity configuration 
contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.state", - "value": "19az" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the acr_values parameter", - "description": "An Authentication Request is sent without the acr_values parameter in JWT and the response analyzed.", - "type": "active", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - 
"decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.acr_values", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the aud parameter", - "description": "The aud parameter identifies subjects of that request. An entity whose identifier is not in the audience of the request should refuse that request. In this test an authorization request is sent to the OP with an aud parameter that does not contains its identifier and the response of the OP is analyzed", - "type": "active", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - 
"then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the claims parameter", - "description": "An Authentication Request is sent without the claims parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.claims", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the exp parameter", - "description": "An Authentication Request is sent without the exp parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does entity configuration contain 
the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.metadata", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iat parameter", - "description": "An Authentication Request is sent without the iat parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode 
param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the iss parameter", - "description": "An Authentication Request is sent without the iss parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.authority_hints", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": 
"invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the prompt parameter", - "description": "An Authenticaton request is sent without the prompt parameter in the JWT and the response is analyzed", - "type": "active", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.prompt", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the redirect_uri parameter", - "description": "An Authentication Request is sent without the redirect_uri parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url 
decoded and the presence of the 'alg' parameter in the Header is checked", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests without the response_type parameter", - "description": "An Authentication Request is sent without the response_type parameter in JWT and the response is analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in 
the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.response_type", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "header", + "check": "$.typ", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse an RP without trusted Trust Marks", - "description": "In this test the RP sends an authentication request to the OP, which will ask for the RP's Entity Configuration. 
The RP must send an Entity Configuration without trusted Trust Marks (Trust Marks issued by an entity not present in the Federation Configuration or no Trust Marks) and if the OP's response is analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.trust_marks", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.aud", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly validate the trust chain of an RP authentication request", - "description": "When an OP receives an authentication request, it must proceed with an Entity Configuration request toward the RP. The received Entity Configuration must be verified through the Entity Statement released by a parent entity of the RP and this process must be repeated until the Trust Anchor. In order to verify if the OP validates this trust chain, the authority_hints in the Entity Configuration of the RP could contain wrong values. 
If the OP validates the request anyway, it is not compliant with the specification", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.authority_hints", - "value": "https://www.wrongsite.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.client_id", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_client" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP correctly reject an invalid client_id parameter in an intercepted Authentication Request", - "description": "This test aims to check if the OP checks the correctness of the client_id parameter. The client id value contained must contain an URL identifying the RP, so in this test the Authentication Request is intercepted, the request parameter is decrypted, the client_id in it modified with a random (and invalid) one, the JWT re-encrypted, the signature re-calculated and sent. 
The OP should check the parameter and, seen that it is an invalid one, refuse the authentication request.", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.client_id", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse Authentication Requests with a wrong iss parameter", - "description": "The 'iss' parameter in the JWT of an authentication request says who sent the request. If one request has a wrong iss, than it could be forwarded by a malicious user, so the iss must be checked. 
In order to test this behavior in the OP, an Authenticaton request is sent with a wrong iss (not the RP's client id) and the answer is analyzed", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the 
OP refuse Authentication Request with a wrong redirect URI", - "description": "Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.redirect_uri", - "value": "https://www.example.com/" - }, + "checks": [ { - "jwt sign": "X_key_RP" + "in": "payload", + "check": "$.jti", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication error response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s302" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of aud of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the aud parameter", - "type": "active", + "name": "Does the issued JWT Access Token contain 
the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud[0]", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.scope", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the exp parameter", - "type": "active", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + 
"message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iat parameter", - "type": "active", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "header", + "check": "$.alg", + "is present": "true" } ] } ] - }, - { - 
"action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the iss parameter", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "header", + "check": "$.kid", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response 
is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.acr", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of jti of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the jti parameter", - "type": "active", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.at_hash", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - 
{ - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the presence of sub of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and remove the sub parameter", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.aud", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of exp of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the 
client assertion and modify the exp of it in order to make it wrong", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iat of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the iat of it in order to make it wrong", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "type": "passive", 
"sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP verify the value of iss of the client_assertion in the Introspection request", - "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the sub to make it different from the iss parameter", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": 
\")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "example" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Introspection response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "head", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the aud parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.jti", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" 
- } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong aud parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong aud parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.aud", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.nonce", + "is present": "true" } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the exp parameter in it. 
The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. 
This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Entity Configuration response OP", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong exp parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong exp parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.exp", - "value": "abc" - }, - { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message 
type": "Resolve Entity Statement response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iat parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": "true" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. 
It must contain the access token parameter and its value must be a JWT", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iat parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iat parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "abc" - }, - { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } ], - "result": 
"assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the iss parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", + "message type": "UserInfo response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong iss parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong iss parameter in it. 
The response is analyzed; the OP should refuse it",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload equals to the URL of the OP",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'iss' parameter is checked equals to the URL of the OP",
 "type": "active",
 "sessions": [
 "s1"
@@ -9335,20 +9649,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Revocation request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "edits": [
 {
 "jwt from": "payload",
- "jwt edit": "$.iss",
- "value": "abc"
- },
- {
- "jwt sign": "X_key_core_RP"
+ "jwt save": "$.iss",
+ "as": "saved_iss"
 }
 ]
 }
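Review bot: The issuer comparison that consumes `saved_iss` in the next hunk (`@@ -9358`) is written as `"contains": "saved_iss"`, a substring match, while the test name requires the ID Token `iss` to equal the OP URL; an `iss` that merely embeds the saved value (a longer URL sharing the same prefix) would pass. If the check grammar accepts `"is"` together with `"use variable": "true"`, as `"is"` is used for plain checks elsewhere in this file, the comparison should read `"is": "saved_iss"`. Note also that the value is captured from the Entity Configuration body via `"decode param": "[^\\r\\n]*"`, i.e. the first line of the body, which is only correct while that response body is a bare compact JWS. The enclosing test of this decode operation starts before this hunk.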
@@ -9358,250 +9669,195 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "Token response", + "decode operations": [ { - "in": "body", - "check": "invalid_request" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "saved_iss" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the jti parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the jti parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.jti", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": 
"s1", - "then": "forward", - "message type": "Revocation response", + "message type": "Token response", "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, { "in": "body", - "check": "invalid_request" + "check": "token_type", + "is": "Bearer" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests without the sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) without the sub parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "" - }, - { - "jwt sign": "X_key_core_RP" - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": 
"Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, + "message type": "UserInfo response", + "checks": [ { - "in": "body", - "check": "invalid_request" + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the OP refuse revocation requests with a wrong sub parameter in the client_assertion", - "description": "A revocation request is made with a client_assetion parameter (JWT) with a wrong sub parameter in it. The response is analyzed; the OP should refuse it", - "type": "active", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "abc" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - 
"in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter not containing iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is missing.", - "type": "active", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token request", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "" - }, + "checks": [ { - "jwt sign": "X_key_core_RP" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s400" - }, - { - "in": "body", - "check": "invalid_request" - } - ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion field not containing sub claim in the JWT return a 
Token Error response",
- "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is missing",
+ "name": "Does the OP refuse Authentication Requests signed with a non-asymmetric method",
+ "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: If the OP is not able to decrypt the signature, than the public key of the RP is wrong or, otherwise, the algorithm used is not known. If, instead, the OP is able to decrypt the signature, it can mean that the public key is correct and the algorithm known, or that the RP used a symmetric algorithm and the RP's key is the same key used to sign the JWT. In the latter case the confidentiality and integrity of the message cannot be trusted. In this case, the OP must check the 'alg' parameter in the JWT Header and, if it corresponds to a symmetric algorithm or to 'none', it must refuse the authentication request. In order to accomplish this test, a crafted RP could set in its metadata a symmetric key, use it to sign the JWT and send an Authentication Request. Another way to accomplish the test is by intercepting the request, changing the parameter and the signature.",
 "type": "active",
 "sessions": [
 "s1"
@@ -9615,20 +9871,17 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.sub",
- "value": ""
- },
- {
- "jwt sign": "X_key_core_RP"
+ "jwt from": "header",
+ "jwt edit": "alg",
+ "value": "none"
 }
 ]
 }
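Review bot: The `alg` header checks added for the Access Token and the ID Token (`"is not in": ["none", "HS256", "HS384", "HS512"]`) do not cover the case both descriptions call non-compliant, an absent `alg`: a missing `$.alg` is trivially "not in" the list, so the test would report a correct flow. Adding a sibling check `{ "in": "header", "check": "$.alg", "is present": "true" }` beside each `is not in` check closes that gap; an allow-list of the asymmetric algorithms the profile permits would be more robust than this deny-list, since any unexpected value currently passes. Separately, the Token response Content-Type check is spelled `"check": "Content-Type", "is": "application/json"` while the two later Content-Type checks use `"check param": "Content-Type"` with `"url decode": false`; unless both spellings are known to the checker, the first should be aligned with the others. The enclosing test of this hunk's first operation starts before the hunk.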
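Review bot: The header edit in the `alg: none` test uses `"jwt edit": "alg"`, whereas every other JWT path in this file is a JSONPath (`"$.iss"` for edits and saves, `"$.alg"` in the header checks of the preceding hunk); unless the edit grammar accepts bare names, this should be `"jwt edit": "$.alg"`, otherwise the request may be forwarded unmodified and the test would still report a correct flow. The test name promises coverage of non-asymmetric methods, but the operation only exercises `none`; the expected 302 with `invalid_request` is asserted in the following hunk (`@@ -9638`). The intercept operation's enclosing test starts before this hunk.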
@@ -9638,14 +9891,14 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Authentication error response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
 },
 {
- "in": "body",
+ "in": "head",
 "check": "invalid_request"
 }
 ]
@@ -9656,8 +9909,8 @@
 },
 {
 "test": {
- "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong aud claim not containing the OP's Token endpoint in JWT return a Token Error response",
- "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the aud claim does not contain the OP's Token endpoint",
+ "name": "Does the OP refuse wrongly signed Authentication Requests",
+ "description": "This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",
 "type": "active",
 "sessions": [
 "s1"
@@ -9671,20 +9924,15 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
+ "message type": "Authentication request",
 "decode operations": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "from": "url",
+ "decode param": "request",
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.aud",
- "value": "https://www.example.com"
- },
- {
- "jwt sign": "X_key_core_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
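Review bot: `"check": "invalid_request"` against the whole head of the 302 is a substring check, so it would also be satisfied by an `error=invalid_request_object` in the Location header and the test cannot tell the two error codes apart; if the exact code matters, `"check regex": "(?<=error=)invalid_request(?=&|$)"` pins it. The same head-substring pattern is used for `unauthorized_client` in `@@ -9694`. The error-response operation's enclosing test starts before this hunk.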
@@ -9694,29 +9942,29 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Authentication error response",
 "checks": [
 {
 "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s400"
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s302"
 },
 {
- "in": "body",
- "check": "invalid_request"
+ "in": "head",
+ "check": "unauthorized_client"
 }
 ]
 }
 ],
- "result": "assert_only"
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong exp claim in the JWT return a Token Error response",
- "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the exp claim is wrong",
+ "name": "Does the OP verify the signature of the client assertion in the Introspection request",
+ "description": "Since the OP has to verify the client assertion in the Introspection Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.",
 "type": "active",
 "sessions": [
- "s1"
+ "s_CIE_introsp"
 ],
 "operations": [
 {
@@ -9727,7 +9975,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token request",
+ "message type": "Introspection request",
 "decode operations": [
 {
 "from": "body",
@@ -9735,12 +9983,7 @@
 "type": "jwt",
 "edits": [
 {
- "jwt from": "payload",
- "jwt edit": "$.exp",
- "value": "1681716340"
- },
- {
- "jwt sign": "X_key_core_RP"
+ "jwt sign": "X_wrong_key"
 }
 ]
 }
@@ -9750,7 +9993,7 @@
 "action": "intercept",
 "from session": "s1",
 "then": "forward",
- "message type": "Token response",
+ "message type": "Introspection response",
 "checks": [
 {
 "in": "head",
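Review bot: The Introspection signature test now declares `"sessions": ["s_CIE_introsp"]`, yet its intercept operations (in `@@ -9727` and `@@ -9750`) still use `"from session": "s1"`, so the intercepts bind to a session this test never lists; unless the tool resolves session names loosely, the operations should reference `s_CIE_introsp` or the sessions list should include `s1`. The removed introspection tests on this page carried the same mismatch, so it may be pre-existing, but this commit rewrites the test and is the place to settle it. The test's start operation lies between these hunks and is not visible here.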
@@ -9763,13 +10006,13 @@ ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iat claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular, the iat claim is wrong", + "name": "Does the OP verify the signature of the client assertion in the Revocation request", + "description": "Since the OP has to verify the client assertion in the Revocation Request, this test consist in intercepting a legitimate request, take the JWT of the client assertion and modify the signature of it in order to make it wrong. If the OP Accepts the request anyway, than it does not verify the signature of the assertion.", "type": "active", "sessions": [ "s1" @@ -9783,7 +10026,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token request", + "message type": "Revocation request", "decode operations": [ { "from": "body", @@ -9791,12 +10034,7 @@ "type": "jwt", "edits": [ { - "jwt from": "payload", - "jwt edit": "$.iat", - "value": "1681716340" - }, - { - "jwt sign": "X_key_core_RP" + "jwt sign": "X_wrong_key" } ] } @@ -9806,7 +10044,7 @@ "action": "intercept", "from session": "s1", "then": "forward", - "message type": "Token response", + "message type": "Revocation response", "checks": [ { "in": "head", 
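Review bot: The Revocation test only re-signs the client assertion with `X_wrong_key` and then inspects the `Revocation response`, whose status check is cut off at the end of this hunk; note that RFC 7009 §2.2 requires the revocation endpoint to answer 200 even for an invalid or unknown token, so a check that only looks for a non-error body would pass against an OP that skipped client authentication entirely. A failed client assertion must surface as `invalid_client` (RFC 6749 §5.2, HTTP 401 or 400), so the check should pin `HTTP/?\d?\.?\d?\s40[01]` in the head and `invalid_client` in the body rather than a bare 200. The description has a few typos worth fixing while here (`consist` → `consists`, `take` → `takes`, `than` → `then`, `Accepts` → `accepts`).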
@@ -9819,13 +10057,13 @@ ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong iss claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the iss claim is not set to the RP's client ID", + "name": "Does the token response to a token request made with a wrong signature return a Token Error response", + "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the client_assertion parameter is taken and the signature is substitute with a wrong one. The OP's response is analyzed", "type": "active", "sessions": [ "s1" @@ -9847,12 +10085,7 @@ "type": "jwt", "edits": [ { - "jwt from": "payload", - "jwt edit": "$.iss", - "value": "https://www.example.com/" - }, - { - "jwt sign": "X_key_core_RP" + "jwt sign": "X_wrong_key" } ] } @@ -9875,13 +10108,13 @@ ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does the token response to a token request made with a client_assertion parameter containing a wrong sub claim in the JWT return a Token Error response", - "description": "In this test the Token Request's 'client_assertion' field is set to a wrong JWT. In particular the sub claim is not set to the RP's client ID", + "name": "Does the OP's token endpoint refuse assertions signed with a wrong key", + "description": "In this test a classic flow is accomplished and, when exchanging the code for an access token, the signature is done with a wrong key. The OP's response is analyzed", "type": "active", "sessions": [ "s1" @@ -9903,12 +10136,7 @@ "type": "jwt", "edits": [ { - "jwt from": "payload", - "jwt edit": "$.sub", - "value": "https://www.example.com" - }, - { - "jwt sign": "X_key_core_RP" + "jwt sign": "X_wrong_key" } ] } 
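Review bot: The two token-endpoint tests in this line's hunks are now indistinguishable — both only apply `"jwt sign": "X_wrong_key"` to the `client_assertion` and both expect a Token Error response — while the tests they replace, which set `iss` and `sub` (and `aud`, `exp`, `iat` in the hunks above) to wrong values and re-signed with the valid `X_key_core_RP`, are removed from this file. Unless those moved elsewhere in this commit, the OP is no longer exercised for RFC 7523 §3 claim validation of a correctly signed but wrong-claims assertion, which is exactly the case a signature check alone does not catch. Keep one wrong-signature test and restore the claim-mutation edits (`"jwt from": "payload", "jwt edit": "$.iss", "value": "https://www.example.com/"` followed by `"jwt sign": "X_key_core_RP"`) in the other, or give the two tests distinct purposes and names.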
@@ -9931,39 +10159,6 @@ ] } ], - "result": "assert_only" - } - }, - { - "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Token response", - "decode operations": [ - { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] - } - ] - } - ], "result": "correct flow s1" } } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json index 5a6daa4..5025498 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/OP/All_OP_Passive.json 
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
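Review bot: The five new entries are whole `{"test suite": {"name": "Single test", …}, "tests": [ … ]}` objects placed inside the file's top-level `tests` array, whereas every sibling entry (e.g. the `"Does the entity return a correct HTTP code in the EC response"` test that follows) is a bare `{"test": {…}}`; this looks like five single-test files pasted in verbatim, and depending on how the runner iterates `tests` they will be skipped or break the load. Flatten them to `{"test": {…}}` entries and give each a distinct name — all five reuse `"Does the metadata parameter contain only allowed types and only once for each"`, so a failure cannot be attributed to a metadata type from the report. Each regex (`openid_relying_party.*(\n.*)+"openid_relying_party"` and its four siblings) only asserts that a key is not repeated; nothing here checks the "only allowed types" half of the name, so an unknown metadata type such as `foo_entity` still passes. Also, if the tool parses the JWT payload into a JSON object before applying `not matches regex`, duplicate keys are already collapsed by the parser and the pattern can never fire; it is only meaningful on the raw decoded payload text, which is worth stating in the description.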
@@ -122,31 +317,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "name": "Does the OP verify the HTTP method of the Revocation request", + "description": "The revocation request must be sent via HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
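Review bot: The HTTP method is asserted with `"in": "url", "is present": true, "check": "POST"`, but the method is not part of the URL, so this either never matches or matches an unrelated `POST` substring in the path or query; the request line in the head is where `POST` appears. The other checks in this file that look at the request/status line use the head (`"in": "head", "check regex": "HTTP/?\d?\.?\d?\s…"`), so the analogous form here is `"in": "head", "check regex": "^POST\s"` (the exact key semantics of this tool are inferred from the surrounding hunks).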
@@ -156,29 +340,20 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the successful token response contain access token", + "description": "The Token response is analyzed and the presence of the access token is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported[0]", - "is in": [ - "automatic" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
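Review bot: This test and the next one (`"Does the OP issue the access tokens when requested"`) are the same assertion — `Token response` body matched with `"check regex": "access_token"` — so one of them is dead weight, and a bare key-name match also passes for `"access_token": ""` or `null`. Pin a non-empty value with `"check regex": "\"access_token\"\s*:\s*\"[^\"]+\""`, and consider a head check for `HTTP/?\d?\.?\d?\s200` so an error body that merely mentions `access_token` in its `error_description` does not satisfy the test.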
@@ -188,29 +363,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "name": "Does the OP issue the access tokens when requested", + "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "access_token" } ] } 
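Review bot: The description promises a flow made "with scope 'openid'", but the only operation inspects the `Token response` for the substring `access_token`; being passive, nothing here verifies that the preceding Authentication request actually carried `scope=openid`, and the assertion is byte-identical to the previous test's. Either add an operation on the `Authentication request` that checks the `scope` url parameter contains `openid` (if the tool offers a url-parameter check), or merge this test with the previous one and drop the scope claim from the description.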
@@ -220,30 +386,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "name": "Does the OP issue the expires_in in a token response", + "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "expires_in" } ] } 
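Review bot: `"check regex": "expires_in"` only proves the key name occurs somewhere in the body; RFC 6749 §5.1 defines `expires_in` as the lifetime in seconds, so `"expires_in": "forever"` or an empty value passes this check. Tightening to `"check regex": "\"expires_in\"\s*:\s*\d+"` asserts the shape the RP will actually parse.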
@@ -253,30 +409,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the successful token response contain the ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "id_token" } ] } 
@@ -286,30 +432,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the successful token response contain the token type", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token_type" } ] } 
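Review bot: The check only asserts that `token_type` appears in the Token response body, but the value is what matters: the RP uses it to build the `Authorization` header, and this profile presumably expects `Bearer` (the UserInfo description in a later hunk speaks of `Authorization: Bearer`). `"check regex": "\"token_type\"\s*:\s*\"Bearer\""` pins the value; RFC 6749 §5.1 treats the type name case-insensitively, so use `(?i)Bearer` if the profile does not mandate the exact spelling.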
@@ -319,30 +455,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the HTTP status code of the UserInfo response is 200", + "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "head", + "is present": true, + "check param": "HTTP/?\\d?\\.?\\d?\\s200" } ] } 
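Review bot: The status-line assertion here uses `"check param": "HTTP/?\d?\.?\d?\s200"`, whereas every other status-line check in this diff uses `"check regex"` with the same pattern (e.g. `"check regex": "HTTP/?\d?\.?\d?\s302"` in the OP hunks above); if `check param` looks up a named parameter rather than applying a regex, this test can never match and will either fail or pass vacuously depending on the tool. Use `"in": "head", "check regex": "HTTP/?\d?\.?\d?\s200"` for consistency. The description also states the request must carry `Authorization: Bearer`, but nothing in the operation inspects the UserInfo request, so that precondition is unchecked.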
@@ -352,26 +478,31 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2q
uJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", + "in": "header", + "check": "$.alg", "is in": [ - "X_url_OP" + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" ] } ] 
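Review bot: An RSA private key is embedded in clear as the `jwe decrypt` value (and the same PEM is repeated in the three UserInfo tests that follow), while every other key in this plan is referenced through a placeholder the tool substitutes (`X_key_core_RP`, `X_wrong_key`, `X_url_OP`). Even if this is a throw-away test RP key, committing PEM private material into a JSON test plan is what secret scanners flag and what gets copied into real deployments; reference it as a placeholder such as `"jwe decrypt": "X_enc_key_RP"` resolved from the tool's key store, which also removes four copies that can drift apart. Separately, the `$.alg` read from `header` after decryption is presumably the outer JWE header, since the allowed list holds only key-management algorithms — worth saying in the description so it is not confused with the nested JWS `alg` checked two tests later.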
@@ -384,27 +515,28 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQ
wvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "in": "header", + "check": "$.enc", "is in": [ - "RS256", - "RS512" + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -417,27 +549,30 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" + "in": "header", + "check": 
"$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
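Review bot: This test reuses the exact name of the first UserInfo test in this file (`"Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header"`) while asserting something different — `$.alg` `is not in` `["none", "HS256", "HS384", "HS512"]` — so reports cannot tell the two apart; rename it, e.g. `"Does the UserInfo Response's nested JWS use an asymmetric alg"`. The description says an absent `alg` is also non-compliant, but an `is not in` check on a missing path will presumably pass vacuously, so add an `"is present": true` (or this tool's equivalent) on `$.alg`. Note that if the header inspected after `jwe decrypt` is the outer JWE header, `HS256`/`none` can never appear there (those are JWS algorithms) and the check is moot; it is only meaningful on the inner JWS header, which the description implies is the intent.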
@@ -450,28 +585,26 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\n
rQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" - ] + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } @@ -483,8 +616,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -495,15 +628,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] + "check": "$.sub", + "is": "X_key_OP" } ] } 
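Review bot: The new `sub` check compares the Entity Configuration's `$.sub` with `"X_key_OP"`, but the description says `sub` must equal `iss`, i.e. the OP's entity identifier URL; the placeholder for that elsewhere in this file is `X_url_OP` (see the removed `issuer` check in the earlier hunk), and `X_key_*` names are used for signing keys. Unless `X_key_OP` happens to expand to the URL, this should be `"check": "$.sub", "is": "X_url_OP"`, ideally paired with the same check on `$.iss` so the equality the description promises is actually asserted.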
@@ -515,8 +646,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -527,15 +658,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", + "is": "true" } ] } @@ -547,8 +676,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" 
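Review bot: The JSONPath `$.metadata.openid_provider.authorization_response_iss_parameter_supported.value` addresses a `value` member, but in an Entity Configuration the OP metadata carries this claim as a plain boolean (`"authorization_response_iss_parameter_supported": true`); a `.value` suffix belongs to a metadata-policy operator, not to the metadata itself, so the path presumably resolves to nothing and the `"is": "true"` comparison is never exercised. Use `"check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is": "true"` (however this tool stringifies booleans), and apply the same fix to the `claims_parameter_supported` and `request_parameter_supported` checks in the following hunks, which copy the same path shape.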
@@ -559,18 +688,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.scopes_supported[0]",
- "is in": [
- "openid",
- "offline_access",
- "profile",
- "email"
- ]
+ "check": "$.metadata.openid_provider.claims_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
@@ -582,8 +706,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'",
+ "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -594,15 +718,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.subject_types_supported[0]",
- "is in": [
- "pairwise"
- ]
+ "check": "$.metadata.openid_provider.request_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
@@ -614,26 +736,27 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]",
+ "in": "header",
+ "check": "$.alg",
 "is in": [
- "private_key_jwt"
+ "RS256",
+ "RS512"
 ]
 }
 ]
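Review bot: The new `decode param` `(?<=\"access_token\": \")[^\"]+` only matches a token response serialized with exactly one space after the colon; a server that emits compact JSON (`"access_token":"..."`) produces no match, and the test then has nothing to check rather than failing. A bounded optional whitespace in the lookbehind, e.g. `(?<=\"access_token\":\\s?\")[^\"]+`, keeps it within what a Java-style regex engine accepts for lookbehind, assuming that is the engine mig-t uses. The same literal is reused by the access_token and id_token extractors in the two token-signature tests and in the aud, client_id, exp and iat access-token tests later in this change, so the fix should be applied to all of them.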
@@ -646,30 +769,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].",
+ "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "code"
 }
 ]
 }
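Review bot: `"contains": "code"` is a substring match over the whole Location header, so an error redirect such as (constructed example) `https://rp.example/cb?error=invalid_request&error_description=bad%20code`, or any redirect_uri whose path happens to contain "code", satisfies the check without an authorization code being present. The two following hunks have the same weakness with `iss` (matched by "issuer" or by a hostname containing it) and with `state`. At minimum anchor on the parameter syntax, `"contains": "code="`, `"contains": "iss="`, `"contains": "state="`; if the tool can parse the query component of a header value, a parameter-level presence check would be more robust still.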
@@ -679,30 +792,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP contain iss parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "iss"
 }
 ]
 }
@@ -712,30 +815,20 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "state"
 }
 ]
 }
@@ -745,8 +838,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']",
+ "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -757,15 +850,14 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]",
- "is in": [
- "RS256",
- "RS512"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
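Review bot: The `not contains` list in the second hunk uses `RSA_1_5`, but the JWE algorithm identifier registered by RFC 7518 is `RSA1_5` (no underscore between RSA and 1); as written the check can never match a provider that actually advertises PKCS#1 v1.5 key wrapping, so the test passes vacuously. Change the value to `"RSA1_5"` here and in the userinfo_encryption_alg_values_supported test a few hunks below; the two description strings carry the same misspelling.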
@@ -778,28 +870,29 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.",
+ "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "(?<=\"id_token\": \")[^\"]+",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr",
- "is in": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -812,8 +905,8 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -821,12 +914,23 @@
 "operations": [
 {
 "message type": "Entity Configuration response OP",
- "checks": [
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
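Review bot: The new check in the second hunk targets `...request_authentication_signing_alg_values_supported[0]`, so only the first element of the array is tested against the `not contains` list; a metadata value such as `["RS256", "none"]` passes. The sibling tests added in the following hunks (request_object_signing_alg_values_supported, token_endpoint_auth_signing_alg_values_supported, userinfo_signing_alg_values_supported) check the whole array without `[0]`; drop the index here for consistency: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",`.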
@@ -836,21 +940,32 @@
 },
 {
 "test": {
- "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'",
- "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ",
+ "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "UserInfo response",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
+ }
+ ]
 }
 ]
 }
@@ -860,8 +975,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked",
+ "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -872,13 +987,18 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.jwks",
- "is present": "true"
+ "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -890,8 +1010,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
+ "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -902,16 +1022,18 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.acr_values_supported",
- "is present": "true"
- }
- ]
- }
+ "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
+ }
+ ]
+ }
 ]
 }
 ],
@@ -920,8 +1042,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -932,13 +1054,18 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.authorization_endpoint",
- "is present": "true"
+ "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -950,8 +1077,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -962,15 +1089,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_OP"
 }
 ]
 }
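Review bot: `"jwt check sig": "X_key_OP"` in the second hunk reuses the placeholder that an earlier hunk in this change pins as the expected `$.sub` value of the Entity Configuration; if the placeholder expands to a single run-time value it cannot serve both as an entity identifier and as a verification key, so confirm what `X_key_OP` resolves to and, if the two uses differ, give the key its own placeholder name. The description should also say which `alg` values the verifier is allowed to honour, since the hunk pins the key but not the algorithm.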
@@ -980,27 +1101,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the claims_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP correctly sign the Access Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.claims_parameter_supported",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
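Review bot: The new description says the signature is made with the OP's private key "in such a way to be decrypted using its public key"; a JWS signature is verified, not decrypted, and the phrase misdescribes what `jwt check sig` does. Suggested wording: `The signature is produced with the OP's private key and verified with the corresponding public key.` The same sentence is repeated in the ID Token test in the next hunk. These two token tests verify against `X_key_core_OP` while the Entity Configuration test uses `X_key_OP`; if those are deliberately different keys (core OP signing key versus federation key) a short clause in the description naming which key is expected would help the reader.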
@@ -1010,27 +1125,21 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the claims_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the OP correctly sign the ID Token",
+ "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_provider.claims_supported",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_core_OP"
 }
 ]
 }
@@ -1040,8 +1149,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1052,13 +1161,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
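Review bot: The `decode param` regex in the second hunk is written `[^\\n\\r]*`, while every other Entity Configuration test in this change uses `[^\\r\\n]*`; the two are equivalent, but the inconsistency makes grep-based review and later bulk edits of these fixtures harder. Use `"decode param": "[^\\r\\n]*"` here and in the issuer and logo_uri tests further down. The schema itself (closed object, `anyOf` over the five metadata types) does match the description.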
@@ -1070,8 +1179,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1082,13 +1191,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.code_challenge_methods_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -1100,8 +1209,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the contacts claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
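Review bot: The `exp` schema in the second hunk only requires a non-negative integer, but the test name promises a "correct" exp; an Entity Configuration that is already expired, or whose exp precedes its iat, passes. If a passive check cannot compare against the current time, the description should state the narrower scope, e.g. `...the exp parameter is checked to be present and a non-negative integer`, so a reader does not assume freshness is verified. The iat test in the following hunk has the same scope and would benefit from the same wording.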
@@ -1112,13 +1221,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -1130,8 +1239,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1142,13 +1251,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -1160,8 +1269,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP's entity configuration contain a correct authority_hints parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1172,13 +1281,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.grant_types_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}"
 }
 ]
 }
@@ -1190,8 +1299,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the homepage_uri claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain correct type issuer parameter",
+ "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1202,13 +1311,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}"
 }
 ]
 }
@@ -1220,8 +1329,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain correct type logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1232,13 +1341,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
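Review bot: The issuer schema in the first hunk relies on `"format":"uri"` alone, which JSON Schema validators treat as an annotation unless format assertion is enabled, so with many validators this check accepts any string; and the requirement stated in the test's description (previous hunk) that there be no query or fragment component is not expressed anywhere. Add a pattern that enforces both, e.g. `\"pattern\": \"^https://[^?#]+$\"` alongside the format, and say in the description that plain http is excluded if that is the intent.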
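Review bot: The logo_uri pattern in the last hunk, `^(https?://).*\\\\.svg$`, accepts plain-http URLs, while the client_id check added later in this change pins `^https://`; an http logo embedded in an https relying-party page is mixed content, so if the profile requires https here the pattern should be tightened to `^https://.*\\\\.svg$`. The `.*` also admits `?` and `#` before `.svg`, which is fine only if query strings on logo URLs are acceptable; if not, use `[^?#]*` in place of `.*`.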
@@ -1250,8 +1359,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1262,13 +1371,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}"
 }
 ]
 }
@@ -1280,8 +1389,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
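Review bot: The request_authentication_methods_supported schema in the second hunk has neither `required` nor `minProperties`, so an empty object `{}` satisfies it even though the test name asks for the "correct value", and `additionalProperties` lets any endpoint name through. If the profile expects a specific endpoint key (the Italian federation profiles publish `{"ar": ["request_object"]}`, to be confirmed against the spec version being tested), add `\"required\": [\"ar\"]`, or at least `\"minProperties\": 1`, inside the schema string; an `\"minItems\": 1` on the array would likewise reject an empty method list.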
@@ -1292,13 +1401,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
@@ -1310,25 +1419,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the introspection_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.introspection_endpoint",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
 }
 ]
 }
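Review bot: The trust_marks schema in the first hunk requires `"type": "object"` with array-valued properties, but the test's description in the previous hunk says trust_marks must be a JSON array, so the two contradict each other and one of them will mislead whoever debugs a failure. In OpenID Federation `trust_marks` is an array of objects, each carrying `id` and `trust_mark`; if that is the expected shape the property schema should read `\"trust_marks\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"required\": [\"id\", \"trust_mark\"]}}`. Confirm against a sample Entity Configuration from the target before changing either side.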
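Review bot: The aud schema in the second hunk requires an array, but RFC 7519 allows `aud` to be a single string when there is one audience, so a conforming access token with a string audience fails this test; conversely the description says the value must be the resource server's identifier, which the schema never checks. If the profile really mandates an array, say so in the description; otherwise use `\"aud\": {\"type\": [\"string\", \"array\"]}` and pin the expected identifier with a run-time placeholder the way the other tests pin `X_key_OP`.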
@@ -1340,25 +1449,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the issuer parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
+ "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.issuer",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
 }
 ]
 }
@@ -1370,25 +1479,25 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -1400,25 +1509,25 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1430,25 +1539,25 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", + "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } 
@@ -1460,25 +1569,25 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" } ] } 
@@ -1490,25 +1599,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=id_token: \")([^\"]+)",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
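Review bot: The ID Token extractor `(?<=id_token: \")([^\"]+)` looks behind for `id_token: "` with no quotes around the key, which does not occur in a JSON Token response body (`"id_token": "..."`), so this test and the `iat` test in the next hunk will never find a token to decode, while the two ID Token hunks after them correctly use `(?<=\"id_token\": \")[^\"]+`. Align it to `"decode param": "(?<=\"id_token\": \")[^\"]+",`. All of the Token response extractors also assume exactly one space after the colon; the regexes this commit removes tolerated a minified body with `\\s?`, so `(?<=\"id_token\":\\s?\")[^\"]+` would be more robust against an OP that does not pretty-print.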
@@ -1520,25 +1629,25 @@ }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1550,25 +1659,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the request_parameter_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
+ "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.request_parameter_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
 }
 ]
 }
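Review bot: The embedded schema string in the `json schema compliant` value ends with `]})` — the stray `)` after the closing brace makes it invalid JSON, so the check will error out (or be skipped) instead of validating `iss`. The line should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]}"`. The `const` value `X_https_OP`, like `X_url_OP` in the later issuer check, looks like a token the runner is expected to substitute with the OP under test; if no substitution happens the test fails for every OP, so confirm the mechanism or document it in the description, which currently promises only "an HTTPS URL" rather than an exact match.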
@@ -1580,25 +1689,25 @@ }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" } ] } @@ -1610,8 +1719,8 @@ }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", "type": "passive", "sessions": [ "s1" 
@@ -1627,8 +1736,12 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.response_types_supported",
- "is present": "true"
+ "check": "$.metadata.openid_provider.acr_values_supported[0]",
+ "is in": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
 }
 ]
 }
@@ -1640,8 +1753,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the revocation_endpoint parameter",
- "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
+ "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1657,8 +1770,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.revocation_endpoint",
- "is present": "true"
+ "check": "$.metadata.openid_provider.client_registration_types_supported[0]",
+ "is in": [
+ "automatic"
+ ]
 }
 ]
 }
@@ -1670,8 +1785,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
+ "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'",
 "type": "passive",
 "sessions": [
 "s1"
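Review bot: The `acr_values_supported[0]` check with `is in` only proves that the first advertised value belongs to the allowed set, not that the claim contains all three levels the description promises, so an OP advertising only SpidL1 (or SpidL1 followed by an unsupported value) passes. The same `[0]` + `is in` pattern is used for every `*_supported` check from here through userinfo_signing_alg_values_supported (grant_types, id_token_encryption_alg/enc, id_token_signing, request_authentication_signing, request_object_signing, response_modes, response_types, scopes, subject_types, token_endpoint_auth_methods, token_endpoint_auth_signing, userinfo_encryption_alg/enc), and is most misleading where the description says "checked to be [list]". If the runner has no whole-array operator, `json schema compliant` on the unindexed path can express it: `"{\"type\": \"array\", \"items\": {\"enum\": [\"https://www.spid.gov.it/SpidL1\", \"https://www.spid.gov.it/SpidL2\", \"https://www.spid.gov.it/SpidL3\"]}, \"minItems\": 1}"` rejects unknown values, and adding `contains` (or `const` on the sorted list, if the profile fixes the set) enforces presence. The description of the client_registration_types_supported test in the second hunk still says only "presence ... is checked" although the check now compares a value.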
@@ -1687,8 +1802,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] } ] } @@ -1700,8 +1817,8 @@ }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", "type": "passive", "sessions": [ "s1" @@ -1717,8 +1834,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } @@ -1730,8 +1850,8 @@ }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" 
@@ -1747,8 +1867,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -1760,8 +1883,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -1777,8 +1900,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -1790,8 +1916,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" 
@@ -1807,8 +1933,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -1820,8 +1949,8 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" @@ -1837,8 +1966,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } @@ -1850,8 +1981,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" 
@@ -1867,8 +1998,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -1880,8 +2014,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -1897,8 +2031,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -1910,8 +2047,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" @@ -1927,8 +2064,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } @@ -1940,8 +2080,8 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" @@ -1957,8 +2097,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } 
@@ -1970,8 +2112,8 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
- "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
+ "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1987,8 +2129,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider.signed_jwks_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is in": [
+ "private_key_jwt"
+ ]
 }
 ]
 }
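Review bot: The `revocation_endpoint_auth_methods_supported` check in the second hunk is the only `*_supported` check in this series without the `[0]` index; if the claim is an array, as its name and its siblings imply, `is in` compares the whole array against `["private_key_jwt"]` and the test can never pass. Make it `"check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported[0]",` to match the token_endpoint_auth_methods_supported check, or, if the runner's `is in` does accept an array subject, apply that form consistently. With this rewrite the passive file no longer checks that the OP metadata publishes `jwks` or `signed_jwks_uri`, which is the key material an RP needs to validate the OP's signatures; unless that presence test moved elsewhere in the file, it is worth keeping as a separate test rather than losing it.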
@@ -2000,8 +2144,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" @@ -2009,11 +2153,23 @@ "operations": [ { "message type": "Entity Configuration response OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] + } + ] } ] } 
@@ -2023,20 +2179,29 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] + } + ] } ] } 
@@ -2046,20 +2211,29 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] + } + ] } ] } 
@@ -2069,20 +2243,30 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] + } + ] } ] } 
@@ -2092,20 +2276,30 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] + } + ] } ] } 
@@ -2115,20 +2309,30 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
@@ -2138,31 +2342,27 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response OP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVX
SlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" + "RS256", + "RS512" ] } ] 
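Review bot: The decode operation keeps the `"jwe decrypt"` entry with an RSA private key although the message type is now "Entity Configuration response OP", whose body is a signed entity statement (a JWS), not a JWE; whether the runner fails the decrypt step or silently ignores it, the key is a leftover from the UserInfo JWE test this hunk replaces and should be removed so the operation is just `"from"`, `"decode regex"`, `"type": "jwt"` and the `checks`. Separately, a PEM private key pasted as a string into a committed test file (and duplicated again in the next hunk) is hard to rotate and easy to leak through copies of the corpus; loading it from a fixture file or environment reference, even for a test-only key, keeps secrets out of the JSON.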
@@ -2175,28 +2375,28 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Token response", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", + "in": "payload", + "check": "$.acr", "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" + 
"https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] @@ -2333,8 +2533,8 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", "type": "passive", "sessions": [ "s1" @@ -2345,15 +2545,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.jwks", + "is present": "true" } ] } @@ -2365,8 +2563,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2377,18 +2575,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.acr_values_supported", + "is present": "true" } ] } @@ -2400,8 +2593,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the authorization_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -2412,18 +2605,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.authorization_endpoint", + "is present": "true" } ] } 
@@ -2435,8 +2623,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2447,18 +2635,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", + "is present": "true" } ] } @@ -2470,8 +2653,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the claims_parameter_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2482,18 +2665,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.claims_parameter_supported", + "is present": "true" } ] } @@ -2505,8 +2683,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the OP metadata contain the claims_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2517,15 +2695,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_provider.claims_supported", + "is present": "true" } ] } 
@@ -2537,8 +2713,8 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the OP metadata contain the client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2549,18 +2725,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_provider.client_registration_types_supported", + "is present": "true" } ] } @@ -2572,8 +2743,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2584,13 +2755,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_provider.code_challenge_methods_supported", + "is present": "true" } ] } @@ -2602,8 +2773,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP metadata contain the contacts claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2614,13 +2785,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -2632,8 +2803,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the OP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2644,13 +2815,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } @@ -2662,8 +2833,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2674,13 +2845,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "check": "$.metadata.openid_provider.grant_types_supported", + "is present": "true" } ] } @@ -2692,8 +2863,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the OP metadata contain the homepage_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2704,13 +2875,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -2722,8 +2893,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -2734,13 +2905,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", + "is present": "true" } ] } @@ -2752,8 +2923,8 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2764,13 +2935,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", + "is present": "true" } ] } @@ -2782,8 +2953,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2794,13 +2965,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", + "is present": "true" } ] } @@ -2812,8 +2983,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the OP metadata contain the introspection_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -2824,13 +2995,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_provider.introspection_endpoint", + "is present": "true" } ] } 
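Review bot: The `json schema compliant` check on `$.metadata` with `additionalProperties: false` was the only check in view that bounded the set of metadata types, so after this hunk an Entity Configuration carrying an unexpected metadata type is no longer flagged by this file. The removed schema was itself too strict (it listed all six types under `required`, which a plain OP is unlikely to satisfy), so the better fix is a corrected version rather than a drop: keep the six types under `properties` with `additionalProperties: false` and require only the types this file actually tests for an OP (`openid_provider` and `federation_entity`). That is a one-line edit of the removed value, kept as its own test next to the new `id_token_signing_alg_values_supported` presence test.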
@@ -2842,25 +3013,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'aud' parameter",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server",
+ "name": "Does the OP metadata contain the issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}"
+ "check": "$.metadata.openid_provider.issuer",
+ "is present": "true"
 }
 ]
 }
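Review bot: The new `issuer` test only asserts presence, whereas the test it supersedes at -2692/-2704 required a `uri`-formatted string and its description demanded no query or fragment component; `"json schema compliant": "{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://[^?#]+$\"}"` on the same `check` path would keep that constraint. This hunk also drops the access-token `aud` check, and the hunks at -2872, -2902, -2932, -2962, -2992, -3022, -3052, -3082 and -3112 drop the remaining Token response checks (`client_id`, `exp`, `iat`, `iss`, `jti` on the access token; `exp`, `iat`, `iss`, `sub` on the ID token). Unless those were re-homed in files outside this chunk, this file no longer validates any claim of an issued token, which should be stated in the commit message if it is intended.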
@@ -2872,25 +3043,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.",
+ "name": "Does the OP metadata contain the logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -2902,25 +3073,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp",
+ "name": "Does the OP metadata contain the organization_name claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -2932,25 +3103,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload",
- "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.",
+ "name": "Does the OP metadata contain the policy_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -2962,25 +3133,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL",
- "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -2992,25 +3163,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format",
- "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"access_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}"
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -3022,25 +3193,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -3052,25 +3223,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp",
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=id_token: \")([^\"]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.openid_provider.request_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -3082,25 +3253,25 @@
 },
 {
 "test": {
- "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL",
- "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token response",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=\"id_token\": \")[^\"]+",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})"
+ "check": "$.metadata.openid_provider.response_modes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -3112,25 +3283,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the OP metadata contain the response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + "check": "$.metadata.openid_provider.response_types_supported", + "is present": "true" } ] } @@ -3142,8 +3313,8 @@ }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the OP metadata contain the revocation_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" 
@@ -3154,13 +3325,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_OP" + "check": "$.metadata.openid_provider.revocation_endpoint", + "is present": "true" } ] } @@ -3172,8 +3343,8 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3184,13 +3355,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", - "is": "true" + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is present": "true" } ] } 
@@ -3202,8 +3373,8 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain the scopes_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3214,13 +3385,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported.value", - "is": "true" + "check": "$.metadata.openid_provider.scopes_supported", + "is present": "true" } ] } @@ -3232,8 +3403,8 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3244,13 +3415,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported.value", - "is": "true" + "check": "$.metadata.openid_provider.subject_types_supported", + "is present": "true" } ] } 
@@ -3262,8 +3433,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain the token_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -3274,12 +3445,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.openid_provider.token_endpoint", "is present": "true" } ] @@ -3292,8 +3463,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3304,12 +3475,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", "is present": "true" } ] 
@@ -3322,8 +3493,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -3334,12 +3505,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", "is present": "true" } ] @@ -3352,8 +3523,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3364,12 +3535,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", "is present": "true" } ] 
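Review bot: The description of the token_endpoint_auth_signing_alg_values_supported test in the first hunk says the claim is checked in the 'op' entity type, but the JSONPath on its check line is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, and every neighbouring test describes the same location as the 'openid_provider' subclaim. Suggest `"description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked."` so the report text matches the path actually evaluated.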
@@ -3382,8 +3553,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3394,12 +3565,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", "is present": "true" } ] @@ -3412,8 +3583,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the OP metadata contain the userinfo_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" @@ -3424,12 +3595,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.openid_provider.userinfo_endpoint", "is present": "true" } ] 
@@ -3442,8 +3613,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" @@ -3454,12 +3625,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.authority_hints", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", "is present": "true" } ] @@ -3472,8 +3643,8 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", "type": "passive", "sessions": [ "s1" @@ -3484,12 +3655,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.openid_provider.signed_jwks_uri", "is present": "true" } ] 
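Review bot: The second hunk's test is named and described as "jwks or signed_jwks_uri ... There must be at least one of the two", but its only check is `"check": "$.metadata.openid_provider.signed_jwks_uri"` with `"is present": "true"`, so an OP that publishes its keys as an inline `jwks` in the openid_provider metadata fails a test whose description says it should pass. A single presence check cannot express the disjunction; unless the harness has an or-style check that I am not seeing, either split this into two tests (one per claim) or narrow the name and description to signed_jwks_uri so the result states what was verified. Because the published keys are what an RP uses to validate the OP's signatures, a test that passes or fails here for the wrong reason is worth correcting.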
@@ -3502,24 +3673,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.exp", "is present": "true" } ] @@ -3532,24 +3703,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.iat", "is present": "true" } ] 
@@ -3562,24 +3733,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.typ", + "in": "payload", + "check": "$.iss", "is present": "true" } ] @@ -3592,24 +3763,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.jwks", "is present": "true" } ] 
@@ -3622,24 +3793,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.metadata", "is present": "true" } ] @@ -3652,24 +3823,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.sub", "is present": "true" } ] 
@@ -3682,24 +3853,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.authority_hints", "is present": "true" } ] @@ -3712,24 +3883,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.trust_marks", "is present": "true" } ] 
@@ -3742,8 +3913,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" @@ -3758,8 +3929,8 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.jti", + "in": "header", + "check": "$.alg", "is present": "true" } ] @@ -3772,8 +3943,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -3788,8 +3959,8 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.scope", + "in": "header", + "check": "$.kid", "is present": "true" } ] 
@@ -3802,8 +3973,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", "type": "passive", "sessions": [ "s1" @@ -3818,8 +3989,8 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.sub", + "in": "header", + "check": "$.typ", "is present": "true" } ] @@ -3832,8 +4003,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -3844,12 +4015,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.aud", "is present": "true" } ] 
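Review bot: The `decode param` regex added in the third hunk, `(?<=\"access_token\": \")[^\"]+`, only matches when the token response body has exactly one space between the colon and the opening quote, i.e. the pretty-printed form; a compactly serialised body (`"access_token":"..."`) yields no match, and the decode operation then has nothing to check. If the harness's regex engine accepts optional elements inside a lookbehind, `(?<=\"access_token\":\\s?\")[^\"]+` covers both layouts; otherwise capture the token without a lookbehind. The same applies to the `access_token` regexes in the hunks that follow and to the `id_token` variant added in the at_hash, aud, exp, iat, iss and jti ID Token hunks further down.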
@@ -3862,8 +4033,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -3874,12 +4045,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.client_id", "is present": "true" } ] @@ -3892,8 +4063,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -3904,12 +4075,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr", + "check": "$.exp", "is present": "true" } ] 
@@ -3922,8 +4093,8 @@ }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -3934,12 +4105,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.at_hash", + "check": "$.iat", "is present": "true" } ] @@ -3952,8 +4123,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -3964,12 +4135,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.iss", "is present": "true" } ] 
@@ -3982,8 +4153,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -3994,12 +4165,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.jti", "is present": "true" } ] @@ -4012,8 +4183,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -4024,12 +4195,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.scope", "is present": "true" } ] 
@@ -4042,8 +4213,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -4054,12 +4225,12 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.sub", "is present": "true" } ] @@ -4072,8 +4243,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", "type": "passive", "sessions": [ "s1" @@ -4088,8 +4259,8 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.jti", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
@@ -4102,8 +4273,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -4118,8 +4289,8 @@ "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.nonce", + "in": "header", + "check": "$.kid", "is present": "true" } ] @@ -4132,8 +4303,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -4149,7 +4320,7 @@ "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.acr", "is present": "true" } ] 
@@ -4162,20 +4333,27 @@ }, { "test": { - "name": "Does the OP verify the HTTP method of the Revocation request", - "description": "The revocation request must be sent via HTTP POST", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.at_hash", + "is present": "true" + } + ] } ] } @@ -4185,8 +4363,8 @@ }, { "test": { - "name": "Does the successful token response contain access token", - "description": "The Token response is analyzed and the presence of the access token is checked", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -4194,11 +4372,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
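Review bot: The new `decode operations` blocks in this hunk and in the two lines of hunks that follow write `"is present": "true"` as a string, while the checks they replace used the boolean form `"is present": true`, so the same key now carries two JSON types within this file unless every remaining boolean use was converted as well. If the harness compares the value as a string, any surviving boolean checks are silently ineffective, and vice versa; normalise to one form across the file. Separately, the plain token-response presence checks for `access_token`, `expires_in`, `id_token` and `token_type` are removed here and are not re-added in the visible hunks; if they were not moved to another file in this series, that coverage is lost.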
@@ -4208,8 +4393,8 @@ }, { "test": { - "name": "Does the OP issue the access tokens when requested", - "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -4217,11 +4402,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } @@ -4231,8 +4423,8 @@ }, { "test": { - "name": "Does the OP issue the expires_in in a token response", - "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -4240,11 +4432,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "expires_in" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -4254,8 +4453,8 @@ }, { "test": { - "name": "Does the successful token response contain the ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -4263,11 +4462,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "id_token" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -4277,8 +4483,8 @@ }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -4286,11 +4492,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } 
@@ -4300,20 +4513,27 @@ }, { "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } 
@@ -4323,21 +4543,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "jwt check sig": "X_key_OP" + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -4347,21 +4573,20 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Entity Configuration response OP", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "jwt check sig": "X_key_core_OP" + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
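Review bot: The JOSE-format check `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is an unanchored search that excludes `-` from the first two segments and admits `=` padding, so it matches fragments such as `a.b.` inside an HTML error page, while a genuine entity configuration whose header or payload contains a `-` only matches a substring of itself. Anchoring the pattern and using the base64url alphabet gives the structural check the description promises: `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`. The Content-Type requirement mentioned in the description is not asserted by this test; it is covered by the separate EC Content-Type test added in `@@ -4554,20 +4757,21 @@`.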
@@ -4371,21 +4596,20 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "jwt check sig": "X_key_core_OP" + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
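Review bot: The resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` starts with an unescaped `[`, so the engine reads a character class rather than a literal bracket: in Java's regex, where a nested `[...]` is a union, the class is never closed and the pattern fails to compile, and in engines that take the inner `[` literally it degenerates to the class `[\s*"[^"]` followed by `*"(?:,\s*"[^"]*")*\s*\]$`. The intent appears to be a JSON array of strings at the end of the body, which needs `\\[`, and since the description expects an HTTP 200 the test should also carry the head check the other tests here use, `"in": "head", "check regex": "HTTP/?\\d?\\.?\\d?\\s200", "is present": "true"`. The description speaks of 'resolved metadata', which does not establish that the body is a bare string array, so the expected response shape should be confirmed against the endpoint before the pattern is fixed.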
@@ -4395,33 +4619,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": 
"true" } ] } @@ -4431,8 +4642,8 @@ }, { "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" @@ -4442,9 +4653,9 @@ "message type": "Token response", "checks": [ { - "in": "head", - "check": "Content-Type", - "is": "application/json" + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } @@ -4454,8 +4665,8 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" @@ -4466,8 +4677,8 @@ "checks": [ { "in": "body", - "check": "token_type", - "is": "Bearer" + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
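Review bot: `(?<=code=)[a-zA-Z0-9]+(?=&)` in the 'correct type of code parameter' test cannot match the UUID its description demands: a UUID contains hyphens, which the class excludes, and the lookahead also fails whenever `code` is the last query parameter. A pattern that encodes the stated contract is `"check regex": "(?<=code=)[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}(?=&|\\s|$)"`. If the provider's codes are not actually UUIDs, the name and description should be relaxed instead, because as written a compliant OP fails this test while an OP emitting any alphanumeric code followed by another parameter passes it.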
@@ -4477,8 +4688,8 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", "type": "passive", "sessions": [ "s1" 
@@ -4486,19 +4697,11 @@ "operations": [ { "message type": "UserInfo response", - "decode operations": [ + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", 
- "is": "JWT" - } - ] + "in": "body", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } @@ -4508,20 +4711,20 @@ }, { "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "message type": "Token response", "checks": [ { "in": "head", - "check param": "Location", - "contains": "code" + "check": "Content-Type", + "is": "application/json" } ] } @@ -4531,20 +4734,20 @@ }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "message type": "Token response", "checks": [ { - "in": "head", - "check param": "Location", - "contains": "iss" + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
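Review bot: With the `cty` and `alg` decode checks gone, the UserInfo test now only matches five dot-separated base64url segments, `[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$`, which establishes JWE compact serialization but says nothing about the plaintext being a signed JWT, so the name 'signed and encrypted' and the description overstate what is verified. Either reword both to what is checked, e.g. `"name": "Does the UserInfo response body contain a JWE in compact serialization"`, or keep the `cty` header check with the decryption key supplied from the tool's configuration rather than inlined in the test file. The PEM private key removed here and in `@@ -4395,33 +4619,20 @@` remains in the repository history; if it was ever more than a test fixture it should be treated as exposed.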
@@ -4554,20 +4757,21 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "message type": "Entity Configuration response OP", "checks": [ { "in": "head", - "check param": "Location", - "contains": "state" + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
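Review bot: The two new Content-Type tests (this hunk and `@@ -4577,32 +4781,21 @@`) express the header check as `"check param": "Content-Type"` with `"url decode": false` and `"is"`, while the token-response Content-Type test moved in `@@ -4508,20 +4711,20 @@` uses `"check": "Content-Type"` with `"is"` for the same head lookup; one form throughout would make the file easier to maintain and avoids relying on two mig-t code paths behaving identically. Exact `"is"` matching also fails if the server appends a parameter such as `; charset=utf-8`; if that is acceptable for this endpoint, `"contains": "application/entity-statement+jwt"` (the `contains` operator is already used elsewhere in this file) or a `check regex` anchored at the media type would be more robust.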
@@ -4577,32 +4781,21 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the Content-Type of the UserInfo response set to 'application/jwt'", + "description": "The Content-Type of the UserInfo response must be set to 'application/jwt' ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/jwt", + "check param": "Content-Type" } ] } 
@@ -4612,8 +4805,8 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -4624,7 +4817,7 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { 
@@ -4647,8 +4840,8 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" @@ -4659,15 +4852,17 @@ "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "header", "check": "$.alg", - "is in": [ - "RS256", - "RS512" + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json index 483a3a4..2fa2981 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/PASSIVE.json 
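Review bot: The ID-token 'wrong alg' description says an absent `alg` makes the token non-compliant, but the only check is `"is not in": ["none", "HS256", "HS384", "HS512"]`; whether mig-t fails an `is not in` check when `$.alg` is missing is not visible here, and if it treats a missing value as 'not in the list' the absence case passes silently. Adding an explicit presence check alongside it, `{ "in": "header", "check": "$.alg", "is present": "true" }`, pins the stated behavior independently of tool semantics. The same applies to the access-token variant in `@@ -4624,7 +4817,7 @@`, whose check list ends outside that hunk.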
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", @@ -15,7 +210,7 @@ ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "checks": [ { "in": "head", 
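Review bot: The five new entries are `"test suite"` objects placed inside the outer suite's `tests` array next to plain `"test"` entries, so the array now mixes two shapes; unless mig-t documents nested suites this reads like five single-test files pasted in, and the five tests also share one name, 'Does the metadata parameter contain only allowed types and only once for each', so a report cannot say which metadata type failed. Each check should be a plain `"test"` entry with the type in its name, e.g. `"name": "Does the metadata parameter contain 'openid_provider' at most once"`. The pattern `openid_provider.*(\\n.*)+\"openid_provider\"` only fires if the decoded `$.metadata` is rendered across several lines, and if mig-t parses the payload before applying the check, duplicate keys have already been collapsed by the JSON parser and the condition is unobservable; the 'must be a value among' half of the description is not checked at all. How `$.metadata` is rendered for `not matches regex` should be confirmed before relying on these tests.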
@@ -38,7 +233,7 @@ ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "checks": [ { "in": "head", @@ -53,29 +248,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", + "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
@@ -85,30 +271,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the OP handle a correct token request", + "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -118,30 +294,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the HTTP status of a token response correct?", + "description": "This test verifies whether the HTTP status of a token response is 200.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
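Review bot: 'Does the OP handle a correct token request' and 'Does the HTTP status of a token response correct?' (the next hunk on this line, `@@ -118,30 +294,20 @@`) run the identical check, `HTTP/?\\d?\\.?\\d?\\s200` against the Token response head, so one of them is redundant, and the first description ('is tried to obtain an Access Token … the Responses of the OP are analyzed') promises more than a status-line match. Either drop one, or give the first a distinguishing check such as the JWT-shaped access-token regex introduced in this commit's 'valid access token' test.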
@@ -151,30 +317,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
+ "name": "Does the OP verify the HTTP method of the Revocation request",
+ "description": "The revocation request must be sent via HTTP POST",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Revocation request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "POST"
 }
 ]
 }
@@ -184,30 +340,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']",
+ "name": "Does the successful token response contain access token",
+ "description": "The Token response is analyzed and the presence of the access token is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is in": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "access_token"
 }
 ]
 }
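Review bot: The revocation-request method check looks for the literal `POST` with `"in": "url"`, but a request URL does not carry the HTTP method, so unless this tool's `url` scope includes the request line the check can never match and the test will report the method as absent regardless of what the RP actually sent. If the request line is exposed through the `head` scope, as the status-line checks in the other hunks suggest, the intent is `"in": "head", "check regex": "^POST ", "is present": true`. If neither scope covers the method, this test cannot be expressed as a passive check and should say so in its description. The enclosing test object starts and ends outside the hunk.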
@@ -217,29 +363,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'",
+ "name": "Does the OP issue the access tokens when requested",
+ "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.token_endpoint_auth_method",
- "is in": [
- "private_key_jwt"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "access_token"
 }
 ]
 }
@@ -249,30 +386,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the OP issue the expires_in in a token response",
+ "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg",
- "is in": [
- "RSA-OAEP",
- "RSA-OAEP-256"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "expires_in"
 }
 ]
 }
@@ -282,30 +409,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].",
+ "name": "Does the successful token response contain the ID token",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc",
- "is in": [
- "A128CBC-HS256",
- "A256CBC-HS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "id_token"
 }
 ]
 }
@@ -315,30 +432,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",
+ "name": "Does the successful token response contain the token type",
+ "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Token response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is in": [
- "RS256",
- "RS512"
- ]
- }
- ]
+ "in": "body",
+ "is present": true,
+ "check regex": "token_type"
 }
 ]
 }
@@ -348,29 +455,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain in the 'response_types' the value 'code'",
- "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'",
+ "name": "Does the HTTP status code of the UserInfo response is 200",
+ "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "UserInfo response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.response_types[0]",
- "is in": [
- "code"
- ]
- }
- ]
+ "in": "head",
+ "is present": true,
+ "check param": "HTTP/?\\d?\\.?\\d?\\s200"
 }
 ]
 }
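Review bot: The UserInfo status check passes the status-line pattern through `check param`, whereas the identical pattern in the revocation and token checks (L10621, L10622) is given as `check regex`. If `check param` is matched as a literal header name, as its use with `Location` in L10640 suggests, this regex never matches and the test fails against a perfectly good 200 response. The line should read `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` like its siblings. The enclosing test object starts and ends outside the hunk.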
@@ -380,21 +478,34 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "UserInfo response", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" + ] + } + ] } ] } 
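Review bot: The `jwe decrypt` value embeds a complete PEM RSA private key inline in the test definition, and the same key is repeated verbatim in the three following hunks (L10630-L10631, L10632-L10633, L10634-L10635). Private key material does not belong in committed JSON even when it only protects a test RP: secret scanners will flag it, anyone with repository read access can decrypt every captured UserInfo response from runs that used it, and four copies will drift the first time one is rotated. If the runner can read the key from a file or a configuration variable, reference it there; if it cannot, the description should at least state that this is a test-only decryption key and name the single place it is generated. The enclosing test object starts on L10628 and ends after this line.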
@@ -404,25 +515,29 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNND
igYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is present": "true" + "in": "header", + "check": "$.enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -434,25 +549,31 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", + "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjq
u/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
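Review bot: This test reuses the exact name of the test in L10628 ("Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header"), so two tests with different checks report under one label; give it a distinct name, for example `"name": "Does the UserInfo Response's JWE avoid weak or symmetric alg values in the JOSE Header"`. The denylist itself is also a JWS list: `none`, `HS256`, `HS384` and `HS512` are signing algorithms and never appear as a JWE `alg`, so against the same decode pipeline that L10628 treats as the JWE header this check can only ever pass. If the intent is the description's "symmetric algorithm" clause, the JWE key-management names to deny are `dir` and the `A128KW`/`A192KW`/`A256KW` family (plus `RSA1_5`, which the L10643 test already targets for the OP metadata); if the intent is the nested JWS header, then L10628 and this test cannot both be checking the header they claim to. The enclosing test object starts on L10632 and ends after this line.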
@@ -464,25 +585,26 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "UserInfo response", "decode operations": [ { + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/S
e6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "in": "header", + "check": "$.cty", + "is": "JWT" } ] } @@ -494,25 +616,25 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.sub", + "is": "X_key_OP" } ] } 
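Review bot: In the `sub` test that ends this line, the description says the value "must be equal to the one in the iss parameter", but the check compares `$.sub` with the fixed string `X_key_OP`. If `X_key_OP` is a variable the runner substitutes with the OP's identifier, that convention should be stated in the description, because nothing in the file indicates it; if it is a literal, the test can only pass against one specific OP and fails for any other compliant one. A check that reads `$.iss` and compares it with `$.sub`, if the tool supports referencing another claim, would match the stated contract. The enclosing test object starts and ends outside the hunk.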
@@ -524,25 +646,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the grant_types claim",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked",
+ "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
- "is present": "true"
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
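Review bot: The JSONPath ends in `.value`, but in an Entity Configuration the OP metadata flags are plain booleans directly under `metadata.openid_provider`; a `value` sub-key is the shape of a metadata_policy operator, not of metadata, so unless this tool's path evaluator exposes leaves that way the check resolves to nothing and the test cannot pass. The same path shape is used in L10637 and L10638. The comparison `"is": "true"` also compares against a string where the claim is a JSON boolean, which only works if the runner stringifies leaves before comparing. The proposed line is `"check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", "is": true`, and the description should say the value is checked to be true rather than that the claim's "presence" is checked, which is what the name already claims. The enclosing test object starts and ends outside the hunk.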
@@ -554,25 +676,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'grant_types' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.",
+ "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.grant_types",
- "is present": "true"
+ "check": "$.metadata.openid_provider.claims_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
@@ -584,25 +706,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the homepage_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain the correct value of request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_parameter_supported.value",
+ "is": "true"
 }
 ]
 }
@@ -614,25 +736,28 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.",
+ "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
- "is present": "true"
+ "in": "header",
+ "check": "$.alg",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
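Review bot: The access-token extraction regex `(?<=\"access_token\": \")[^\"]+` requires exactly one space between the colon and the opening quote, so a token response serialized compactly (`"access_token":"..."`) or with other spacing yields no match and the `alg` check runs against nothing instead of failing the token. A bounded optional whitespace keeps the lookbehind fixed-width enough for Java-style engines: `"decode param": "(?<=\"access_token\":\\s?\")[^\"]+"`. The test also presumes the access token is a JWT; an OP issuing opaque tokens would fail the decode step rather than the `alg` check, which is worth stating in the description. The enclosing test object starts and ends outside the hunk.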
@@ -644,27 +769,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.",
+ "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "code"
 }
 ]
 }
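Review bot: The redirect check asserts only that the substring `code` appears somewhere in the `Location` header, which an error redirect (for example an `error_description` mentioning the code, or any redirect_uri path containing those letters) satisfies just as well as `?code=...`; the same weakness applies to `iss` in L10641, where `issuer` or `missing` in a URL also matches, and to `state` in L10642. If the tool allows a regex on the header value, anchoring on the query syntax closes this: `"check regex": "[?&]code=[^&]+"`, and correspondingly `[?&]iss=` and `[?&]state=`. The description already promises a query parameter, so the check should test for one. The enclosing test object starts and ends outside the hunk.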
@@ -674,27 +792,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.",
+ "name": "Does the OP contain iss parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.id_token_signed_response_alg",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "iss"
 }
 ]
 }
@@ -704,27 +815,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
+ "name": "Does the OP contain correct state parameter on redirect in a successful authentication",
+ "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication response",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
- "is present": "true"
- }
- ]
+ "in": "head",
+ "check param": "Location",
+ "contains": "state"
 }
 ]
 }
@@ -734,25 +838,27 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the 'jwks' parameter",
- "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
+ "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.jwks",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
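Review bot: The denied value is spelled `RSA_1_5`, but the registered JWA name for RSAES-PKCS1-v1_5 key encryption (RFC 7518 §4.1) is `RSA1_5`, with no underscore between RSA and 1. As written the `not contains` check compares against a string no OP will ever advertise, so an OP that does list the deprecated PKCS#1 v1.5 scheme passes this test; the same misspelling is in L10648 for `userinfo_encryption_alg_values_supported`. Both checks (and their descriptions) should use `"RSA1_5"`. The enclosing test object starts and ends outside the hunk.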
@@ -764,25 +870,30 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the logo_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -794,25 +905,30 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the organization_name claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
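Review bot: The path `request_authentication_signing_alg_values_supported[0]` selects only the first element of the array, so an OP listing `RS256` first and `HS256` or `none` anywhere after it passes this denylist; the sibling checks in L10644, L10646 and L10647 apply `not contains` to the whole array, which is what the description ("must not contain the values") requires. Drop the index: `"check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported"`. The enclosing test object starts and ends outside the hunk.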
@@ -824,25 +940,30 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain the policy_uri claim",
- "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
+ "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -854,25 +975,30 @@ }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -884,25 +1010,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", + "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.signed_jwks_uri", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -914,25 +1042,30 @@ }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", + "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -944,27 +1077,21 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is present": "true" - } - ] + "jwt check sig": "X_key_OP" } ] } 
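Review bot: The description says the verifier is "configured for the algorithm described in the Entity Configuration Header", i.e. the `alg` is taken from the untrusted token itself; a verifier that honours a header `alg` of `none` or an HMAC algorithm while holding an RSA/EC public key is the classic JWT algorithm-confusion weakness, so `jwt check sig` should run against an explicit allow-list of asymmetric algorithms rather than whatever the header announces. Whether `X_key_OP` is resolved from the superior's Entity Statement as the description claims, or from static tool configuration, is not visible in this hunk; the description should say which, e.g. `"... the public key bound to the X_key_OP placeholder, resolved from the superior's Entity Statement before the test runs ..."`.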
@@ -974,27 +1101,21 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", + "name": "Does the OP correctly sign the Access Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_OP" } ] } 
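Review bot: The extraction regex `(?<=\"access_token\": \")[^\"]+` assumes the token response is pretty-printed with a space after the colon; a compact body such as `{"access_token":"eyJ..."}` never matches, so the signature check silently has no JWT to verify. Tolerate optional whitespace with `"decode param": "(?<=\"access_token\":\\s*\")[^\"]+",`. The description's wording "in such a way to be decrypted using its public key" is wrong for a signature, which is verified rather than decrypted; suggest "verified using the OP's public key".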
@@ -1004,27 +1125,21 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", + "name": "Does the OP correctly sign the ID Token", + "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_OP" } ] } 
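Review bot: Same extraction fragility as the access-token signature test in this patch: `(?<=\"id_token\": \")[^\"]+` only matches a pretty-printed body with a space after the colon, so a compact JSON token response yields nothing to verify. Suggest `"decode param": "(?<=\"id_token\":\\s*\")[^\"]+",`. As in the access-token test, "decrypted using its public key" should read "verified using its public key".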
@@ -1034,25 +1149,25 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } 
@@ -1064,20 +1179,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
@@ -1087,20 +1209,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -1110,20 +1239,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] } ] } 
@@ -1133,20 +1269,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the OP's entity configuration contain a correct authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + } + ] } ] } 
@@ -1156,20 +1299,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the OP metadata contain correct type issuer parameter", + "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + } + ] } ] } 
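Review bot: The description promises "an URL with no query or fragment component", but the schema only applies `"format":"uri"`, which permits `?` and `#` and is an annotation that many JSON Schema validators do not enforce at all; it also does not require https. Encode the constraint in a pattern so it is actually checked, inside the escaped schema string: `"issuer":{"type":"string","format":"uri","pattern":"^https://[^?#]+$"}`. Whether https is mandatory for `issuer` in the targeted profile should be confirmed; if not, `^[a-zA-Z][a-zA-Z0-9+.-]*://[^?#]+$` captures just the no-query/no-fragment requirement.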
@@ -1179,20 +1329,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the OP metadata contain correct type logo_uri claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] } ] } 
@@ -1202,20 +1359,27 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + } + ] } ] } 
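Review bot: The schema for `request_authentication_methods_supported` constrains only the shape of whatever keys happen to be present, so an empty object `{}` — or one whose arrays are empty — satisfies it, yet the test name says it checks the "correct value" and the description says it checks "presence". Add `"minProperties": 1` at the object level and `"minItems": 1` on the array schema, and align name and description on what is enforced (every listed endpoint advertises exactly `request_object`). Note that `"items": {"const": "request_object"}` rejects an OP that also advertises another method alongside `request_object`; if that strictness is intended, the description should say so.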
@@ -1225,20 +1389,27 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the OP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } 
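Review bot: The description says `trust_marks` "must be a JSON array", but the schema requires `"type": "object"` with array-valued properties, so a conforming array value fails this test. In OpenID Federation entity statements `trust_marks` is an array of objects carrying `id` and `trust_mark`; if that is the profile under test, the schema should be `{"type":"object","properties":{"trust_marks":{"type":"array","items":{"type":"object","required":["id","trust_mark"]}}},"required":["trust_marks"]}` (escaped inside the string as the neighbouring tests do). If the object shape is deliberate for some other profile, the description must be corrected instead.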
@@ -1248,27 +1419,25 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" } ] } 
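Review bot: The schema forces `aud` to be an array, but RFC 7519 allows `aud` to be a single string when there is one audience, so a valid access token with `"aud": "https://rs.example"` fails this test; and the description's promise that the value "is the identifier of the resource server" is not checked at all. Use `"aud": {"anyOf": [{"type":"string"},{"type":"array","items":{"type":"string"},"minItems":1}]}` unless the targeted profile mandates the array form, and compare against the expected resource-server identifier if the tool supports a placeholder for it. The extraction regex shares the pretty-printing assumption (`": "` with a literal space) noted on the other token-response tests.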
@@ -1280,25 +1449,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" } ] } 
@@ -1310,25 +1479,25 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
@@ -1340,25 +1509,25 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1370,25 +1539,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", + "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } 
@@ -1400,25 +1569,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", + "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" } ] } 
@@ -1430,25 +1599,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
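Review bot: The extraction regex `(?<=id_token: \")([^\"]+)` can never match a JSON token response, because the key is quoted (`"id_token": "`) while the lookbehind requires the unquoted text `id_token: "`; the test therefore has no JWT to decode and fails or is vacuous on every run. Use the same form as the other ID Token tests in this patch: `"decode param": "(?<=\"id_token\": \")[^\"]+",`, ideally with `\\s*` in place of the literal space so compact JSON is also handled.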
@@ -1460,25 +1629,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=id_token: \")([^\"]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
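Review bot: Same broken lookbehind as the preceding ID Token `exp` test: `(?<=id_token: \")([^\"]+)` requires the unquoted text `id_token: "`, which never occurs in a JSON body where the key is written `"id_token": "`, so no JWT is ever extracted and the `iat` check cannot run. Replace with `"decode param": "(?<=\"id_token\": \")[^\"]+",` (or `(?<=\"id_token\":\\s*\")[^\"]+` to tolerate compact JSON), matching the `iss` and `sub` ID Token tests in this patch.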
@@ -1490,25 +1659,25 @@ }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" } ] } 
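Review bot: The schema string ends with a stray `)` after the closing brace (`\"required\":[\"iss\"]})`), so the embedded JSON Schema is not valid JSON and the check cannot be evaluated. Remove the parenthesis: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]}"`. The `const` value `X_https_OP` looks like a placeholder the tool substitutes; if it is not substituted before validation the test rejects every real issuer, so confirm how the placeholder is resolved.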
@@ -1520,25 +1689,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" } ] } 
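Review bot: The description says `sub` is "checked to be a string", but the schema enforces `^[0-9a-f]{64}$`, i.e. exactly 64 lowercase hex characters, a much stronger and profile-specific requirement that rejects any OP using another opaque subject format. Either state the real expectation in the description (e.g. "a 64-character lowercase hex string, as required by the profile's pairwise subject rule") with the clause it derives from, or relax the pattern to what the test claims. The hex requirement presumably comes from the SPID/CIE profile, but nothing in the hunk says so.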
@@ -1550,25 +1719,29 @@ }, { "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", + "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + "check": "$.metadata.openid_provider.acr_values_supported[0]", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
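Review bot: `$.metadata.openid_provider.acr_values_supported[0]` with `is in` validates only the first element, so an OP advertising `[".../SpidL1", "urn:bogus"]` passes while the description says the value must be the full list of three levels; check the whole array instead, e.g. `"check": "$.metadata.openid_provider.acr_values_supported",` with a schema whose `items` use `enum` over the three URLs and `"minItems": 3, "uniqueItems": true`. Separately, this hunk and the two after it change `"decode param"` back to `"decode regex"`, while every other hunk in this patch migrates `"decode regex"` to `"decode param"`; after the patch the file uses both keys, and whichever one the tool does not recognise will presumably skip its test silently, so pick one key consistently.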
@@ -1580,25 +1753,27 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_provider.client_registration_types_supported[0]", + "is in": [ + "automatic" + ] } ] } 
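Review bot: The description says only the presence of `client_registration_types_supported` is checked, but the test name and the `is in` check assert that its value is `automatic`; the later token_endpoint_auth_methods_supported test has the same name/description mismatch with `private_key_jwt`. Suggest aligning the description, e.g. `"description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the client_registration_types_supported claim in the 'openid_provider' entity type is checked to be 'automatic'.",`.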
@@ -1610,25 +1785,27 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", + "is in": [ + "S256" + ] } ] } 
@@ -1640,25 +1817,28 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", - "type": "passive", + "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_provider.grant_types_supported[0]", + "is in": [ + "refresh_token", + "authorization_code" + ] } ] } 
@@ -1670,25 +1850,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -1700,25 +1883,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -1730,25 +1916,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -1760,25 +1949,27 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the OP metadata contain a correct issuer parameter", + "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "check": "$.metadata.openid_provider.issuer", + "is in": [ + "X_url_OP" + ] } ] } 
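Review bot: The `issuer` check uses `"is in"` with a single-element list, whereas the removed RP test expressed the same kind of single expected value as `"is": "X_url_RP"`; for one expected value `"is": "X_url_OP"` reads as an equality check and keeps the two forms distinct. The description also says the "presence" of the parameter "is checked to be the URL of the OP", which conflates presence with value; stating that the value is checked to equal the OP's URL is clearer. Whether `X_url_OP` is substituted by the tool at run time is not visible from this hunk.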
@@ -1790,25 +1981,28 @@ }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" + "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -1820,22 +2014,29 @@ }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] + } ] } ] 
@@ -1846,25 +2047,28 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_provider.response_modes_supported[0]", + "is in": [ + "form_post", + "query" + ] } ] } 
@@ -1876,25 +2080,27 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the OP metadata contain correct response_types_supported claim", + "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata.openid_provider.response_types_supported[0]", + "is in": [ + "code" + ] } ] } 
@@ -1906,25 +2112,27 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", + "is in": [ + "private_key_jwt" + ] } ] } 
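Review bot: `revocation_endpoint_auth_methods_supported` is checked without an index while the sibling `token_endpoint_auth_methods_supported` test later in this commit checks `[0]`; one of the two is inconsistent, and if `is in` compares the selected value with the listed strings, an array value would never match and this test would fail regardless of the metadata (or pass regardless, depending on how the tool coerces it). Suggest giving both tests the same form, preferably one that validates every element: `"check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",` with `"json schema compliant": "{\"type\": \"array\", \"minItems\": 1, \"items\": {\"const\": \"private_key_jwt\"}}"`. The enclosing test array continues outside the hunk.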
@@ -1936,25 +2144,30 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the OP metadata contain correct scopes_supported claim", + "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata.openid_provider.scopes_supported[0]", + "is in": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -1966,25 +2179,27 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata.openid_provider.subject_types_supported[0]", + "is in": [ + "pairwise" + ] } ] } 
@@ -1996,25 +2211,27 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", + "is in": [ + "private_key_jwt" + ] } ] } 
@@ -2026,25 +2243,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", - "is present": "true" + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -2056,25 +2276,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -2086,25 +2309,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -2116,25 +2342,28 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", - "is present": "true" + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -2146,25 +2375,29 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$.acr", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" + ] } ] } 
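Review bot: The description promises that the ID Token `acr` "must be equal or superior to the acr send from the RP in the Authentication Request", but the check only verifies membership in the three SPID levels; nothing in the hunk compares it with the requested value, so a reader of the report would believe a property was verified that was not. Suggest trimming the description to what is tested, e.g. `"description": "The ID Token present in the Token Response is taken, the payload is base64url decoded and the 'acr' parameter is checked to be one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. The comparison with the acr_values requested by the RP is not performed by this test.",`. The enclosing test array continues outside the hunk.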
@@ -2176,24 +2409,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2
quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iat", + "in": "header", + "check": "$.alg", "is present": "true" } ] 
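Review bot: The `jwe decrypt` value embeds a complete PEM private key in the committed test definition, and the identical blob is repeated verbatim in the cty, enc and kid UserInfo tests that follow; even if this is a test-only key, inlining it in a JSON fixture makes rotation error-prone and invites the key to be copied into other configs, so a placeholder resolved at run time (in the style of the `X_url_OP` token used elsewhere in this file) or a reference to a key file outside the test suite is preferable. These four tests also keep `"decode param": "[^\\r\\n]*"` while the rest of the commit moves to `"decode regex"`; if the tool distinguishes the keys they will not decode the token. Finally, `alg` is only checked with `"is present"`, which accepts any algorithm; since the OP metadata tests in this same commit pin `userinfo_encryption_alg_values_supported` to RSA-OAEP / RSA-OAEP-256 and the enc values to A128CBC-HS256 / A256CBC-HS512, the JOSE header check can be made consistent with `"is in": ["RSA-OAEP", "RSA-OAEP-256"]` here and `"is in": ["A128CBC-HS256", "A256CBC-HS512"]` in the enc test. The enclosing test array continues outside the hunk.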
@@ -2206,24 +2440,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1ht
iB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.iss", + "in": "header", + "check": "$.cty", "is present": "true" } ] 
@@ -2236,24 +2471,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9
E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.nonce", + "in": "header", + "check": "$.enc", "is present": "true" } ] 
@@ -2266,24 +2502,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", + "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "UserInfo response", "decode operations": [ { - "from": "url", - "decode param": "request", + "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7
sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.prompt", + "in": "header", + "check": "$.kid", "is present": "true" } ] @@ -2296,24 +2533,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response OP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.redirect_uri", + "check": "$.metadata.openid_provider.jwks", "is present": "true" } ] 
@@ -2326,24 +2563,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked",
+ "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.response_type",
+ "check": "$.metadata.openid_provider.acr_values_supported",
 "is present": "true"
 }
 ]
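Review bot: The new description's word order, "the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked", attaches "parameter" to the wrong noun, unlike the sibling hunks which write "the presence of the 'X' parameter in the 'openid_provider' subclaim (metadata type) is checked". Suggest `"description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked."`.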
@@ -2356,24 +2593,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain the 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
+ "name": "Does the OP metadata contain the authorization_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
+ "check": "$.metadata.openid_provider.authorization_endpoint",
 "is present": "true"
 }
 ]
@@ -2386,24 +2623,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
+ "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.state",
+ "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported",
 "is present": "true"
 }
 ]
@@ -2416,24 +2653,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications",
+ "name": "Does the OP metadata contain the claims_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.ui_locales",
+ "check": "$.metadata.openid_provider.claims_parameter_supported",
 "is present": "true"
 }
 ]
@@ -2446,24 +2683,24 @@
 },
 {
 "test": {
- "name": "Does the RP's entity configuration contain the trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",
+ "name": "Does the OP metadata contain the claims_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata.openid_provider.claims_supported",
 "is present": "true"
 }
 ]
@@ -2476,24 +2713,24 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the aud claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.",
+ "name": "Does the OP metadata contain the client_registration_types_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.aud",
+ "check": "$.metadata.openid_provider.client_registration_types_supported",
 "is present": "true"
 }
 ]
@@ -2506,24 +2743,24 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the exp claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present",
+ "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata.openid_provider.code_challenge_methods_supported",
 "is present": "true"
 }
 ]
@@ -2536,24 +2773,24 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the iat claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.",
+ "name": "Does the OP metadata contain the contacts claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -2566,24 +2803,24 @@
 },
 {
 "test": {
- "name": "Does the JWT payload contain 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.",
+ "name": "Does the OP metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -2596,24 +2833,24 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the jti claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.",
+ "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jti",
+ "check": "$.metadata.openid_provider.grant_types_supported",
 "is present": "true"
 }
 ]
@@ -2626,24 +2863,24 @@
 },
 {
 "test": {
- "name": "Does the signed JWT assertion contain the sub claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.",
+ "name": "Does the OP metadata contain the homepage_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
+ "message type": "Entity Configuration response OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata.federation_entity.homepage_uri",
 "is present": "true"
 }
 ]
@@ -2656,20 +2893,27 @@
 },
 {
 "test": {
- "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
- "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
+ "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "code_challenge"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
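Review bot: The replacement check writes `"is present": "true"` as a string where the removed operation-level check used the JSON boolean `true`, so the same key now carries two types in this file depending on which kind of check block it sits in; every converted hunk from here to the end of the file does the same. The string form is what the pre-existing decode-operation checks already use, so presumably it is what the tool expects, but which spelling is canonical is not visible here and should be confirmed and documented so a schema can pin one type for the key. Until then, the converted entries are at least consistent with their decode-operation siblings.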
@@ -2679,43 +2923,57 @@
 },
 {
 "test": {
- "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
- "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
+ "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "code_challenge_method"
- }
- ]
- }
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
 ],
 "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the RP insert the client ID in the url of the request",
- "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked",
+ "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2725,20 +2983,27 @@
 },
 {
 "test": {
- "name": "Does the RP insert the response type in the url of the request",
- "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked",
+ "name": "Does the OP metadata contain the introspection_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "response_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.introspection_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2748,20 +3013,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion",
- "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the OP metadata contain the issuer parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.issuer",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2771,20 +3043,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion_type",
- "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the OP metadata contain the logo_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2794,20 +3073,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client_assertion as a valid JWT",
- "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure",
+ "name": "Does the OP metadata contain the organization_name claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2817,20 +3103,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the client id of the RP making the request",
- "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the OP metadata contain the policy_uri claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2840,20 +3133,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request use HTTP POST",
- "description": "The Introspection request made by the RP use HTTP POST",
+ "name": "Does the OP metadata contain the request_authentication_methods_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "url",
- "is present": true,
- "check": "POST"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2863,20 +3163,27 @@
 },
 {
 "test": {
- "name": "Does the Introspection Request contain the token",
- "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
- "s_CIE_introsp"
+ "s1"
 ],
 "operations": [
 {
- "message type": "Introspection request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2886,20 +3193,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client assertion",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.",
+ "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2909,20 +3223,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client_assertion_type",
- "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.",
+ "name": "Does the OP metadata contain the request_parameter_supported claim",
+ "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.request_parameter_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2932,20 +3253,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the client_id of the RP making the request",
- "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.",
+ "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.response_modes_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2955,20 +3283,27 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain the token for which the request is made",
- "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.",
+ "name": "Does the OP metadata contain the response_types_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "token"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.response_types_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2978,20 +3313,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion",
- "description": "The token request sent by the RP must contain client_assertion parameter in the URL",
+ "name": "Does the OP metadata contain the revocation_endpoint parameter",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.revocation_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3001,20 +3343,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_assertion_type",
- "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL",
+ "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_assertion_type"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3024,20 +3373,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the client_id",
- "description": "The token request sent by the RP must contain client_id parameter in the URL",
+ "name": "Does the OP metadata contain the scopes_supported claim",
+ "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "client_id"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.scopes_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3047,20 +3403,27 @@
 },
 {
 "test": {
- "name": "Does the token request contain the code parameter",
- "description": "The token request sent by the RP must contain code parameter in the URL",
+ "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "is present": true,
- "check regex": "code"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.subject_types_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3070,20 +3433,27 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the OP metadata contain the token_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint", + "is present": "true" + } + ] } ] } @@ -3093,20 +3463,27 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "grant_type" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", + "is present": "true" + } + ] } ] } 
@@ -3116,20 +3493,27 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", + "is present": "true" + } + ] } ] } 
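Review bot: The new description says the claim is checked "in the 'op' entity type", but the check path is `$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported`, and every sibling test in this series describes the same location as the 'openid_provider' subclaim. The description should name the location the check actually reads, e.g. `"description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked."`. Likewise the test names in this series alternate between "parameter" and "claim in the openid_provider subclaim" for identical checks; one wording would make the test list easier to scan.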
@@ -3139,20 +3523,27 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", + "is present": "true" + } + ] } ] } 
@@ -3162,21 +3553,27 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_RP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", + "is present": "true" + } + ] } ] } 
@@ -3186,21 +3583,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the OP metadata contain the userinfo_endpoint parameter", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_core_RP" + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_endpoint", + "is present": "true" + } + ] } ] } 
@@ -3210,20 +3613,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", + "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", + "is present": "true" + } + ] } ] } 
@@ -3233,21 +3643,28 @@
 },
 {
 "test": {
- "name": "Does the Revocation Request contain correct type of client_id of the RP making the request",
- "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP",
+ "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim",
+ "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Revocation request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}"
- }
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.openid_provider.signed_jwks_uri",
+ "is present": "true"
+ }
+ ]
+ }
 ]
 }
 ],
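Review bot: The test name and description promise "jwks or signed_jwks_uri ... at least one of the two", but the only check added is `"check": "$.metadata.openid_provider.signed_jwks_uri"` with `"is present"`, so an OP that publishes an inline `jwks` and no `signed_jwks_uri` fails a test it should pass, and the report will attribute the failure to the wrong claim. Nothing on the page shows an OR between checks in this format, so if the engine cannot express the disjunction, the honest fix is to narrow the test to what it verifies, `"name": "Does the OP metadata contain the signed_jwks_uri claim in the openid_provider subclaim"`, and add a separate presence test for `$.metadata.openid_provider.jwks`; if it can, combine the two paths in one test so the stated "at least one" semantics hold. Either way the description should stop claiming a check that is not performed.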
@@ -3256,20 +3673,27 @@
 },
 {
 "test": {
- "name": "Does the client_id in the token request contain an HTTPS URL",
- "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Token request",
- "checks": [
+ "message type": "Entity Configuration response OP",
+ "decode operations": [
 {
- "in": "body",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
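Review bot: The added decode operation keys the body extraction as `"decode param": "[^\\r\\n]*"`, while the Entity Configuration tests added on L10720 through L10728 key the identical extraction as `"decode regex"`, and the hunk on L10725 shows this very commit replacing `decode param` with `decode regex` for that regex; the hunks on L10730 through L10734 repeat the `decode param` form, and L10733 and L10734 even flip an existing `decode regex` back to `decode param`. The removed line on L10736 (`"from": "url", "decode param": "request"`) suggests `decode param` names a parameter rather than a pattern, so if the engine distinguishes the two keys these seven presence tests decode nothing and their result reflects the empty decode rather than the claim; that inference is hedged because the engine is not on the page. Use the same key the sibling tests use, `"decode regex": "[^\\r\\n]*"`, in all seven hunks.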
@@ -3279,20 +3703,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client_assertion_type", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -3302,20 +3733,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_url_RP" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -3325,20 +3763,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_assertion_type", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
@@ -3348,20 +3793,27 @@ }, { "test": { - "name": "Does the client_assertion_type parameter in the token request contain the correct type", - "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "client_assertion_type", - "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } @@ -3371,20 +3823,27 @@ }, { "test": { - "name": "Does the client_id in the token request identifies the RP", - "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response OP", + "decode operations": [ { - "in": "body", - "check": "client_id", - "is": "X_https_RP" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -3394,30 +3853,25 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the OP's entity configuration contain the authority_hints parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.authority_hints", + "is present": "true" } ] } 
@@ -3429,27 +3883,25 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the OP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Entity Configuration response OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" - ] + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -3461,30 +3913,25 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",
+ "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header",
+ "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"access_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg",
- "is not in": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "in": "header",
+ "check": "$.alg",
+ "is present": "true"
 }
 ]
 }
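Review bot: The new extraction `"decode param": "(?<=\"access_token\": \")[^\"]+"` only matches a token response that is pretty-printed with exactly one space after the colon; a compact serialization (`"access_token":"..."`) or one with different whitespace yields no match, and the JWT header check then runs against nothing rather than against the token. The same pattern is used by every Token response hunk from here through L10748 (with `id_token` from L10745 on), so one fix applies to all of them. A whitespace-tolerant lookbehind such as `(?<=\"access_token\":\\s?\")[^\"]+` keeps the rest of the operation unchanged, provided the engine accepts bounded variable-length lookbehind, which the page does not tell us; otherwise a capture-group form would be needed. Whether `decode param` accepts a regex at all is the question raised on L10729; the removed line on L10726 shows the older form `"decode param": "(?<=client_assertion=)([^&]+)"`, so it presumably does, but the key choice should match the Entity Configuration tests either way.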
@@ -3496,30 +3943,25 @@ }, { "test": { - "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", - "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", + "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", + "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.kid", + "is present": "true" } ] } 
@@ -3531,33 +3973,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", + "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] + "in": "header", + "check": "$.typ", + "is present": "true" } ] } 
@@ -3569,28 +4003,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", + "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] + "check": "$.aud", + "is present": "true" } ] } 
@@ -3602,32 +4033,25 @@ }, { "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", + "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token response", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] + "check": "$.client_id", + "is present": "true" } ] } 
@@ -3639,20 +4063,27 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -3662,20 +4093,27 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -3685,20 +4123,27 @@ }, { "test": { - "name": "Does the revocation endpoint return an empty HTTP 200 OK response upon a correct revocation request", - "description": "A correct flow is accomplished and, once received the token, a request is made to the revocation endpoint. The response is then analyzed and has to be an empty HTTP 200 OK", + "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation response", - "checks": [ + "message type": "Token response", + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -3708,8 +4153,8 @@ }, { "test": { - "name": "Does the OP handle a correct token request", - "description": "In this test a normal flow is accomplished and is tried to obtain an Access Token. All requests are well-formed and the Responses of the OP are analyzed.", + "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" @@ -3717,11 +4162,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } 
@@ -3731,8 +4183,8 @@ }, { "test": { - "name": "Does the HTTP status of a token response correct?", - "description": "This test verifies whether the HTTP status of a token response is 200.", + "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" @@ -3740,11 +4192,18 @@ "operations": [ { "message type": "Token response", - "checks": [ + "decode operations": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", - "is present": "true" + "from": "body", + "decode param": "(?<=\"access_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is present": "true" + } + ] } ] } 
@@ -3754,29 +4213,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked to be [https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2, https://www.spid.gov.it/SpidL3]", + "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", + "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported[0]", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] + "check": "$.sub", + "is present": "true" } ] } 
@@ -3788,27 +4243,25 @@
 },
 {
 "test": {
- "name": "Does the OP metadata contain the correct value of client_registration_types_supported claim",
- "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.",
+ "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header",
+ "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response OP",
+ "message type": "Token response",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "(?<=\"id_token\": \")[^\"]+",
 "type": "jwt",
 "checks": [
 {
- "in": "payload",
- "check": "$.metadata.openid_provider.client_registration_types_supported[0]",
- "is in": [
- "automatic"
- ]
+ "in": "header",
+ "check": "$.alg",
+ "is present": "true"
 }
 ]
 }
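Review bot: The test name says the ID Token contains a "correct" `alg`, but the only check is `"is present": "true"` on `$.alg`, so a token whose header carries `alg: none` or an HMAC algorithm passes exactly like an asymmetrically signed one; the description at least says "presence", but the name over-claims. The removed checks on L10733 through L10737 already show the value form this format supports, so either rename the test to a presence test or make it match its name by replacing the last line of the check with `"is not in": ["none", "HS256", "HS384", "HS512"]`, which is the list those removed tests used. The Access Token `alg` test on L10735 has the same presence-only shape and would benefit from the same value check; a presence test alone gives no assurance about the signing algorithm the OP actually used.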
@@ -3820,27 +4273,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be 'S256'", + "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", + "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported[0]", - "is in": [ - "S256" - ] + "in": "header", + "check": "$.kid", + "is present": "true" } ] } 
@@ -3852,28 +4303,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [refresh_token, authorization_code]", + "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported[0]", - "is in": [ - "refresh_token", - "authorization_code" - ] + "check": "$.acr", + "is present": "true" } ] } 
@@ -3885,28 +4333,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does ID token payload contain the 'at_hash' parameter", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] + "check": "$.at_hash", + "is present": "true" } ] } 
@@ -3918,28 +4363,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "check": "$.aud", + "is present": "true" } ] } 
@@ -3951,28 +4393,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.exp", + "is present": "true" } ] } 
@@ -3984,27 +4423,25 @@ }, { "test": { - "name": "Does the OP metadata contain a correct issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be the URL of the OP", + "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is in": [ - "X_url_OP" - ] + "check": "$.iat", + "is present": "true" } ] } 
@@ -4016,28 +4453,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to ['RS256', 'RS512'].", + "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.iss", + "is present": "true" } ] } 
@@ -4049,28 +4483,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be ['RS256', 'RS512']", + "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] + "check": "$.jti", + "is present": "true" } ] } 
@@ -4082,28 +4513,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked to be [form_post, query]", + "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported[0]", - "is in": [ - "form_post", - "query" - ] + "check": "$.nonce", + "is present": "true" } ] } 
@@ -4115,27 +4543,25 @@ }, { "test": { - "name": "Does the OP metadata contain correct response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present and must be set to 'code'", + "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported[0]", - "is in": [ - "code" - ] + "check": "$.sub", + "is present": "true" } ] } 
@@ -4147,8 +4573,8 @@ }, { "test": { - "name": "Does the OP metadata contain correct revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'private_key_jwt'", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" @@ -4156,20 +4582,11 @@ "operations": [ { "message type": "Entity Configuration response OP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
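Review bot: The JOSE-shape regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` fails a compliant entity statement whose payload segment contains `-`, because `\w` covers only letters, digits and `_` while base64url uses `-` and `_` (and no `=` padding); the header segment can still match as a substring only because the pattern is unanchored. A compact-JWS check consistent with the other tests in this file would be `"check regex": "^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$"`. The description also promises a Content-Type of application/entity-statement+jwt, which this check does not inspect; it would be clearer to say that the media type is verified by the separate EC Content-Type test.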
@@ -4179,32 +4596,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct scopes_supported claim", - "description": "In this test the OP metadata are taken and the value of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is [openid, offline_access, profile, email]", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported[0]", - "is in": [ - "openid", - "offline_access", - "profile", - "email" - ] - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
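Review bot: The pattern `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens a character class with its first `[` and closes it at the `]` of `[^\"]`, so what actually runs is `[\s*"[^]*"(?:,\s*"[^"]*")*\s*\]$`, not the JSON-array-of-strings pattern that the escaped closing `\\]` suggests; the leading bracket presumably needs to be `\\[`. Beyond the escaping, the description expects an HTTP 200 OK carrying the resolved metadata for the `sub` entity, but neither the status code nor any entity-statement structure is checked, only a trailing array of strings. Please confirm the expected body format of the Resolve Entity Statement response before fixing the regex, since a JWT-shaped body would need a pattern like the one used for the EC response rather than an array pattern.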
@@ -4214,29 +4619,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is 'pairwise'", + "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", + "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported[0]", - "is in": [ - "pairwise" - ] - } - ] + "in": "head", + "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", + "is present": "true" } ] } 
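Review bot: The description requires `code` to be a UUID, but `(?<=code=)[a-zA-Z0-9]+(?=&)` excludes `-`, so a canonical hyphenated UUID stops matching at the first hyphen and the `(?=&)` lookahead then fails, making a compliant OP fail this test; it also fails whenever `code` is the last query parameter. A pattern that checks the stated format is `"check regex": "(?<=code=)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}(?=&|\\s|$)"`. If the intent is only "a non-empty opaque code", the name and description should drop the UUID requirement instead.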
@@ -4246,29 +4642,20 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the successful token response contain a valid access token", + "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported[0]", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
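Review bot: The test is named "a valid access token" but `(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"` only establishes a three-segment compact JWS shape, not validity; the description should say "must be a compact JWT" to match what is asserted. `\\s?` also allows at most one whitespace character after the colon, so a pretty-printed response with a newline and indentation before the value would not match; `\\s*` is the safer form. The same two points apply to the ID token variant at -4278.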
@@ -4278,30 +4665,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked to be ['RS256', 'RS512'].", + "name": "Does the successful token response contain a valid ID token", + "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", + "is present": "true" } ] } 
@@ -4311,30 +4688,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", + "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported[0]", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", + "is present": "true" } ] } 
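Review bot: `[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$` establishes only that the body ends with a five-segment compact JWE, which shows encryption but says nothing about the inner payload being a signed JWT, while the name and description claim "signed and encrypted". Either narrow the description to "the UserInfo response body is a compact JWE", or add a second step that inspects the decrypted content if the tool supports it. Anchoring with `$` alone also lets arbitrary text precede the JWE; adding `^` makes the check cover the whole body.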
@@ -4344,30 +4711,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Content-Type in a token response set correctly?", + "description": "This test verifies the head Content-Type set to application/json in the token response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported[0]", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "head", + "check": "Content-Type", + "is": "application/json" } ] } 
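Review bot: `"is": "application/json"` presumably compares the whole header value, in which case a response with `Content-Type: application/json; charset=utf-8` fails this test even though the media type is correct. If `is` is an exact comparison, `"check regex": "application/json"` on the head is the safer form; if it is a substring match, a note in the description saying so would stop the next reader from "fixing" it. Minor wording: "Does the Content-Type in a token response set correctly?" should read "Is the Content-Type in a token response set correctly?".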
@@ -4377,30 +4734,20 @@ }, { "test": { - "name": "Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']", + "name": "Does the token_type of a token response set correctly?", + "description": "This test verifies whether the token_type of a token response is Bearer.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token response", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported[0]", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "check": "token_type", + "is": "Bearer" } ] } 
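Review bot: `"is": "Bearer"` fails a response carrying `"token_type": "bearer"`, which RFC 6749 treats as equivalent because the token_type value is case-insensitive; if `is` compares exactly, that is a false failure for an otherwise compliant OP. If the profile being tested really mandates the exact spelling "Bearer", say so in the description; otherwise a case-insensitive `"check regex"` on the body is the safer form. Wording: "Does the token_type of a token response set correctly?" should read "Is the token_type of a token response set correctly?".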
@@ -4410,50 +4757,16 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain correct value of 'acr' parameter valid in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked. Its value is one of ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']. It must be equal or superior to the acr send from the RP in the Authentication Request.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ - { - "from": "body", - "decode regex": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response OP", - "checks": [ + "message type": "Entity Configuration response OP", + "checks": [ { "in": "head", "url decode": false, 
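Review bot: The "correct value of 'acr' parameter" test, which compared `$.acr` against the SpidL1/SpidL2/SpidL3 values, is deleted here and within this hunk is only replaced by moving the EC Content-Type test up; the surviving acr test at -3852 asserts presence only. Unless the value check was relocated elsewhere in the commit, the level-of-assurance check on the ID Token is lost, and that is the security-relevant half of the original test. If the deletion is intentional, the presence test's description should state that the acr value is not validated here.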
@@ -4492,25 +4805,30 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked", + "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"access_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.jwks", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
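Review bot: `"is not in": ["none", "HS256", "HS384", "HS512"]` is a deny-list, but the description says the token is also non-compliant when `alg` is absent, and a missing `$.alg` presumably satisfies "not in" rather than failing it; an exact comparison would also let case variants such as `None` through. The signing algorithms this profile expects are already spelled out elsewhere in this file (RS256, RS512), so an allow-list `"is in": ["RS256", "RS512"]` rejects the absent, symmetric and unknown cases with one check. The same applies to the ID Token variant at -4522.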
@@ -4522,25 +4840,30 @@ }, { "test": { - "name": "Does the OP metadata contain the acr_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'acr_values_supported' in the 'openid_provider' subclaim (metadata type) parameter is checked.", + "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", + "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token response", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=\"id_token\": \")[^\"]+", "type": "jwt", "checks": [ { - "in": "payload", - "check": "$.metadata.openid_provider.acr_values_supported", - "is present": "true" + "in": "header", + "check": "$.alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -4550,29 +4873,217 @@ "result": "correct flow s1" } }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { - "name": "Does the OP metadata contain the authorization_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'authorization_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. 
It must be present", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_endpoint", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -4582,27 +5093,20 @@ }, { "test": { - "name": "Does the OP metadata contain the authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
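Review bot: The five duplicate-type checks run `not matches regex` patterns such as `openid_relying_party.*(\\n.*)+\"openid_relying_party\"` against `$.metadata`, which only works if the check sees the decoded payload re-serialized with one key per line; if it sees parsed JSON, the parser has presumably already collapsed duplicate keys (most keep the last one) so the duplication is invisible, and a compact payload without newlines never matches either. The description also promises that every type is one of the five allowed values, but no check rejects an unknown key. All five suites carry the identical name "Does the metadata parameter contain only allowed types and only once for each", so a failure cannot be attributed to a type in the report; suggest naming each one, e.g. `"name": "Does the metadata parameter contain the openid_relying_party type at most once"`. Please confirm how the tool feeds `$.metadata` to regex checks before relying on these.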
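Review bot: The new test "Does the Entity expose the /.well-known/openid-federation endpoint" runs exactly the same check as the preceding "correct HTTP code in the EC response" test (`HTTP/?\\d?\\.?\\d?\\s200` on the head of "Entity Configuration response RP"), so the two can never disagree and one is redundant. Its description says the entity configuration is expected as the response, which would be expressed by a body check for a three-segment compact JWS, e.g. `"in": "body"`, `"check regex": "^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$"`, leaving the status-code assertion to the other test.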
@@ -4612,27 +5116,20 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "code_challenge" } ] } 
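Review bot: `"is present": true` is a JSON boolean here, while every other check in this file writes `"is present": "true"` as a string (for example the Token response checks at -4246 and -4278); unless the tool accepts both forms, one spelling is silently ignored or mis-parsed. Pick the form the tool documents and use it consistently; the same mixed form appears in the Authentication request checks at -4642 and -4672. Placing `"is present"` before `"check"` is also reversed relative to the rest of the file, which is harmless for JSON but makes diffs harder to read.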
@@ -4642,27 +5139,20 @@ }, { "test": { - "name": "Does the OP metadata contain the claims_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.claims_supported", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "code_challenge_method" } ] } 
@@ -4672,27 +5162,20 @@ }, { "test": { - "name": "Does the OP metadata contain the client_registration_types_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the client_registration_types_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.client_registration_types_supported", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "client_id" } ] } 
@@ -4702,27 +5185,20 @@ }, { "test": { - "name": "Does the OP metadata contain the code_challenge_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'code_challenge_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.code_challenge_methods_supported", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } 
@@ -4732,27 +5208,20 @@ }, { "test": { - "name": "Does the OP metadata contain the contacts claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
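Review bot: `"check regex": "client_assertion"` in the `@@ -4732` hunk is an unanchored substring match, so a body that carries only `client_assertion_type=...` already satisfies the client_assertion presence test; the same problem affects the `client_assertion` checks at `@@ -4792`, `@@ -4912` and `@@ -5032`, the `code` check at `@@ -5122` (matched by `code_verifier`) and the `token` checks at `@@ -4882`, `@@ -5002` and `@@ -5212` (matched by `token_type_hint`). Anchoring on the parameter boundary makes each test check the parameter it names: `"check regex": "(^|&)client_assertion=[^&]+"`, and likewise `(^|&)code=[^&]+` and `(^|&)token=[^&]+`.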
@@ -4762,27 +5231,20 @@ }, { "test": { - "name": "Does the OP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
@@ -4792,27 +5254,20 @@ }, { "test": { - "name": "Does the OP metadata contain the grant_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'grant_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.grant_types_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
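Review bot: The test added in the `@@ -4792` hunk is named `... contain the client_assertion as a valid JWT`, but its only check is the same `"check regex": "client_assertion"` used by the presence test at `@@ -4732`, so the value is never inspected. A shape check such as `"check regex": "(^|&)client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+(&|$)"` at least confirms a three-part compact JWS; verifying that it is actually signed would need a `decode operations` entry with `"type": "jwt"` on the body parameter, which the visible hunks do not show for request bodies, so the description should not claim more than the check does.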
@@ -4822,27 +5277,20 @@ }, { "test": { - "name": "Does the OP metadata contain the homepage_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } @@ -4852,27 +5300,20 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "is present": "true" - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
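Review bot: In the `@@ -4852` hunk the HTTP-POST test looks for the literal `POST` with `"in": "url"`, but the request method is not part of the URL, so unless the tool's `url` location includes the request line this check cannot match a legitimate request, and a URL that merely contains the string `POST` would pass it. If the request line is exposed through `head`, `"in": "head"` together with `"check regex": "^POST\\s"` expresses the intent; otherwise the test needs a method-aware check that the visible schema does not show, and that should be confirmed against the runner.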
@@ -4882,27 +5323,20 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_enc_values_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
@@ -4912,27 +5346,20 @@ }, { "test": { - "name": "Does the OP metadata contain the id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
@@ -4942,27 +5369,20 @@ }, { "test": { - "name": "Does the OP metadata contain the introspection_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'introspection_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.introspection_endpoint", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -4972,27 +5392,20 @@ }, { "test": { - "name": "Does the OP metadata contain the issuer parameter", - "description": "In this test the OP metadata are taken and the presence of the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.issuer", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -5002,27 +5415,20 @@ }, { "test": { - "name": "Does the OP metadata contain the logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } @@ -5032,27 +5438,20 @@ }, { "test": { - "name": "Does the OP metadata contain the organization_name claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
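Review bot: The descriptions in the token-request hunks starting at `@@ -5032` say the parameter must be present `in the URL`, while every check uses `"in": "body"`; the same mismatch is in `@@ -5062`, `@@ -5092`, `@@ -5122`, `@@ -5152` and `@@ -5182`, and in the test name at `@@ -5572` (`client_id in the token request ... URL`). Since these checks read the request body, the text should say so, e.g. `"description": "The token request sent by the RP must contain the client_assertion parameter in the request body"`, so a failing test points a reader at the right place.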
@@ -5062,27 +5461,20 @@ }, { "test": { - "name": "Does the OP metadata contain the policy_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -5092,27 +5484,20 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -5122,27 +5507,20 @@ }, { "test": { - "name": "Does the OP metadata contain the request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "code" } ] } 
@@ -5152,27 +5530,20 @@ }, { "test": { - "name": "Does the OP metadata contain the request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] } @@ -5182,27 +5553,20 @@ }, { "test": { - "name": "Does the OP metadata contain the request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } 
@@ -5212,27 +5576,20 @@ }, { "test": { - "name": "Does the OP metadata contain the response_modes_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'response_modes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.response_modes_supported", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
@@ -5242,27 +5599,20 @@ }, { "test": { - "name": "Does the OP metadata contain the response_types_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'response_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.response_types_supported", - "is present": "true" - } - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } 
@@ -5272,25 +5622,25 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint", - "is present": "true" + "check": "$.sub", + "is": "X_key_RP" } ] } 
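Review bot: `"decode param": "[^\\r\\n]*"` in the `@@ -5272` hunk (and `"decode param": "[^\\n\\r]*"` at `@@ -5302`) keeps a regex as the value while renaming the key from `decode regex`; the other hunks that switch to `decode param` (`@@ -5332` onward) give it a parameter name, `request`, so this looks like an unintended rename that would presumably make the decoder look for a parameter literally named `[^\r\n]*`. Restoring `"decode regex": "[^\\r\\n]*"` keeps the regex where the runner expects one. Separately, the description says `sub` must equal `iss`, but the check compares against a fixed `"is": "X_key_RP"`; if that is a placeholder substituted at run time, stating so in the description (`... compared with the configured RP entity identifier`) would make the fixed value understandable.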
@@ -5302,25 +5652,25 @@ }, { "test": { - "name": "Does the OP metadata contain the revocation_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'revocation_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.revocation_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" } ] } 
@@ -5332,25 +5682,33 @@ }, { "test": { - "name": "Does the OP metadata contain the scopes_supported claim", - "description": "In this test the OP metadata are taken and the presence of the 'scopes_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.scopes_supported", - "is present": "true" + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } 
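Review bot: The `"is in"` lists in the `@@ -5332` hunk (acr_values) and `@@ -5392` (scope) accept only one ordering of the space-separated values, so a request carrying `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` or `openid email profile` is reported as non-compliant, and the scope list also omits combinations the description allows, such as `openid profile email` and `openid offline_access profile email`. A pattern over the whole string is order-independent and complete, e.g. `^https://www\\.spid\\.gov\\.it/SpidL[123]( https://www\\.spid\\.gov\\.it/SpidL[123]){0,2}$` for acr_values and `^openid( (offline_access|profile|email)){0,3}$` for scope, provided the runner supports a regex check on decoded payload fields; the visible hunks use `check regex` only on raw `head`/`body`/`url` locations, so that should be confirmed before switching.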
@@ -5362,25 +5720,28 @@ }, { "test": { - "name": "Does the OP metadata contain the subject_types_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'subject_types_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.subject_types_supported", - "is present": "true" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } 
@@ -5392,25 +5753,32 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint", - "is present": "true" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] } ] } 
@@ -5422,15 +5790,15 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_methods_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'token_endpoint_auth_methods_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -5439,8 +5807,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_methods_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -5452,15 +5825,15 @@ }, { "test": { - "name": "Does the OP metadata contain the token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'op' entity type is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", 
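Review bot: The test names in the `@@ -5422`, `@@ -5452` and `@@ -5482` hunks read `Does the RP metadata contain incorrect '...' parameter`, but the `"is not in"` checks pass when the value is acceptable and the sibling test at `@@ -5499` records `"result": "correct flow s1"` for that case, so the name is inverted relative to what a pass means; `"name": "Does the RP metadata avoid insecure 'id_token_signed_response_alg' values"` would match the check. It is also worth noting in the description what happens when the parameter is absent: an `is not in` check presumably passes on a missing value, which is acceptable for `id_token_signed_response_alg` (the OIDC default is RS256) but should be a deliberate choice rather than a side effect.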
@@ -5469,8 +5842,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" + ] } ] } @@ -5482,15 +5857,15 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -5499,12 +5874,17 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "is present": "true" - } - ] - } - ] + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] + } + ] + } + ] } ], "result": "correct flow s1" 
@@ -5512,27 +5892,20 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_encryption_enc_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_encryption_enc_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_enc_values_supported", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
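Review bot: The `@@ -5512` hunk applies `"json schema compliant"` with `"check": "$"` to `"in": "body"`, but the introspection request body that the other tests in this session inspect with `check regex` is presumably form-encoded rather than JSON; unless the runner converts `application/x-www-form-urlencoded` bodies to an object before schema validation, this check (and the identical ones at `@@ -5542` and `@@ -5572`) will fail on every compliant request. If no such conversion exists, `"check regex": "(^|&)client_id=https(%3A%2F%2F|://)[^&]+"` expresses the same HTTPS-URL requirement on the raw body. Inside the schema, `"format": "uri"` is only an annotation unless the validator enables format assertion, so the `pattern` is what actually enforces the scheme.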
@@ -5542,27 +5915,20 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_endpoint parameter", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_endpoint' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must be present", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_endpoint", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
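Review bot: The Revocation request test applies `"json schema compliant"` to `$` of the request `body`, yet a revocation request (RFC 7009) is form-encoded, and the token request in this same patch is parsed with lookbehind regexes on `&`-separated fields rather than as JSON; as written the check presumably never sees a `client_id` property. Use the form-oriented operators already used in this file, e.g. `"check regex": "(?<=client_id=)https(%3A%2F%2F|://)[^&]+"` with `"is present": "true"`, or document that mig-t normalises form bodies to JSON before schema checks. Both the introspection and revocation variants should then be made identical so a reviewer can diff them.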
@@ -5572,27 +5938,20 @@ }, { "test": { - "name": "Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
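Review bot: The embedded schema in the Token request `client_id` check ends with a stray `)` after the closing brace (`\"required\":[\"client_id\"]})`), so the schema string is not valid JSON and the validator will reject or throw before evaluating anything; remove the `)` so the value reads `...\"required\":[\"client_id\"]}`. Separately, the description says the parameter is "in the URL of the token request" while the check is on `"in": "body"`, and the body of a token request is form-encoded (the `grant_type` test below reads it with `(?<=grant_type=)([^&]+)`), so a JSON-schema check on `$` is unlikely to work here either. Align the description with the body location and use a form-aware check, e.g. `"check regex": "(?<=client_id=)https(%3A%2F%2F|://)[^&]+"`.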
@@ -5602,25 +5961,27 @@ }, { "test": { - "name": "Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.signed_jwks_uri", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] } ] } 
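Review bot: This `id_token_encrypted_response_alg` test denies `RSA_1_5` with `"not contains": ["RSA_1_5"]`, whereas the new `userinfo_encrypted_response_alg` test earlier in this patch checks the same kind of single string claim with `"is not in": ["RSA_1_5"]`; if the two operators differ for a scalar (substring vs. set membership), one of the two tests is not enforcing what its description says. Use one operator for both, e.g. `"is not in": ["RSA_1_5"]`, and add to the description what is reported when the claim is absent, since an absent optional claim should not count as a pass. The `decode regex` → `decode param` rename in this hunk should be checked against the other RP tests so the key name is uniform across the file.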
@@ -5632,20 +5993,23 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "checks": [ { "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
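Review bot: The description of the `grant_type` test says the parameter is "in the URL of the token request", but the check reads `"in": "body"` with `(?<=grant_type=)([^&]+)`, which is the form-encoded POST body; the text should say `The grant_type parameter in the form-encoded body of the token request`. It is also worth stating what `"is in"` yields when the regex finds no match, because a token request with no `grant_type` at all must be reported as a failure rather than as an inconclusive pass; if mig-t treats "no match" as pass, add a preceding `"is present": "true"` check on the same regex.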
@@ -5655,20 +6019,21 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "jwt check sig": "X_key_RP" } ] } 
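Review bot: The description says the verification key is the `jwks` "taken from the Entity Statement of a superior", but the check pins a fixed key reference, `"jwt check sig": "X_key_RP"`; a valid signature under a pre-configured key proves the Entity Configuration was signed by that key, not that the key is the one the federation actually publishes for the RP, and it will produce false failures on every legitimate key rotation. Either document in the description where `X_key_RP` is resolved from at run time (presumably a tester-supplied variable) or state explicitly that the trust-chain consistency of the key is covered by a separate test. A one-line addition such as `The key referenced as X_key_RP is the RP public key configured in mig-t and must match the key published in the superior's Entity Statement` would make the pinning visible to whoever runs the suite.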
@@ -5678,20 +6043,21 @@ }, { "test": { - "name": "Does the OP contain the correct type of code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter and it must be a UUID.", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "head", - "check regex": "(?<=code=)[a-zA-Z0-9]+(?=&)", - "is present": "true" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "jwt check sig": "X_key_core_RP" } ] } 
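Review bot: The `client_assertion` test verifies the signature against `X_key_core_RP` but nothing in this patch constrains the assertion's JOSE header `alg`, while the response-alg tests above explicitly deny `none`/`HS*`; if the verifier honours the header's `alg`, an assertion with a weak or symmetric algorithm could still validate. This file already combines a decode step with inline `checks` (the JWE tests use `jwe decrypt` plus `checks`), so add alongside `"jwt check sig"` the check `{"in": "header", "check": "$.alg", "is not in": ["none", "HS256", "HS384", "HS512"]}`. The description should also say that `X_key_core_RP` and the `X_key_RP` used for the Entity Configuration are expected to be the same RP key set, or explain why they differ.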
@@ -5701,20 +6067,27 @@ }, { "test": { - "name": "Does the successful token response contain a valid access token", - "description": "In this test a correct Token request is sent and the response is analyzed. It must contain the access token parameter and its value must be a JWT", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"access_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" + } + ] } ] } 
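Review bot: The `decode param` regex in this hunk is written as `[^\\n\\r]*` while the other Entity Configuration tests in this patch use `[^\\r\\n]*`; the two are equivalent, but the inconsistent spelling makes it harder to grep for all JWT-body decodes and suggests copy-paste drift, so normalise to `"decode param": "[^\\r\\n]*"`. The schema itself is sound for the stated purpose, though note that each type is only constrained to `{"type":"object"}`, so an empty `"openid_relying_party": {}` passes here and the content checks rely entirely on the later per-claim tests; a sentence in the description saying so would save a reader from assuming this test validates metadata content.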
@@ -5724,20 +6097,27 @@ }, { "test": { - "name": "Does the successful token response contain a valid ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of a valid ID token", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=\"id_token\":\\s?)\"([\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+)\"", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
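Review bot: The test name claims a "correct exp parameter", but the schema only verifies that `exp` is present and a non-negative integer; it does not check that `exp` is later than `iat` or that the configuration has not already expired, which is what "correct" implies for a security-relevant lifetime. Either rename to `Does the entity configuration contain an integer exp parameter` or, if mig-t has a cross-field or time comparison operator, add a check that `exp` exceeds `iat` and the current time. The `"minimum": 0` bound is fine but a zero `exp` still passes, so the description should not imply validity.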
@@ -5747,20 +6127,27 @@ }, { "test": { - "name": "Does the UserInfo Endpoint create a signed and encrypted JWT", - "description": "The UserInfo response is taken and the presence of a signed and encrypted JWE in the body of the response is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
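Review bot: As with the `exp` test, "correct iat parameter" overstates what the schema enforces: presence and `"type": "integer", "minimum": 0`. A future-dated `iat` or an `iat` greater than `exp` still passes, so the name should read `Does the entity configuration contain an integer iat parameter`, and the description should add `Its consistency with exp and with the current time is not verified by this test`. If the tool supports comparing two payload fields, an `iat <= exp` check here would turn the pair of tests into a real lifetime validation.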
@@ -5770,32 +6157,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'alg' parameter containing a value among ['RSA-OAEP', 'RSA-OAEP-256', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW'] in the JOSE header, then it is compliant with the specification", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3Pb
Ggjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256", - "ECDH-ES", - "ECDH-ES+A128KW", - "ECDH-ES+A256KW" - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
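Review bot: The decode operation removed here (and in the other UserInfo hunks of this patch) embedded a complete PEM RSA private key as the `jwe decrypt` value inside committed test JSON; dropping it from this file does not remove it from git history, and the diffstat suggests sibling files such as All_OP.json and PASSIVE.json may still carry the same key. Treat that key as compromised test material that must never be used by a real RP, and where the JWE tests survive, reference the key the way the new tests reference signing keys, e.g. `"jwe decrypt": "X_priv_key_RP"`, assuming mig-t resolves named keys for that operation as it does for `jwt check sig`. The replacement `metadata` object check itself is fine but minimal, since `{"metadata": {}}` satisfies `{"type": "object"}`.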
@@ -5807,29 +6187,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'enc' parameter containing a value among ['A128CBC-HS256', 'A256CBC-HS512'] in the JOSE header, then it is compliant with the specification", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE 
KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] + "in": "payload", + "check": "$", + "json schema compliant": 
"{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" } ] } 
@@ -5841,26 +6217,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the alg parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'alg' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Authentication request", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8
lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", - "is present": "true" + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" } ] } 
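Review bot: The `nonce` check has the same description/pattern mismatch as the `state` check: the text promises "alphanumeric" and the name says "longer than 32", while `^[\u0020-\u007E]{32,}$` accepts any printable ASCII of length 32 or more. Pick the intended character class, e.g. `"pattern": "^[A-Za-z0-9_-]{32,}$"`, and reword the name to "at least 32 characters". Because `nonce` is the replay binding for the ID token, it would also be worth adding to the description that uniqueness across requests is not verified here and must be checked by an active test if one exists.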
@@ -5872,26 +6247,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'cty' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ74
0h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.cty", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
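Review bot: The `client_id` check only pins the `^https://` prefix; in the federation automatic-registration model the RP's `client_id` is its Entity Identifier, so a stronger and cheap check is equality with the Entity Configuration's own `$.sub` (and `$.iss`), if mig-t can compare two payload fields, since an `https://` value that names a different entity would still pass here. Note also that `"format": "uri"` is annotation-only in most JSON Schema validators, so the `pattern` is the only enforced constraint; keep the pattern and do not rely on `format`. A sentence in the description such as `client_id must be the RP Entity ID, i.e. equal to the sub of this Entity Configuration` would record the intended rule even if the comparison is not implemented yet.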
@@ -5903,26 +6277,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the enc parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'enc' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUa
jujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.enc", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" } ] } 
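Review bot: The `grant_types` type check uses the non-existent schema keyword `"requirement"` and names the property `grant_type` (singular), so JSON Schema ignores it and the test passes on an RP metadata block that has no `grant_types` at all; it should read `"required":["grant_types"]`. The `properties` entry is otherwise correct, but because unknown keywords are silently dropped by validators, this kind of typo is invisible at run time and a quick `"required"` grep across the embedded schemas in this file would be worthwhile.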
@@ -5934,26 +6307,25 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain the kid parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response's body is taken and analyzed. If it contains the 'kid' parameter in the JOSE header, then it is compliant with the specification", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "decode operations": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+
F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", - "is present": "true" + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" } ] } 
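Review bot: The `grant_types` value check restricts items to `authorization_code`/`refresh_token` but sets no `minItems`, so `"grant_types": []` satisfies the schema even though the name says the parameter must carry one of those values; add `"minItems": 1` (and optionally `"uniqueItems": true`) inside the `grant_types` schema. The `decode param` here is `[^\\r\\n]*` while the preceding RP tests in this patch use `[^\\n\\r]*`; harmonise the spelling so the decode steps are identical across the Entity Configuration tests.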
@@ -5965,27 +6337,25 @@ }, { "test": { - "name": "Does the OP metadata contain an incorrect id_token_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the value ['RSA_1_5']", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
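Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` accepts plain `http://`, while every other URL check added in this patch (`client_id`, `redirect_uris`) pins `^https://`; a logo fetched over cleartext can be swapped in transit, so unless the profile explicitly permits HTTP for logos, use `"pattern": "^https://.*\\.svg$"`. As with the other schemas, `"format": "uri"` is annotation-only in most validators and the pattern is what actually runs. The suffix check also rejects a legitimate `.svg?v=1`, which may be intended but should be stated in the description.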
@@ -5997,15 +6367,15 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect id_token_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'id_token_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -6014,13 +6384,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.id_token_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } 
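Review bot: The `redirect_uris` schema enforces `^https://.*$` per item but allows an empty array and does not exclude URI fragments, which RFC 6749 §3.1.2 forbids in redirection endpoints and which matter for code leakage; change the array schema to include `"minItems": 1` and tighten the item pattern to `"pattern": "^https://[^#]*$"`. The name says "HTTPS 'redirect_uris'" while the description only says "the type ... is checked", so the description should mention the HTTPS requirement too. The second hunk of this test (the `checks` block) is the one this note applies to; the decode operation between the two hunks is not visible.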
@@ -6032,30 +6397,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_authentication_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the request_authentication_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_signing_alg_values_supported[0]", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } 
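Review bot: The `response_types` check constrains only `"type": "array"`, so `[]` and arbitrary strings such as `"token"` pass; since the `grant_types` test in this patch limits the RP to `authorization_code`/`refresh_token`, the consistent expectation is the code flow, i.e. `"items": {"type": "string", "enum": ["code"]}, "minItems": 1` — confirm against the profile before adding the `enum`. The name `contain the 'response_types' parameter as a json` is truncated; make it `as a JSON array` to match the description.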
@@ -6067,15 +6427,15 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect request_object_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'request_object_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", @@ -6084,13 +6444,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_object_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } 
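Review bot: The `trust_marks` check in the second hunk (+6444) asserts only that the value is an array, so `["x"]` or `[{}]` satisfies it even though neither is a trust mark. Per OpenID Federation 1.0 each element is an object carrying an `id` and a `trust_mark` (the signed JWT), which the schema can pin without further tooling: `{"type": "object", "properties": {"trust_marks": {"type": "array", "items": {"type": "object", "required": ["id", "trust_mark"]}}}, "required": ["trust_marks"]}`. Whether the profile this suite targets mandates at least one trust mark is not visible here; if it does, `"minItems": 1` belongs there as well. The test object continues past the hunk.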
@@ -6102,30 +6457,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'openid_provider' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.token_endpoint_auth_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } 
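Review bot: In the `aud` schema at +6472, `"format": "uri-reference"` is attached to an `array` type, where JSON Schema formats have no effect, so the test proves only that `aud` is an array and never that its entries are URLs as the description states. The constraint belongs on the items: `"aud": {"type": "array", "minItems": 1, "items": {"type": "string", "format": "uri"}}`; RFC 7519 also permits `aud` as a single string, so an `anyOf` over the string and array forms is needed if that shape should be tolerated rather than rejected. A type check alone also cannot tell an assertion minted for this OP from one replayed from another audience; the file already uses `X_`-style placeholders for expected OP values on the removed side, so comparing `aud` against the OP token endpoint the same way would be the stronger test, assuming the runner substitutes them. The test object continues past the hunk.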
@@ -6137,27 +6487,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_encryption_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_encryption_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['RSA_1_5']", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_encryption_alg_values_supported", - "not contains": [ - "RSA_1_5" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
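Review bot: The description at +6490 reads "must be a timestap"; the same misspelling is in the next hunk at +6520. Both should say "timestamp", and since these descriptions are the only documentation a reader of the report gets, it is worth also stating that the schema enforces a non-negative integer rather than validating freshness. The test object continues past the hunk.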
@@ -6169,30 +6517,25 @@ }, { "test": { - "name": "Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim", - "description": "In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.userinfo_signing_alg_values_supported", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -6204,25 +6547,27 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } 
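Review bot: The decode step at +6562 switches the key from `"decode param"` to `"decode regex"`, while the hunks at +6367 through +6517 in this same commit keep `"decode param"` (and +6397 merely reorders the character class to `[^\n\r]*`). Unless the runner accepts both spellings, one group of tests silently stops decoding the JWT and every check under it runs against nothing; the page does not show which key the tool reads, so this needs confirming and the file normalised to a single key. Separately, `client_registration_types[0]` with `"is in": ["automatic"]` inspects only the first element, so `["explicit", "automatic"]` fails while `["automatic", "explicit"]` passes; if the intent is "contains automatic", a schema with `"contains": {"const": "automatic"}` applied to the whole array expresses that. The test object continues past the hunk.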
@@ -6234,25 +6579,28 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
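Review bot: The check at +6597 reads `grant_types[0]` and accepts either value, so it is satisfied by `["authorization_code"]` alone (or by `["refresh_token"]` alone), whereas the description says both must be present. To require both, point the check at the whole array and use a schema, which the file already supports via `"json schema compliant"`: `"check": "$.metadata.openid_relying_party.grant_types"` with `{"type": "array", "allOf": [{"contains": {"const": "authorization_code"}}, {"contains": {"const": "refresh_token"}}]}` (escaped as a string; `contains` needs a draft-06 or later validator). The `response_types[0]` check at +6860 has the same first-element-only shape and should be treated the same way if the requirement is membership rather than position. The test object continues past the hunk.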
@@ -6264,25 +6612,28 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6294,25 +6645,28 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"authority_hints\": {\"type\": \"array\"}}, \"required\": [\"authority_hints\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -6324,25 +6678,28 @@ }, { "test": { - "name": "Does the OP metadata contain correct type issuer parameter", - "description": "In this test the OP metadata are taken and the 'issuer' parameter in the 'openid_provider' subclaim (metadata type) is checked to be an URL with no query or fragment component", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\"}},\"required\":[\"issuer\"]}" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -6354,25 +6711,27 @@ }, { "test": { - "name": "Does the OP metadata contain correct type logo_uri claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\": \"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } 
@@ -6384,25 +6743,28 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_authentication_methods_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_authentication_methods_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_authentication_methods_supported", - "json schema compliant": "{\"type\": \"object\",\"additionalProperties\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"const\": \"request_object\"}}}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -6414,26 +6776,29 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" - } + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } ] } ] 
@@ -6444,25 +6809,28 @@ }, { "test": { - "name": "Does the OP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -6474,25 +6842,27 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'aud' parameter", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'aud' parameter in the Payload is the identifier of the resource server", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"aud\":{\"type\":\"array\"}},\"required\":[\"aud\"]}" + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] } ] } 
@@ -6504,25 +6874,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload as an HTTPS url", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'client_id' parameter in the Payload must be an HTTPS URL.", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"client_id\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"client_id\"]}" + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" } ] } 
@@ -6534,25 +6904,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a timestamp as the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked. In particular, this parameter must be a valid timestamp", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" } ] } 
@@ -6564,25 +6934,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is a timestamp.", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } 
@@ -6594,25 +6964,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token's 'iss' parameter contain an URL", - "description": "The Access Token present in the Token Response is analyzed and the 'iss' parameter in the Payload is checked, in particular, its value must be an HTTPS URL", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -6624,25 +6994,25 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload in uuid4 format", - "description": "The Access Token present in the Token Response is analyzed and the value of the 'jti' parameter in the Payload must be based on uuid4 format.", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"jti\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$\"}}, \"required\": [\"jti\"]}" + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } 
@@ -6654,25 +7024,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the type of the 'exp' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" } ] } 
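Review bot: The test at +7027 duplicates the one in the preceding hunk (+6997): both decode the RP Entity Configuration and assert `$.metadata.openid_relying_party.grant_types` is present, differing only in the quoting of the name. The same pair appears for `jwks` at +7177 and +7207, where the second copy differs only by an extra sentence in the description. One of each pair should be dropped, or, if the second was meant to be a type check, its check changed accordingly (e.g. `grant_types` as a non-empty array of strings, `jwks` as an object with a `keys` array per RFC 7517). The test object continues past the hunk.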
@@ -6684,25 +7054,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked. In particular, its value must be a timestamp", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=id_token: \")([^\"]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" } ] } 
@@ -6714,25 +7084,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload as an HTTPS URL", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter has to be an HTTPS URL identifying the OP", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"const\": \"X_https_OP\"}}, \"required\":[\"iss\"]})" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is present": "true" } ] } 
@@ -6744,25 +7114,25 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the 'sub' parameter is checked to be a string", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"pattern\": \"^[0-9a-f]{64}$\"}}, \"required\": [\"sub\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is present": "true" } ] } 
@@ -6774,25 +7144,25 @@ }, { "test": { - "name": "Does entity configuration OP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_OP" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is present": "true" } ] } 
@@ -6804,25 +7174,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of authorization_response_iss_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the authorization_response_iss_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.authorization_response_iss_parameter_supported.value", - "is": "true" + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } 
@@ -6834,25 +7204,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of claims_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the claims_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.claims_parameter_supported.value", - "is": "true" + "check": "$.metadata.openid_relying_party.jwks", + "is present": "true" } ] } 
@@ -6864,25 +7234,25 @@ }, { "test": { - "name": "Does the OP metadata contain the correct value of request_parameter_supported claim", - "description": "In this test the OP metadata in the OP Entity Configuration are taken and the presence of the request_parameter_supported claim in the 'openid_provider' entity type is checked.", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_provider.request_parameter_supported.value", - "is": "true" + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" } ] } 
@@ -6894,24 +7264,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] @@ -6924,24 +7294,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -6954,24 +7324,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_relying_party.redirect_uris", "is present": "true" } ] @@ -6984,24 +7354,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", "is present": "true" } ] 
@@ -7014,24 +7384,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", "is present": "true" } ] @@ -7044,24 +7414,24 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", "is present": "true" } ] 
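Review bot: The check on `$.metadata.openid_relying_party.token_endpoint_auth_method` only asserts presence, so an RP advertising a weaker method such as `client_secret_basic` passes, even though the token-request tests added later in this patch extract a `client_assertion` from the body and therefore implicitly assume `private_key_jwt`. If the profile under test mandates that method, a companion value test — `"check": "$.metadata.openid_relying_party.token_endpoint_auth_method", "is": "private_key_jwt"` — is what would make the presence check meaningful, and the diffstat already shows `-value` variants for the OP side so the pattern exists. I cannot confirm from this hunk which profile is targeted, so the expected value needs to be checked against the specification.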
@@ -7074,24 +7444,24 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the authority_hints parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.authority_hints", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", "is present": "true" } ] @@ -7104,24 +7474,24 @@ }, { "test": { - "name": "Does the OP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is present": "true" } ] 
@@ -7134,24 +7504,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.alg", + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types", "is present": "true" } ] @@ -7164,24 +7534,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'kid' parameter in the Header", - "description": "The Access Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the Access Token is not compliant.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.exp", "is present": "true" } ] 
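Review bot: Within this line the `response_types` test uses `"decode regex": "[^\\r\\n]*"` while the `exp` test immediately after it uses `"decode param": "[^\\r\\n]*"` for the identical body extraction; the RP-metadata hunks earlier in this patch use `decode regex` and the entity-configuration and authentication-request hunks that follow use `decode param`. Unless mig-t treats the two keys as aliases, one of these families will fail to decode the JWT and the `is present` checks behind it will never run, which is a silent false pass or a spurious failure depending on how the runner reports a failed decode. Pick the key the runner actually supports and use it for every body-regex extraction; if both exist, `decode param` with a literal parameter name (as in `"decode param": "request"`) and `decode regex` with a pattern would be the natural split.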
@@ -7194,24 +7564,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'typ' parameter in the Header", - "description": "The Access Token present in the Token response is analyzed and the presence of the 'typ' parameter in the header is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.typ", + "in": "payload", + "check": "$.iat", "is present": "true" } ] @@ -7224,24 +7594,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'aud' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.iss", "is present": "true" } ] 
@@ -7254,24 +7624,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'client_id' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'client_id' parameter in the Payload is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.jwks", "is present": "true" } ] @@ -7284,24 +7654,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'exp' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata", "is present": "true" } ] 
@@ -7314,24 +7684,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iat' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.sub", "is present": "true" } ] @@ -7344,24 +7714,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'iss' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'iss' parameter in the Payload is checked", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.acr_values", "is present": "true" } ] 
@@ -7374,24 +7744,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'jti' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.aud", "is present": "true" } ] @@ -7404,24 +7774,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'scope' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'scope' parameter in the Payload is checked", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.exp", "is present": "true" } ] 
@@ -7434,24 +7804,24 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain the 'sub' parameter in the Payload", - "description": "The Access Token present in the Token Response is analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.client_id", "is present": "true" } ] @@ -7464,24 +7834,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "header", - "check": "$.alg", + "check": "$.kid", "is present": "true" } ] 
@@ -7494,24 +7864,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'kid' parameter in the Header", - "description": "The ID Token is taken from the Token Response and the presence of the 'kid' parameter in the Header is checked. If it is not present, than the ID Token is not compliant.", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.iat", "is present": "true" } ] @@ -7524,24 +7894,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'acr' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'acr' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr", + "check": "$.iss", "is present": "true" } ] 
@@ -7554,24 +7924,24 @@ }, { "test": { - "name": "Does ID token payload contain the 'at_hash' parameter", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'at_hash' parameter in the Payload is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.at_hash", + "check": "$.nonce", "is present": "true" } ] @@ -7584,24 +7954,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'aud' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.prompt", "is present": "true" } ] 
@@ -7614,24 +7984,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'exp' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'exp' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.redirect_uri", "is present": "true" } ] @@ -7644,24 +8014,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iat' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iat' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.response_type", "is present": "true" } ] 
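Review bot: The redirect_uri description is cut off — `the presence of the 'redirect_uri' parameter` has no verb; suggest `... the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter is checked`. Security-wise this is presence-only: the value the RP sends must match one of the `redirect_uris` registered in its entity configuration (checked earlier in this patch), and a mismatch is the classic code-leak / open-redirect case. If mig-t can compare a decoded value across messages, a follow-up test asserting that `$.redirect_uri` is contained in `$.metadata.openid_relying_party.redirect_uris` would close that gap; I cannot tell from the hunk whether cross-message comparison is supported.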
@@ -7674,24 +8044,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'iss' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'iss' parameter is checked.", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.scope", "is present": "true" } ] @@ -7704,24 +8074,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'jti' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'jti' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.state", "is present": "true" } ] 
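Review bot: The scope test is named `Does the RP Authentication Request contain the 'scope' parameter` while its siblings say `...Authentication Request's JWT contain...`; since this check decodes the `request` JWT and reads `$.scope` from its payload rather than the query string, rename it to `Does the RP Authentication Request's JWT contain the 'scope' parameter` so the name says what is actually checked. The description already refers to the JWT, so only the name is out of step.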
@@ -7734,24 +8104,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'nonce' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'nonce' parameter in the Payload is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", + "check": "$.ui_locales", "is present": "true" } ] 
@@ -7764,24 +8134,24 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'sub' parameter in the Payload", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the presence of the 'sub' parameter in the Payload is checked.", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.trust_marks", "is present": "true" } ] @@ -7794,20 +8164,27 @@ }, { "test": { - "name": "Does the OP verify the HTTP method of the Revocation request", - "description": "The revocation request must be sent via HTTP POST", + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
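Review bot: The `aud` check on the `client_assertion` JWT only asserts the claim is present; for a private_key_jwt assertion the audience is what binds it to this OP's token endpoint and prevents replay against another OP, so presence alone does not establish that. If the runner can reference the token endpoint URL or the OP issuer from the session, a value test such as `"check": "$.aud", "is": "<token endpoint of the OP under test>"` is the check that matters; I cannot tell from this hunk whether mig-t exposes such a value. The extraction regex `(?<=client_assertion=)([^&]+)` does not false-match `client_assertion_type=` because the lookbehind requires `=` directly after `client_assertion`, but it presumes a form-encoded body with no whitespace, which should hold for a token request.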
@@ -7817,20 +8194,27 @@ }, { "test": { - "name": "Does the successful token response contain access token", - "description": "The Token response is analyzed and the presence of the access token is checked", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } @@ -7840,20 +8224,27 @@ }, { "test": { - "name": "Does the OP issue the access tokens when requested", - "description": "In this test an authentication request with scope 'openid' is made. Once received the code, the RP tries to exchange it in the token endpoint and the response must contain the access token.", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "access_token" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -7863,20 +8254,27 @@ }, { "test": { - "name": "Does the OP issue the expires_in in a token response", - "description": "In this test an RP makes a correct authentication request and, once received the code, the RP tries to exchange it in the token endpoint. The response is then analyzed and it must contain the expires_in parameter", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "expires_in" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -7886,20 +8284,27 @@ }, { "test": { - "name": "Does the successful token response contain the ID token", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the ID token", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "id_token" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } 
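Review bot: The name `Does the JWT payload contain 'iss' claim` breaks the pattern of the neighbouring assertion tests (`Does the signed JWT assertion contain the aud/exp/iat/jti/sub claim`) and does not say which JWT is meant; rename it to `Does the signed JWT assertion contain the iss claim`. The description already identifies the `client_assertion`, so only the name needs the change.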
@@ -7909,20 +8314,27 @@ }, { "test": { - "name": "Does the successful token response contain the token type", - "description": "The RP receiving the Token response and that sent a correct token request must check the presence of the token type", + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token_type" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
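Review bot: `sub` is only checked for presence, but in a client_assertion it must equal both `iss` and the `client_id` of the same request, and a wrong `sub` is precisely the error this passive test is positioned to catch. If the DSL supports it, add `"check": "$.sub", "is": "X_https_RP"` (or whichever placeholder this file settles on for the RP entity identifier) alongside the presence check, so the report distinguishes a missing claim from a mis-valued one.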
@@ -7932,20 +8344,20 @@ }, { "test": { - "name": "Does the HTTP status code of the UserInfo response is 200", - "description": "A correct UserInfo request is made to the UserInfo endpoint (it must contain the parameter Authorization: Bearer in the header) and the response analyzed. The HTTP code must be 200", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", + "message type": "Entity Configuration response RP", "checks": [ { - "in": "head", - "is present": true, - "check param": "HTTP/?\\d?\\.?\\d?\\s200" + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
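Review bot: The JWT shape regex `([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)` uses the wrong alphabet: `\w` does not include `-`, a legal base64url character, so a valid Entity Configuration whose header or payload segment contains `-` fails this check, while `=`, `+` and `/` are accepted although they never appear in a compliant JWS. A base64url-only pattern such as `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"` fixes both directions. The description also promises a `Content-Type: application/entity-statement+jwt` check that this hunk does not perform; either drop that sentence or point to the separate Content-Type test.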
@@ -7955,21 +8367,20 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response OP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_OP" + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
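Review bot: The regex `[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$` begins with an unescaped `[`, so the engine reads `[\s*"[^"]` as a character class rather than a literal opening bracket; the pattern is still syntactically valid but matches something quite different from the JSON string array it was evidently written for. Even corrected to `\[\s*"[^"]*"(?:,\s*"[^"]*")*\s*\]$`, it asserts neither the HTTP 200 status nor the presence of resolved metadata for `sub` that the description claims, and if the resolve response is returned in its signed-JWT form the body will not look like a bare array at all. Add a `head` check for the 200 status line and a body check for the response form the profile actually mandates, and make the description match what is asserted.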
@@ -7979,21 +8390,20 @@ }, { "test": { - "name": "Does the OP correctly sign the Access Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained Access Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the access token is passed to a signature verifier correctly configured", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "jwt check sig": "X_key_core_OP" + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
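Review bot: The `token=` regex accepts `=`, `+` and `/` in the JWT segments, none of which occur in base64url, and its first two groups `[\w=]+` reject `-`, which does occur; a compliant JWT whose payload encodes to a string containing `-` is therefore reported as non-compliant. This hunk also uses a different JWT pattern from the revocation-request check that follows it (`[\w]+` / `[\w\-]*`), so two tests in the same file disagree about what a JWT looks like. Use one base64url pattern everywhere, e.g. `"check regex": "token=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*(?:&|$)"`.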
@@ -8003,21 +8413,20 @@ }, { "test": { - "name": "Does the OP correctly sign the ID Token", - "description": "Tokens issued by an OP must have the structure of JWT Tokens. In particular, this structure is composed by three base64url encoded strings separated by dots, namely the header, payload and signature. The signature is made using the OP's private key, in such a way to be decrypted using its public key. In this test a normal flow is performed and the obtained ID Token is analyzed. In order to test if the OP correctly signed the signature part of the JWT, the third part of the string is taken and passed to a signature verifier correctly configured", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "jwt check sig": "X_key_core_OP" + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } 
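Review bot: `client_assertion=([\w]+)\.([\w]+)\.([\w\-]*)` requires the header and payload segments to match `[\w]+`, which excludes `-`; since `-` belongs to the base64url alphabet, a perfectly valid signed JWT is flagged whenever either segment happens to contain it. Change the first two classes to `[A-Za-z0-9_-]+` (and the signature class to match) so the check accepts exactly base64url and nothing else.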
@@ -8027,33 +8436,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct alg parameter in the JOSE Header", - "description": "In this test, the JWE is taken from the Userinfo Response's body, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Token is not compliant.", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGg
jqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDigYh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -8063,20 +8459,20 @@ }, { "test": { - "name": "Does the Content-Type in a token response set correctly?", - "description": "This test verifies the head Content-Type set to application/json in the token response.", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Token request", "checks": [ { - "in": "head", - "check": "Content-Type", - "is": "application/json" + "in": "body", + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
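Review bot: The removed `jwe decrypt` value is a complete PKCS#8 RSA private key embedded in the test definition; deleting it here does not remove it from the repository history, so unless it was only ever a disposable local fixture it should be treated as exposed and rotated, and future tests should load keys from a file or environment variable rather than an inline PEM. On the new side, the `client_assertion=` regex in the second hunk uses `[\w=]+` for the header and payload segments, which rejects the legal base64url character `-` and accepts `=` padding that a compliant JWT never carries; `[A-Za-z0-9_-]+` is the right class for all three segments.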
@@ -8086,20 +8482,20 @@ }, { "test": { - "name": "Does the token_type of a token response set correctly?", - "description": "This test verifies whether the token_type of a token response is Bearer.", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Token request", "checks": [ { - "in": "body", - "check": "token_type", - "is": "Bearer" + "in": "head", + "check regex": "POST", + "is present": "true" } ] } 
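Review bot: `"check regex": "POST"` against the whole `head` matches the string anywhere — in the path, a header value or a cookie — not just the request line, so a GET to `/token?x=POST` or a request carrying `X-Requested-With: POST` would pass. Anchor it to the request line, e.g. `"check regex": "^POST\\s"`, after confirming whether the engine anchors `^` to the start of the head or per line.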
@@ -8109,28 +8505,20 @@ }, { "test": { - "name": "Does the UserInfo Response's JWE contain a correct cty parameter in the JOSE Header", - "description": "The JWE Token contained in the UserInfo response is taken and analyzed. If it contains the 'cty' parameter set to 'JWT' in the JOSE header, then it is compliant with the specification", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo response", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "jwe decrypt": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC5d8kD7BOVMIDg\nV2ygTSpl+YoiB52Zquu1aBBsSUptaD1ENHtnwlUFpEsWrDJ/IbUkkWbrgbnVwEnA\nsgXBagXufGwf1VgubmhyMCexHhGGV9UTTL/rTCN/yyQmAFGmJdA+XAf2MMZqpUT8\n8QFM5sM7nDdei6sPUXfrT6/lwsMtEd0UkiK10RW2oBOpjkOCVENoqIGGKztrn/Vu\nTzf08MtpCGO7hcmTi28PLn4tWQzLmw/bNTr7W0l0D5WZoFktfL2fT3rsUYhaYzOl\np+sEw64cVxQ4fnqj5yUNqH8IhMfV2rYPrgrQxiESkAI7anwAfgrxDpi4nV2eRUMP\nBmnYLzixAgMBAAECggEBAJ/3jyuQ3TsagK3++bQxmlYmK1w6kVZPM8pdnXyookdH\nV0CSu7W8ybR6BkHh+BPrMN//gXOzimOw3GwVoB04ozEVo/S5ALvbgr6qhjGgK6Fh\n9GgXFJmQLDY3MlCMid/yUXDX1A4l951YOu6nuGVpzA6IKMGlWb92lyYgryhPGiSu\nAVf5xdzbeUes1GKY2UPE9Rg2Qld782t6oJQ613vM6HPqfHC7N6yZ+7TFUiVc5wiK\njn3jNVSINCN59m7m2DsfPLHJB7g53104kw5cquSMA8gR5oiHt36bvnOHtbYgZmzn\n9iKgwml/EnaZ1NoE4/WJWbUTapodzQf65LASli897iECgYEA5PA7lJEDd3vrw5hl\nolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF/U5v\nOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt/y/ff8\nk/K6jW2EbWm1K6kfTvTMzoHkqrUCgYEAz2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2\nGpo8JHnfnGOUsvO/euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziM\nDSy9Suumyktu3PbGgjqu/izRim8Xlg7sz8Hs2quJPII/fQ8BCoaWpg30osFZqCBa\nrQM7CWhxR40CgYA3CVWZap8lu0G7XMiaE/C6O9E1htiB3pDoGjYaMW7Hle+tNsw+\nNXf2uke/Se6BpOcNNDig
Yh0m4CPb+F4ev7aQIFh5o/ZDu4o2RR7idxyu7qWZ740h\nAEIB88ol5R6rUajujtGN7zK9NO9KhLJQstqMI1bhorbuDxM6vPj7cBiTvQKBgQDJ\nfuJ+BuOWntHlGf97rcNAXsdTrs73TqSG8Ddi0S5ayb2dqIjvoctChJ2PKeJWIMEc\nRHQMLHuzR2489F60WnfDkIIfeTi7CSu5WTCI7C/e+C88bF8uBEolFfJ4Z7soxlN6\n/1Val7L8oSeCH+PJED6qE4EN6IFtghHXav4fA+SbuQKBgQCNy7q3MoBOxDlKOpSN\nChoYUfW0JvwJbyyaVYOVq0efGVobosAblE/IuwaoIuVgh8c4T3qZtwFcSpvfR5Qy\nSOWFs2QXN/P4ZvmiVpXK/9Tcnth2BThpb9apQCT2a/CYtrRiGNAVWKiK0U9QlN/w\n9fVBO/ZgdaXE4xqYOSceH14yrQ==\n-----END PRIVATE KEY-----\n", - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.cty", - "is": "JWT" - } - ] + "in": "head", + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } @@ -8140,20 +8528,20 @@ }, { "test": { - "name": "Does the OP correctly contain the code parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'code' as query parameter", + "name": "Does the Introspection Request contain correct type of client_assertion_type", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Authentication response", + "message type": "Introspection request", "checks": [ { - "in": "head", - "check param": "Location", - "contains": "code" + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
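Review bot: The Bearer regex `Authorization:\s?Bearer\s?(...)` lets the whitespace be absent (`AuthorizationBearer…` matches) and permits at most one space, while again requiring the JWT header/payload to match `[\w=]+`, which rejects the base64url `-`; `Authorization:\s*Bearer\s+[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*` matches the actual header syntax. The removed lines in the first hunk embed a PKCS#8 private key under `jwe decrypt`; it remains in history after this commit, so rotate it unless it is a throwaway fixture. In the second hunk the description spells the URN `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` while the check correctly uses `client-assertion-type`.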
@@ -8163,20 +8551,43 @@ }, { "test": { - "name": "Does the OP contain iss parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'iss' as query parameter", + "name": "Does the Introspection Request contain correct client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter identifies the RP", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check": "client_id", + "is": "X_url_RP" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct client_assertion_type", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion_type parameter is urn:ietf:params:oauth:clientassertion-type:jwt-bearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "message type": "Revocation request", "checks": [ { - "in": "head", - "check param": "Location", - "contains": "iss" + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
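Review bot: The introspection test compares `client_id` against `X_url_RP`, whereas the token-request client_id test later in this file compares the same RP identity against `X_https_RP`; unless both placeholders resolve to the same value, one of these checks tests the wrong string and fails (or passes) for the wrong reason. Pick a single placeholder for the RP entity identifier and use it in every client_id check. Both descriptions also write `urn:ietf:params:oauth:clientassertion-type:jwt-bearer` while the checks use the correct `client-assertion-type`.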
@@ -8186,20 +8597,20 @@ }, { "test": { - "name": "Does the OP contain correct state parameter on redirect in a successful authentication", - "description": "In order to check if the OP correctly handles a successful authentication request, a correct request is sent by a client and the behavior of the OP is analyzed. In particular, the client must be redirected to its redirect_uri and the redirect must have 'state' as query parameter", + "name": "Does the client_assertion_type parameter in the token request contain the correct type", + "description": "The client_assertion_type parameter in the URL of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwtbearer", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication response", + "message type": "Token request", "checks": [ { - "in": "head", - "check param": "Location", - "contains": "state" + "in": "body", + "check": "client_assertion_type", + "is": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } ] } 
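Review bot: The description says `client_assertion_type` is read from "the URL" and must be `…:jwtbearer`, but the check reads it from `body` and compares with `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the check is right, the description is wrong on both counts. Align it, e.g. `"description": "The client_assertion_type parameter in the body of the token request sent by the RP must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer"`.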
@@ -8209,32 +8620,20 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the Access Token is not compliant.", + "name": "Does the client_id in the token request identifies the RP", + "description": "The client_id parameter in the URL of the token request is taken. This parameter must identify the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "body", + "check": "client_id", + "is": "X_https_RP" } ] } 
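Review bot: `client_id` is compared against `X_https_RP` here but against `X_url_RP` in the introspection-request test earlier in this file; both are meant to be the RP's entity identifier, so one placeholder should be used throughout or one of the two tests is checking the wrong value. The description also says the parameter is taken from the URL while the check looks in `body`. A stronger check would additionally require this `client_id` to equal the `iss`/`sub` of the `client_assertion` in the same request, as the private_key_jwt profile demands, if the DSL can correlate two values within one message.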
@@ -8244,32 +8643,21 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain a wrong 'alg' parameter in the Header", - "description": "In this test, the ID Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. If its value is set to none, contains values among ['none', 'HS256', 'HS384', 'HS512'], is absent or contains a symmetric algorithm, than the ID Token is not compliant.", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", - "decode operations": [ + "message type": "Entity Configuration response RP", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "in": "header", - "check": "$.alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
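Review bot: `"is": "application/entity-statement+jwt"` is an exact comparison, so a server answering `Content-Type: application/entity-statement+jwt; charset=utf-8` is reported as non-compliant although the media type is correct. The removed tests in this file use `"contains"` for header values; `"contains": "application/entity-statement+jwt"` here would tolerate media-type parameters while still rejecting a wrong type.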
@@ -8279,27 +8667,29 @@ }, { "test": { - "name": "Does the issued JWT Access Token contain a correct 'alg' parameter in the Header", - "description": "In this test, the Access Token is taken from the Token Response, the header is base64url decoded and the presence of the 'alg' parameter in the Header is checked. The value must be a supported asymmetric algorithm between ['RS256', 'RS512']", + "name": "Does the RP use an asymmetric algorithm to sign the JWT in the request parameter of the Authentication Request", + "description": "In this test the Authentication Request is taken and the alg parameter in the JWT Header is checked. If it corresponds to a symmetric algorithm or it is none, than the RP is not compliant with the specifications.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token response", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=\"access_token\": \")[^\"]+", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "header", "check": "$.alg", - "is in": [ - "RS256", - "RS512" + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
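Review bot: The `alg` check is a deny-list of exact strings, so it is bypassed by the case variants that make alg-confusion attacks work in practice (`None`, `NONE`, `nOnE`) and by any other unapproved algorithm the RP might pick. The access-token test removed in this same hunk used the safer allow-list form (`"is in": ["RS256", "RS512"]`); replace `"is not in": [...]` with `"is in"` and the asymmetric algorithms the profile permits for request objects, keeping the description's statement that symmetric or `none` algorithms are non-compliant.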
@@ -8310,6 +8700,201 @@ "result": "correct flow s1" } }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", @@ -8320,7 +8905,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "checks": [ { "in": "head", 
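Review bot: The five new suites all carry the identical name `Does the metadata parameter contain only allowed types and only once for each`, so their results are indistinguishable in a report, and none of them checks the "only allowed types" half of that name — nothing asserts that every key of `$.metadata` is one of the five listed types. The duplicate-key regexes (`openid_relying_party.*(\n.*)+"openid_relying_party"`) require at least one newline between the two occurrences, so on a compact JWT payload they can never match and the test passes unconditionally; moreover, if the engine evaluates `$.metadata` on an already-parsed JSON object, duplicate keys have been collapsed before the regex runs. If duplicate detection is the goal it must run on the raw decoded payload text with a line-break-independent pattern such as `"openid_relying_party"\s*:[\s\S]*"openid_relying_party"\s*:`; otherwise replace the five suites with one test using a JSON schema with `"additionalProperties": false` over the allowed keys. These suites are also wrapped in `{"test suite": …, "tests": [...]}` objects inside what otherwise appears to be a flat list of `{"test": …}` entries — confirm the loader accepts the mixed shape.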
@@ -8343,7 +8928,7 @@ ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Configuration response SA", "checks": [ { "in": "head", @@ -8358,28 +8943,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
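Review bot: The description says the `claims` value is checked "to be a list", but the schema in this hunk requires `claims` to be an object whose every property is itself an object (`"type": "object", "additionalProperties": {"type": "object"}`); one of the two is wrong, and if `claims` is an array in the profile this test rejects every compliant Trust Mark. Decide which shape the profile mandates and make schema and description agree — for a list it would be `{"type": "object", "properties": {"claims": {"type": "array"}}, "required": ["claims"]}`. A Trust Mark is a signed JWT, so "decrypted" in the description should read "decoded"; and the nested `decode operations` applies no `jwt check sig`, so the schema is evaluated on unverified content — acceptable for a passive conformance check, but worth stating.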
@@ -8392,26 +8980,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } ] } ] 
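Review bot: The `json schema compliant` string is broken: every key and value carries a trailing space inside the quotes (`"type "`, `"object "`, `"properties "`, `"email "`, `"string "`, `"format "`), so the schema declares a property named `email ` of the non-existent type `string ` and requires `email ` — a real Trust Mark with an `email` claim can never satisfy it, and a strict validator will reject the schema itself. Replace it with `{"type": "object", "properties": {"email": {"type": "string", "format": "email"}}, "required": ["email"]}` (JSON-escaped inside the string as the neighbouring tests do). Separately, `"decode param": "$.trust_marks.trust_mark"` lacks the `[0]` index used by the sibling tests; if `trust_marks` is an array this path resolves to nothing and the check runs on no JWT at all. Note that `format: email` is only an annotation unless the validator is configured to enforce formats.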
@@ -8424,27 +9017,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
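Review bot: `"decode param": "$.trust_marks.trust_mark"` omits the array index that the neighbouring Trust Mark tests use (`$.trust_marks[0].trust_mark`); since `trust_marks` is a list of objects, this JSONPath most likely resolves to nothing and the `exp` schema is evaluated against no payload, so the test cannot fail for the right reason. Use `"decode param": "$.trust_marks[0].trust_mark"` (or `[*]` if the engine iterates) to match the other tests. The description's "decrypted" should be "decoded" — a Trust Mark is a JWS, not a JWE.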
@@ -8457,27 +9054,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
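Review bot: The schema leaves `fiscal_number` and `vat_number` untyped (`{}`), so an `id_code` carrying `"fiscal_number": null` or an object satisfies the `anyOf` and passes; if the profile defines them as strings, use `{"type": "string"}` for both. The test also has no way of knowing that the Trust Mark was issued to a private organisation — for a public body identified only by another `id_code` member the `anyOf` fails and the test reports an error — so either the session/message type must guarantee a private-entity Trust Mark or the schema needs the public-body alternative. "Decrypted" in the description should be "decoded".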
@@ -8490,27 +9091,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -8523,27 +9128,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
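Review bot: `"additionalProperties": {"type": "object"}` on `id_code` requires every member of `id_code` to itself be an object, which contradicts `@@ -8589` in this same file, where `ipa_code` inside `id_code` must be a string; a Trust Mark cannot satisfy both schemas, so one of the two tests is always red. Since the name only asks that `id_code` be a JSON object, `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}` expresses exactly that. The name also misspells "correcty". The same schema is repeated in `@@ -9078`.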
@@ -8556,27 +9165,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", - "is subset of": [ - "form_post", - "query" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -8589,26 +9202,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -8621,26 +9239,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } ] } ] 
@@ -8653,29 +9276,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", - "is subset of": [ - "openid", - "offline_access", - "profile", - "email" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
@@ -8688,26 +9313,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is subset of": [ - "pairwise" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
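Review bot: The `json schema compliant` string carries trailing spaces inside its keywords and values (`\"type \"`, `\"properties \"`, `\"enum \"`, `\"required \"`, `\"private \"`, `\"public \"`) and U+00A0 no-break spaces (`\u00a0`) between tokens. A strict JSON parser rejects U+00A0 as whitespace, and if the validator does manage to parse it, `"type "` and `"required "` are unknown keywords that JSON Schema ignores, so the check either errors out or passes for any payload without ever constraining `organization_name`. The string should read `"{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\", \"enum\": [\"private\", \"public\"]}}, \"required\": [\"organization_name\"]}"`. The same corruption is in `@@ -8785` (`sa_profile`, with `\"full \"`/`\"light \"`) and `@@ -8949` (`email`, including `\"format \": \"email \"`).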
@@ -8720,59 +9350,68 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + } + ] + } + ] + } + ] + } + ], + "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a 
metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
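Review bot: The `ref` check relies on `"format": "uri"` alone, and `format` is an annotation by default in JSON Schema validators, so unless the tool enables format assertions this test accepts any string; the other URL checks in this file (`iss`, `sub`, `logo_uri`, `policy_uri`) pair `format` with `"pattern": "^https://"`, and `ref` should do the same, e.g. `{\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}`. Separately, the `policy_uri` test in this hunk, like `@@ -8818`, `@@ -8884` and `@@ -8916`, describes a Trust Mark issued for an AA (oauth_resource profile) but reads `trust_marks[0]` from the `Entity Statement response SA OP`/`SA RP` message; if those message types carry the OP's or RP's own Trust Marks rather than an AA's, these four tests inspect the wrong token, so the message type or the description should be reconciled.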
@@ -8785,27 +9424,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + } ] } ] 
@@ -8818,27 +9461,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
@@ -8851,27 +9498,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } ] } ] 
@@ -8884,26 +9535,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
@@ -8916,27 +9572,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_token" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
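Review bot: The description says the `claims` value "is checked to be a list", but the schema requires `"type": "object"` with `"additionalProperties": {"type": "object"}`, which rejects a JSON array outright and, for an object, rejects any string-valued member; the test cannot pass for the shape the description promises. Decide which shape the profile mandates and align both; for a list of claim names that would be `\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}`. The description also says the Trust Mark is "decrypted", while the operation only decodes a signed JWT.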
@@ -8949,27 +9609,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } ] } ] 
@@ -8982,26 +9646,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
@@ -9014,26 +9683,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256\" , \"RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -9046,26 +9720,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -9078,26 +9757,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", - "type": "passive", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -9110,27 +9794,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -9143,26 +9831,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -9175,27 +9868,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" + } ] } ] 
@@ -9208,26 +9905,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
@@ -9240,27 +9942,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
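Review bot: The schema string contains non-breaking spaces (`\u00a0`) and trailing spaces inside the keywords and values (`"type "`, `"properties "`, `"required "`, `"enum "`, `"private "`), so a JSON Schema validator finds no recognised keyword and accepts any payload — the test passes vacuously. The same corruption is in the `sa_profile` schema at @@ -9339,27 +10053,31 @@, where `"full "`/`"light "` could never match the values named in its description. Here `decode param` is also `$.trust_marks.trust_mark` with no index, unlike the sibling hunks (the same omission is at @@ -9306). The description says the type of `organization_name` is checked, while the schema restricts it to the enum `private`/`public`, which looks copied from the `organization_type` test; a schema matching the description would be `{"type": "object", "properties": {"organization_name": {"type": "string"}}, "required": ["organization_name"]}`.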
@@ -9273,27 +9979,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
@@ -9306,27 +10016,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks.trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
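Review bot: The `ref` schema relies on `"format": "uri"` alone; in JSON Schema `format` is an annotation unless the validator runs in format-assertion mode, so a non-URL string may pass. The sibling URL checks in this range pair the format with `"pattern": "^https://"`, which is what actually enforces the constraint, and the same pattern should be added here. `decode param` is also `$.trust_marks.trust_mark`, without the `[0]` index the other hunks use.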
@@ -9339,27 +10053,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" + } ] } ] 
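Review bot: The description says a Trust Mark issued for an SA is inspected for `sa_profile`, but the message type on the new side is `Entity Statement response SA RP`, i.e. the statement the SA issues about an RP; an RP's Trust Mark is not expected to carry `sa_profile`, so the check is applied to the wrong artefact or, with the corrupted schema in this hunk, passes regardless. The hunks at @@ -9273, @@ -9372 and @@ -9469 have the same mismatch: their descriptions speak of a Trust Mark issued for an AA (oauth_resource profile) while the message type is again `Entity Statement response SA RP`. If the intended source is a different statement, the message type should name it; otherwise name and description should be aligned with the message actually inspected.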
@@ -9372,26 +10090,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
@@ -9404,59 +10127,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. 
It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response TA SA", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" + } ] } ] 
@@ -9469,27 +10164,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
@@ -9502,27 +10201,34 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } ] } ] 
@@ -9530,44 +10236,22 @@ ] } ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ + "result": [ "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response TA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" + ] } }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -9581,10 +10265,10 @@ "checks": [ { "in": "payload", - "check": "sa_profile", + "check": "organization_type", "is in": [ - "light", - "full" + "public", + "private" ] } ] 
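Review bot: The `result` of the `organization_type` test changes from the string `"correct flow s1"` to the array `["s1"]`, while every other test in these hunks — including the near-identical one right below it — keeps the string form; one key with two types is hard for the runner and for anything parsing its output, and if the tool expects a string this test may be skipped or mis-scored. Keep `"result": "correct flow s1"` here. The two consecutive tests also share the identical `name`, so their results cannot be told apart; the SA→OP and SA→RP variants should be distinguished in the name.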
@@ -9601,74 +10285,56 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is in": [ - "light", - "full" - ] - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_key_SA" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
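Review bot: The `sub` test's description says the value must equal `iss`, but the check compares `$.sub` with the fixed value `X_key_SA`, and its name says `OP` while the message type is `Entity Configuration response SA`. `X_key_SA` is also the value handed to `jwt check sig` in the same hunk, so it appears to stand for a key rather than an entity identifier; if it is, the `sub` comparison is against the wrong value. If the tool has no cross-claim comparison, the description should state what is actually checked, e.g. `the sub parameter must equal the configured SA entity identifier`.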
@@ -9680,32 +10346,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -9717,34 +10377,21 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } 
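Review bot: The description states that the verifier is configured for the algorithm described in the Entity Configuration header; a verifier that takes the algorithm from the token it is verifying should at least refuse `none` and any MAC algorithm when a public key is supplied, otherwise the signature check proves little. Whether `jwt check sig` does this is not visible here, so the description (reused at @@ -9754 and @@ -9791) should state the accepted algorithms, e.g. `the verifier accepts only the asymmetric algorithms allowed in the federation, such as the RS256/RS512 values used elsewhere in this file`.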
@@ -9754,34 +10401,21 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } 
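Review bot: `"Does the SA correctly signs the Entity Statement"` should read `Does the SA correctly sign the Entity Statement`; the same name is reused at @@ -9791. The two tests differ only in message type (SA OP versus SA RP) and the identical name makes their results indistinguishable, so the subject entity could be included in the name.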
@@ -9791,34 +10425,21 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -9828,32 +10449,25 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\n\\r]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } 
@@ -9865,32 +10479,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
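Review bot: `exp` is checked only as a non-negative integer, and `iat` likewise in the next hunk (@@ -9902), so an Entity Configuration that is already expired, or whose `exp` precedes `iat`, passes both tests. If the tool offers a comparison against the current time or between claims, `exp` being in the future and greater than `iat` is the security-relevant property here; otherwise the descriptions should say that only presence and integer type are verified, e.g. `only presence and integer type are checked; expiry is not evaluated`.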
@@ -9902,32 +10509,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -9939,32 +10539,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -9976,32 +10569,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
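Review bot: The name says "TA metadata", the description says "SA metadata in the TA Entity Configuration", and the operation reads `Entity Configuration response SA`, so the three disagree about whose configuration is inspected; if the SA's own configuration is meant, use `"name": "Does the SA metadata contain correct type logo_uri claim",` and drop "in the TA Entity Configuration" from the description, otherwise change the message type. Note also that `"format":"uri"` is an annotation in JSON Schema unless the validator opts into format assertion, so `pattern` is the only constraint guaranteed to be enforced here — acceptable, but the description should not imply the URL itself is validated. The `decode param` in this hunk is spelled `[^\\n\\r]*` while the sibling tests use `[^\\r\\n]*`; they are equivalent, but a single spelling is easier to grep and diff.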
@@ -10013,32 +10599,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
@@ -10050,32 +10629,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
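Review bot: This test and the `Entity Statement response SA RP` test two hunks below carry the identical name "Does Entity Statements issued by the SA contain a correct exp parameter" (the two iat tests duplicate each other the same way), so a report cannot say which subject's statement failed; put the subject in the name, e.g. `"name": "Does the Entity Statement issued by the SA for an OP contain a correct exp parameter",`. The description also says the statement is fetched at "the TA's fetch endpoint" although the message type is a statement issued by the SA, and "the the exp parameter" is doubled; the same wording is repeated in the three sibling hunks.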
@@ -10087,32 +10659,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -10124,32 +10689,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
@@ -10161,32 +10719,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -10198,32 +10749,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
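Review bot: `{"value": {}}` is the empty schema, so any JSON value for `value` — `null`, a string, an empty object — satisfies this check, although the description says the policy must contain the RP JWKS; a policy that pins no keys at all passes. Constrain it to a JWK Set shape, e.g. the escaped equivalent of `"value": {"type": "object", "properties": {"keys": {"type": "array", "minItems": 1}}, "required": ["keys"]}`. Whether the policy operator for this entry is `value` rather than another operator is something I cannot confirm from the diff; if other operators are accepted, the schema should list them in `properties` and require at least one.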
@@ -10236,14 +10780,14 @@
 {
 "test": {
 "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10280,7 +10824,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10317,7 +10861,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10354,7 +10898,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10384,14 +10928,14 @@
 {
 "test": {
 "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
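Review bot: The `oauth_resource` (AA-profile) Trust Mark tests — claims here, and policy_uri, service_documentation and tos_uri in later hunks — now read the Trust Mark from `Entity Statement response SA OP`, a statement the SA issues about an OP, while their descriptions still say the Trust Mark is one issued for an AA; if the OP's Trust Marks are what is meant, rename and re-describe them accordingly, otherwise the message type should name the AA statement. The same question applies to the sa_profile test further down, whose description says "issued by a TA for an SA" but whose message type is also `Entity Statement response SA OP`. The trailing period is removed from some descriptions in these hunks and kept in others; pick one convention.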
@@ -10420,7 +10964,7 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
+ "name": "Does the Trust Mark contain the id_code claim",
 "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
@@ -10428,7 +10972,7 @@
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10457,15 +11001,15 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10479,7 +11023,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.id_code.ipa_code",
+ "check": "iss",
 "is present": "true"
 }
 ]
@@ -10494,15 +11038,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
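Review bot: The former `$.id_code.ipa_code` check for Trust Marks issued to public organisations is turned into an `iss` presence test, and the id_code test above it only checks that `id_code` exists, so on the `Entity Statement response SA OP` path nothing verifies that a public-organisation Trust Mark still carries an `ipa_code`. If the drop is deliberate because the SA path does not cover public organisations, say so in the PR description; otherwise keep a test with `"check": "$.id_code.ipa_code",` alongside the renamed ones. The same ipa_code test was removed from the first hunk of this file section as well.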
@@ -10516,7 +11060,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "iss",
+ "check": "logo_uri",
 "is present": "true"
 }
 ]
@@ -10531,15 +11075,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10553,7 +11097,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "logo_uri",
+ "check": "organization_name",
 "is present": "true"
 }
 ]
@@ -10568,15 +11112,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10590,7 +11134,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "organization_name",
+ "check": "organization_type",
 "is present": "true"
 }
 ]
@@ -10605,15 +11149,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10627,7 +11171,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "organization_type",
+ "check": "policy_uri",
 "is present": "true"
 }
 ]
@@ -10642,15 +11186,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10664,7 +11208,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "policy_uri",
+ "check": "ref",
 "is present": "true"
 }
 ]
@@ -10679,15 +11223,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10701,7 +11245,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "ref",
+ "check": "sa_profile",
 "is present": "true"
 }
 ]
@@ -10717,14 +11261,14 @@
 {
 "test": {
 "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10753,15 +11297,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10791,14 +11335,14 @@
 {
 "test": {
 "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
@@ -10827,15 +11371,15 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
@@ -10849,7 +11393,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "sa_profile",
+ "check": "claims",
 "is present": "true"
 }
 ]
@@ -10864,25 +11408,32 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.constraints.max_path_length",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
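Review bot: The Trust Mark tests added from here to the end of the section use `"decode regex"` for the body regex, while the Entity Configuration and Entity Statement tests added earlier in this section use `"decode param"` for the same value; if the tool honours only one of the two keys, one of the two families silently decodes nothing and every presence check runs against an empty payload. Use one spelling throughout — the earlier hunks suggest `"decode param": "[^\\r\\n]*",` — and confirm against the tool's operation schema, which I cannot see from the diff. Separately, the descriptions say the Trust Mark is "decrypted", but the operation is a base64url decode of a JWS payload with no signature check, and only `trust_marks[0]` is inspected; the descriptions should say "decoded" and the names should make clear that only the first Trust Mark in the statement is examined.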
@@ -10894,25 +11445,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the contacts parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10924,25 +11482,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10954,25 +11519,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -10984,25 +11556,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11014,25 +11593,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11044,25 +11630,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the homepage_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11074,25 +11667,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the logo_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11104,25 +11704,32 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the organization_name parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -11134,25 +11741,32 @@ }, { "test": { - "name": "Does the Entity's metadata contain the policy_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
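Review bot: The name and description say the test inspects "a Trust Mark issued for an AA (oauth_resource profile)", but the operation reads `"message type": "Entity Statement response SA RP"`, whose `trust_marks` belong to the RP, not to an Attribute Authority; the `policy_uri` claim is therefore being checked in the wrong mark (or the wrong subject is named). Either the message type should select the statement/configuration that carries the AA's marks (this patch adds AA tests elsewhere, so the identifier the suite uses for it should be reused), or the name should drop the oauth_resource/AA wording. The `[0]` index in `$.trust_marks[0].trust_mark` has the same ordering fragility as in the neighbouring tests.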
@@ -11164,25 +11778,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
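Review bot: `ref` is checked for presence only; since it is the URL a verifier follows to the Trust Mark's policy document, a test that accepts any value (including an empty string or an `http://` URL) adds little over the presence check, so if the DSL supports it an additional regex/value check for an `https` URL would be worth adding after the `"is present"` check. The description's "decrypted" should be "base64url-decoded" — nothing in this operation verifies the JWS signature, so the test must not be read as establishing that the mark is genuine. The `[0]` selector again inspects only the first mark in the RP's statement.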
@@ -11194,25 +11815,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
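Review bot: The description says "A Trust Mark issued by a TA for an SA is taken", but the operation selects `"message type": "Entity Statement response SA RP"`, i.e. the statement the SA issues about an RP, whose `trust_marks[0]` is the RP's mark, not the SA's; `sa_profile` would then be looked for in the wrong token. The SA's own marks are in its Entity Configuration, which this same patch already inspects for `$.trust_marks` (the `Entity Configuration response SA` message type), so `"message type": "Entity Configuration response SA"` looks like the intended selector. As with the sibling tests, "decrypted" should read "base64url-decoded".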
@@ -11224,25 +11852,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
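Review bot: Same subject mismatch as the other oauth_resource tests in this patch: the name/description target a Trust Mark "issued for an AA (oauth_resource profile)", yet `"message type": "Entity Statement response SA RP"` yields the RP's marks, so `service_documentation` is checked in a mark that is not the AA's. The message type should be the one that carries the AA's statement, or the name should be corrected to say RP. Independently, `$.trust_marks[0].trust_mark` pins the check to the first mark only.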
@@ -11254,25 +11889,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
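Review bot: Checking that `sub` is merely present in the Trust Mark misses the assertion that matters: the mark's `sub` must equal the `sub` of the Entity Statement it is embedded in, otherwise a mark belonging to a different entity (copied from another statement) would pass this test. If the DSL can compare a claim from the inner JWT against one from the outer payload, that comparison belongs here; if not, a note in the description that the binding is not verified would keep the result from being over-read. "decrypted" in the description should be "base64url-decoded".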
@@ -11284,25 +11926,32 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
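Review bot: The `tos_uri` test is named and described as covering a Trust Mark "issued for an AA (oauth_resource profile)", but its operation reads the RP's marks via `"message type": "Entity Statement response SA RP"`, so either the selector or the wording is wrong and the test does not cover what its name claims. Fix whichever is intended consistently with the `policy_uri` and `service_documentation` siblings in this patch. `$.trust_marks[0].trust_mark` also inspects only the first mark.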
@@ -11314,15 +11963,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11331,7 +11980,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] 
@@ -11344,15 +11993,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11361,7 +12010,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", "is present": "true" } ] 
@@ -11374,15 +12023,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11391,7 +12040,7 @@ "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.federation_entity.federation_list_endpoint", "is present": "true" } ] 
@@ -11404,15 +12053,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11421,7 +12070,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -11434,15 +12083,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", + "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11451,7 +12100,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", + "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", "is present": "true" } ] 
@@ -11464,15 +12113,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11481,7 +12130,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] 
@@ -11494,15 +12143,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11511,7 +12160,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -11524,15 +12173,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11541,7 +12190,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -11554,15 +12203,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -11571,7 +12220,7 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] 
@@ -11584,24 +12233,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "check": "$.exp", "is present": "true" } ] 
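Review bot: The new side replaces `"decode regex": "[^\\r\\n]*"` with `"decode param": "[^\\r\\n]*"`, but everywhere else in this patch `decode regex` carries this regex and `decode param` carries a JSONPath (`$.trust_marks[0].trust_mark`); passing a regex as a param is likely to make the body decode select nothing, so the `$.exp` check either never runs or fails for the wrong reason. Unless the DSL treats the two keys as aliases (nothing visible suggests it), this line should stay `"decode regex": "[^\\r\\n]*"`, and the same applies to the following Entity Configuration/Statement hunks. Presence of `exp` is also a weak assertion on its own; if the DSL supports value checks, asserting `exp` is in the future and not unreasonably far from `iat` would make the test meaningful.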
@@ -11614,24 +12263,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "check": "$.iat", "is present": "true" } ] 
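Review bot: As in the preceding hunk, `"decode param": "[^\\r\\n]*"` is a regex under the key that elsewhere in this patch holds a JSONPath, so the JWT extraction for the `$.iat` check probably does not match the body; `"decode regex": "[^\\r\\n]*"` is what the unchanged SA metadata tests use. The description's "(Base64 encoding)" is also imprecise for a JWT payload — it is base64url, and the distinction matters when a decoder rejects `-`/`_`.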
@@ -11644,24 +12293,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "check": "$.iss", "is present": "true" } ] 
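Review bot: Same key mix-up as the other rewritten EC tests: `"decode param": "[^\\r\\n]*"` should be `"decode regex": "[^\\r\\n]*"` to match how the rest of the file extracts the JWT from the body. For an Entity Configuration specifically, `iss` being present is less useful than `iss` being equal to `sub` (an Entity Configuration is self-issued), which is the property a verifier actually relies on; if the DSL can compare two payload claims, that check should be added alongside this one.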
@@ -11674,24 +12323,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "check": "$.jwks", "is present": "true" } ] 
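Review bot: `"decode param": "[^\\r\\n]*"` is inconsistent with the `decode regex` key used for the same body extraction elsewhere in this patch and is likely to break the `$.jwks` check silently; restore `"decode regex": "[^\\r\\n]*"`. Presence of `jwks` is a minimum; since these are the keys every subordinate statement is verified against, a non-empty `$.jwks.keys` array (and `kid` on each key) would be the check a verifier wants, if the DSL can express it.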
@@ -11704,24 +12353,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "check": "$.metadata", "is present": "true" } ] 
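Review bot: The body decode uses `"decode param": "[^\\r\\n]*"` where the sibling tests use `"decode regex"` for this exact regex; unless the two keys are aliases, the `$.metadata` check will not see the decoded JWT. Revert to `"decode regex": "[^\\r\\n]*"`. The description's "(Base64 encoding)" should read "base64url-decoded".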
@@ -11734,24 +12383,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "check": "$.sub", "is present": "true" } ] 
@@ -11764,24 +12413,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the entity configuration of the SA contain the trust marks", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.trust_marks", "is present": "true" } ] 
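Review bot: `"decode param": "[^\\r\\n]*"` should be `"decode regex": "[^\\r\\n]*"`, consistent with the unchanged SA metadata tests that extract the same JWT. Note also that this test establishes only that `$.trust_marks` exists, not that it is a non-empty array; an SA with `"trust_marks": []` would pass, so if the intent is that the SA holds at least one mark a `[0]` presence check (as the Trust Mark tests in this patch already use) would be stricter.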
@@ -11794,24 +12443,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", + "name": "Does Entity Statements issued by the SA contain the constraints parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "check": "$.constraints", "is present": "true" } ] 
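Review bot: The body decode was changed to `"decode param": "[^\\r\\n]*"`, which elsewhere in this patch is the key for a JSONPath, so the `$.constraints` check likely never sees the decoded Entity Statement; keep `"decode regex": "[^\\r\\n]*"`. The description calls the base64url-decoded payload "decrypted" and has "the presence if the constraints parameter" — suggest `"... the Entity Statement payload in the response is base64url-decoded and the presence of the constraints parameter is checked"`.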
@@ -11824,24 +12473,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "check": "$.exp", "is present": "true" } ] 
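Review bot: The description says the statement is fetched "in the TA's fetch endpoint", but the operation selects `"message type": "Entity Statement response SA OP"` and the name says "issued by the SA"; the preceding `constraints` test correctly says "SA's fetch endpoint", so this is a copy-paste leftover and should read `"... (HTTP GET request in the SA's fetch endpoint) ..."`. Same `"decode param"` vs `"decode regex"` key issue as the other rewritten hunks, and "decrypted Payload" / "presence if" should be "decoded payload" / "presence of".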
@@ -11854,24 +12503,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "check": "$.iat", "is present": "true" } ] 
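Review bot: As in the `exp` test, the description names the "TA's fetch endpoint" while the message type is `Entity Statement response SA OP`; it should say the SA's fetch endpoint. `"decode param": "[^\\r\\n]*"` should be `"decode regex": "[^\\r\\n]*"` for the body extraction to match the rest of the suite. `iat` presence is also the weakest useful check here; an `iat` no later than now and an `exp` after `iat` would be the assertions a verifier applies, if the DSL can express them.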
@@ -11884,24 +12533,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the iss parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "check": "$.iss", "is present": "true" } ] 
@@ -11914,24 +12563,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "check": "$.jwks", "is present": "true" } ] 
@@ -11944,24 +12593,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "check": "$.metadata_policy", "is present": "true" } ] 
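Review bot: The description of the new `metadata_policy` test ends with "It must be a JSON Object", but the only check on the new side is `"is present": "true"` on `$.metadata_policy`, so a string or array value would pass. Either add a type assertion if the DSL supports one (the per-parameter `*-type.json` files listed in the diffstat presumably do something similar) or drop that sentence so the test does not claim more than it verifies. Note also that `metadata_policy` is OPTIONAL in an Entity Statement under OpenID Federation 1.0, so failing on its absence is a profile requirement rather than a core-spec one; stating that in the description would help whoever triages a failure.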
@@ -11974,24 +12623,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the sub parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "check": "$.sub", "is present": "true" } ] 
@@ -12004,24 +12653,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "check": "$.trust_marks", "is present": "true" } ] 
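Review bot: The new test treats `trust_marks` as mandatory in the SA-issued statement for an OP, but OpenID Federation 1.0 lists `trust_marks` as OPTIONAL in an Entity Statement, so a compliant SA that issues no trust marks for this subordinate would fail here; unless the SPID/CIE profile makes the claim REQUIRED for SA-issued statements, that expectation should be spelled out in the description or the test made conditional. The description also says the payload is "decrypted" although it is only base64url-decoded: `once obtained the decoded Payload, the presence of the trust_marks parameter is checked`.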
@@ -12034,24 +12683,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "name": "Does Entity Statements issued by the SA contain the constraints parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", + "check": "$.constraints", "is present": "true" } ] 
@@ -12064,24 +12713,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does Entity Statements issued by the SA contain the exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "check": "$.exp", "is present": "true" } ] 
@@ -12094,24 +12743,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "check": "$.iat", "is present": "true" } ] 
@@ -12124,24 +12773,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the iss parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "check": "$.iss", "is present": "true" } ] 
@@ -12154,24 +12803,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does Entity Statements issued by the SA contain the jwks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "check": "$.jwks", "is present": "true" } ] 
@@ -12184,20 +12833,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" + } + ] } ] } 
@@ -12207,20 +12863,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does Entity Statements issued by the SA contain the sub parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -12230,20 +12893,27 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } 
@@ -12253,15 +12923,15 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response SA", "checks": [ { "in": "body", 
@@ -12276,19 +12946,19 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Resolve Entity Statement response", "checks": [ { "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", "is present": "true" } ] 
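Review bot: The new `check regex` for `Resolve Entity Statement response`, `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`, starts with an unescaped `[`, so the pattern opens a character class instead of matching a literal `[`; depending on the regex engine it either fails to compile (unclosed class) or matches almost any single character, so the test cannot actually verify the body shape. Even with the backslash restored it would look for a JSON array of strings, whereas the resolve endpoint in OpenID Federation 1.0 returns a signed JWT (`application/resolve-response+jwt`), so the JWT-shaped pattern used by the fetch tests looks like the right check: `"check regex": "([A-Za-z0-9_-]+)\\.([A-Za-z0-9_-]+)\\.([A-Za-z0-9_-]*)"`. The "HTTP 200 OK" expectation in the description is not checked either; a status-line check would make the test match its name.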
@@ -12299,19 +12969,19 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", + "message type": "Entity Listing response", "checks": [ { "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", "is present": "true" } ] 
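Review bot: The new `check regex` for `Entity Listing response` matches a JSON object (`^\\{ ... \\}$`), while the description in the same hunk says "a JSON list with the known Entity Identifiers is expected" and the listing endpoint in OpenID Federation 1.0 returns a JSON array of entity identifiers; one of the two is wrong, and if the array is intended the removed pattern `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` was the closer one. The `[^\\r\\n]*.^` prefix is also suspicious: unless mig-t gives `.^` a special meaning, a `^` anchor after a consumed character can only match in multiline mode, so the pattern may never match at all. The description also lost its verb: `an HTTP GET request is made to the entity's listing endpoint`.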
@@ -12322,19 +12992,19 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", + "message type": "Entity Statement response SA OP", "checks": [ { "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", "is present": "true" } ] 
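Review bot: The JWT pattern in the new `check regex`, `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)`, uses `\\w` for the header and payload segments, which excludes `-` even though base64url (the JWS compact alphabet) includes it, while accepting `=` padding and `+`/`/` that a JWS must not contain; an Entity Statement whose encoded header or payload happens to contain `-` fails this test, and a plain base64 blob that is not a JWS passes it. Keeping whatever the `[^\\r\\n]*.^` prefix is meant to do, the segments should be `([A-Za-z0-9_-]+)\\.([A-Za-z0-9_-]+)\\.([A-Za-z0-9_-]+)` with a non-empty signature, since Entity Statements must be signed. The same pattern is repeated in the SA RP and fetch-endpoint variants that follow.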
@@ -12345,19 +13015,19 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", + "message type": "Entity Statement response SA RP", "checks": [ { "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", "is present": "true" } ] 
@@ -12368,29 +13038,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Fetch Entity Statement response SA RP", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
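Review bot: The description of the new fetch-endpoint test says the response contains "the resolved metadata for the entity in the request's sub claim", which is what the resolve endpoint returns; the fetch endpoint returns the Entity Statement the SA issues about `sub`, which is also what the `check regex` on the new side looks for (a JWT). Suggested wording: `a response containing the Entity Statement issued by the SA for the entity in the request's sub parameter is expected`. The message type is `Fetch Entity Statement response SA RP`, yet the removed test covered the OP; if an OP variant of this fetch test is intended it does not appear in this hunk.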
@@ -12400,50 +13061,42 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "client_assertion", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's 
fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response TA OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -12451,14 +13104,10 @@ "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.iss", + "contains": "conf_iss" } ] } 
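Review bot: In the new active `iss` test the first intercept decodes the JWT with `"from": "url"` and `"decode param": "client_assertion"`, but the intercepted message is `Entity Statement response SA OP`, a response whose JWT is in the body and which carries no `client_assertion` query parameter, so `conf_iss` is never populated and the later Entity Configuration check cannot compare anything meaningful. The decode operation should read the body the way the sibling passive tests do: `"from": "body",` / `"decode param": "[^\\r\\n]*",`. The final check uses `"contains": "conf_iss"`, which also passes when the Entity Configuration `iss` merely contains the Entity Statement `iss` as a substring (a longer URL with the SA identifier as prefix); an exact comparison (`"is"` together with `"use variable"`, if the DSL supports that pairing) is the stronger check. The test's operations are split across the two hunks on this line and its `result` lies outside them.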
@@ -12470,47 +13119,42 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA RP", "decode operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", + "from": "url", + "decode param": "client_assertion", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" - ] + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { - "message type": "Entity Statement response TA OP", + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", @@ -12518,14 +13162,10 @@ "type": "jwt", "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] + "check": "$.iss", + "contains": "conf_iss" } ] } 
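Review bot: The SA RP variant of the active `iss` test has the same decode problem as the OP one: the first intercept reads `"from": "url"` / `"decode param": "client_assertion"` on `Entity Statement response SA RP`, a response with the JWT in its body, so `conf_iss` stays empty and the Entity Configuration check is vacuous. Use `"from": "body",` and `"decode param": "[^\\r\\n]*",` as the passive tests above do, and prefer an exact match over `"contains": "conf_iss"` so a longer URL sharing the SA identifier as a prefix does not pass. The test's `result` is outside these hunks.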
@@ -12537,32 +13177,21 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
@@ -12571,97 +13200,216 @@ } }, { - "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } ] } ] } - ] + ], + "result": "correct flow s1" } - ], - "result": "correct flow s1" - } + } + ] }, { - "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. 
The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ + "message type": "Entity Configuration response TA", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } ] } ] } - ] + ], + "result": "correct flow s1" } - ], - "result": "correct flow s1" - } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the 
metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
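Review bot: The five `not matches regex` checks that replace the single schema check only detect a repeated metadata type, and only when a newline separates the two occurrences (`(\\n.*)+` needs at least one `\n`), so a compact single-line payload — the usual serialization of a JWT payload — never matches and every test passes vacuously; if the runner parses the payload as JSON before applying the check, duplicate keys have already been collapsed by the parser and the regex can never fire at all. The "only allowed types" half of each description is no longer tested: the removed schema's `"additionalProperties": false` was what enforced the closed set, and nothing replaces it. Consider keeping a schema check on `$.metadata` such as `{"type":"object","properties":{"openid_relying_party":{"type":"object"},"openid_provider":{"type":"object"},"federation_entity":{"type":"object"},"oauth_authorization_server":{"type":"object"},"oauth_resource":{"type":"object"}},"additionalProperties":false}` without a `required` list, and if duplicate-key detection is really wanted, run the regex on the raw decoded payload text with a pattern that spans lines, e.g. `"openid_provider"[\\s\\S]*"openid_provider"`. The five tests also share an identical `name`, which makes their results indistinguishable in a report; suffix each with the type it covers.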
@@ -12671,32 +13419,20 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } 
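Review bot: This test is the same check as the preceding one (`HTTP/?\\d?\\.?\\d?\\s200` on the head of `Entity Configuration response TA`), yet its description promises that "its entity configuration is expected as response"; a 200 carrying an HTML error page or an empty body satisfies it. To actually test that the endpoint serves an Entity Configuration, add a decode operation on the body (`"from": "body"`, `"decode param": "[^\\r\\n]*"`, `"type": "jwt"`) with a payload check that `$.iss` and `$.sub` are present, or at minimum a `Content-Type` check for `application/entity-statement+jwt` as done for the SA earlier in this file. If the two tests are meant to be distinct, the status-only test should say so in its description.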
@@ -12706,26 +13442,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
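Review bot: The `id_code` schema requires every member of the object to itself be an object (`"additionalProperties": {"type": "object"}`), but the description only asks for `id_code` to be a JSON object, and the later trust-mark tests in this file expect scalar members such as a string `ipa_code` or `fiscal_number`/`vat_number`; a trust mark that satisfies those tests fails this one. Drop the member constraint: `"id_code": {"type": "object"}`. Only `$.trust_marks[0]` is inspected, so an entity with several trust marks has just the first checked, which is worth stating in the description. The description's "decrypted" should read "decoded" — the trust mark is a signed JWT that is base64url-decoded here, not an encrypted one, and the wording could send a reader looking for a missing decryption step.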
@@ -12738,29 +13479,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
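Review bot: The description says the `claims` claim must be "a list of JSON Objects", but the schema requires `"claims": {"type": "object", ...}` with object-typed members, so an array value fails and a map passes — the test asserts the opposite of what it documents. Decide which shape the oauth_resource profile mandates and align the two; for a list it would be `"claims": {"type": "array", "items": {"type": "object"}}`. The message type is `Entity Statement response TA OP` although the test targets an AA (oauth_resource) trust mark, so confirm the OP's first trust mark (`$.trust_marks[0]`) is the one that carries `claims`, otherwise this test exercises the wrong statement.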
@@ -12773,26 +13516,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + } ] } ] 
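Review bot: The schema's `"required "` key carries a trailing space, so a JSON Schema validator treats it as an unknown keyword and ignores it; a trust mark with no `email` claim at all passes this check. Fix the key: `\"required\":[\"email\"]`. Note also that `"format":"email"` is an annotation unless the validator is configured to assert formats, so confirm the tool enforces it; otherwise only the string type is checked, which the description should say.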
@@ -12805,29 +13553,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
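Review bot: The `exp` check validates only that the claim is a non-negative integer; an already-expired trust mark, or one whose `exp` precedes its `iat`, passes, and nothing visible in this file checks trust-mark freshness elsewhere. A type check is fine for a compliance test, but the name "Does the Trust Mark contain the exp type" and the description should state that validity in time is not asserted, or a comparison against the current time should be added if the runner supports it. As in the neighbouring tests, "decrypted" should read "decoded": the trust mark is a signed JWT.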
@@ -12840,25 +13590,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
@@ -12870,25 +13627,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -12900,25 +13664,32 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } + ] } ] } 
@@ -12930,25 +13701,32 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } + ] } ] } 
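Review bot: This test requires `ipa_code` inside `id_code` of `$.trust_marks[0].trust_mark`, while the private-organization test earlier in this file requires `fiscal_number` or `vat_number` in the same first trust mark, and nothing in either test selects which organization profile the mark was issued for; on any given entity at least one of the two must fail. Gate each on the profile, e.g. `"if": {"properties": {"organization_name": {"const": "public"}}, "required": ["organization_name"]}, "then": {"properties": {"id_code": {"required": ["ipa_code"]}}}`, or merge both into one `anyOf` schema. The string type of `ipa_code` is already enforced by the previous test, so this one adds nothing beyond presence and could be folded into it.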
@@ -12960,25 +13738,32 @@ }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } + ] } ] } 
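Review bot: `"format": "uri-reference"` accepts relative references and any scheme, so `logo_uri` values such as `javascript:alert(1)` or `../logo` satisfy the check — and `format` is only an annotation unless the validator asserts formats. The removed check required `^https://.*\\.svg$`; keep at least the scheme constraint, `{"type": "string", "format": "uri", "pattern": "^https://"}`, and restore the `.svg` suffix if the trust-mark profile mandates it, since RPs may render this URL. The same `uri-reference` shape is used for `policy_uri`, `service_documentation`, `tos_uri` and `sub` in the following hunks and would benefit from the same tightening.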
@@ -12990,25 +13775,32 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { 
\"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } + ] } ] } @@ -13020,25 +13812,32 @@ }, { "test": { - "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } + ] } ] } 
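Review bot: Every key and most values in the `organization_name` schema carry a trailing space, and several are prefixed with U+00A0 (`\"type \": \u00a0\"object \"`, `\"enum \": [\"private \", \u00a0\"public \"]`, `\"required \"`), so a JSON Schema validator sees no recognised keywords and the check passes for any payload, including one without `organization_name`; had the keys been correct, the padded enum values would have rejected the genuine `private`/`public` values instead. Rewrite it as `{\"type\":\"object\",\"properties\":{\"organization_name\":{\"type\":\"string\",\"enum\":[\"private\",\"public\"]}},\"required\":[\"organization_name\"]}`. Consider a lint step that rejects non-ASCII whitespace and trailing spaces inside these embedded schema strings, since the defect is invisible in most editors.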
@@ -13050,8 +13849,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -13062,13 +13861,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } + ] } ] } 
@@ -13080,8 +13886,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" @@ -13092,13 +13898,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } + ] } ] } 
@@ -13110,8 +13923,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -13122,13 +13935,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13140,8 +13960,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -13152,13 +13972,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13170,25 +13997,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
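Review bot: The added id_code schema, `\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, requires every member of `id_code` to itself be an object, but the description only asks for `id_code` to be a JSON object, and the checks added at L11032 and L11033 expect `id_code.ipa_code` to be a string; a Trust Mark that passes L11032 therefore fails this test. Dropping the inner constraint, `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}`, matches the description and the sibling tests.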
@@ -13200,25 +14034,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
+ ]
 }
 ]
 }
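Review bot: The description says the `claims` claim has to be a list of JSON objects, but the added schema requires an object whose members are objects (`\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`); one of the two is wrong, and if the list reading is the intended one the line should be `\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`. The description also says the mark is one issued for an AA (oauth_resource profile), yet the message type becomes `Entity Statement response TA RP` and only `$.trust_marks[0].trust_mark` is decoded, so the check runs against whichever mark the RP's statement lists first; the same AA-description/RP-message mismatch appears at L11036, L11038 and L11040 and should be confirmed against what the TA actually returns for an AA.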
@@ -13230,55 +14071,69 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
- }
- ]
- }
- ]
- }
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
 ],
 "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
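Review bot: The email schema added in this hunk carries a trailing space inside every key and value (`\"type \"`, `\"properties \"`, `\"email \"`, `\"format \"`, `\"required \"`), so none of them is a JSON Schema keyword; unknown keywords are ignored by validators, the schema accepts any payload, and this test can never fail. The line should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`. The organization_name schema at L11035 has the same trailing spaces and additionally embeds U+00A0 characters (`\u00a0`), which are not JSON whitespace, so that embedded schema is unlikely to parse at all, and its enum values `private ` and `public ` would never match the real values even if it did.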
@@ -13290,25 +14145,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13320,25 +14182,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13350,25 +14219,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13380,25 +14256,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13410,25 +14293,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13440,25 +14330,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
+ ]
 }
 ]
 }
@@ -13470,25 +14367,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13500,25 +14404,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
+ ]
 }
 ]
 }
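Review bot: The test name added here, `Does the Trust Mark contain an URL in the ref claim`, is identical to the one added at L11022, and L11038–L11040 likewise repeat the names added at L11023–L11025 (L11041 and L11042 repeat each other too); the only visible difference is the `message type` line. If the runner or its report keys results by name, the two outcomes become indistinguishable and one may silently mask the other. Naming the entity under test in the name, e.g. `"name": "Does the RP's Trust Mark contain an URL in the ref claim",`, would keep them apart.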
@@ -13530,25 +14441,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13560,25 +14478,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13590,25 +14515,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
+ ]
 }
 ]
 }
@@ -13620,68 +14552,92 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
+ ]
 }
 ]
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
+ ]
 }
 ]
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -13694,12 +14650,15 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of",
+ "is subset of": [
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
+ ]
 }
 ]
 }
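Review bot: Both sa_profile tests in this hunk describe a Trust Mark issued for an SA, but their message types are `Entity Statement response TA OP` and `Entity Statement response TA RP`; the removed version used `Entity Statement response TA SA`, which is the statement that would carry the SA's intermediary mark. Unless the OP and RP statements are also expected to carry an `sa_profile` claim, `"message type": "Entity Statement response TA SA",` should be restored in one of them and the other copy dropped, since the two tests are otherwise identical. Two smaller points: `"check": "sa_profile"` lacks the `$.` JSONPath prefix every other `check` in these hunks uses, and `"result": ["s1"]` differs from the `"result": "correct flow s1"` kept by the neighbouring tests — confirm the runner accepts both forms.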
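Review bot: The added check reads `$.metadata_policy.intermediary.acr_values_supported.subset_of`, but the description says the parameter is checked inside the `openid_provider` type; the same description/path mismatch is in the new checks at L11044 (`code_challenge_methods_supported`) and L11045 (`grant_types_supported`), so either the descriptions or the paths need to change. `is subset of` is also weaker than the description's "must contain the value": depending on which side the operator treats as the subset, a policy with an empty or partial `subset_of`, or one listing extra values, would still pass, whereas the description implies the exact list. The outer decoder here keeps `"decode param": "[^\\r\\n]*"` while the trust-mark tests above switched that key to `decode regex`; confirm both keys are still accepted. The enclosing test object starts in the previous hunk and its closing lines are outside this one.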
@@ -13711,26 +14670,27 @@ }, { "test": { - "name": "Does the TA correctly sign the issued Trust Mark", - "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_TA" + "in": "payload", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", + "is subset of": [ + "S256" + ] } ] } 
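Review bot: `"is subset of": ["S256"]` is weaker than what the description asserts ("must be valued as ['S256']"): if the operator checks that the extracted array is contained in the listed values, as its name suggests, an empty `subset_of` array also passes, so the test does not pin the policy to the documented value. An exact-match check, or an additional minimum-length check on the extracted array, would make the test match its description. The same gap applies to every `is subset of` check in this commit whose description says the parameter "must be valued as" or "valued with" a fixed list.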
@@ -13742,15 +14702,15 @@ }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13759,8 +14719,11 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_TA" + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", + "is subset of": [ + "refresh_token", + "authorization_code" + ] } ] } 
@@ -13772,15 +14735,15 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13789,8 +14752,11 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
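Review bot: The description says the policy must carry the key 'subset_of', but the check reads `…id_token_encryption_enc_values_supported.one_of`; one of the two is wrong, and a TA that emits the documented operator would fail this test. In OpenID Federation metadata policy `one_of` constrains single-valued parameters and `subset_of` array-valued ones, so for a `*_supported` array the description's `subset_of` looks like the right key. The same description/path disagreement (in one direction or the other) appears in the id_token_signing_alg_values_supported, response_types_supported, revocation_endpoint_auth_methods_supported, subject_types_supported, token_endpoint_auth_methods_supported, token_endpoint_auth_signing_alg_values_supported and userinfo_* OP tests, in the RP client_registration_types, id_token_encrypted_response_alg, id_token_encrypted_response_enc, userinfo_encrypted_response_alg and userinfo_encrypted_response_enc tests, and in the SA client_registration_types test. Change to `"check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.subset_of"` or fix the description, whichever matches the policy the TA actually issues.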
@@ -13802,15 +14768,15 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13819,8 +14785,11 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
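Review bot: `$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` uses JSONPath recursive descent (`$..`), unlike every other check in this commit, which uses `$.metadata_policy…`; it looks like a typo. Recursive descent matches the claim at any depth, so a nested object anywhere in the payload that carries a `metadata_policy` key would satisfy the test, and depending on the evaluator the result may be a list of matches rather than the single array `is subset of` expects. Change to `"check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of"`.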
@@ -13832,15 +14801,15 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13849,8 +14818,11 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -13862,15 +14834,15 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13879,8 +14851,11 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", + "is subset of": [ + "form_post", + "query" + ] } ] } 
@@ -13892,15 +14867,15 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13909,8 +14884,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", + "is subset of": [ + "code" + ] } ] } 
@@ -13922,15 +14899,15 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13939,8 +14916,10 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -13952,15 +14931,15 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13969,8 +14948,13 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", + "is subset of": [ + "openid", + "offline_access", + "profile", + "email" + ] } ] } 
@@ -13982,15 +14966,15 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -13999,8 +14983,10 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", + "is subset of": [ + "pairwise" + ] } ] } 
@@ -14012,15 +14998,15 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -14029,8 +15015,10 @@ "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", - "is present": "true" + "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", + "is subset of": [ + "private_key_jwt" + ] } ] } 
@@ -14042,8 +15030,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -14059,8 +15047,11 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -14072,8 +15063,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -14089,8 +15080,11 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -14102,8 +15096,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -14119,8 +15113,11 @@ "checks": [ { "in": "payload", - "check": "$.iat", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -14132,8 +15129,8 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -14149,8 +15146,11 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
@@ -14162,15 +15162,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -14179,8 +15179,10 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
@@ -14192,15 +15194,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -14209,8 +15211,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_token" + ] } ] } 
@@ -14222,15 +15227,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -14239,8 +15244,11 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -14252,15 +15260,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", @@ -14269,8 +15277,10 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } 
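Review bot: The `is subset of` array holds a single element, `"A128CBC-HS256\" , \"A256CBC-HS512"`, i.e. the literal string `A128CBC-HS256" , "A256CBC-HS512` with embedded quotes, not the two encryption methods the description names; no policy value will ever equal it, so the test cannot behave as documented. The same malformed literal is in the RP id_token_signed_response_alg test (`RS256\" , \"RS512`) and the RP userinfo_encrypted_response_enc test. Replace it with two elements, `"A128CBC-HS256",` and `"A256CBC-HS512"`, as the OP-side tests in this commit already do.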
@@ -14282,8 +15292,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -14299,8 +15309,10 @@ "checks": [ { "in": "payload", - "check": "$.constraints", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256\" , \"RS512" + ] } ] } 
@@ -14312,8 +15324,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" @@ -14329,8 +15341,10 @@ "checks": [ { "in": "payload", - "check": "$.exp", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] } ] } 
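Review bot: The description ends with "It must contain the key 'value'" without saying what that value must be, while the check asserts `is subset of ["code"]` on `…response_types.value`. The description of this test should state the expected content, e.g. `It must contain the key 'value' valued with ['code']`, so that the documented contract and the check agree.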
@@ -14342,8 +15356,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -14359,8 +15373,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
+ ]
 }
 ]
 }
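Review bot: `"private_key"` is not a registered token endpoint authentication method; the OIDC value is `private_key_jwt`, which is what the OP-side revocation_endpoint_auth_methods_supported and token_endpoint_auth_methods_supported tests in this commit check. Both the description (`['private_key']`) and the check list carry the truncated value, so as written the test passes only for a policy that would itself be non-compliant. Change the element to `"private_key_jwt"` and update the description to match.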
@@ -14372,8 +15388,8 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -14389,8 +15405,11 @@ "checks": [ { "in": "payload", - "check": "$.iss", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -14402,8 +15421,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -14419,8 +15438,10 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" + ] } ] } 
@@ -14432,8 +15453,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -14449,8 +15470,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] } ] } 
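Review bot: If mig-t resolves a missing JSONPath to an empty set, the `is subset of` check on `…userinfo_signed_response_alg.one_of` presumably passes when the TA's policy omits the parameter entirely or constrains it with another operator, so the test cannot distinguish "restricted to RS256/RS512" from "unrestricted". Consider pairing it with a presence check, in the style of the tests this hunk removes: `"check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", "is present": "true"`. The message type line for this test lies outside the hunk.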
@@ -14462,15 +15486,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -14479,8 +15503,10 @@ "checks": [ { "in": "payload", - "check": "$.jwks", - "is present": "true" + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is subset of": [ + "automatic" + ] } ] } 
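Review bot: The description says the policy must contain `one_of` valued `['automatic']`, but the check path ends in `.client_registration_types.subset_of`, so a reader cannot tell which key the TA is actually required to emit. `client_registration_types` is an array-valued parameter, for which `subset_of` is the expected operator, so the description should read `It must contain the key 'subset_of' valued with ['automatic']`. The `is subset of` operator would presumably also accept an empty `subset_of` list, which constrains nothing; a `contains` or presence check would be stricter.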
@@ -14492,15 +15518,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -14509,8 +15535,11 @@ "checks": [ { "in": "payload", - "check": "$.sub", - "is present": "true" + "check": "$.metadata_policy.intermediary.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_toke" + ] } ] } 
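Review bot: The expected value list contains the typo `"refresh_toke"`, so any TA whose `grant_types.subset_of` includes the correct `refresh_token` fails this `is subset of` check, while a TA publishing the misspelled value would pass. Change it to `"refresh_token"`. The description also reads "values with" where it means "valued with".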
@@ -14522,15 +15551,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", @@ -14539,8 +15568,11 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
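Review bot: The description requires a `subset_of` key but the JSONPath reads `$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of`, so the documented and tested operators differ. For this single-valued parameter `one_of` is the correct operator; fix the description to `It must contain the key 'one_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']` (and drop the stray colon after `'subset_of'`). Assuming mig-t treats a missing path as empty, a policy that actually used `subset_of` here would satisfy `is subset of` vacuously instead of being flagged.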
@@ -14552,21 +15584,30 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] + } + ] } ] } 
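Review bot: This hunk replaces the only visible test that verifies the TA's signature over its Entity Configuration (`"jwt check sig": "X_key_TA"` on `Entity Configuration response TA`) with a metadata-policy content check; unless that signature test survives elsewhere in the suite, the policy values asserted in the surrounding tests are read from a JWT whose signature is never checked. Please confirm the Entity Configuration signature test is kept, or re-add it as its own entry rather than reusing the slot. Independently, the new description says `subset_of` while the path reads `…id_token_encrypted_response_enc.one_of`; `one_of` is right for this single-valued parameter, so update the description.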
@@ -14576,21 +15617,30 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" + ] + } + ] } ] } 
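Review bot: The hunk removes the test that validates the TA's signature on the Entity Statement issued for the OP (`"jwt check sig": "X_key_TA"` on `Entity Statement response TA OP`) and reuses the entry for a policy-content check; if no other test still verifies that signature, every TA-OP policy assertion in this file is evaluated on an unauthenticated statement. Keep the signature test as a separate entry. The new description also says `subset_of` where the check reads `.one_of`; for the single-valued `id_token_signed_response_alg`, `one_of` is the correct operator, so fix the wording rather than the path.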
@@ -14600,21 +15650,29 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" + ] + } + ] } ] } 
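Review bot: The check path is `$.metadata_policy.openid_relying_party.response_types.value`, but the message is `Entity Statement response TA SA` and the description, like every neighbouring SA test, names the `intermediary` type, so the path inspects the wrong metadata type and, if mig-t treats a missing path as empty, presumably passes vacuously. Change it to `"check": "$.metadata_policy.intermediary.response_types.value"`. This hunk also drops the TA-RP Entity Statement signature test (`"jwt check sig": "X_key_TA"`); confirm that check still exists elsewhere, since the policy assertions depend on the statement being authentic.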
@@ -14624,31 +15682,26 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" ] } ] 
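Review bot: The expected value `"private_key"` is not a registered `token_endpoint_auth_method` (the OIDC/RFC 7591 values are `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt` and `none`), so a TA policy that correctly mandates `private_key_jwt` would fail this `is subset of` check while only a policy using the unknown value would pass. Unless the suite deliberately uses a non-standard identifier, change both the list element and the description to `"private_key_jwt"`.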
@@ -14661,31 +15714,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
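Review bot: The description says the policy must contain `subset_of`, but the check reads `$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of`, so the documented requirement and the tested key differ. `one_of` is the right operator for this single-valued parameter; update the description to `It must contain the key 'one_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']`. With `is subset of` on a possibly absent path, a TA that omits the parameter presumably passes; a presence check would close that gap.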
@@ -14698,31 +15747,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
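Review bot: The description requires `subset_of` while the check path ends in `.userinfo_encrypted_response_enc.one_of`; since this is a single-valued parameter, `one_of` is the correct operator and the description should say `'one_of'`. As with the sibling SA tests, `is subset of` on an absent path presumably succeeds, so a TA that leaves the parameter unconstrained is not caught; consider adding an `is present` check on the same path.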
@@ -14735,31 +15780,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
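Review bot: The description says `subset_of` but the check reads `$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of`; for a single-valued parameter `one_of` is the correct operator, so change the description to `It must contain the key 'one_of' valued with ['RS256', 'RS512']`. Note that the SA and RP variants of this test are otherwise identical apart from the metadata type; a shared wording that states the expected operator once per parameter kind would avoid these drifts.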
@@ -14772,32 +15813,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_key_TA" } ] } 
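Review bot: The new check compares `$.sub` against the literal `"X_key_TA"`, but the description says `sub` must equal `iss`, and `X_key_TA` is used elsewhere in this file as the key reference for `jwt check sig`, not as an entity identifier, so this assertion presumably never matches a real Entity Configuration. The test name says "entity configuration OP" while the message type is `Entity Configuration response TA`; pick one. If mig-t has no cross-claim comparison, compare `sub` against the TA's entity-id placeholder rather than a key name, and state in the description which entity is being checked.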
@@ -14809,8 +15843,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -14821,20 +15855,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "jwt check sig": "X_key_TA" } ] } 
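Review bot: The test name `Does the TA correctly sign the issued Trust Mark` is reused verbatim by the next test (the TA-RP variant), so reports keyed by name cannot tell the OP and RP cases apart; suffix it, e.g. `"name": "Does the TA correctly sign the issued Trust Mark (Entity Statement TA OP)"`. The signature check only covers `trust_marks[0]`; if the statement carries several trust marks the others are unverified, which the description should say. The message type line for this test is outside the hunk.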
@@ -14846,32 +15874,26 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "jwt check sig": "X_key_TA" } ] } 
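Review bot: This test duplicates the preceding one with only the message type changed to `Entity Statement response TA RP`, yet keeps the identical name, so the two are indistinguishable in results; rename it to `… (Entity Statement TA RP)`. Verifying the trust mark with `X_key_TA` is correct only when the TA itself is the trust mark issuer; the description should state that the trust mark's `iss` is expected to be the TA, otherwise a mark from a delegated issuer would be reported as a bad signature rather than as a different issuer.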
@@ -14883,8 +15905,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" @@ -14895,19 +15917,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } + "in": "payload", + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" ] } ] 
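Review bot: The check `$.trust_marks[0].trust_mark.organization_type` is applied to the outer Entity Statement payload, where `trust_mark` is a compact JWT string, so the JSONPath cannot descend into it and the claim is never read; the nested `decode operations` this hunk removes were what exposed the trust-mark payload. Restore the inner decode and run the `is in` check on `$.organization_type` inside it. This test also shares its name with the next one; add an "(OP)" suffix so results are distinguishable.
```json
"decode operations": [
  {
    "from": "body",
    "decode param": "[^\\r\\n]*",
    "type": "jwt",
    "decode operations": [
      {
        "from": "jwt payload",
        "type": "jwt",
        "decode param": "$.trust_marks[0].trust_mark",
        "checks": [
          {
            "in": "payload",
            "check": "$.organization_type",
            "is in": ["public", "private"]
          }
        ]
      }
    ]
  }
]
```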
@@ -14920,31 +15938,27 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" - } + "in": "payload", + "check": "$.organization_type", + "is in": [ + "public", + "private" ] } ] 
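Review bot: The check reads `$.organization_type` from the outer Entity Statement payload, but `organization_type` is a claim of the trust mark JWT carried in `trust_marks[0].trust_mark`, not of the statement itself, so the lookup presumably finds nothing and the test cannot detect a wrong value. Re-add the inner decode operation the hunk removes (`"from": "jwt payload"`, `"type": "jwt"`, `"decode param": "$.trust_marks[0].trust_mark"`) and place the `is in` check on `$.organization_type` inside it. The name also duplicates the previous test's; suffix it with "(RP)".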
@@ -14957,8 +15971,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" @@ -14969,19 +15983,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
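Review bot: Three things make this check pass without testing anything: the path uses `.intermediary` although the description says `openid_provider` (and the test is about the OP's statement); it reads `.one_of` where an array-valued `*_values_supported` parameter is constrained with `subset_of`, as the description itself says; and the forbidden value is spelled `RSA_1_5`, whereas the JWA identifier (RFC 7518) is `RSA1_5`, so `not contains` would not flag the real algorithm. Change the path to `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"` and the value to `"RSA1_5"`. The message type line is outside the hunk.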
@@ -14994,8 +16003,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -15006,19 +16015,17 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
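Review bot: The check path `$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` matches neither the description, which names the `openid_provider` type and the `subset_of` operator, nor the policy semantics, where array-valued `*_values_supported` parameters are constrained with `subset_of`. A `not contains` check on a path that does not exist presumably succeeds vacuously, so as written this test would not catch a TA that permits `none` or HMAC algorithms. Use `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of"`.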
@@ -15031,8 +16038,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -15043,19 +16050,17 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
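Review bot: The operator here is right (`subset_of`) but the metadata type is `intermediary`, while the description and the test's purpose refer to the OP's `openid_provider` policy; a `not contains` against a non-existent path presumably passes vacuously, so the `none`/HS* exclusion is not actually enforced. Use `"check": "$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported.subset_of"`. The neighbouring OP tests read `.one_of` for the same kind of parameter; the suite should settle on `subset_of` for all `*_values_supported` checks.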
@@ -15068,8 +16073,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" @@ -15080,19 +16085,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" ] } ] 
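Review bot: The forbidden value `RSA_1_5` does not match the JWA algorithm name `RSA1_5` (RFC 7518), so `not contains` never fires for the algorithm it is meant to exclude. The path also uses `.intermediary` and `.one_of` where the description says `openid_provider` and `subset_of`, and `subset_of` is the operator for array-valued `*_values_supported` parameters. Change the line to `"check": "$.metadata_policy.openid_provider.userinfo_encryption_alg_values_supported.subset_of"` and the value to `"RSA1_5"`.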
@@ -15105,8 +16105,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -15117,19 +16117,17 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
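Review bot: The check reads `$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of`, but the description names the `openid_provider` type and the `subset_of` key, and `subset_of` is the operator used to constrain array-valued `*_values_supported` parameters. If mig-t treats the missing path as empty, `not contains` presumably passes vacuously and a TA allowing `none` or HS256/384/512 for UserInfo signing goes undetected. Use `"check": "$.metadata_policy.openid_provider.userinfo_signing_alg_values_supported.subset_of"`.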
@@ -15142,8 +16140,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -15154,19 +16152,17 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
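Review bot: The path `$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of` points at the wrong metadata type and the wrong operator for an OP test; the description says `openid_provider` and `subset_of`, and `subset_of` is the operator for array-valued `*_values_supported` parameters. A `not contains` against an absent path presumably succeeds, so the exclusion of `none` and HMAC algorithms for token-endpoint client authentication is not enforced as written. Use `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported.subset_of"`.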
@@ -15179,8 +16175,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15191,19 +16187,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
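Review bot: The description says the `subset_of` key must not contain `RSA_1_5`, but the check reads `one_of`; for a single-valued parameter such as `id_token_encrypted_response_alg`, `one_of` is the operator the federation policy language defines, so the description rather than the path looks wrong — suggest `The key 'one_of' must not contain the value ['RSA_1_5']`. The same description/check mismatch repeats in the next three RP hunks (`id_token_signed_response_alg`, `userinfo_encrypted_response_alg`, `userinfo_signed_response_alg`). Consider pairing each `not contains` with a `json schema compliant` check that requires the `one_of` key, since a policy that omits the operator entirely should be flagged rather than silently passed; how `not contains` treats an unresolved path I cannot tell from here.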
@@ -15216,8 +16207,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15228,19 +16219,17 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -15253,8 +16242,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15265,19 +16254,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -15290,8 +16274,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15302,19 +16286,17 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -15327,31 +16309,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
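Review bot: The SA tests key the policy under `$.metadata_policy.intermediary.*`, and `intermediary` is not among the metadata types the suite's own metadata-type schema later in this diff accepts (`openid_relying_party`, `openid_provider`, `federation_entity`, `oauth_authorization_server`, `oauth_resource`); `id_token_encrypted_response_alg` and the three parameters in the following SA hunks are `openid_relying_party` metadata. If the TA publishes its SA policy under a standard type, these paths resolve to nothing and — depending on how `not contains` treats a missing path, which I cannot tell from here — the weak-algorithm checks may pass vacuously. Either `intermediary` is a profile-specific type and the description should say so, or the path should be `"check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of"`. The description also says `subset_of` while the check reads `one_of`; for a single-valued parameter `one_of` is the right operator, so the description text should say `one_of`.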
@@ -15364,31 +16341,29 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -15401,31 +16376,26 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
 ]
 }
 ]
@@ -15438,31 +16408,29 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
 ]
 }
 ]
@@ -15475,34 +16443,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
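Review bot: A Trust Anchor's Entity Configuration is self-signed, so `"jwt check sig": "X_key_TA"` is only meaningful if `X_key_TA` is a key pinned out-of-band (the TA's published federation key), not one read from the `jwks` of the very message under test; if the tool resolves it from the configuration itself the check is circular and would accept a configuration signed with any key — which of the two happens I cannot tell from here. The description also says the key comes from the Entity Statement of a superior, which a TA does not have; suggest `public key of the Trust Anchor, obtained out-of-band and configured as X_key_TA`. Since the verifier is said to follow the algorithm declared in the header, it would be worth asserting that header `alg` is an asymmetric algorithm (excluding `none` and `HS256`/`HS384`/`HS512`, as the policy tests in this diff already do for metadata), unless `jwt check sig` is known to reject those on its own.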
@@ -15512,34 +16467,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
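Review bot: This test and the one in the next hunk carry the identical `name` and `description` ("Does the TA correctly sign the Entity statements"), so a report cannot say which statement failed signature verification; the next hunk's `message type` line lies outside its hunks, but the two evidently cover different statements. Suggest naming by subject, e.g. `"name": "Does the TA correctly sign the Entity Statement issued for the OP"`, and the matching form for the other. The description also restricts the key to `n, e of jwks`, i.e. an RSA key, while the verifier is said to follow the header's `alg`; either document that only RSA keys are supported or generalise the wording to the JWK selected by the header's `kid`.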
@@ -15549,8 +16491,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -15561,22 +16503,9 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -15586,32 +16515,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
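Review bot: `"decode param": "[^\\n\\r]*"` differs from the `[^\\r\\n]*` every other test in this diff uses; the two are equivalent, but the odd one out reads as a typo and makes the pattern hard to grep for — suggest `"decode param": "[^\\r\\n]*"` here and in the `logo_uri` test further down, which has the same variant. The schema itself is sound: `additionalProperties: false` together with the `anyOf` makes both an unknown type and an empty `metadata` object fail rather than pass.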
@@ -15623,32 +16545,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
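Review bot: The name promises a "correct" `exp` while the schema only asserts a non-negative integer, so an already-expired Entity Configuration passes this test; the `iat` test in the next hunk has the same gap. If a passive check cannot compare the claim against the current time, the name and description should say what is actually verified, e.g. `the exp parameter is present and is a non-negative integer (its freshness is not verified)`.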
@@ -15660,32 +16575,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -15697,32 +16605,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -15734,15 +16635,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
@@ -15751,11 +16652,8 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
 }
 ]
 }
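Review bot: In the new schema the `required: ["constraints"]` is nested inside `properties` (it comes after the `constraints` subschema's closing brace but before the outer `}}`), so it is read as a property named `required` rather than as the top-level requirement, and a TA Entity Configuration with no `constraints` at all satisfies the check. Move it up one level and, since the name promises a max_path_length claim rather than merely a key, type it: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"max_path_length\"]}}, \"required\": [\"constraints\"]}"`. The description should also mention max_path_length, which the name requires but the description does not.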
@@ -15767,28 +16665,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
- ]
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
@@ -15800,20 +16695,27 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct HTTP code in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ }
+ ]
 }
 ]
 }
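Review bot: The name and description say `trust_mark_issuers` must be a JSON Array, but the schema requires an object whose values are arrays (`additionalProperties: {type: array}`), which is the shape OpenID Federation defines for this claim (Trust Mark identifier mapped to an array of issuer Entity IDs); the schema is right and the text is wrong. Suggest `"name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Object mapping each Trust Mark identifier to an array of issuers"` and the matching description wording.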
@@ -15823,20 +16725,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
- "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.acr_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ }
+ ]
 }
 ]
 }
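Review bot: The description says the `acr_values_supported` policy must contain the key `subset_of`, but the schema requires both `subset_of` and `superset_of`, so a policy carrying only `subset_of` fails this test; either relax it to `\"required\":[\"subset_of\"]` or document that both operators are expected. The path `$.metadata_policy.intermediary.acr_values_supported` also contradicts the description's `openid_provider` type — `acr_values_supported` is OP metadata, and the message type on the line above is the TA→OP statement — and since the schema is applied to whatever the path returns, an unresolved path gives no useful signal; `"check": "$.metadata_policy.openid_provider.acr_values_supported"` matches the stated intent.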
@@ -15846,21 +16755,27 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ }
+ ]
 }
 ]
 }
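Review bot: The description says the parameter must carry `one_of` valued `['true']`, while the schema enforces `value: true`; for a boolean parameter `value` is the right operator (and a string `'true'` would not satisfy `const: true`), so the description should read `It must contain the key 'value' and it must be valued as true`. The same wording/check mismatch is in the following hunk's `claims_parameter_supported` test.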
@@ -15870,116 +16785,85 @@ }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.claims_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value", + 
"description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.client_registration_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}" } ] } ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. 
It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
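Review bot: The client_registration_types_supported check requires `subset_of` to be the bare string `"automatic"` (`{\"const\": \"automatic\"}`), but `subset_of` in a federation metadata policy is an array, so a TA publishing `"subset_of": ["automatic"]` — the very form the description paraphrases as `['automatic']` — is flagged as non-compliant; the description additionally names `one_of` rather than `subset_of`. Suggested: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"type\": \"array\", \"items\": {\"const\": \"automatic\"}, \"minItems\": 1}}, \"required\": [\"subset_of\"]}"`. In the same hunk the grant_types_supported check reads `$.metadata_policy.intermediary.grant_types_supported` while its description says `openid_provider`. The two removed tests that asserted organization_type is `public` or `private` are not replaced by anything visible here, so that value check appears to be lost unless it lives elsewhere in the file.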
@@ -15991,32 +16875,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
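Review bot: The id_token_encryption_alg_values_supported check path is `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported`, but the test name and description place this parameter under the `openid_provider` type of the TA's policy for an OP, so the check looks in the wrong place. The schema also demands `superset_of` on top of the `subset_of` the description mentions, and the `{}` subschemas do not constrain the operator values to arrays of algorithm names. Suggested: `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported"` with `\"subset_of\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}` in the schema and `required` reduced to what the profile actually mandates. Since this policy bounds which JWE algorithms an OP may advertise, a check that silently misses the key gives no protection.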
@@ -16028,32 +16905,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
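Review bot: Same path mismatch as the neighbouring tests: the id_token_encryption_enc_values_supported check uses `$.metadata_policy.intermediary.id_token_encryption_enc_values_supported` although the name and description refer to the `openid_provider` policy. It should be `"check": "$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported"`, and the `required` list (`subset_of` and `superset_of`) should match the description, which only asks for `subset_of`. Constraining the operator values with `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` instead of `{}` would stop a malformed policy from passing.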
@@ -16065,32 +16935,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
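Review bot: The id_token_signing_alg_values_supported test again reads `$.metadata_policy.intermediary....` while its description says the parameter is inside the `openid_provider` type, so the assertion is evaluated against the wrong (likely absent) object. Suggested `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported"`, with `subset_of` typed as `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` and `superset_of` dropped from `required` unless the profile mandates it. This is the policy that keeps weak or `none` signing algorithms out of ID tokens, so it deserves a check that actually resolves.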
@@ -16102,32 +16965,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
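Review bot: The request_authentication_methods_supported schema accepts only `\"value\": \"request_object\"`, whereas the description says the policy must carry `one_of` valued `['request_object']`; one of the two needs to change. In OpenID Federation this OP metadata parameter is an object keyed by endpoint name rather than a bare string, so if the TA expresses its policy in that shape a string `value` constant will never match and every TA is reported as failing — worth confirming against the profile before keeping the constant. If the object shape is confirmed, the schema should describe `value` as `{\"type\": \"object\"}` with the endpoint key's array pinned to `[\"request_object\"]`, and the description should name the operator that is actually checked.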
@@ -16139,32 +16995,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
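Review bot: The request_authentication_signing_alg_values_supported check points at `$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported`, but the name and description say the parameter belongs to the `openid_provider` type of the policy for an OP. Change it to `"check": "$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported"`, and make `required` match the description (only `subset_of`) unless `superset_of` is genuinely mandated. The `{}` operator subschemas should be `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` so that a non-array value cannot pass.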
@@ -16176,32 +17025,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
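Review bot: The test is named and described as checking request_object_signing_alg_values_supported, but the JSONPath on the new side is `$.metadata_policy.openid_provider.request_parameter_supported`, so it never looks at the signing-algorithm policy and instead asserts `subset_of`/`superset_of` on a boolean parameter, which a correct policy (`value: true`, as the test two hunks down expects) will fail. Change the path to `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`. The `{}` subschemas should also pin `subset_of` and `superset_of` to `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}`, since this policy is what bounds the JWS algorithms accepted for request objects.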
@@ -16213,32 +17055,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
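Review bot: The `json schema compliant` value on the new side is not a single JSON document — `{...} [\"RS256\", \"RS512\"]` is an object followed by a stray array — so the schema cannot be parsed and the test either errors out or, depending on the parser, validates only the leading object and never checks the algorithm list. The JSONPath also targets `request_parameter_supported` rather than `request_object_signing_alg_values_supported`, and the test name duplicates the previous test's. Suggested: `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"type\": \"array\", \"items\": {\"enum\": [\"RS256\", \"RS512\"]}, \"minItems\": 1}}, \"required\": [\"subset_of\"]}"`. This is the check that keeps `none` and symmetric algorithms out of the allowed set for request objects, so it is worth making it actually run.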
@@ -16250,32 +17085,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
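Review bot: The request_parameter_supported description promises `one_of` valued `['true']`, but the check accepts only `\"value\": true`, so the documented and enforced contracts differ (the same pattern as the authorization_response_iss_parameter_supported and claims_parameter_supported tests). Rewrite the sentence as `It must contain the key 'value' set to the boolean true`, or widen the schema with an `anyOf` branch accepting `one_of: [true]` if the profile permits either operator.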
@@ -16287,32 +17115,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", - "type": "passive", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
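Review bot: The response_modes_supported check reads `$.metadata_policy.intermediary.response_modes_supported` while its name and description say the parameter is inside the `openid_provider` type, so the assertion is evaluated against the wrong object. Suggested `"check": "$.metadata_policy.openid_provider.response_modes_supported"`, with `required` reduced to `[\"subset_of\"]` as the description states and the operator subschemas typed as `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` rather than `{}`.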
@@ -16324,32 +17145,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
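Review bot: The scopes_supported check has the same path problem: `$.metadata_policy.intermediary.scopes_supported` versus a description that names the `openid_provider` type. It should be `"check": "$.metadata_policy.openid_provider.scopes_supported"`, and the schema should require only what the description asks for (`subset_of`) and constrain it with `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` so an unexpected scalar does not pass.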
@@ -16361,32 +17175,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
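Review bot: The token_endpoint_auth_signing_alg_values_supported check targets `$.metadata_policy.intermediary....` although the name and description refer to the `openid_provider` policy; the path should be `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_signing_alg_values_supported"`. The schema also requires `superset_of` while the description mentions only `subset_of`, and the `{}` subschemas let any value through — pin them to `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}`. This policy governs the algorithms accepted for client authentication at the token endpoint, so a check that resolves to nothing is a real gap.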
@@ -16398,32 +17205,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
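Review bot: The userinfo_encryption_alg_values_supported check reads `$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported`, but the test name and description place the parameter under the `openid_provider` type. Suggested `"check": "$.metadata_policy.openid_provider.userinfo_encryption_alg_values_supported"`, with `required` aligned to the description (`subset_of` only) and the operator values constrained to `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` instead of `{}`.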
@@ -16435,32 +17235,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
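Review bot: Same mismatch for userinfo_encryption_enc_values_supported: the check path uses the `intermediary` key while the description says `openid_provider`. Use `"check": "$.metadata_policy.openid_provider.userinfo_encryption_enc_values_supported"`, drop `superset_of` from `required` unless the profile mandates it, and type the operator subschemas as string arrays rather than `{}`.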
@@ -16472,32 +17265,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
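Review bot: The userinfo_signing_alg_values_supported check also resolves `$.metadata_policy.intermediary....` although its name and description speak of the `openid_provider` policy; it should be `"check": "$.metadata_policy.openid_provider.userinfo_signing_alg_values_supported"`. As with the sibling tests, `required` should match the description (`subset_of`) and the `{}` subschemas should become `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}` so the signing-algorithm allow-list is actually validated as a list.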
@@ -16509,32 +17295,55 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. 
Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Statement response TA SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" } ] } @@ -16547,14 +17356,14 @@ { "test": { "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -16591,7 +17400,7 @@ ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -16628,7 +17437,7 @@ ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -16665,7 +17474,7 @@ ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", 
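Review bot: The schema for the new SA grant_types test is malformed JSON — `\"required\": [\"subset_of\"], [\"superset_of\"]}` places a bare array after a comma inside an object — so the `json schema compliant` string cannot be parsed and the test will error instead of validating the policy. It should read `\"required\": [\"subset_of\", \"superset_of\"]`, matching the description and the RP variant added just above it in the same hunk. The `{}` operator subschemas would also benefit from `{\"type\": \"array\", \"items\": {\"type\": \"string\"}}`.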
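Review bot: In the `@@ -16547,14 +17356,14 @@` hunk the description now says the Trust Mark is "issued for an TA" and the source becomes `Entity Statement response TA OP`, but the test name still calls it the oauth_resource Trust Mark (the AA profile) whose `claims` claim is checked; an OP's trust mark is unlikely to carry that claim, so either the name or the message type looks wrong. Suggested wording: `In this test, a Trust Mark issued by the TA for an AA (oauth_resource profile) is taken, decoded and the presence of the claims claim in it is checked.`, together with a message type that actually yields the AA's statement if one exists in session s1. Trust marks are signed JWTs rather than encrypted ones, so "decoded" is the accurate verb throughout these descriptions.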
@@ -16695,14 +17504,14 @@ { "test": { "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -16731,7 +17540,7 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", + "name": "Does the Trust Mark contain id_code claim", "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ @@ -16739,7 +17548,7 @@ ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -16768,15 +17577,15 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -16790,7 +17599,7 @@ "checks": [ { "in": "payload", - "check": "iss", + "check": "$.id_code.ipa_code", "is present": "true" } ] 
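Review bot: The new `$.id_code.ipa_code` presence check (hunks `@@ -16768` and `@@ -16790`) is named as applying to a Trust Mark "issued by a TA for public organization", but nothing in the test conditions on `organization_type` being `public`, so a trust mark for a private entity — which presumably carries a different identifier inside `id_code` — will be reported as a failure. Either guard the check on `organization_type == public` if the test DSL supports a precondition, or rename the test to state that it is expected to pass only for public entities. The description also says the trust mark is "decrypted"; it is a signed JWT, so `decoded` is the accurate term.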
@@ -16805,15 +17614,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -16827,7 +17636,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "logo_uri",
+ "check": "iss",
 "is present": "true"
 }
 ]
@@ -16842,15 +17651,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -16864,7 +17673,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "organization_name",
+ "check": "logo_uri",
 "is present": "true"
 }
 ]
@@ -16879,15 +17688,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -16901,7 +17710,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "organization_type",
+ "check": "organization_name",
 "is present": "true"
 }
 ]
@@ -16916,15 +17725,15 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -16938,7 +17747,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "policy_uri",
+ "check": "organization_type",
 "is present": "true"
 }
 ]
@@ -16953,15 +17762,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -16975,7 +17784,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "ref",
+ "check": "policy_uri",
 "is present": "true"
 }
 ]
@@ -16990,15 +17799,15 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
- "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -17012,7 +17821,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "sa_profile",
+ "check": "ref",
 "is present": "true"
 }
 ]
@@ -17028,14 +17837,14 @@
 {
 "test": {
 "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -17064,15 +17873,15 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -17102,14 +17911,14 @@
 {
 "test": {
 "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -17138,53 +17947,32 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
- "type": "active",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA OP",
- "decode operations": [
- {
- "from": "url",
- "decode param": "client_assertion",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "use variable": "true",
- "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
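Review bot: The nested decode added in this hunk, `"decode param": "$.trust_marks[0].trust_mark"`, inspects only the first element of the trust_marks array, so when the TA's statement carries more than one Trust Mark the claim is looked up in whichever mark happens to be first and the verdict is unrelated to the oauth_resource mark the test is named after. The same fixed index is used in hunks -17196 through -17639; iterating over every element, or stating in the description that the first Trust Mark is assumed to be the relevant one, would make the outcome deterministic. Nothing in these decode steps verifies the Trust Mark signature, so the presence checks only speak to authenticity if the tool validates the signature elsewhere. The removed active test compared the statement's iss with the Entity Configuration's iss; if that cross-check is not reintroduced in another part of the file, the issuer consistency check is lost with this commit.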
@@ -17196,53 +17984,32 @@
 },
 {
 "test": {
- "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
- "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
- "type": "active",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response SA RP",
- "decode operations": [
- {
- "from": "url",
- "decode param": "client_assertion",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "conf_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "use variable": "true",
- "in": "payload",
- "check": "$.iss",
- "contains": "conf_iss"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17254,25 +18021,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the contacts parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.contacts",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17284,25 +18058,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_fetch_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17314,25 +18095,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_list_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17344,25 +18132,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17374,25 +18169,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17404,25 +18206,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the homepage_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17434,25 +18243,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the logo_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17464,25 +18280,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the organization_name parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17494,25 +18317,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata contain the policy_uri parameter",
- "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -17524,20 +18354,34 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17547,20 +18391,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17570,20 +18428,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17593,20 +18465,34 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17616,20 +18502,34 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Statement response TA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17639,20 +18539,34 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response SA RP",
- "checks": [
+ "message type": "Entity Statement response TA SA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
+ {
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -17662,25 +18576,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
 }
 ]
 }
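Review bot: The new check `"check": "$.constraints.max_path_length"` with `"is present": "true"` only asserts that the attribute exists, although max_path_length is a numeric trust-chain constraint and the file already pins numeric claims with `json schema compliant` (the exp check removed in this very hunk). A string or negative value would pass as written; `"check": "$.constraints",` together with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"max_path_length\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"max_path_length\"]}"` would reject it. This hunk and the five that follow rename `decode param` to `decode regex` for the body regex, but the new TA SA grant_types test added earlier in this file section still uses `"decode param": "[^\\r\\n]*"`; if the tool treats the two keys differently, that test will not decode the body as intended.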
@@ -17692,25 +18606,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
@@ -17722,25 +18636,25 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -17752,25 +18666,25 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -17782,25 +18696,25 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -17812,25 +18726,25 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -17842,25 +18756,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -17872,25 +18786,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -17902,25 +18816,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -17932,25 +18846,25 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the Entity's metadata contain the policy_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -17962,25 +18876,25 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.jwks",
- "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -17992,26 +18906,25 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
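Review bot: The description says the `authorization_response_iss_parameter_supported` policy entry must contain the key 'one_of', but the check on the last added lines looks up `.value`, so the test passes a policy written with `value` and fails one written with `one_of`, the opposite of what is documented. Either the path or the description is wrong; if `one_of` is the operator the TA is expected to use, the line should read `"check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.one_of",`. The claims_parameter_supported and request_parameter_supported "correct ... parameter key" tests further down carry the same 'one_of' description over a `.value` check.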
@@ -18023,26 +18936,25 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -18054,25 +18966,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration SA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_SA"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
@@ -18084,24 +18996,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
 "is present": "true"
 }
 ]
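Review bot: The check path `$.metadata_policy.openid_provider.client_registration_types_supported.subset_of` is identical to the one in the next hunk, so this test and the "correct ... parameter key" test are duplicates, and the plain presence test that the name and description promise no longer exists. Following the other presence tests in this batch, the line should be `"check": "$.metadata_policy.openid_provider.client_registration_types_supported",`.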
@@ -18114,24 +19026,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -18144,24 +19056,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
 "is present": "true"
 }
 ]
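Review bot: The check path reads `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of` while the name and description say the `openid_provider` type of an OP's entity statement; unless the fixture's policy is really keyed by `intermediary` (nothing visible here suggests so), this inspects a path that does not exist and the test fails regardless of what the TA's policy contains. The response_types_supported, revocation_endpoint_auth_methods_supported and subject_types_supported tests further down have the same `intermediary` segment, and those three additionally describe 'one_of' while checking `subset_of`. For this hunk the line should be `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of",`.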
@@ -18174,19 +19086,19 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
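Review bot: The new description ends with "It must contain the RP JWKS related to the OIDC Core operations", a sentence carried over from the RP variant of this test; this hunk targets an OP's entity statement, so it should say the OP's JWKS, e.g. `... is checked. It must contain the OP JWKS related to the OIDC Core operations`. The enclosing test object and its checks continue outside the hunk, so the check path itself could not be verified here.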
@@ -18204,24 +19116,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
 "is present": "true"
 }
 ]
@@ -18234,24 +19146,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
 "is present": "true"
 }
 ]
@@ -18264,24 +19176,24 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain the trust marks",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
+ "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
 "is present": "true"
 }
 ]
@@ -18294,24 +19206,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
 "is present": "true"
 }
 ]
@@ -18324,24 +19236,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -18354,24 +19266,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -18384,24 +19296,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -18414,24 +19326,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
 "is present": "true"
 }
 ]
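Review bot: The check path starts with `$..metadata_policy`, the JSONPath recursive-descent operator; every other test in this batch uses `$.metadata_policy`, so this looks like a typo that would match a `metadata_policy` key anywhere in the payload rather than only at the top level of the entity statement. The name also promises a specific "parameter key" while the description names none, so a reader cannot tell whether `subset_of` is the operator the TA is expected to use. If it is, say so in the description and use `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",`.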
@@ -18444,24 +19356,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
 "is present": "true"
 }
 ]
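Review bot: The description says the `client_registration_types` policy entry must contain the key 'one_of' but the check looks up `.subset_of`; the next three hunks (id_token_encrypted_response_alg, id_token_encrypted_response_enc, id_token_signed_response_alg) have the inverse mismatch, describing 'subset_of' while checking `.one_of`. A policy operator check that tests the wrong key either always fails or, worse, passes a TA policy that does not actually constrain the parameter, so whichever of the description or the path is wrong in each of these four tests should be corrected so that the asserted key and the documented one agree.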
@@ -18474,24 +19386,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -18504,24 +19416,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
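Review bot: The description says id_token_encrypted_response_enc must carry the key 'subset_of', but the `check` line asserts `...id_token_encrypted_response_enc.one_of`; one of the two is wrong and the report will mislead whoever reads a failure. Fix either the JSONPath or the last sentence of the description so they name the same operator. As written the test only proves the operator key exists, not that the permitted `enc` values are acceptable.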
@@ -18534,24 +19446,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
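Review bot: Description ('subset_of') and assertion (`...id_token_signed_response_alg.one_of`) name different policy operators for id_token_signed_response_alg; align them on the operator the profile requires. For a signing-algorithm policy a presence check is a weak assertion: the test passes even if the permitted list included `none` or any other algorithm the profile forbids. A `json schema compliant` check on the operator's array, as this file already does for Trust Mark claims, would pin the allowed values and is worth considering for this entry in particular.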
@@ -18564,24 +19476,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is present": "true"
 }
 ]
@@ -18594,24 +19506,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
 "is present": "true"
 }
 ]
@@ -18624,24 +19536,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
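Review bot: The operator named in the description ('subset_of') does not match the one asserted on the `check` line (`...userinfo_encrypted_response_alg.one_of`). Decide which operator the TA policy must use for userinfo_encrypted_response_alg and make the description and the JSONPath agree, otherwise a failing test reports a requirement the assertion never evaluated.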
@@ -18654,24 +19566,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
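Review bot: Same description/check mismatch as the sibling tests: the text requires 'subset_of' for userinfo_encrypted_response_enc, the JSONPath asserts `...userinfo_encrypted_response_enc.one_of`. The test name also breaks the pattern of the series, reading `contain the userinfo_encrypted_response_enc parameter key` where every other one reads `contain a correct ... parameter key`; `"name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_enc parameter key"` would keep the report consistent and greppable.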
@@ -18684,24 +19596,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
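Review bot: The description requires the key 'subset_of' for userinfo_signed_response_alg while the `check` line asserts `...userinfo_signed_response_alg.one_of`; make them name the same operator. As with id_token_signed_response_alg, presence of the operator key does not rule out weak or forbidden signing algorithms in its value, so a value-level check would be the stronger assertion if the profile fixes the allowed list.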
@@ -18714,24 +19626,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
 "is present": "true"
 }
 ]
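Review bot: For the SA policy the description says client_registration_types must contain the key 'one_of', but the assertion is `$.metadata_policy.intermediary.client_registration_types.subset_of`; this repeats the mismatch of the RP variant and should be resolved the same way, in whichever direction is correct. The check only establishes that the operator key exists and does not verify the registration types the SA policy actually permits.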
@@ -18744,24 +19656,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
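Review bot: Description ('subset_of') and check (`...intermediary.id_token_encrypted_response_alg.one_of`) disagree on the policy operator for the SA's id_token_encrypted_response_alg entry; correct one side so the test documents what it asserts. Presence of the operator key alone does not constrain the encryption algorithms the policy admits.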
@@ -18774,21 +19686,27 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
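Review bot: This hunk turns the only visible signature-verification test for the SA's Entity Configuration (`"jwt check sig": "X_key_SA"`) into a policy-presence check; if that test is not re-added elsewhere in this regenerated file, the suite no longer verifies that the SA's Entity Configuration is signed by the SA's federation key, which is the property the whole trust chain rests on, so please confirm it still exists. The new test itself has the same description/check mismatch as its siblings: 'subset_of' in the text versus `...intermediary.id_token_encrypted_response_enc.one_of` in the JSONPath.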
@@ -18798,21 +19716,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
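Review bot: The description requires 'subset_of' for the SA's id_token_signed_response_alg policy while the `check` line asserts `...intermediary.id_token_signed_response_alg.one_of`; align them, and consider that a presence check would not notice a policy that still permits `none` or other forbidden signing algorithms. This hunk also drops the `jwt check sig` test for the SA-issued OP Entity Statement; if it is not present elsewhere in the file after this change, signature verification of SA statements about OPs is no longer covered.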
@@ -18822,21 +19746,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
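Review bot: The check for the SA's response_types policy reads `$.metadata_policy.openid_relying_party.response_types.value`, but the description and every other SA test in this series look under `metadata_policy.intermediary`, so this assertion is evaluated against the RP section of the TA's policy rather than the SA one. Unless the SA policy is intentionally meant to constrain the RP metadata type, which the description does not suggest, it should be `"check": "$.metadata_policy.intermediary.response_types.value"`. The `jwt check sig` test for the SA-issued RP Entity Statement removed here should likewise be confirmed to survive elsewhere in the file.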
@@ -18846,32 +19776,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "is present": "true"
 }
 ]
 }
@@ -18883,32 +19806,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
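Review bot: The description says the SA's userinfo_encrypted_response_alg policy must contain the key 'subset_of', but the `check` line asserts `...intermediary.userinfo_encrypted_response_alg.one_of`; one of the two needs correcting so the report matches the assertion. Presence of the operator does not verify which encryption algorithms the policy admits.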
@@ -18920,32 +19836,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "is present": "true"
 }
 ]
 }
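Review bot: Description ('subset_of') and assertion (`...intermediary.userinfo_encrypted_response_enc.one_of`) name different operators for the SA's userinfo_encrypted_response_enc policy; make them agree on the operator the profile mandates. Like the rest of the series this only asserts the operator key exists, not that its value is acceptable.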
@@ -18957,32 +19866,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
- "type": "passive",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "is present": "true"
 }
 ]
 }
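Review bot: The description requires 'subset_of' for the SA's userinfo_signed_response_alg policy while the `check` line asserts `...intermediary.userinfo_signed_response_alg.one_of`; align the two. For a signing-algorithm entry a presence check is weak, since a policy whose value still allowed `none` would pass; if the profile fixes the permitted algorithms, a `json schema compliant` check on the operator's array, as this file uses elsewhere, would enforce it.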
@@ -18994,32 +19896,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
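Review bot: The new TA Entity Configuration test decodes the body with `"decode param": "[^\\r\\n]*"`, while every other hunk in this commit changes exactly that line from `decode param` to `decode regex` for the same pattern. If mig-t interprets `decode param` as a parameter name rather than a regular expression, the JWT is never extracted and the `$.exp` presence check cannot run, so the test would fail or report nothing regardless of the TA's behaviour; `"decode regex": "[^\\r\\n]*"` keeps it consistent with the rest of the file. Minor: the description says the payload is 'Base64' decoded, but JWT segments are base64url, which matters to anyone reproducing the check by hand.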
@@ -19031,32 +19926,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
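Review bot: This test uses `"decode param": "[^\\r\\n]*"` where the rest of this commit migrates the same line to `"decode regex": "[^\\r\\n]*"`; if the two keys are not synonyms in mig-t, the TA's Entity Configuration JWT is not decoded and the `$.iat` check never runs. Use `decode regex` here as in the other hunks.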
@@ -19068,32 +19956,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
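Review bot: Same inconsistency as the other new TA Entity Configuration tests: the body is decoded with `"decode param": "[^\\r\\n]*"` while the rest of this commit uses `"decode regex"` for that pattern, so the `$.iss` presence check depends on mig-t treating the two keys alike. Switch to `decode regex` for consistency. Presence of `iss` alone is not a strong check for an Entity Configuration; the spec-level requirement is that `iss` equals `sub` and equals the TA's entity identifier, which the assertion does not cover.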
@@ -19105,32 +19986,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
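Review bot: The decode step here is `"decode param": "[^\\r\\n]*"`, unlike the `"decode regex"` form this commit adopts everywhere else for the same pattern; if `decode param` is not a regex in mig-t, the `$.jwks` check on the TA's Entity Configuration never executes. Use `decode regex` for consistency with the other hunks.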
@@ -19142,32 +20016,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
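Review bot: `"decode param": "[^\\r\\n]*"` on the TA Entity Configuration test diverges from the `"decode regex"` form this commit introduces for the identical pattern in every other hunk; the `$.metadata` presence check relies on mig-t accepting both spellings. Align on `decode regex` as elsewhere.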
@@ -19179,32 +20046,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
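Review bot: This test also decodes with `"decode param": "[^\\r\\n]*"` rather than the `"decode regex"` key the commit switches to in the other hunks for the same pattern, so the `$.sub` presence check may not execute if the keys differ in meaning; use `decode regex` here too. A self-issued Entity Configuration is expected to have `sub` equal to `iss`; a presence-only check does not catch a statement whose `sub` names a different entity.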
@@ -19216,32 +20076,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
@@ -19253,32 +20106,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the Federation Configuration contain the TA public keys", + "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
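Review bot: The check `"check": "$.jwks"` with `"is present": "true"` only proves the claim exists; an empty `jwks` object or an empty `keys` array passes even though the test name promises the TA public keys are present. The removed side of this hunk shows the DSL supports `json schema compliant`, so a stronger assertion is `"check": "$"` together with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"jwks\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}}, \"required\": [\"jwks\"]}"` in place of the `is present` line. Whether a separate test already validates the key set is not visible from this hunk.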
@@ -19290,32 +20136,25 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] + "in": "payload", + "check": "$.trust_mark_issuers", + "is present": "true" } ] } 
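Review bot: The test name and description say `trust_marks_issuers` while the check reads `"check": "$.trust_mark_issuers"`; the OpenID Federation claim in a Trust Anchor's Entity Configuration is `trust_mark_issuers`, so the check is right and the name and description should be corrected to match, e.g. `"name": "Does TA's Entity configuration contain the trust_mark_issuers parameter"`. Leaving the mismatch makes a failing test report a claim name that does not exist in the payload.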
@@ -19327,32 +20166,25 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
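Review bot: The description has wording slips that recur in the other TA Entity Statement tests: "the presence if the constraints parameter is checked" should read "the presence of the constraints parameter is checked", "once obtained the decrypted Payload" should say "decoded" (the payload of a signed Entity Statement is base64url-decoded, not decrypted), and the name "Does Entity Statements issued by the TA" should be "Do Entity Statements issued by the TA". The same sentences appear in every hunk from `@@ -19364,32 +20196,25 @@` through `@@ -19919,32 +20646,25 @@` except the metadata-policy test at `@@ -19845,32 +20586,25 @@`. Correcting the sentence once and copying it keeps the report output consistent.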
@@ -19364,32 +20196,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
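Review bot: `"check": "$.exp"` with `"is present": "true"` accepts any value for `exp`, including a string or a negative number, whereas the Trust Mark tests this hunk replaces validated it as a non-negative integer. If no separate type test covers these claims, replace the two check lines with `"check": "$"` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. The same applies to the `iat` test at `@@ -19401,32 +20226,25 @@` and to the TA RP `exp` and `iat` tests at `@@ -19660,32 +20436,25 @@` and `@@ -19697,32 +20466,25 @@`.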
@@ -19401,32 +20226,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -19438,32 +20256,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -19475,32 +20286,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -19512,32 +20316,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -19549,32 +20346,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -19586,32 +20376,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -19623,32 +20406,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
@@ -19660,32 +20436,25 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -19697,32 +20466,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -19734,32 +20496,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -19771,32 +20526,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -19808,32 +20556,25 @@ }, { "test": { - "name": "Does the Trust Mark contain correct type of logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -19845,32 +20586,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
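Review bot: The check `"check": "$.jwks"` inspects the top-level Entity Statement payload, but the name and description say the `jwks` inside `metadata_policy.openid_relying_party` must be present; as written this test duplicates the `jwks` test for the same message type at `@@ -19771,32 +20526,25 @@`. If the description is the intent, the path should be `"check": "$.metadata_policy.openid_relying_party.jwks"`. No other check in this hunk set uses a nested path, so it is worth confirming the DSL's JSONPath handling with a quick run.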
@@ -19882,32 +20616,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -19919,32 +20646,25 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -19956,34 +20676,20 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response TA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
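Review bot: The pattern `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` allows `-` only in the signature segment, yet JWS header and payload segments are base64url too and may contain `-`; a correct Entity Configuration whose payload contains a `-` would not match and the test would fail spuriously. Allow the base64url alphabet in all three segments, e.g. `"check regex": "([\\w\\-=]+)\\.([\\w\\-=]+)\\.([\\w\\-=]*)"`. The description also promises `Content-Type: application/entity-statement+jwt`, which a body regex cannot verify; if the DSL can check response headers, that belongs in a separate assertion. The same pattern is used in the fetch-endpoint test at `@@ -20067,34 +20745,20 @@`.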
@@ -19993,34 +20699,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Resolve Entity Statement response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } - ] - } - ] + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
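Review bot: The pattern `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` starts with an unescaped `[`, so it opens a character class instead of matching a literal bracket (compare the escaped `\\[` in the listing test in the next hunk); depending on the regex engine it either fails to compile as an unclosed class or matches something other than intended. Even with the bracket escaped it describes a JSON array of strings, which is the entity-listing response, not the resolved Entity Statement the description expects; in OpenID Federation the resolve response is a signed JWT, so the check should use the JWT shape the other endpoint tests use, e.g. `"check regex": "([\\w\\-=]+)\\.([\\w\\-=]+)\\.([\\w\\-=]*)"`. As written the test cannot pass on a correct response.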
@@ -20030,34 +20722,20 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } - ] - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
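Review bot: The description still talks about the resolve entity statement endpoint although the test is about the entity listing endpoint; its first sentence should read `In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request to the entity's endpoint is done.` The regex also requires at least one quoted string, so a Trust Anchor with no subordinates that legitimately returns `[]` fails this passive check; if an empty list is acceptable, `"check regex": "\\[\\s*(\"[^\"]*\"(?:,\\s*\"[^\"]*\")*)?\\s*\\]$"` covers both cases.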
@@ -20067,34 +20745,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Statement response TA OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -20104,19 +20768,19 @@ }, { "test": { - "name": "Does the entity return a correct HTTP code in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response AA", + "message type": "Entity Statement response TA RP", "checks": [ { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", "is present": "true" } ] 
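Review bot: This test carries exactly the same `name` and `description` as the one in the previous hunk (`Does the TA correctly release the Entity statements`), differing only in `"message type": "Entity Statement response TA RP"` versus `TA OP`; the same duplication occurs for the two `Does the Entity expose the fetch entity statement endpoint` tests added in the next hunk. If names are used to identify tests in reports or filters, the OP and RP variants become indistinguishable, so naming the subordinate, e.g. `"name": "Does the TA correctly release the Entity statement for the RP"`, would help. It is also unclear from the descriptions how `Entity Statement response TA *` and `Fetch Entity Statement response TA *` differ, since both describe a GET to the TA's fetch endpoint; one sentence in each description distinguishing the two message types would remove the ambiguity.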
@@ -20127,8 +20791,296 @@ }, { "test": { - "name": "Does the Entity expose the /.well-known/openid-federation endpoint", - "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Fetch Entity Statement response TA OP", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Fetch Entity Statement response TA RP", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "type": "passive", + "sessions": [ + "s1" + ], + 
"operations": [ + { + "message type": "Public Keys History response", + "checks": [ + { + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response AA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test": { + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. 
It must be an HTTP 200 OK response", "type": "passive", "sessions": [ "s1" @@ -20150,8 +21102,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", "type": "passive", "sessions": [ "s1" @@ -20159,21 +21111,11 @@ "operations": [ { "message type": "Entity Configuration response AA", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" } ] } @@ -20183,8 +21125,8 @@ }, { "test": { - "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" 
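Review bot: The five new `Does the metadata parameter contain only allowed types and only once for each` entries cannot detect a repeated key as written: `"check": "$.metadata"` applies a JSONPath to the decoded payload, and once the payload is parsed most JSON parsers silently keep the last duplicate, so `not matches regex` runs on re-serialized text in which the duplicate no longer exists; the pattern additionally requires a newline between the two occurrences (`(\\n.*)+`), which a compact JWT payload never contains. Detecting duplicate keys needs the raw decoded payload text, e.g. a `check regex` on the base64url-decoded body before JSON parsing, or a duplicate-key check in the tool. Structurally these five entries are `{ "test suite": ..., "tests": [...] }` objects placed among `{ "test": ... }` siblings in the same array, with identical names and descriptions; if the runner expects each element of `tests` to be a `test` object they will be skipped or rejected, and in any case naming each for the type it covers (`... only once: openid_relying_party`) would make failures readable. Separately, the `Public Keys History response` test uses the list-of-strings pattern `\\[\\s*\"[^\"]*\"...`, but a JWK Set is `{"keys": [ {...} ]}` (an array of objects, or a JWT carrying one), so a well-formed response cannot match. Finally, `"is": "application/entity-statement+jwt"` on `Content-Type` will reject a response that appends `; charset=...` if `is` is an exact comparison; a `check regex` of `^application/entity-statement\\+jwt` is more robust.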
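Review bot: After this change the `Does the Entity expose the /.well-known/openid-federation endpoint` test only asserts `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"` in the head, which is the same assertion the preceding `Does the entity return a correct HTTP code in the EC response` test makes on the same `Entity Configuration response AA` message, so any 200 response, an HTML page included, now counts as an exposed endpoint. Adding a body check for a compact JWS (three base64url segments separated by dots) to this test would keep the two tests distinct and actually confirm that an entity configuration was returned.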
@@ -20195,15 +21137,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", - "is in": [ - "private_key_jwt" - ] + "check": "$.sub", + "is": "X_key_AA" } ] } @@ -20215,8 +21155,8 @@ }, { "test": { - "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].", + "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -20227,15 +21167,17 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", - "is in": [ - "RS256", - "RS512" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" ] } ] 
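Review bot: The description says the `sub` value must equal the `iss` parameter, but the check compares it with a fixed label, `"is": "X_key_AA"`, so sub/iss equality is never verified; either the description should state what `X_key_AA` resolves to, or the check should compare the two claims directly, if the tool offers such a check. The test name in the preceding hunk, `Does entity configuration OP contain a correct sub parameter`, says OP although this decodes the AA's configuration; it should read `"name": "Does entity configuration AA contain a correct sub parameter"`.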
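Review bot: `"not contains"` on `$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of` passes vacuously when the path resolves to nothing, which is what happens if the Entity Configuration publishes the claim as a plain array rather than a policy-style object with `one_of`, or omits it altogether; a negative check therefore proves nothing about a weak or missing algorithm list. Pair it with an `"is present": "true"` check on the same path in the same `checks` array, so that absence is reported rather than silently accepted. The `token_endpoint_auth_signing_alg_values_supported` variant in the next hunk has the same gap.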
@@ -20248,32 +21190,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response AA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the AA metadata contain the authorization_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" @@ -20284,13 +21202,18 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.authorization_endpoint", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -20302,8 +21225,8 @@ }, { "test": { - "name": "Does the AA metadata contain the contacts claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -20314,15 +21237,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" - } - ] + "jwt check sig": "X_key_AA" } ] } @@ -20332,8 +21249,8 @@ }, { "test": { - "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type authorization_endpoint claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"", "type": "passive", "sessions": [ "s1" 
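Review bot: The description says the verification key must be taken from the superior's Entity Statement, but `"jwt check sig": "X_key_AA"` references a fixed key label and nothing in the test ties it to a superior's statement; if that label resolves to a key configured out-of-band, or to the `jwks` carried in the same Entity Configuration, the check is self-referential and does not show that the configuration is signed by the key the federation vouches for. The description should state where `X_key_AA` is obtained (and that it is not read from the JWT under test). It also says the verifier is configured for the algorithm named in the header; a verifier that takes `alg` from the unverified header is exposed to algorithm-substitution, so the check should pin the allowed algorithms, which this suite itself expects to be `RS256`/`RS512`. The test's name and description are in the previous hunk.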
@@ -20344,13 +21261,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}" } ] } @@ -20362,8 +21279,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_resolve_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" @@ -20374,13 +21291,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } 
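Review bot: The schema `{"type": "object","properties": {"authorization_endpoint": {"type": "string","const": "private"}},"required": ["authorization_endpoint"]}` applied to `$.metadata.federation_entity` requires a `federation_entity.authorization_endpoint` whose value is the literal string `private`; `authorization_endpoint` is an authorization-server metadata field holding a URL, and the previous hunk's description (`... is "private"`) reads like an unfilled template, so a conforming AA fails this test. If the intent matches the presence test kept later in the file, the check should target `"check": "$.metadata.oauth_authorization_server"` with `{"type": "string", "format": "uri", "pattern": "^https://"}` for `authorization_endpoint`, and the description should say so.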
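Review bot: The description `In this test the SA metadata in the TA Entity Configuration are taken ...` contradicts the test name (`Does the AA metadata contain correct type logo_uri claim`) and, presumably, the `Entity Configuration response AA` message its sibling tests use; it should read `In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file`. The `^https://.*\\\\.svg$` pattern in the next hunk also rejects a logo URL carrying a query string or fragment; if those are acceptable, `^https://[^?#]*\\\\.svg([?#].*)?$` allows them.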
@@ -20392,8 +21309,8 @@ }, { "test": { - "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct type op_policy_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"", "type": "passive", "sessions": [ "s1" @@ -20404,13 +21321,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "check": "$.metadata.openid_provider", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}" } ] } @@ -20422,8 +21339,8 @@ }, { "test": { - "name": "Does the AA metadata contain the grant_types_supported claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain correct type resource claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL", "type": "passive", "sessions": [ "s1" 
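Review bot: The `op_policy_uri` schema `{"type": "string","format": "uri"}` relies on `format` alone, which JSON Schema validators treat as an annotation unless format assertion is enabled, so without a `pattern` any string satisfies it; the sibling schemas in this file add `"pattern": "^https://"`, and this one should too. The description in the previous hunk (`... the value of the op_policy_uri claim in the 'openid_provider' entity type is "private"`) does not match the check, which asserts a URI, and should say `is an HTTPS URL`.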
@@ -20434,13 +21351,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.grant_types_supported", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}" } ] } @@ -20452,8 +21369,8 @@ }, { "test": { - "name": "Does the AA metadata contain the homepage_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain a correct type of issuer claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL", "type": "passive", "sessions": [ "s1" @@ -20464,13 +21381,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.metadata.oauth_authorization_server", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})" } ] } 
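Review bot: This check looks for `resource` under `$.metadata.federation_entity`, while the presence test this commit removes further down (`$.metadata.oauth_resource.resource`) and the `oauth_resource` entity type itself place it under `oauth_resource`; the new description also says 'federation_entity', so either the description was carried over from a template or the path should be `"check": "$.metadata.oauth_resource"`. Because `required` makes the key mandatory, a conforming AA that publishes `resource` only under `oauth_resource` fails this test.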
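Review bot: The embedded schema ends with `"required":["issuer"]})` — the trailing `)` after the closing brace makes the schema string invalid JSON, so the `json schema compliant` check will fail while parsing the schema instead of validating the claim. Remove the `)` so the value ends with `"required":["issuer"]}`; the `logo_uri` schema in the next hunk has the same trailing `)`.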
@@ -20482,8 +21399,8 @@ }, { "test": { - "name": "Does the AA metadata contain the issuer claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the AA metadata contain a correct logo_uri claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -20494,13 +21411,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.issuer", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})" } ] } @@ -20512,8 +21429,8 @@ }, { "test": { - "name": "Does the AA metadata contain the jwks claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" 
@@ -20524,13 +21441,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.jwks", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } @@ -20542,8 +21459,8 @@ }, { "test": { - "name": "Does the AA metadata contain the logo_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array", "type": "passive", "sessions": [ "s1" @@ -20554,13 +21471,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" } ] } 
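Review bot: The schema `{"trust_marks": {"type": "object", "additionalProperties": {"type": "array"}}}` requires `trust_marks` to be an object whose values are arrays, which contradicts both the description (`It must be an array`) and the Trust Mark tests this commit replaces, which addressed it as `$.trust_marks[0].trust_mark`; a standard `trust_marks` array fails this check. Use `"trust_marks": {"type": "array", "items": {"type": "object"}}`, adding `"required": ["id", "trust_mark"]` on the items if the suite wants to pin the entry shape.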
@@ -20572,8 +21489,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -20584,13 +21501,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -20602,8 +21519,8 @@ }, { "test": { - "name": "Does the AA metadata contain the op_tos_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -20614,13 +21531,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.oauth_authorization_server.op_tos_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -20632,8 +21549,8 @@ }, { "test": { - "name": "Does the AA metadata contain the organization_name claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -20644,13 +21561,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } 
@@ -20662,8 +21579,8 @@ }, { "test": { - "name": "Does the AA metadata contain the policy_uri claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the AA metadata contain correct dpop_signing_alg_values_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 'one_of': ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -20679,8 +21596,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -20692,8 +21612,8 @@ }, { "test": { - "name": "Does the AA metadata contain the resource claim", - "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.", + "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim", + "description": "In this test the AA metadata in the AA Entity Configuration are taken and the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked. It must contain the key-value pair 'one_of': ['private_key_jwt']", "type": "passive", "sessions": [ "s1" @@ -20709,8 +21629,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.oauth_resource.resource", - "is present": "true" + "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported.one_of", + "is in": [ + "private_key_jwt" + ] } ] } 
@@ -20722,8 +21644,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the response_types_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20739,8 +21661,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.response_types_supported",
- "is present": "true"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is in": [
+ "RS256",
+ "RS512"
+ ]
 }
 ]
 }
@@ -20752,8 +21677,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the scopes_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the authorization_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20769,7 +21694,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.scopes_supported",
+ "check": "$.metadata.oauth_authorization_server.authorization_endpoint",
 "is present": "true"
 }
 ]
@@ -20782,8 +21707,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the contacts claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20799,7 +21724,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -20812,8 +21737,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain dpop_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20829,7 +21754,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
+ "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported",
 "is present": "true"
 }
 ]
@@ -20842,8 +21767,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
+ "name": "Does the AA metadata contain the federation_resolve_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20859,7 +21784,7 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -20872,8 +21797,8 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
- "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "name": "Does the AA metadata contain the federation_trust_mark_status_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the federation_trust_mark_status_endpoint claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20881,11 +21806,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -20895,20 +21827,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the AA metadata contain the grant_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the grant_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Configuration response AA",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.oauth_authorization_server.grant_types_supported",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -20918,8 +21857,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the AA metadata contain the homepage_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20930,18 +21869,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -20953,8 +21887,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the AA metadata contain the issuer claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the issuer claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -20965,18 +21899,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
+ "check": "$.metadata.oauth_authorization_server.issuer",
+ "is present": "true"
 }
 ]
 }
@@ -20988,8 +21917,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type authorization_endpoint claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the authorization_endpoint claim in the 'federation_entity' entity type is \"private\"",
+ "name": "Does the AA metadata contain the jwks claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the jwks claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21000,13 +21929,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"authorization_endpoint\": {\"type\": \"string\",\"const\": \"private\"}},\"required\": [\"authorization_endpoint\"]}"
+ "check": "$.metadata.oauth_authorization_server.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -21018,8 +21947,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the AA metadata contain the logo_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21030,13 +21959,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -21048,8 +21977,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type op_policy_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is \"private\"",
+ "name": "Does the AA metadata contain the op_policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21060,13 +21989,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_provider",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"op_policy_uri\": {\"type\": \"string\",\"format\": \"uri\"}},\"required\": [\"op_policy_uri\"]}"
+ "check": "$.metadata.oauth_authorization_server.op_policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -21078,8 +22007,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain correct type resource claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL",
+ "name": "Does the AA metadata contain the op_tos_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_tos_uri claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21090,13 +22019,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\": \"object\",\"properties\": {\"resource\": {\"oneOf\": [{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},{\"type\": \"array\",\"items\": {\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"},\"minItems\": 1}]}},\"required\": [\"resource\"]}"
+ "check": "$.metadata.oauth_authorization_server.op_tos_uri",
+ "is present": "true"
 }
 ]
 }
@@ -21108,8 +22037,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct type of issuer claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the issuer claim in the 'oauth_authorization_server' entity type is an URL",
+ "name": "Does the AA metadata contain the organization_name claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21120,13 +22049,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.oauth_authorization_server",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"issuer\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"issuer\"]})"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -21138,8 +22067,8 @@
 },
 {
 "test": {
- "name": "Does the AA metadata contain a correct logo_uri claim",
- "description": "In this test the AA metadata in the AA Entity Configuration are taken and the value of the logo_uri claim is an URL",
+ "name": "Does the AA metadata contain the policy_uri claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21150,13 +22079,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"logo_uri\"]})"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -21168,8 +22097,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the AA metadata contain the resource claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the resource claim in the 'oauth_resource' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21180,13 +22109,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "check": "$.metadata.oauth_resource.resource",
+ "is present": "true"
 }
 ]
 }
@@ -21198,8 +22127,8 @@
 },
 {
 "test": {
- "name": "Does the AA's entity configuration contain a correct trust_marks parameter",
- "description": "To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",
+ "name": "Does the AA metadata contain the response_types_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the response_types_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21210,13 +22139,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "check": "$.metadata.oauth_authorization_server.response_types_supported",
+ "is present": "true"
 }
 ]
 }
@@ -21228,8 +22157,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the AA metadata contain the scopes_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the scopes_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21240,13 +22169,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata.oauth_authorization_server.scopes_supported",
+ "is present": "true"
 }
 ]
 }
@@ -21258,8 +22187,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the AA metadata contain the token_endpoint claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21270,13 +22199,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -21288,8 +22217,8 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the AA metadata contain the token_endpoint_auth_methods_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_methods_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21300,13 +22229,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -21318,8 +22247,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration AA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim",
+ "description": "In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21330,13 +22259,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_key_AA"
+ "check": "$.metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported",
+ "is present": "true"
 }
 ]
 }
@@ -21588,8 +22517,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
@@ -21597,12 +22526,58 @@
 "operations": [
 {
 "message type": "Entity Configuration response AA",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "jwt check sig": "X_key_AA"
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Resolve Entity Statement response",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ },
+ {
+ "test": {
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response AA",
+ "checks": [
+ {
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
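Review bot: The `"jwt check sig": "X_key_AA"` operation removed here was the only signature verification of the AA Entity Configuration visible in this file, and the tests that take its place (a JWT-shaped regex on the body, the resolve-endpoint regex and a Content-Type check) only inspect response format; unless the signature test is re-added elsewhere in the file, an unsigned or tampered entity statement now passes the AA suite, so the removal deserves an explicit justification in the commit or the test should be restored. The re-added resolve-endpoint regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` has an unescaped leading `[`, which opens a character class instead of matching the array's opening bracket, so it does not actually verify that the body is a JSON array of strings; `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",` looks like the intent. The new Content-Type check compares the whole header value with `is`; if the runner does exact matching, a value with a media-type parameter appended would be reported as a failure even though the media type is correct, which also applies to the new RP content-type file in this commit. The enclosing `operations` array and test object start outside this hunk.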
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-correct-content-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-correct-content-type.json
new file mode 100644
index 0000000..5f812e2
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-correct-content-type.json
@@ -0,0 +1,33 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "checks": [
+ {
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-correct-http-code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-correct-http-code.json
new file mode 100644
index 0000000..ce91a88
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-correct-http-code.json
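Review bot: The new file is committed without a trailing newline, as the `\ No newline at end of file` marker shows, and the same holds for the other new single-test RP files in this commit; ending each file with a newline avoids a spurious last-line change the next time one of them is edited. The check itself mirrors the AA Content-Type test added earlier in this commit, so the same exact-match caveat on the header value applies here.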
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exp-type.json
new file mode 100644
index 0000000..379a1d8
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exp-type.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exp.json
new file mode 100644
index 0000000..d4f0d46
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exp.json
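Review bot: The description says only that `the presence of the exp parameter is checked`, but the check is a JSON schema requiring `exp` to be a non-negative integer, which is exactly what distinguishes this file from the `-exp.json` presence test added right after it; suggest `... the exp parameter is checked to be a non-negative integer` here, and the same wording fix for the `-iat-type.json` file, whose description has the identical mismatch. The schema also accepts an `exp` that already lies in the past, so this test establishes that the claim is well-typed, not that the Entity Configuration is unexpired; if mig-t cannot compare against the current time, a name such as `Does entity configuration contain a well-typed exp parameter` would describe the check more accurately than `correct`.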
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exposed.json
new file mode 100644
index 0000000..6d7e477
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-exposed.json
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iat-type.json
new file mode 100644
index 0000000..d904d09
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iat-type.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iat.json
new file mode 100644
index 0000000..2d095d3
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iat.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iss.json
new file mode 100644
index 0000000..1d87f34
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-iss.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-issue.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-issue.json
new file mode 100644
index 0000000..9b43196
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-issue.json
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-jwks.json
new file mode 100644
index 0000000..fe206f6
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-jwks.json
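Review bot: The body regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is unanchored and its third group may be empty, so any body containing `x.y.` (an HTML error page mentioning a domain name, for example) satisfies this check; it also rejects `-` in the first two segments although base64url uses it, and admits `+` and `/` in the third although base64url does not. A structural JWT check should anchor and require three non-empty base64url segments, e.g. `"check regex": "^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]+\\s*$"` (assuming mig-t applies the regex to the whole body; whether it matches per line is not visible here). The description also promises a `Content-Type: application/entity-statement+jwt` check, but no head check is present; a second check with `"in": "head"` and a regex on that media type would make the test match its description.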
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-federation_entity-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-federation_entity-once.json
new file mode 100644
index 0000000..6f445ec
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-federation_entity-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json
new file mode 100644
index 0000000..1e4f9a4
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json
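Review bot: The `not matches regex` check `federation_entity.*(\\n.*)+\"federation_entity\"` cannot detect a repeated metadata type if mig-t evaluates `$.metadata` on the parsed JSON, because duplicate object keys collapse at parse time (most parsers keep the last one) and the re-serialized value then contains the key once; it would also never fire on a compact serialization, since it demands at least one newline between the two occurrences. If the intent is the parser-differential case of a duplicated key, the regex has to run on the raw decoded payload text and the description should say so; if mig-t cannot do that, a check that always passes is worse than no check. Separately, this file nests a second `"test suite"` object inside the outer `tests` array instead of a plain `"test"` entry as the sibling single-test files do, which looks like a whole file pasted into a test slot. Both points apply equally to the oauth_authorization_server, oauth_resource, openid_provider and openid_relying_party `-once` files and to the five copies added to All_RP.json in this patch.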
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-oauth_resource-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-oauth_resource-once.json
new file mode 100644
index 0000000..f9fa5a5
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-oauth_resource-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-openid_provider-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-openid_provider-once.json
new file mode 100644
index 0000000..80b935c
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-openid_provider-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-openid_relying_party-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-openid_relying_party-once.json
new file mode 100644
index 0000000..1af370e
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-openid_relying_party-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-type.json
new file mode 100644
index 0000000..ee658ab
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-type.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-value.json
similarity index 59%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-value.json
index 0d8bc02..fe54570 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-metadata-value.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata-value.json
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata.json
new file mode 100644
index 0000000..f45546e
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-metadata.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-signature.json
similarity index 100%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-signature.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-signature.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-sub-value.json
similarity index 90%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-sub-value.json
index fe2e5c3..ea145eb 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/RP-Entity Configuration response-sub-value.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-sub-value.json
@@ -7,7 +7,7 @@
 "tests": [
 {
 "test": {
- "name": "Does entity configuration RP contain a correct sub parameter",
+ "name": "Does entity configuration OP contain a correct sub parameter",
 "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.sub",
- "is": "X_url_RP"
+ "is": "X_key_RP"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-sub.json
new file mode 100644
index 0000000..f187d15
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Entity Configuration response-sub.json
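Review bot: The renamed test's name now reads "Does entity configuration OP contain a correct sub parameter" although the file lives under `RP/` and its description still says the value must equal the iss parameter, so the RP→OP edit looks accidental. The new expected value `X_key_RP` replaces `X_url_RP`, but `sub` in an entity configuration is the entity identifier, i.e. a URL, so a placeholder named after a key is surprising; if mig-t fills both placeholders from the same configuration this is harmless, but it should be confirmed. Since the description states that sub must equal iss, a check that saves `$.iss` into a variable and compares it with `$.sub` (as the removed client_assertion test in All_RP.json did with `jwt save` and `use variable`) would test the stated property instead of a fixed placeholder.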
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response RP",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Resolve Entity Statement endpoint response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Resolve Entity Statement endpoint response-exposed.json
new file mode 100644
index 0000000..2fb4169
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/ALL-Resolve Entity Statement endpoint response-exposed.json
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Resolve Entity Statement response",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
index 07707dc..cab069b 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP.json
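Review bot: The leading `[` in `"check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"` is not escaped, so it opens a character class that ends at the first `]`; the pattern therefore does not describe a JSON array of strings and effectively only requires a `"` followed by an optional `,"..."` list and a closing `]` at the end of the body. It was presumably meant to be `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also expects an HTTP 200 response, but unlike the openid-federation test there is no `"in": "head"` status-line check; and whether the resolve response body is JSON at all should be confirmed against the implementation, since current OpenID Federation drafts define it as a signed JWT (`application/resolve-response+jwt`), for which this regex would never match.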
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
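Review bot: In the second, third and fourth nested entries of this hunk the `description` string appears to be broken across two physical lines before "These types cannot be repeated", while the first and fifth entries keep it on one line; if that is a literal line break inside the JSON string rather than an artefact of how this page was rendered, strict JSON parsers (Python's json module among them) reject the whole of All_RP.json. Re-joining the string onto one line, exactly as in the first entry, fixes it. These five entries also carry the same always-passing duplicate-key `not matches regex` check and the same nested `"test suite"`-inside-`tests` layout as the single `-once` files added earlier in this patch, so whatever is decided there should be mirrored here.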
@@ -53,42 +248,20 @@
 },
 {
 "test": {
- "name": "Does the JWT payload contain a correct sub claim",
- "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value",
- "type": "active",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Token request",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode param": "(?<=client_assertion=)([^&]+)",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "$.iss",
- "as": "saved_iss"
- }
- ],
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "$.sub",
- "contains": "saved_iss"
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge"
 }
 ]
 }
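Review bot: The new `code_challenge` check is a bare substring match on the URL, so a request carrying only `code_challenge_method` (which contains `code_challenge` as a prefix) satisfies it, assuming mig-t's `check`/`is present` on `url` does plain substring matching like the `check regex` checks used elsewhere in this patch. Anchor it to the query parameter and, while there, enforce the RFC 7636 shape of the value: `"check regex": "[?&]code_challenge=[A-Za-z0-9._~-]{43,128}(&|$)"` (hedged on `check regex` being accepted for `"in": "url"`). The `sub == iss` binding on the client_assertion JWT that this hunk removes does not reappear in any hunk visible here, so that property is no longer tested.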
@@ -98,29 +271,20 @@
 },
 {
 "test": {
- "name": "Does the RP metadata contain correct 'client_registration_types' parameter",
- "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'",
+ "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter",
+ "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response RP",
- "decode operations": [
+ "message type": "Authentication request",
+ "checks": [
 {
- "from": "body",
- "decode regex": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata.openid_relying_party.client_registration_types[0]",
- "is in": [
- "automatic"
- ]
- }
- ]
+ "in": "url",
+ "is present": true,
+ "check": "code_challenge_method"
 }
 ]
 }
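Review bot: Presence of `code_challenge_method` is not enough: `plain` gives no protection against authorization-code interception and the profile mandates `S256`, yet the new check accepts any value. Pin the value, e.g. `"check regex": "[?&]code_challenge_method=S256(&|$)"`, or `"check": "code_challenge_method", "is": "S256"` if the URL checker supports value comparison (the `is` form is only used with `head`/`payload` elsewhere in this file, so please confirm).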
@@ -130,30 +294,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] - } - ] + "in": "url", + "is present": true, + "check": "client_id" } ] } @@ -163,30 +317,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } 
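Review bot: The `response_type` check in the second hunk accepts any value, while `code` is the only response type this RP profile allows, and the `client_id` check in the first hunk accepts anything that contains the substring rather than an `https://` identifier. Consider `"check regex": "[?&]response_type=code(&|$)"` and `"check regex": "[?&]client_id=https(%3A|:)"`, hedged on whether the URL checker sees the raw or the decoded query string. The `grant_types` and `id_token_encrypted_response_alg` allowlists removed by these two hunks are not re-added in any hunk visible here.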
@@ -196,30 +340,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
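Review bot: `"check regex": "client_assertion"` also matches the `client_assertion_type` parameter, so an introspection request that carries the type but no assertion still passes this test. Anchor it to the parameter name: `"check regex": "(^|&)client_assertion=[^&]+"`.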
@@ -229,30 +363,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
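Review bot: Only presence of `client_assertion_type` is verified; for the OP to treat the assertion as a private_key_jwt credential the value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, and a wrong type would be rejected or misinterpreted. Match the value, e.g. `"check regex": "(^|&)client_assertion_type=urn(%3A|:)ietf(%3A|:)params(%3A|:)oauth(%3A|:)client-assertion-type(%3A|:)jwt-bearer(&|$)"`, which tolerates both the raw and the URL-decoded form since it is not visible here which one mig-t hands to the checker.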
@@ -262,29 +386,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
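Review bot: The test name and description promise that `client_assertion` is a signed JWT, but the check is identical to the presence test (`"check regex": "client_assertion"`), so it adds no assurance and is also satisfied by `client_assertion_type` alone. Match the JWS compact form instead: `"check regex": "(^|&)client_assertion=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+(&|$)"` — three non-empty base64url segments, which also rejects an `alg: none` token whose signature segment is empty. Verifying the signature against the RP's federation JWKS would need a `decode operations` step like the active tests this patch removes.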
@@ -294,30 +409,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } @@ -327,30 +432,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "url", + "is present": true, + "check": "POST" } ] } 
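Review bot: The "uses HTTP POST" test in the second hunk looks for the string `POST` with `"in": "url"`; if mig-t's `url` target is the request URL only, this can never pass, and if it covers the whole request line it also passes for any URL that merely contains `POST`. If the DSL exposes the method, check it directly; otherwise anchor the match at the start of the request line, `"check regex": "^POST "`. The `client_id` presence check in the first hunk has the usual substring weakness; `"check regex": "(^|&)client_id="` is safer.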
@@ -360,30 +455,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } @@ -393,29 +478,20 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
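Review bot: `"check regex": "token"` in the introspection test (first hunk) is satisfied by `token_type_hint=access_token` or by the substring inside an opaque token value, so a request without a `token` parameter can pass. Use `"check regex": "(^|&)token=[^&]+"`. The same anchoring applies to `client_assertion` in the revocation test (second hunk), which is otherwise satisfied by `client_assertion_type` alone.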
@@ -425,21 +501,20 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Revocation request", "checks": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
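Review bot: The new `client_assertion_type` check only tests presence; the value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, so match it as in the introspection tests (`"check regex": "(^|&)client_assertion_type=urn(%3A|:)ietf(%3A|:)params(%3A|:)oauth(%3A|:)client-assertion-type(%3A|:)jwt-bearer(&|$)"`). This hunk also drops the only visible check that the Entity Configuration is served with `Content-Type: application/entity-statement+jwt`, which is what OpenID Federation requires a resolver to see; that test is worth keeping next to the new one rather than replacing.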
@@ -449,55 +524,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", - "type": "active", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.client_id", - "as": "client_id" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "client_id" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
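Review bot: Presence of `client_id` in the revocation body is a weak substitute for the binding the removed active test enforced (request-object `client_id` equal to `metadata.openid_relying_party.client_id` in the EC), and that cross-check does not reappear in any hunk visible here. At minimum anchor the regex, `"check regex": "(^|&)client_id=https"`, and consider keeping a `jwt save`/`use variable` test so an RP that presents a different identity in the revocation request than in its Entity Configuration is still caught.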
@@ -507,55 +547,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter set to the RP's client_id", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", - "type": "active", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "contains": "iss" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
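Review bot: `"check regex": "token"` is satisfied by `token_type_hint=access_token` with no `token` parameter at all; anchor it as `"check regex": "(^|&)token=[^&]+"`. The description speaks of "the token for which the request is made", which a presence check cannot establish — comparing against the issued access token needs a saved variable, as in the `iss` cross-check this hunk removes (not re-added in the visible hunks).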
@@ -565,55 +570,43 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", - "type": "active", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.redirect_uri", - "as": "redirect_uris" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "contains": "redirect_uris" - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
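Review bot: Both new descriptions say the parameter must be "in the URL", but the checks correctly look in the body — the token endpoint is a form POST, and a `client_assertion` in the query string would leak the signed assertion into server and proxy logs. Change the wording to `"description": "The token request sent by the RP must contain the client_assertion parameter in the form-encoded body"` (and the same for `client_assertion_type`). Also anchor the first regex so that `client_assertion` is not satisfied by `client_assertion_type`: `"check regex": "(^|&)client_assertion=[^&]+"`.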
@@ -623,55 +616,20 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", - "type": "active", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.response_type", - "as": "response_types_supported" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "contains": "response_types_supported" - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
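Review bot: The description says `client_id` must be "in the URL" while the check reads the body; change it to `in the form-encoded body` to match. Presence alone also drops the consistency the removed test provided: with private_key_jwt the body `client_id` should equal the assertion's `iss`/`sub` and the EC `client_id`, and only a `jwt save`/`use variable` test (the form this hunk removes) can keep that binding under test.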
@@ -681,55 +639,20 @@ }, { "test": { - "name": "Does the JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", - "type": "active", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.metadata.openid_relying_party.client_id", - "as": "client_id" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Token request", - "decode operations": [ + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "client_id" - } - ] + "in": "body", + "is present": true, + "check regex": "code" } ] } 
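Review bot: `"check regex": "code"` matches `code_verifier` (present in every PKCE token request, per the next test) and `code_challenge`, so a token request with no authorization `code` parameter still passes. Anchor it: `"check regex": "(^|&)code=[^&]+"`. The description's "in the URL" should read "in the form-encoded body", matching the check.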
@@ -739,55 +662,20 @@ }, { "test": { - "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", - "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", - "type": "active", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "edits": [ - { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "saved_iss" - } - ] - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Token response", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode param": "(?<=\"id_token\": \")[^\"]+", - "type": "jwt", - "checks": [ - { - "use variable": "true", - "in": "payload", - "check": "$.aud[0]", - "contains": "saved_iss" - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] } 
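Review bot: `code_verifier` presence does not validate PKCE: RFC 7636 §4.1 requires 43–128 characters from `[A-Za-z0-9._~-]`, and a short or constant verifier defeats the protection entirely. Use `"check regex": "(^|&)code_verifier=[A-Za-z0-9._~-]{43,128}(&|$)"`, and fix the description ("in the URL" → "in the form-encoded body"). This hunk also removes the check that the ID token's `aud` equals the RP's own identifier, which is the RP-side defence against ID-token substitution; it does not reappear in the hunks visible here.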
@@ -797,27 +685,20 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } @@ -827,27 +708,20 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
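Review bot: The "revoke the Token when the User logs out" test (second hunk) cannot establish what its description claims: a passive substring check for `token` in any Revocation request says nothing about whether the request follows logout, whether it carries the access token that was issued, or that only the access token is revoked, and `token_type_hint=…` alone satisfies the regex. Either narrow the description to what is checked ("a revocation request carrying a token parameter is observed") and anchor the regex to `(^|&)token=[^&]+`, or make it an active flow that saves the issued access token and compares it with `use variable`. In the first hunk `grant_type` should be pinned to `authorization_code` or `refresh_token` rather than merely present, and its description's "in the URL" should say body.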
@@ -857,27 +731,20 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" - } - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } @@ -887,8 +754,8 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -899,13 +766,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.sub", + "is": "X_key_RP" } ] } 
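Review bot: The new "correct sub parameter" test (second and third hunks) describes `sub` as having to equal `iss`, but the check pins `$.sub` to the literal `X_key_RP`; unless that is a runtime placeholder the comparison never holds, and even then it does not test equality with `iss`. Save `iss` and compare, as the removed active tests did (`"jwt save": "$.iss", "as": "saved_iss"` followed by `"use variable": "true", "check": "$.sub", "contains": "saved_iss"`), or document the placeholder. The name says "entity configuration OP" while the placeholder is named for the RP; the `message type` line is outside these hunks, so please confirm which entity is meant. The UserInfo test in the first hunk should look for the `Bearer` scheme rather than any `Authorization` header.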
@@ -917,8 +784,8 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" @@ -929,13 +796,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" } ] } 
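Review bot: The check compares `client_id` with the literal `x_https_RP` whereas the description promises an HTTPS URL that uniquely identifies the RP; if `x_https_RP` is a placeholder it is spelled differently from `X_key_RP` in the neighbouring test, and if it is not, the test always fails. If `json schema compliant` works on a payload JSONPath as it does on `$` of the body later in this patch, `"json schema compliant": "{\"type\":\"string\",\"pattern\":\"^https://[^/?#]+\"}"` expresses the rule without a fixture value; "uniquely identifies" can only be established by comparing with the same Entity Configuration's `iss`/`sub`.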
@@ -947,25 +814,33 @@ }, { "test": { - "name": "Does the RP metadata contain the 'grant_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", - "is present": "true" + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } 
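Review bot: The `is in` allowlist for `acr_values` enumerates only ascending combinations, so a valid request asking for `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` (a space-separated, order-independent list in OIDC) is reported non-compliant, while an absent `acr_values`, which the description also calls non-compliant, may not fail depending on how `is in` treats a missing path. A regex states the rule directly: `"matches regex": "^https://www\\.spid\\.gov\\.it/SpidL[123]( https://www\\.spid\\.gov\\.it/SpidL[123]){0,2}$"`, plus `"is present": true` if absence is not an automatic failure. The request object is only decoded here, not signature-verified, so the test assumes the JWT was not altered in transit.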
@@ -977,25 +852,28 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } 
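Review bot: `prompt` is a space-delimited, order-independent list, so `login consent` is as valid as `consent login` but fails the `is in` check; prefer `"matches regex": "^(consent|consent login|login consent)$"` if the DSL supports it on a payload path, or add the third value to the list. As with the other request-object tests, the JWT is decoded but its signature is not verified against the RP's JWKS.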
@@ -1007,25 +885,32 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is present": "true" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] } ] } @@ -1037,8 +922,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" 
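Review bot: The `scope` allowlist (first hunk) does not match its own description: `openid profile email` and `openid offline_access profile email` are permitted by "openid then optionally offline_access, profile or email appended" but are rejected, and any other ordering such as `openid profile offline_access` fails too. A regex captures the rule: `"matches regex": "^openid( (offline_access|profile|email))*$"`. In the second hunk a deny-list of `none`/`HS*` for `id_token_signed_response_alg` only catches the algorithms you thought of; if the profile defines a closed algorithm set, an allowlist like the one this patch removes is the safer shape.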
@@ -1054,8 +939,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -1067,8 +957,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" @@ -1084,8 +974,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" + ] } ] } @@ -1097,8 +989,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -1114,8 +1006,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
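Review bot: The JWA identifier for RSAES-PKCS1-v1_5 is `RSA1_5` (RFC 7518 §4.1), not `RSA_1_5`, so the new deny-list for `userinfo_encrypted_response_alg` never matches the algorithm it intends to forbid; change it to `"is not in": ["RSA1_5"]`. The same deny-list should also cover `id_token_encrypted_response_alg`, whose allowlist test was removed earlier in this patch and is not re-covered in the visible hunks. Please also confirm how `is not in` behaves when the claim is absent — a missing `userinfo_signed_response_alg` or `id_token_signed_response_alg` should not read as a pass.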
@@ -1127,27 +1024,20 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Introspection request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
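Review bot: The `json schema compliant` check runs against `$` of the introspection request body, but a token introspection request is normally sent as `application/x-www-form-urlencoded`, so unless the tool converts form bodies to JSON the schema cannot be applied and the test fails for the wrong reason; a `check regex` on `(?<=client_id=)([^&]+)` with `is in`/pattern semantics, as the patch already does for `grant_type`, would be robust. Note also that `\"format\":\"uri\"` is an annotation by default in JSON Schema validators, so the `^https://` pattern is the only enforced part of this schema; it should then anchor the whole value, e.g. `\"pattern\":\"^https://[^\\\\s]+$\"`. The revocation and token request checks on the next two lines use the same shape and have the same issue.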
@@ -1157,27 +1047,20 @@ }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -1187,27 +1070,20 @@ }, { "test": { - "name": "Does the RP metadata contain the organization_name claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } 
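Review bot: The schema string in this hunk ends with `]})"` — the trailing `)` after the closing brace makes the embedded schema invalid JSON, so the validator rejects the schema instead of evaluating `client_id` and the test can never pass. Drop the parenthesis so the value ends `\"required\":[\"client_id\"]}"`, matching the identical schema used for the introspection and revocation requests in the previous two hunks.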
@@ -1217,25 +1093,40 @@ }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", - "type": "passive", + "name": "Does the JWT payload contain a correct sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the sub claim. Its value must be the same of the iss value", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ], "checks": [ { + "use variable": "true", "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.sub", + "contains": "saved_iss" } ] } @@ -1247,8 +1138,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" 
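Review bot: The `contains` check in the first hunk accepts any `sub` that has the saved `iss` as a substring, whereas the description requires the two claims to be equal; a `sub` consisting of the issuer URL with extra characters appended would pass. If the tool supports an equality comparison against a saved variable, use that in place of `contains`; otherwise the description should say that only containment is verified. The enclosing test object continues past the end of the hunk.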
@@ -1259,13 +1150,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.openid_relying_party.redirect_uris",
- "is present": "true"
+ "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
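Review bot: This hunk renames `decode regex` to `decode param` while keeping the regular expression `[^\\r\\n]*` as the value, yet the hunks from `@@ -1835,13 +1782,15 @@` through `@@ -1985,13 +1946,15 @@` switch the same key back to `decode regex` for the identical value. If `decode param` names a URL or form parameter (as it does for `"decode param": "request"` on the Authentication request), the Entity Configuration and client_assertion decode operations that pass it a pattern will decode nothing and their checks never run. Settle on one key per value kind — `decode regex` for a pattern, `decode param` for a parameter name — across the whole file.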
@@ -1277,56 +1170,68 @@ }, { "test": { - "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", - "type": "passive", + "name": "Does the Revocation Request contain correct client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation request", + "edit operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.signed_jwks_uri", - "is present": "true" - } - ] + "value": "https://example.com", + "edit regex": "(?<=client_id=)([^&]+)" + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Revocation response", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s401" + }, + { + "in": "body", + "check": "invalid_client" } ] } ], - "result": "correct flow s1" + "result": "assert_only" } }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. 
So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is present": "true" - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] @@ -1337,8 +1242,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -1349,15 +1254,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is present": "true" - } - ] + "jwt check sig": "X_key_RP" } ] } 
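Review bot: The `jwt check sig` step in the Entity Configuration test (`@@ -1349,15 +1254,9 @@`) verifies the signature with the preconfigured key `X_key_RP`, while the description says the key must be taken from the superior's Entity Statement; as written the test shows the JWS validates against a known key, not that the trust chain resolves, so either the description should say so or the key should be resolved from the superior. In the grant_type test the description string appears to break across a physical line (`refresh_token. ` / `So in this test`); if that line break is in the file rather than an artefact of this page it is invalid JSON and the whole test file fails to load. The Revocation test's expectation of an HTTP 401 with `invalid_client` after replacing the client_id is consistent with RFC 6749 §5.2, and the value `https://example.com` is a constructed placeholder.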
@@ -1367,27 +1266,21 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_RP" } ] } @@ -1397,8 +1290,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" 
@@ -1409,13 +1302,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } @@ -1427,8 +1320,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1439,13 +1332,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
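Review bot: The `$.metadata` schema in the first hunk closes the object with `\"additionalProperties\": false`, so any entity type identifier not in the five listed keys fails the test; OpenID Federation 1.0 also defines `oauth_client`, and the schema removed at `@@ -1985,13 +1946,15 @@` listed `trust_mark_issuer`, so confirm the list against the specification version this suite targets before relying on the strict closure. In the `exp` hunk the name says "correct exp parameter" but the schema only requires a non-negative integer, so an already-expired Entity Configuration passes; the `iat` hunk on the next line has the same gap. Rename both to "present and well-typed" or add a comparison against the current time if the tool offers one.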
@@ -1457,8 +1350,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1466,11 +1359,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -1480,20 +1380,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] } ] } 
@@ -1503,20 +1410,27 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + } + ] } ] } 
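Review bot: The `state` pattern `^[\\u0020-\\u007E]{32,}$` accepts any printable ASCII including spaces and punctuation, while the name says "greater than 32" and the description says "at least 32 alphanumeric characters"; make text and pattern agree (for alphanumeric: `\"pattern\": \"^[A-Za-z0-9]{32,}$\"`). Length is only a proxy for the unguessability the specification expects of `state`, so the description should state that entropy is not measured. The `nonce` hunk on the next line has the same mismatch.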
@@ -1526,20 +1440,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + } + ] } ] } 
@@ -1549,20 +1470,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + } + ] } ] } 
@@ -1572,20 +1500,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + } + ] } ] } 
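Review bot: The schema in this hunk uses `\"requirement\":[\"grant_type\"]` — `requirement` is not a JSON Schema keyword and is silently ignored, and `grant_type` does not match the property name `grant_types`, so RP metadata without `grant_types` still satisfies the check. Replace it with `\"required\":[\"grant_types\"]`, as the enum schema in the following hunk already does.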
@@ -1595,20 +1530,27 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + } + ] } ] } 
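Review bot: The `grant_types` enum schema accepts an empty array, because `items` constrains only elements that exist; add `\"minItems\": 1` (and optionally `\"uniqueItems\": true`) so that `\"grant_types\": []` is rejected. The same gap exists for the `redirect_uris` array at `@@ -1658,10 +1607,8 @@` and for `trust_marks` at `@@ -1721,7 +1668,7 @@`.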
@@ -1618,20 +1560,27 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + } + ] } ] } @@ -1641,8 +1590,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" 
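Review bot: The `logo_uri` pattern `^(https?://).*\\\\.svg$` admits plain `http://` while every other URL check in this patch requires `https://`; if the federation profile requires an HTTPS logo, use `\"pattern\":\"^https://.*\\\\.svg$\"`, otherwise the description should state that http is permitted. As with the other schemas here, `\"format\":\"uri\"` is annotation-only unless the validator enables format assertion, so the pattern is the enforced part.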
@@ -1658,10 +1607,8 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } @@ -1673,8 +1620,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" @@ -1685,13 +1632,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } 
@@ -1703,8 +1650,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the RP's entity configuration contain a correct trust_marks parameter",
+ "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1721,7 +1668,7 @@
 {
 "in": "payload",
 "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}"
 }
 ]
 }
@@ -1733,25 +1680,25 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } 
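Review bot: The `aud` schema declares `\"type\": \"array\"` together with `\"format\": \"uri-reference\"`, but `format` applies to strings, so it has no effect on an array and the elements are never checked; meanwhile a string-valued `aud`, which the JWT `aud` claim (RFC 7519) permits, is rejected outright. Express both forms, e.g. `\"aud\": {\"anyOf\": [{\"type\": \"string\", \"pattern\": \"^https://\"}, {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"string\", \"pattern\": \"^https://\"}}]}`; a `pattern` is used because `format` only asserts when the validator enables format assertion. Confirm against the profile whether the audience must be a single value (the token endpoint or issuer) before allowing the array form.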
@@ -1763,25 +1710,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
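Review bot: The description says "Its value must be a timestap" (typo for "timestamp"), and the schema only checks for a non-negative integer, so an expired client_assertion passes the "correct exp claim" test; the `iat` hunk on the next line has the same wording and the same gap. Fix the spelling, and either rename the tests to "present and well-typed" or add a comparison against the current time if the tool supports one.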
@@ -1793,25 +1740,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -1823,8 +1770,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" 
@@ -1835,13 +1782,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } @@ -1853,8 +1802,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" @@ -1865,13 +1814,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
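Review bot: Both `is in` checks in this hunk inspect only element `[0]` of the array — `client_registration_types[0]` and `grant_types[0]` — so an array whose later elements hold disallowed values passes, and for `grant_types` the description's claim that the value "contains 'authorization_code' and 'refresh_token'" is not verified at all (an array holding only `refresh_token` passes). Keep the `json schema compliant` enum-plus-`required` form that this hunk replaces, or check every element, and align the description with what is actually asserted.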
@@ -1883,8 +1835,8 @@ }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -1895,13 +1847,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -1913,8 +1868,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" 
@@ -1925,13 +1880,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -1943,8 +1901,8 @@ }, { "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -1955,13 +1913,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -1973,8 +1934,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" @@ -1985,13 +1946,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } 
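Review bot: The new description in the first hunk on this line reads `the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'`, which mixes what looks like an operator name into the user-facing text and does not plainly state the expectation; suggest `"description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'private_key_jwt'"`. The second hunk of the next line (`@@ -2033,8 +1999,8 @@`) has a similar slip, "the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512']", where "presence" should read "value", since the accompanying check is an `is in` on the value rather than an `is present`.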
@@ -2003,8 +1966,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -2015,13 +1978,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -2033,8 +1999,8 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" 
@@ -2045,13 +2011,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -2063,25 +2032,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -2093,25 +2065,27 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] } ] } 
@@ -2123,25 +2097,25 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" } ] } 
@@ -2153,54 +2127,38 @@ }, { "test": { - "name": "Does the Revocation Request contain correct client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "active", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation request", - "edit operations": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { "from": "body", - "value": "https://example.com", - "edit regex": "(?<=client_id=)([^&]+)" - } - ] - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Revocation response", - "checks": [ - { - "in": "head", - "check regex": "HTTP/?\\d?\\.?\\d?\\s401" - }, - { - "in": "body", - "check": "invalid_client" + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" + } + ] } ] } ], - "result": "assert_only" + "result": "correct flow s1" } }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2211,13 +2169,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "check": "$.metadata.federation_entity.contacts", + "is present": "true" } ] } @@ -2229,8 +2187,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2241,13 +2199,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" + "check": "$.metadata.federation_entity.federation_resolve_endpoint", + "is present": "true" } ] } 
@@ -2259,22 +2217,26 @@ }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party.grant_types", + "is present": "true" + } ] } ] @@ -2285,8 +2247,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2297,12 +2259,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.openid_relying_party.grant_types", "is present": "true" } ] 
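Review bot: The two tests in hunks `@@ -2259,22 +2217,26 @@` and `@@ -2285,8 +2247,8 @@` on this line are duplicates: both are passive checks that `$.metadata.openid_relying_party.grant_types` `is present` in the "Entity Configuration response RP" message, differing only in the name ("the grant_types claim" vs "the 'grant_types' parameter"). One of the two should be dropped so the suite does not report the same finding twice. The same duplication appears for `$.metadata.openid_relying_party.jwks` in `@@ -2435,8 +2397,8 @@` and `@@ -2465,24 +2427,24 @@` three lines further down, where the second copy also carries the typo "than" for "then" in its description.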
@@ -2315,8 +2277,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -2327,12 +2289,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] @@ -2345,8 +2307,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2357,12 +2319,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", "is present": "true" } ] 
@@ -2375,8 +2337,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2387,12 +2349,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", "is present": "true" } ] @@ -2405,8 +2367,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2417,12 +2379,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", "is present": "true" } ] 
@@ -2435,8 +2397,8 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2447,12 +2409,12 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata.openid_relying_party.jwks",
 "is present": "true"
 }
 ]
@@ -2465,24 +2427,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications",
+ "name": "Does the RP metadata contain the 'jwks' parameter",
+ "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.acr_values",
+ "check": "$.metadata.openid_relying_party.jwks",
 "is present": "true"
 }
 ]
@@ -2495,24 +2457,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] 
@@ -2525,24 +2487,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -2555,24 +2517,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] @@ -2585,24 +2547,24 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", "is present": "true" } ] 
@@ -2615,24 +2577,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", "is present": "true" } ] @@ -2645,24 +2607,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", "is present": "true" } ] 
@@ -2675,24 +2637,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", "is present": "true" } ] 
@@ -2705,24 +2667,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", "is present": "true" } ] 
@@ -2735,24 +2697,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.redirect_uri", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is present": "true" } ] @@ -2765,24 +2727,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.response_type", + "check": "$.metadata.openid_relying_party.response_types", "is present": "true" } ] 
@@ -2795,24 +2757,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request contain the 'scope' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.scope",
+ "check": "$.exp",
 "is present": "true"
 }
 ]
@@ -2825,24 +2787,24 @@
 },
 {
 "test": {
- "name": "Does the RP Authentication Request's JWT contain the 'state' parameter",
- "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Authentication request",
+ "message type": "Entity Configuration response RP",
 "decode operations": [
 {
- "from": "url",
- "decode param": "request",
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.state",
+ "check": "$.iat",
 "is present": "true"
 }
 ]
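Review bot: The new side of both hunks on this line adds `"decode param": "[^\\r\\n]*"` together with `"from": "body"`, while every other body-decoding test in this commit renames that key to `"decode regex"` for the same value; if the tool now tells a parameter name apart from a regex by the key, these tests would look for a body parameter literally named `[^\r\n]*`, never decode the Entity Configuration JWT, and silently stop checking `exp` and `iat`. Suggest `"decode regex": "[^\\r\\n]*"` here and in the matching hunks on the next two lines (`@@ -2855,24 +2817,24 @@`, `@@ -2915,24 +2877,24 @@`, `@@ -2945,24 +2907,24 @@`), keeping `"decode param": "request"` only where `"from": "url"` names a query parameter, as in the acr_values test further down.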
@@ -2855,24 +2817,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", + "check": "$.iss", "is present": "true" } ] @@ -2885,8 +2847,8 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2902,7 +2864,7 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.jwks", "is present": "true" } ] 
@@ -2915,24 +2877,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata", "is present": "true" } ] @@ -2945,24 +2907,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.sub", "is present": "true" } ] 
@@ -2975,24 +2937,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.acr_values", "is present": "true" } ] 
@@ -3005,24 +2967,24 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.aud", "is present": "true" } ] 
@@ -3035,24 +2997,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.exp", "is present": "true" } ] @@ -3065,24 +3027,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.client_id", "is present": "true" } ] 
@@ -3095,8 +3057,8 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -3104,11 +3066,18 @@ "operations": [ { "message type": "Authentication request", - "checks": [ + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } @@ -3118,8 +3087,8 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" 
@@ -3127,11 +3096,18 @@ "operations": [ { "message type": "Authentication request", - "checks": [ + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } @@ -3141,8 +3117,8 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -3150,11 +3126,18 @@ "operations": [ { "message type": "Authentication request", - "checks": [ + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -3164,8 +3147,8 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ "s1" 
@@ -3173,11 +3156,18 @@ "operations": [ { "message type": "Authentication request", - "checks": [ + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } @@ -3187,20 +3177,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.prompt", + "is present": "true" + } + ] } ] } 
@@ -3210,20 +3207,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.redirect_uri", + "is present": "true" + } + ] } ] } @@ -3233,20 +3237,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.response_type", + "is present": "true" + } + ] } ] } 
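Review bot: The description of the new 'redirect_uri' test in the first hunk on this line stops mid-sentence at `the presence of the 'redirect_uri' parameter"`; ending it `... the presence of the 'redirect_uri' parameter is checked."` matches the sibling tests. Several sibling descriptions in these hunks also write `than` where `then` is meant ("If it is missing, than the RP is not compliant"), which is worth fixing while the strings are being rewritten anyway.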
@@ -3256,20 +3267,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is present": "true" + } + ] } ] } @@ -3279,20 +3297,27 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.state", + "is present": "true" + } + ] } ] } 
@@ -3302,20 +3327,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.ui_locales", + "is present": "true" + } + ] } ] } @@ -3325,20 +3357,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } 
@@ -3348,20 +3387,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } @@ -3371,20 +3417,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } 
@@ -3394,20 +3447,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } @@ -3417,8 +3477,8 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", "type": "passive", "sessions": [ "s1" @@ -3426,11 +3486,18 @@ "operations": [ { "message type": "Token request", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
@@ -3440,8 +3507,8 @@ }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", "type": "passive", "sessions": [ "s1" 
@@ -3449,11 +3516,71 @@ "operations": [ { "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", "checks": [ { "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
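Review bot: The new 'Federation Metadata in JOSE format' test only matches a three-segment dotted string in the body, while its description promises a Content-Type of application/entity-statement+jwt that no check verifies. A head check in the shape the file already uses for the UserInfo test would cover the stated expectation: `{ "in": "head", "check regex": "Content-Type:\\s?application/entity-statement\\+jwt", "is present": "true" }`. The body regex also leaves `-` out of the header and payload classes (`[\\w=]`), so a base64url segment containing `-` only matches because the pattern is unanchored; `[\\w\\-=]` describes the base64url alphabet the description has in mind. The enclosing test object closes outside the hunk.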
@@ -3463,20 +3590,20 @@ }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Resolve Entity Statement response", "checks": [ { "in": "body", - "is present": true, - "check regex": "client_id" + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
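Review bot: The leading `[` of the new resolve-endpoint regex `[\\s*\"[^\"]*\"...` is not escaped, so it opens a character class instead of matching the literal opening bracket of the quoted-string list the pattern otherwise describes, and the check ends up matching something quite different from what the description implies. If a literal bracket is intended it should read `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also expects an HTTP 200 OK carrying resolved metadata, but the hunk only runs a body regex; a head check on the status line would make that part testable. I cannot tell from this page whether the resolve response in the targeted profile is a JSON array or a signed JWT, so the regex's intent is worth confirming against the spec the suite follows.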
@@ -3486,20 +3613,43 @@ }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Revocation request", "checks": [ { "in": "body", - "is present": true, - "check regex": "code" + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } @@ -3509,20 +3659,20 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Revocation request", "checks": [ { "in": "body", - "is present": true, - "check regex": "code_verifier" + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
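Review bot: `token=` in the new introspection regex is unanchored, so it also matches inside any other parameter whose name ends in `token` (an `…_token=` key), letting the test pass on the wrong field; `(?:^|&)token=` pins it to a parameter boundary, and the revocation 'token' regex in the next hunk needs the same anchor. The revocation client_assertion regex in the second hunk on this line uses bare `[\\w]` segments with no `=`, `+`, `/` or `-`, unlike the otherwise identical `[\\w=]`/`[\\w\\-\\+\\/=]` pattern used for the token request further down, so the two accept different encodings of the same assertion. The introspection test declares only the `s_CIE_introsp` session yet reports `"result": "correct flow s1"`; if the result has to name a declared session this is a mismatch, though I cannot confirm the tool's semantics from here.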
@@ -3532,8 +3682,8 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ "s1" @@ -3544,8 +3694,8 @@ "checks": [ { "in": "body", - "is present": true, - "check regex": "grant_type" + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -3555,20 +3705,20 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token request", "checks": [ { - "in": "body", - "is present": true, - "check regex": "token" + "in": "head", + "check regex": "POST", + "is present": "true" } ] } 
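Review bot: The HTTP POST test in the last hunk on this line greps the whole head for the bare string `POST`, so any header value containing that substring (a cookie, a path, a custom header) satisfies it even on a GET request. Anchoring to the request line, `"check regex": "^POST\\s"`, ties the check to the method, assuming the tool's head matcher sees the request line first; that assumption should be confirmed. The client_assertion regex in the preceding hunk uses `[\\w=]` for the header and payload segments, which omits the `-` of the base64url alphabet and only works because the pattern is unanchored.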
@@ -3578,8 +3728,8 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ "s1" @@ -3590,8 +3740,8 @@ "checks": [ { "in": "head", - "is present": true, - "check param": "Authorization" + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
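Review bot: The renamed test claims a 'valid Access Token' but the new check only asserts that the Authorization header carries a three-part dotted string; nothing here validates signature, expiry or audience, so the name and description overstate what a pass means. Either keep the wording to a JWT-shaped token or add a decode operation with the signature check used elsewhere in the suite. The regex also hard-codes `Bearer` although the HTTP auth scheme is case-insensitive, and `\\s?` accepts `Authorization:Bearer` with no separator; `Authorization:\\s*[Bb]earer\\s+` matches what clients actually send without relying on inline flags the tool's engine may not support.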
@@ -3601,21 +3751,113 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter identifying the RP", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the value of the 'client_id' parameter correspond to the one that can be found in the EC of the RP", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.client_id", + "as": "client_id" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "contains": "client_id" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the RP Authentication Request's JWT contain 
the 'iss' parameter set to the RP's client_id", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'iss' parameter has to be the client_id of the RP. If it is another value or is missing, than the RP is not compliant with the specifications", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_RP" + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.client_id", + "contains": "iss" + } + ] } ] } 
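Review bot: This hunk drops the only visible test that verifies the Entity Configuration signature (`"jwt check sig": "X_key_RP"`) and replaces it with a claim comparison, so the suite on this page no longer exercises signature validation of the RP's entity configuration unless that test was re-added elsewhere in the patch; the 'correct signature' test for the token-request client_assertion is removed the same way in the next hunk. The new checks use `"contains": "client_id"`, a substring match, so an EC client_id that merely contains the request's client_id as a substring passes; if the tool offers an exact comparison against a saved variable it should be used here and in the redirect_uri, response_type and iss tests that follow, otherwise the descriptions should state that the comparison is a substring match. The first description also says the payload is 'decrypted' while the operation is a base64url decode of a signed JWT; `the payload decoded` is accurate.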
@@ -3625,21 +3867,55 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'redirect_uri' parameter matches one of the URLs given in the RP metadata.", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ + { + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.redirect_uri", + "as": "redirect_uris" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_core_RP" + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.redirect_uris", + "contains": "redirect_uris" + } + ] } ] } 
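Review bot: The saved variable is named `redirect_uris` although `$.redirect_uri` yields a single URI; `"as": "redirect_uri"` avoids reading the check as a comparison of two arrays. The `contains` against `$.metadata.openid_relying_party.redirect_uris` presumably matches the URI as a substring of the serialized array, which also passes when the request URI is a prefix of a registered one; how the tool compares a variable with an array value is worth confirming before this is relied on as a compliance result. The test object closes outside the hunk.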
@@ -3649,20 +3925,55 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", - "type": "passive", + "name": "Does the RP Authentication Request's JWT contain a correct 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked. This parameter's value must be the same of the 'response_types_supported' parameter in the OP metadata", + "type": "active", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "url", + "decode param": "request", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.response_type", + "as": "response_types_supported" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.metadata.openid_relying_party.response_types[0]", + "contains": "response_types_supported" + } + ] } ] } 
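Review bot: The description states that `response_type` "must be the same of the 'response_types_supported' parameter in the OP metadata", but the second intercept is `Entity Configuration response RP` and the path is `$.metadata.openid_relying_party.response_types[0]`, so the test compares the request against the RP's own registered response types, never the OP's. Either the message type and path should point at the OP's Entity Configuration (`$.metadata.openid_provider.response_types_supported`) or the description should be corrected to say RP metadata. Indexing `[0]` also inspects only the first registered value; an RP that lists several `response_types` and uses a later one fails spuriously, so matching against the whole array is safer. The saved variable is named `response_types_supported` although it holds the request's single `response_type`, which compounds the confusion.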
@@ -3672,20 +3983,55 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", - "type": "passive", + "name": "Does the JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the RP", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.metadata.openid_relying_party.client_id", + "as": "client_id" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token request", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "client_id" + } + ] } ] } 
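Review bot: `"contains": "client_id"` on `$.iss` of the client_assertion accepts any issuer that merely includes the RP's `client_id` as a substring (e.g. `https://rp.example/` inside `https://rp.example/other`), whereas the assertion's `iss` must be exactly the client_id; if the framework supports equality with a saved variable, `"is": "client_id"` together with `"use variable": "true"` pins it. The description still says only that the value "must be an URL identifying the RP", while the check now ties it to the `client_id` from the RP Entity Configuration — worth saying so in the description. The test relies on the RP EC being intercepted in s1 before the Token request so that `client_id` is populated; that ordering is assumed here and not enforced by the file.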
@@ -3695,20 +4041,55 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", - "type": "passive", + "name": "Does the issued JWT ID Token contain the 'aud' parameter in the Payload set to RP's 'client_id'", + "description": "The ID Token present in the Token Response is taken, the payload is base64url decoded, analyzed and the value of the 'aud' parameter in the Payload set to the RP's 'client_id'", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "saved_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Token response", + "decode operations": [ + { + "from": "body", + "decode param": "(?<=\"id_token\": \")[^\"]+", + "type": "jwt", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "$.aud[0]", + "contains": "saved_iss" + } + ] } ] } 
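Review bot: The `decode param` pattern `(?<=\"id_token\": \")[^\"]+` only matches a token response serialized with exactly one space after the colon; a compact body (`"id_token":"…"`) is never matched, so the `aud` check silently does not run and the test cannot fail on a wrong audience. An alternation that tolerates both spellings, `"decode param": "(?<=\"id_token\":\")[^\"]+|(?<=\"id_token\": \")[^\"]+"`, avoids the fixed-width-lookbehind problem while keeping the regex engine-neutral. `$.aud[0]` additionally assumes `aud` is an array, but OIDC permits a single string `aud`, in which case the path resolves to nothing and the verdict depends on how mig-t treats a missing path; a check on `$.aud` with `contains` would cover both shapes, though `contains` (substring) is itself looser than the equality the spec requires.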
@@ -3833,75 +4214,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -3909,23 +4223,12 @@ "operations": [ { "message type": "Entity Configuration response RP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
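Review bot: `"is": "application/entity-statement+jwt"` is an exact comparison on the whole header value, so a response with the correct media type plus a parameter (`application/entity-statement+jwt; charset=utf-8`, which several web frameworks append by default) is reported as non-compliant even though RFC 9110 permits parameters. A regex on the media type, e.g. `"check param": "Content-Type", "matches regex": "^application/entity-statement\\+jwt(\\s*;.*)?$"`, would be robust if the framework offers that operator for header checks (the name is inferred from `not matches regex` used elsewhere in this diff). Separately, the same hunk removes the three passive checks that rejected `none`/HS256/HS384/HS512 and `RSA_1_5` in the RP metadata; if those are not re-homed in another plan file, the alg-confusion coverage they provided is lost.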
@@ -3967,114 +4270,6 @@ ], "result": "correct flow s1" } - }, - { - "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. 
If it contains other values or it is missing, than the RP is not compliant with the specifications", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } } ] } \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json index a438b6a..52e6b5f 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/RP/All_RP_Passive.json 
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response RP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
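Review bot: The five new duplicate-type tests apply `not matches regex` to `$.metadata` of the decoded JWT payload, but a payload parsed with an ordinary JSON parser collapses duplicate keys (typically last wins) before any regex runs, and the pattern `(\\n.*)+` additionally requires a newline-pretty-printed serialization, so a compact payload can never match; unless mig-t evaluates the regex on the raw base64url-decoded payload text, these tests can only pass and never detect the repeated metadata type they target — worth confirming against the tool's `check` semantics. All five carry the identical `name`, so a failure report cannot say which entity type was duplicated; naming each, e.g. `"name": "Does the metadata parameter contain 'openid_relying_party' at most once"`, fixes that. The description also promises that every key is one of the five allowed types, but no test asserts that allow-list.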
@@ -53,29 +248,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", + "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types[0]", - "is in": [ - "automatic" - ] - } - ] + "in": "url", + "is present": true, + "check": "code_challenge" } ] } 
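Review bot: `"check": "code_challenge"` with `"is present": true` only asserts the parameter name occurs in the URL; if that matcher is substring-based like the `check regex` checks in this diff, the presence of `code_challenge_method` alone satisfies it, and an empty or malformed challenge is not caught. For S256 the challenge is BASE64URL(SHA-256) and therefore exactly 43 base64url characters (RFC 7636 §4.2), so a value check such as `"check param": "code_challenge", "matches regex": "^[A-Za-z0-9_-]{43}$"` would make the PKCE test meaningful (operator names inferred from other checks in this diff — confirm they apply to URL parameters).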
@@ -85,30 +271,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct grant_types claim", - "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", + "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", + "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types[0]", - "is in": [ - "authorization_code", - "refresh_token" - ] - } - ] + "in": "url", + "is present": true, + "check": "code_challenge_method" } ] } 
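Review bot: Only the presence of `code_challenge_method` is asserted, not its value; SPID/CIE OIDC mandates `S256`, and a request carrying `plain` (or an unsupported method) passes this test while giving no protection against authorization-code interception. Add a value check next to the presence check, e.g. `"in": "url", "check param": "code_challenge_method", "is": "S256"` — the `check param`/`is` form is taken from the Content-Type check in this same diff, so confirm it is accepted for URL parameters.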
@@ -118,30 +294,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the RP insert the client ID in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "url", + "is present": true, + "check": "client_id" } ] } 
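Review bot: The new test only checks that a `client_id` parameter is present in the Authentication Request URL; in the federation profile the client_id is the RP's HTTPS entity identifier, and nothing here rejects an arbitrary string. A value check, e.g. `"check param": "client_id", "matches regex": "^https://"`, would restore that constraint (mind URL encoding — the `url decode` option seen in the Content-Type check suggests the framework can decode before matching).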
@@ -151,30 +317,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the RP insert the response type in the url of the request", + "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Authentication request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "url", + "is present": true, + "check": "response_type" } ] } 
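Review bot: The test asserts only that `response_type` appears in the URL; the check it replaces pinned `response_types[0]` to `code`, and nothing in the new test enforces that the request actually uses `code` — an RP sending `response_type=token` or `id_token` would pass. Pin the value: `"in": "url", "check param": "response_type", "is": "code"`.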
@@ -184,30 +340,158 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the Introspection Request contain the client_assertion", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_assertion" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the client_assertion_type", + "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_assertion_type" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the client_assertion as a valid JWT", + "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_assertion" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the presence of the client_id 
parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_id" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request use HTTP POST", + "description": "The Introspection request made by the RP use HTTP POST", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "url", + "is present": true, + "check": "POST" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Introspection Request contain the token", + "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "type": "passive", + "sessions": [ + "s_CIE_introsp" + ], + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "token" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Revocation Request contain the client assertion", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" } ] } 
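Review bot: `Does the Introspection Request use HTTP POST` checks `"in": "url"` for the literal text `POST`, which tests whether that string appears in the request URL rather than which HTTP method was used; a GET to a path containing "post" passes and a POST to `/introspection` fails, so this test should use a method selector if mig-t exposes one or be dropped. The six introspection tests declare `"sessions": ["s_CIE_introsp"]` yet `"result": "correct flow s1"`, so each verdict references a session the test does not run. `Does the Introspection Request contain the client_assertion as a valid JWT` is byte-identical to the presence test before it and validates no JWT structure; decoding the value with `"decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt"` as the token-request tests in this diff do would make it meaningful. The `client_assertion` and `token` regexes are unanchored, so `client_assertion_type=` and `token_type_hint=` satisfy them; `(^|&)client_assertion=[^&]+` and `(^|&)token=[^&]+` anchor them.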
@@ -217,29 +501,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", + "name": "Does the Revocation Request contain the client_assertion_type", + "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is in": [ - "private_key_jwt" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } @@ -249,30 +524,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Revocation Request contain the client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is in": [ - "RSA-OAEP", - "RSA-OAEP-256" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } 
@@ -282,30 +547,20 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", + "name": "Does the Revocation Request contain the token for which the request is made", + "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is in": [ - "A128CBC-HS256", - "A256CBC-HS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
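Review bot: `"check regex": "token"` on the revocation body is satisfied by a `token_type_hint=` parameter alone, so a revocation request that omits the token itself still passes. Anchor the pattern to the parameter name and require a value: `"check regex": "(^|&)token=[^&]+"`. The test's `result` line lies outside this hunk.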
@@ -315,30 +570,43 @@ }, { "test": { - "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", + "name": "Does the token request contain the client_assertion", + "description": "The token request sent by the RP must contain client_assertion parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is in": [ - "RS256", - "RS512" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_assertion" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the token request contain the client_assertion_type", + "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Token request", + "checks": [ + { + "in": "body", + "is present": true, + "check regex": "client_assertion_type" } ] } 
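Review bot: `"check regex": "client_assertion"` is matched by `client_assertion_type=…jwt-bearer`, so a token request that omits the assertion itself still passes this test; `"check regex": "(^|&)client_assertion=[^&]+"` anchors it to the parameter. Both new descriptions say the parameter must be "in the URL" while the checks inspect `body` — the body is right for a form-encoded POST, so the description text should say body.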
@@ -348,29 +616,20 @@ }, { "test": { - "name": "Does the RP metadata contain in the 'response_types' the value 'code'", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", + "name": "Does the token request contain the client_id", + "description": "The token request sent by the RP must contain client_id parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.response_types[0]", - "is in": [ - "code" - ] - } - ] + "in": "body", + "is present": true, + "check regex": "client_id" } ] } @@ -380,21 +639,20 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the token request contain the code parameter", + "description": "The token request sent by the RP must contain code parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "checks": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "in": "body", + "is present": true, + "check regex": "code" } ] } 
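Review bot: `"check regex": "code"` on the token-request body is satisfied by `grant_type=authorization_code` and by `code_verifier=`, both of which are present in a normal PKCE token request, so a request with no `code` parameter at all passes. Anchor it: `"check regex": "(^|&)code=[^&]+"`. As in the neighbouring tests, the descriptions say "in the URL" while the check is on `body`.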
@@ -404,27 +662,20 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_id' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", + "name": "Does the token request contain the code_verifier parameter", + "description": "The token request sent by the RP must contain code_verifier parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "code_verifier" } ] } @@ -434,27 +685,20 @@ }, { "test": { - "name": "Does the RP metadata contain the 'client_registration_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", + "name": "Does the token request contain the grant_type parameter", + "description": "The token request sent by the RP must contain grant_type parameter in the URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.client_registration_types", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "grant_type" } ] } 
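Review bot: `grant_type` is only checked for presence; if session s1 exercises the code exchange, pinning `"check regex": "(^|&)grant_type=authorization_code(&|$)"` catches an RP that sends an unexpected grant. The `code_verifier` check could likewise enforce the RFC 7636 §4.1 length and alphabet, `"check regex": "(^|&)code_verifier=[A-Za-z0-9._~-]{43,128}(&|$)"`, instead of accepting any substring match. Both descriptions say "in the URL" while the checks read `body`.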
@@ -464,27 +708,20 @@ }, { "test": { - "name": "Does the RP metadata contain the contacts claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP revoke the Token when the User logs out", + "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" - } - ] + "in": "body", + "is present": true, + "check regex": "token" } ] } 
@@ -494,27 +731,20 @@ }, { "test": { - "name": "Does the RP metadata contain the federation_resolve_endpoint claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP contain the Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "UserInfo request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" - } - ] + "in": "head", + "is present": true, + "check param": "Authorization" } ] } @@ -524,8 +754,8 @@ }, { "test": { - "name": "Does the RP metadata contain the grant_types claim", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" @@ -536,13 +766,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", - "is present": "true" + "check": "$.sub", + "is": "X_key_RP" } ] } 
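Review bot: The `sub` check in the second hunk compares against the fixed placeholder `X_key_RP`, while the description says the value must equal the `iss` claim of the same Entity Configuration; if the placeholder is the configured RP entity identifier the two agree only when the configuration is right, so the description should state what is actually compared, e.g. `"... the sub parameter is checked. Its value must be equal to the configured RP entity identifier (and therefore to the iss parameter)"`. The test name in the first hunk says "entity configuration OP" although the placeholder and the neighbouring tests refer to the RP; presumably it should read `"Does the RP entity configuration contain a correct sub parameter"`. The message type of this test lies between the two hunks and is not visible here.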
@@ -554,8 +784,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'grant_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", + "name": "Does the RP metadata contain correct value of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", "type": "passive", "sessions": [ "s1" @@ -566,13 +796,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.grant_types", - "is present": "true" + "check": "$.metadata.openid_relying_party.client_id", + "is": "x_https_RP" } ] } 
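Review bot: The expected value `x_https_RP` in the second hunk follows a different placeholder convention from `X_key_RP` in the previous test and `X_key_core_RP` later on this page; if placeholders are substituted by exact name, a misspelt one is compared as a literal string and the test can only fail, so the spelling is worth confirming against the tool's configuration. If this placeholder is intended, the description should say the check is an equality against the configured RP identifier rather than a generic HTTPS-URL shape check, e.g. `"... the value of the 'client_id' parameter must be equal to the configured HTTPS URL that uniquely identifies the RP"`; the HTTPS-URL shape itself is covered by the json-schema `client_id` test further down.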
@@ -584,25 +814,33 @@ }, { "test": { - "name": "Does the RP metadata contain the homepage_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.acr_values", + "is in": [ + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", + "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" + ] } ] } 
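Review bot: The `"is in"` list for `$.acr_values` enumerates only one ordering of each combination, so a value such as `https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL1` fails even though the description allows any space-separated set of the three values; the `prompt` list in the next hunk (`login consent` is rejected, if order is not significant) and the `scope` list in the hunk after it (no `openid profile email`, no alternative orderings, although the description allows the optional values to be appended freely) have the same limitation. A pattern-based check expresses the rule directly: with the `"json schema compliant"` form the later state/nonce tests use, a `pattern` of `^https://www\.spid\.gov\.it/SpidL[123]( https://www\.spid\.gov\.it/SpidL[123])*$` (escaped for the JSON string) together with `"required": ["acr_values"]` also covers the "missing" case the description mentions. Whether `"is in"` fails or errors when the claim is absent is not visible from the hunk.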
@@ -614,25 +852,28 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. If it contains other values or it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "is present": "true" + "check": "$.prompt", + "is in": [ + "consent", + "consent login" + ] } ] } 
@@ -644,25 +885,32 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", + "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", - "is present": "true" + "check": "$.scope", + "is in": [ + "openid", + "openid profile", + "openid email", + "openid offline_access", + "openid offline_access profile", + "openid offline_access email" + ] } ] } @@ -674,8 +922,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" 
@@ -692,7 +940,12 @@ { "in": "payload", "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is present": "true" + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } @@ -704,8 +957,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" @@ -721,8 +974,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is not in": [ + "RSA_1_5" + ] } ] } @@ -734,8 +989,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'jwks' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", + "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", "type": "passive", "sessions": [ "s1" @@ -751,8 +1006,13 @@ "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.jwks", - "is present": "true" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is not in": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
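Review bot: This `"is not in"` list for `id_token_signed_response_alg` and the `"not contains": ["RSA_1_5"]` used for `id_token_encrypted_response_alg` further down the page express the same disallowed-algorithm rule with two different operators, while the `userinfo_*` tests in this line use `"is not in"` again. If the two operators are not synonyms in mig-t, one of the tests behaves differently for array-valued or absent claims; settling on one operator, presumably `"is not in"`, keeps them consistent. It is also not visible whether `"is not in"` passes when the claim is absent; the previous version of these tests asserted presence, so a `"is present": true` check on the same path may still be wanted alongside the new value check.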
@@ -764,27 +1024,20 @@ }, { "test": { - "name": "Does the RP metadata contain the logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the Introspection Request contain correct type of client id of the RP making the request", + "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" - } - ] + "operations": [ + { + "message type": "Introspection request", + "checks": [ + { + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
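Review bot: `"json schema compliant"` is applied to `"check": "$"` of the Introspection request body, but an introspection request (RFC 7662) is sent as `application/x-www-form-urlencoded`, not JSON; unless mig-t converts a form body into a JSON object before applying the schema, the body cannot be parsed and the test never passes. The Revocation and Token request tests in the next two lines do the same. If no such conversion exists, a regex on the form body in the style of the grant_type test on this page, e.g. `"check regex": "(^|&)client_id=https(://|%3A%2F%2F)"` with `"is present": true`, is the form that works on a URL-encoded body.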
@@ -794,27 +1047,20 @@ }, { "test": { - "name": "Does the RP metadata contain the organization_name claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", + "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", + "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" } ] } 
@@ -824,27 +1070,20 @@ }, { "test": { - "name": "Does the RP metadata contain the policy_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", + "name": "Does the client_id in the token request contain an HTTPS URL", + "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" - } - ] + "in": "body", + "check": "$", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" } ] } @@ -854,8 +1093,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", + "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", "type": "passive", "sessions": [ "s1" @@ -866,13 +1105,15 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.redirect_uris", - "is present": "true" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "not contains": [ + "RSA_1_5" + ] } ] } 
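Review bot: The schema string in the first hunk ends with `\"required\":[\"client_id\"]})` — the stray `)` after the closing brace makes the schema invalid JSON, so the check errors instead of validating anything; dropping it makes the string identical to the Introspection and Revocation variants above. The name says "in the token request", the description says "in the URL of the token request" and the check reads the body; `"The client_id parameter in the body of the token request is taken and checked to be an HTTPS URL"` is the accurate wording.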
@@ -884,26 +1125,22 @@ }, { "test": { - "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", + "name": "Does the token request contain a correct grant_type parameter", + "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ + "message type": "Token request", + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.signed_jwks_uri", - "is present": "true" - } + "in": "body", + "check regex": "(?<=grant_type=)([^&]+)", + "is in": [ + "authorization_code", + "refresh_token" ] } ] @@ -914,8 +1151,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" 
@@ -926,15 +1163,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", - "is present": "true" - } - ] + "jwt check sig": "X_key_RP" } ] } @@ -944,27 +1175,21 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", + "name": "Does the client_assertion in the token request have a correct signature", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is present": "true" - } - ] + "jwt check sig": "X_key_core_RP" } ] } 
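Review bot: The second hunk's description says the `client_assertion` "must be a JWT with a signature", but `"jwt check sig": "X_key_core_RP"` verifies the signature against a specific configured key, which is the stronger statement the test actually makes; the description should say so, e.g. `"The client_assertion parameter in the token request sent by the RP must be a JWT whose signature verifies with the RP's configured core public key"`. The first hunk uses a different placeholder, `X_key_RP`, for the Entity Configuration signature; presumably the federation key and the core key are distinct on purpose, but nothing in the file records that, so the description of that test (which starts before the hunk) is the place to name which configured key is used.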
@@ -974,8 +1199,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" @@ -986,13 +1211,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } 
@@ -1004,8 +1229,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1016,13 +1241,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -1034,8 +1259,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter", - "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" 
@@ -1046,13 +1271,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.response_types", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -1064,8 +1289,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" 
@@ -1073,57 +1298,18 @@ "operations": [ { "message type": "Entity Configuration response RP", - "checks": [ - { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Resolve Entity Statement response", - "checks": [ - { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Introspection Request contain correct type token", - "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", - "type": "passive", - "sessions": [ - "s_CIE_introsp" - ], - "operations": [ - { - "message type": "Introspection request", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] } ] } 
@@ -1133,20 +1319,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client assertion", - "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + } + ] } ] } 
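Review bot: The description says the `state` value must be "at least 32 alphanumeric characters", but the schema pattern `^[\u0020-\u007E]{32,}$` accepts any printable ASCII including spaces and punctuation, and the name says "greater than 32" while `{32,}` means at least 32; the `nonce` test in the next line has the same mismatch. If alphanumeric is the intended rule, `^[A-Za-z0-9]{32,}$` (or `[A-Za-z0-9_-]` if URL-safe characters are allowed) expresses it; otherwise the two descriptions should say "printable ASCII characters". Either way the name should read `"... contain a 'state' parameter of at least 32 characters"`.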
@@ -1156,20 +1349,27 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of token for which the request is made", - "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + } + ] } ] } 
@@ -1179,20 +1379,27 @@ }, { "test": { - "name": "Does the client_assertion in the token request contain a JWT", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", + "name": "Does the RP metadata contain correct type of 'client_id' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + } + ] } ] } @@ -1202,20 +1409,27 @@ }, { "test": { - "name": "Does the token request use HTTP POST", - "description": "The token request sent by the RP must be sent in HTTP POST", + "name": "Does the RP metadata contain correct type grant_types claim", + "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "POST", - "is present": "true" + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + } + ] } ] } 
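Review bot: In the second hunk the schema uses `\"requirement\":[\"grant_type\"]`, which is not a JSON Schema keyword and names the wrong claim, so validators ignore it and a metadata object without `grant_types` passes the test. It should be `\"required\":[\"grant_types\"]`, matching the `grant_types` enum test in the next line. The description of that hunk would then be accurate as written.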
@@ -1225,20 +1439,27 @@ }, { "test": { - "name": "Does the RP contain a valid Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", + "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", + "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "UserInfo request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "head", - "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + } + ] } ] } @@ -1248,8 +1469,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", + "name": "Does the RP metadata contain correct type logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", "type": "passive", "sessions": [ "s1" 
@@ -1260,15 +1481,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", - "not contains": [ - "RSA_1_5" - ] + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -1280,8 +1499,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1297,8 +1516,8 @@ "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" } ] } 
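Review bot: The `logo_uri` pattern `^(https?://).*\\.svg$` in the first hunk accepts plain `http://`, whereas every other URI check on this page (`client_id`, `redirect_uris`) requires `^https://`; if the specification expects HTTPS for the logo as well, `^https://.*\\.svg$` keeps the checks consistent, otherwise the description should state that http is allowed. The `$` anchor after `.svg` also rejects a logo URL with a query string (for example `...logo.svg?v=2`), which may or may not be intended.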
@@ -1310,8 +1529,8 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain the 'response_types' parameter as a json", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", "type": "passive", "sessions": [ "s1" @@ -1322,13 +1541,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" } ] } @@ -1340,8 +1559,8 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the RP's entity configuration contain a correct trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", "type": "passive", "sessions": [ "s1" 
@@ -1358,7 +1577,7 @@ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" } ] } @@ -1370,25 +1589,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter greater than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'state' parameter must be at least 32 alphanumeric characters long. If it is not present or its length is less than 32 alphanumeric characters, then the RP is not compliant with the specifications", + "name": "Does the signed JWT assertion contain a correct aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"state\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"state\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" } ] } 
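Review bot: In the client_assertion `aud` schema of the last hunk (-1370,25 +1589,25), `"format": "uri-reference"` is attached to an array schema, where it has no effect, since formats apply to string instances. Move it under `items`, e.g. `{"type": "array", "minItems": 1, "items": {"type": "string", "format": "uri"}}`, and enable format assertion in the validator; as written the test only proves that `aud` is an array. Whether the profile also permits a single-string `aud`, as RFC 7523 does, is not visible here; if it does, the schema needs a `oneOf` with a string branch rather than rejecting it.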
@@ -1400,25 +1619,25 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter longer than 32 characters", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'nonce' parameter must be at least 32 alphanumeric characters long.", + "name": "Does the signed JWT assertion contain a correct exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Token request", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"nonce\": {\"type\": \"string\", \"pattern\": \"^[\\u0020-\\u007E]{32,}$\"}}, \"required\": [\"nonce\"]}" + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } 
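Review bot: The exp check added in this hunk (-1400,25 +1619,25) only asserts that `exp` is a non-negative integer, so an already-expired client_assertion passes; a passive schema check cannot compare `exp` with the capture time or with `iat`, so the description should state that freshness is not verified by this test. The description also contains the typo `timestap`, which recurs in the iat test in the next hunk; `timestamp` is meant.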
@@ -1430,25 +1649,25 @@ }, { "test": { - "name": "Does the RP metadata contain correct type of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL", + "name": "Does the signed JWT assertion contain a correct iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", + "message type": "Token request", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode param": "(?<=client_assertion=)([^&]+)", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } @@ -1460,8 +1679,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct type grant_types claim", - "description": "In this test the RP metadata are taken and the 'grant_types' parameter is a JSON array", + "name": "Does the RP metadata contain correct 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the value of the 'client_registration_types' parameter is 'automatic'", "type": "passive", "sessions": [ "s1" 
@@ -1472,13 +1691,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"grant_types\":{\"type\":\"array\"}}, \"requirement\":[\"grant_type\"]}" + "check": "$.metadata.openid_relying_party.client_registration_types[0]", + "is in": [ + "automatic" + ] } ] } @@ -1490,8 +1711,8 @@ }, { "test": { - "name": "Does the RP metadata contain 'grant_types' parameter with value of authorization_code or refresh_token", - "description": "In this test the RP metadata are taken and the type of the 'grant_types' parameter is checked.", + "name": "Does the RP metadata contain correct grant_types claim", + "description": "In this test the RP metadata are taken and the value of the 'grant_types' parameter contains 'authorization_code' and 'refresh_token'", "type": "passive", "sessions": [ "s1" @@ -1502,13 +1723,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"grant_types\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"enum\": [\"authorization_code\", \"refresh_token\"]}}},\"required\": [\"grant_types\"]}" + "check": "$.metadata.openid_relying_party.grant_types[0]", + "is in": [ + "authorization_code", + "refresh_token" + ] } ] } 
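Review bot: The rewritten grant_types check in the last hunk (-1502,13 +1723,16) now inspects only `grant_types[0]`, so an RP declaring `["authorization_code", "implicit"]` passes, whereas the json-schema it replaces validated every element through `items`/`enum`. The same first-element-only pattern appears for `client_registration_types[0]` in the hunk above it. Unless mig-t's `is in` can be applied to a whole array, keep the schema form with `items`/`enum` for allowlists over array-valued metadata. Separately, these hunks switch the key from `decode param` to `decode regex` while the earlier hunks in this file still add `decode param`; if mig-t recognises only one spelling, one of the two sets of tests will silently fail to decode the JWT, so the key should be made consistent across the file.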
@@ -1520,8 +1744,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct type logo_uri claim", - "description": "In this test the RP metadata in the RP Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -1532,13 +1756,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^(https?://).*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } @@ -1550,8 +1777,8 @@ }, { "test": { - "name": "Does the RP metadata contain an HTTPS 'redirect_uris' parameter", - "description": "In this test the RP metadata are taken and the type of the 'redirect_uris' parameter is checked.", + "name": "Does the RP metadata contain correct 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" 
@@ -1562,13 +1789,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\",\"properties\": {\"redirect_uris\": {\"type\": \"array\",\"items\": {\"type\": \"string\",\"format\": \"uri\",\"pattern\": \"^https://.*$\"}}},\"required\": [\"redirect_uris\"]}" + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } @@ -1580,8 +1810,8 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the RP metadata contain correct 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" 
@@ -1592,13 +1822,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } @@ -1610,8 +1843,8 @@ }, { "test": { - "name": "Does the RP metadata contain the 'response_types' parameter as a json", - "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array", + "name": "Does the RP metadata contain correct 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the value of the 'token_endpoint_auth_method' parameter is 'one_of': 'private_key_jwt'", "type": "passive", "sessions": [ "s1" @@ -1622,13 +1855,15 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"response_types\": {\"type\": \"array\"}}, \"required\": [\"response_types\"]}" + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", + "is in": [ + "private_key_jwt" + ] } ] } 
@@ -1640,8 +1875,8 @@ }, { "test": { - "name": "Does the RP's entity configuration contain a correct trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the trust_marks parameter is checked, it must be a JSON array", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -1652,13 +1887,16 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\"}}, \"required\": [\"trust_marks\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", + "is in": [ + "RSA-OAEP", + "RSA-OAEP-256" + ] } ] } 
@@ -1670,25 +1908,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the aud. Its value must be an URL", + "name": "Does the RP metadata contain correct 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is ['A128CBC-HS256', 'A256CBC-HS512'].", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"aud\": {\"type\": \"array\", \"format\": \"uri-reference\"}}, \"required\": [\"aud\"]}" + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", + "is in": [ + "A128CBC-HS256", + "A256CBC-HS512" + ] } ] } 
@@ -1700,25 +1941,28 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the exp claim. Its value must be a timestap", + "name": "Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", + "is in": [ + "RS256", + "RS512" + ] } ] } 
@@ -1730,25 +1974,27 @@ }, { "test": { - "name": "Does the signed JWT assertion contain a correct iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking the iat claim. Its value must be a timestap", + "name": "Does the RP metadata contain in the 'response_types' the value 'code'", + "description": "In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "check": "$.metadata.openid_relying_party.response_types[0]", + "is in": [ + "code" + ] } ] } @@ -1760,8 +2006,8 @@ }, { "test": { - "name": "Does entity configuration RP contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the RP metadata contain the 'client_id' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" 
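Review bot: The response_types check in the first hunk (-1730,25 +1974,27) tests only `response_types[0]`, so `["code", "id_token token"]` passes although the extra value is exactly what a reviewer would want flagged. If only `code` is allowed, validate the whole array, e.g. `"json schema compliant": "{\"type\":\"object\",\"properties\":{\"response_types\":{\"type\":\"array\",\"minItems\":1,\"items\":{\"const\":\"code\"}}},\"required\":[\"response_types\"]}"`; if additional values are acceptable, the description should say so explicitly.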
@@ -1772,13 +2018,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_RP" + "check": "$.metadata.openid_relying_party.client_id", + "is present": "true" } ] } @@ -1790,8 +2036,8 @@ }, { "test": { - "name": "Does the RP metadata contain correct value of 'client_id' parameter", - "description": "In this test the RP metadata are taken and the value of the 'client_id' parameter is an HTTPS URL that uniquely identifies the RP", + "name": "Does the RP metadata contain the 'client_registration_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'client_registration_types' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1802,13 +2048,13 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.openid_relying_party.client_id", - "is": "x_https_RP" + "check": "$.metadata.openid_relying_party.client_registration_types", + "is present": "true" } ] } 
@@ -1820,22 +2066,26 @@ }, { "test": { - "name": "Does the token request contain a correct grant_type parameter", - "description": "The grant_type parameter in the URL of the token request sent by the RP must be set to authorization_code or to refresh_token. So in this test a token request is taken and the grant_type parameter is checked", + "name": "Does the RP metadata contain the contacts claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "check regex": "(?<=grant_type=)([^&]+)", - "is in": [ - "authorization_code", - "refresh_token" + "from": "body", + "decode regex": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.contacts", + "is present": "true" + } ] } ] @@ -1846,8 +2096,8 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the RP metadata contain the federation_resolve_endpoint claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the federation_resolve_endpoint claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1858,12 +2108,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
@@ -1876,8 +2126,8 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the RP metadata contain the grant_types claim", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1888,12 +2138,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.openid_relying_party.grant_types", "is present": "true" } ] @@ -1906,8 +2156,8 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the RP metadata contain the 'grant_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'grant_types' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1918,12 +2168,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_relying_party.grant_types", "is present": "true" } ] 
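Review bot: The hunks at -1876,8 +2126,8 and -1906,8 +2156,8 add the same test twice: both check `$.metadata.openid_relying_party.grant_types` with `is present`, differing only in the name text. Drop one of them, or repoint the second at the claim it was meant to cover; otherwise the report counts the same condition twice and a single missing parameter surfaces as two findings.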
@@ -1936,8 +2186,8 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the RP metadata contain the homepage_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the homepage_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" @@ -1948,12 +2198,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.federation_entity.homepage_uri", "is present": "true" } ] @@ -1966,8 +2216,8 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -1978,12 +2228,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_alg", "is present": "true" } ] 
@@ -1996,8 +2246,8 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the RP metadata contain the 'id_token_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2008,12 +2258,12 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.openid_relying_party.id_token_encrypted_response_enc", "is present": "true" } ] @@ -2026,24 +2276,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'id_token_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'id_token_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.acr_values", + "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", "is present": "true" } ] 
@@ -2056,24 +2306,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.metadata.openid_relying_party.jwks", "is present": "true" } ] @@ -2086,24 +2336,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'jwks' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'jwks' parameter is checked. If it is absent, than the RP is not compliant with the specification", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata.openid_relying_party.jwks", "is present": "true" } ] 
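Review bot: The hunks at -2056,24 +2306,24 and -2086,24 +2336,24 both add a test named "Does the RP metadata contain the 'jwks' parameter" with an identical check on `$.metadata.openid_relying_party.jwks`; one is a duplicate and should be removed. A later test in this file also requires `signed_jwks_uri` to be present; if the profile treats `jwks` and `signed_jwks_uri` as alternatives rather than both mandatory, one of the two presence checks will flag a compliant RP, so confirm the requirement against the specification before keeping both as hard requirements.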
@@ -2116,24 +2366,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", - "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", + "name": "Does the RP metadata contain the logo_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the logo_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.client_id", + "check": "$.metadata.federation_entity.logo_uri", "is present": "true" } ] @@ -2146,24 +2396,24 @@ }, { "test": { - "name": "Does the JWT header of the Authentication Request contain the kid parameter", - "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", + "name": "Does the RP metadata contain the organization_name claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the organization_name claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { - "in": "header", - "check": "$.kid", + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", "is present": "true" } ] 
@@ -2176,24 +2426,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the policy_uri claim", + "description": "In this test the RP metadata in the RP Entity Configuration are taken and the presence of the policy_uri claim in the 'federation_entity' entity type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata.federation_entity.policy_uri", "is present": "true" } ] @@ -2206,24 +2456,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", + "name": "Does the RP metadata contain the 'redirect_uris' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'redirect_uris' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata.openid_relying_party.redirect_uris", "is present": "true" } ] 
@@ -2236,24 +2486,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", + "name": "Does the RP metadata contain the 'signed_jwks_uri' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'signed_jwks_uri' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.nonce", + "check": "$.metadata.openid_relying_party.signed_jwks_uri", "is present": "true" } ] @@ -2266,24 +2516,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", + "name": "Does the RP metadata contain the 'token_endpoint_auth_method' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'token_endpoint_auth_method' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.prompt", + "check": "$.metadata.openid_relying_party.token_endpoint_auth_method", "is present": "true" } ] 
@@ -2296,24 +2546,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.redirect_uri", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", "is present": "true" } ] @@ -2326,24 +2576,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", + "name": "Does the RP metadata contain the 'userinfo_encrypted_response_enc' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_encrypted_response_enc' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.response_type", + "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_enc", "is present": "true" } ] 
@@ -2356,24 +2606,24 @@ }, { "test": { - "name": "Does the RP Authentication Request contain the 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", + "name": "Does the RP metadata contain the 'userinfo_signed_response_alg' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.scope", + "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", "is present": "true" } ] @@ -2386,24 +2636,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", + "name": "Does the RP metadata contain the 'response_types' parameter", + "description": "In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.state", + "check": "$.metadata.openid_relying_party.response_types", "is present": "true" } ] 
@@ -2416,24 +2666,24 @@ }, { "test": { - "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Authentication request", + "message type": "Entity Configuration response RP", "decode operations": [ { - "from": "url", - "decode param": "request", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.ui_locales", + "check": "$.exp", "is present": "true" } ] @@ -2446,8 +2696,8 @@ }, { "test": { - "name": "Does the RP's entity configuration contain the trust_marks parameter", - "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -2463,7 +2713,7 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.iat", "is present": "true" } ] 
@@ -2476,24 +2726,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the aud claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.aud", + "check": "$.iss", "is present": "true" } ] @@ -2506,24 +2756,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the exp claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.jwks", "is present": "true" } ] 
@@ -2536,24 +2786,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the iat claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata", "is present": "true" } ] @@ -2566,24 +2816,24 @@ }, { "test": { - "name": "Does the JWT payload contain 'iss' claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "decode operations": [ { "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.sub", "is present": "true" } ] 
@@ -2596,24 +2846,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the jti claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", + "name": "Does the RP Authentication Request's JWT contain the 'acr_values' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jti", + "check": "$.acr_values", "is present": "true" } ] 
@@ -2626,24 +2876,24 @@ }, { "test": { - "name": "Does the signed JWT assertion contain the sub claim", - "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", + "name": "Does the RP Authentication Request's JWT contain the 'aud' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'aud' parameter is checked. If it missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Authentication request", "decode operations": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", + "from": "url", + "decode param": "request", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.aud", "is present": "true" } ] @@ -2656,8 +2906,8 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge' parameter is checked. If it is present, than the Authentication Request is using PKCE and is compliant with the specifications, otherwise it is not compliant.", + "name": "Does the RP Authentication Request's JWT contain the 'exp' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'exp' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" 
@@ -2665,11 +2915,18 @@ "operations": [ { "message type": "Authentication request", - "checks": [ + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } @@ -2679,8 +2936,8 @@ }, { "test": { - "name": "Does the RP's Authentication Request contain the 'code_challenge_method' parameter", - "description": "The Authentication request is taken and the presence of the 'code_challenge_method' parameter is checked. If it is not present, then the RP is not compliant with the specifications", + "name": "Does the RP Authentication Request's JWT contain the 'client_id' parameter", + "description": "In this test the request parameter of the Authentication Request is taken, the payload decrypted and the presence of the 'client_id' parameter is checked.", "type": "passive", "sessions": [ "s1" @@ -2688,11 +2945,18 @@ "operations": [ { "message type": "Authentication request", - "checks": [ + "decode operations": [ { - "in": "url", - "is present": true, - "check": "code_challenge_method" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.client_id", + "is present": "true" + } + ] } ] } @@ -2702,8 +2966,8 @@ }, { "test": { - "name": "Does the RP insert the client ID in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked", + "name": "Does the JWT header of the Authentication Request contain the kid parameter", + "description": "In this test the request parameter of the Authentication Request is taken, and the presence of the 'kid' parameter is checked.", "type": "passive", "sessions": [ "s1" 
@@ -2711,11 +2975,18 @@ "operations": [ { "message type": "Authentication request", - "checks": [ + "decode operations": [ { - "in": "url", - "is present": true, - "check": "client_id" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "header", + "check": "$.kid", + "is present": "true" + } + ] } ] } @@ -2725,8 +2996,8 @@ }, { "test": { - "name": "Does the RP insert the response type in the url of the request", - "description": "In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked", + "name": "Does the RP Authentication Request's JWT contain the 'iat' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iat' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" @@ -2734,11 +3005,18 @@ "operations": [ { "message type": "Authentication request", - "checks": [ + "decode operations": [ { - "in": "url", - "is present": true, - "check": "response_type" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -2748,20 +3026,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'iss' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'iss' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -2771,20 +3056,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion_type", - "description": "The Introspection request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'nonce' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'nonce' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.nonce", + "is present": "true" + } + ] } ] } 
@@ -2794,20 +3086,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client_assertion as a valid JWT", - "description": "The Introspection request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", + "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'prompt' parameter is checked. If it is missing, than the RP is not compliant with the specifications", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.prompt", + "is present": "true" + } + ] } ] } @@ -2817,20 +3116,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'redirect_uri' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'redirect_uri' parameter", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.redirect_uri", + "is present": "true" + } + ] } ] } 
@@ -2840,20 +3146,27 @@ }, { "test": { - "name": "Does the Introspection Request use HTTP POST", - "description": "The Introspection request made by the RP use HTTP POST", + "name": "Does the RP Authentication Request's JWT contain the 'response_type' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'response_type' parameter is checked", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "url", - "is present": true, - "check": "POST" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.response_type", + "is present": "true" + } + ] } ] } @@ -2863,20 +3176,27 @@ }, { "test": { - "name": "Does the Introspection Request contain the token", - "description": "The Introspection request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the RP Authentication Request contain the 'scope' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'scope' parameter is checked.", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.scope", + "is present": "true" + } + ] } ] } 
@@ -2886,20 +3206,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client assertion", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'state' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'state' parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.state", + "is present": "true" + } + ] } ] } @@ -2909,20 +3236,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_assertion_type", - "description": "The Revocation request made by the RP is taken and the presence of the client_assertion_type parameter is checked.", + "name": "Does the RP Authentication Request's JWT contain the 'ui_locales' parameter", + "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'ui_locales' parameter is checked. If it is missing, the RP is not compliant with the specifications", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Authentication request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "url", + "decode param": "request", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.ui_locales", + "is present": "true" + } + ] } ] } 
@@ -2932,20 +3266,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the presence of the client_id parameter is checked.", + "name": "Does the RP's entity configuration contain the trust_marks parameter", + "description": "To accomplish this test, the Entity configuration of the RP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Entity Configuration response RP", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.trust_marks", + "is present": "true" + } + ] } ] } @@ -2955,20 +3296,27 @@ }, { "test": { - "name": "Does the Revocation Request contain the token for which the request is made", - "description": "The Revocation request made by the RP is taken and the presence of the token parameter is checked.", + "name": "Does the signed JWT assertion contain the aud claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the aud claim is present.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", - "checks": [ + "message type": "Token request", + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "token" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.aud", + "is present": "true" + } + ] } ] } 
@@ -2978,8 +3326,8 @@ }, { "test": { - "name": "Does the token request contain the client_assertion", - "description": "The token request sent by the RP must contain client_assertion parameter in the URL", + "name": "Does the signed JWT assertion contain the exp claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the exp claim is present", "type": "passive", "sessions": [ "s1" @@ -2987,11 +3335,18 @@ "operations": [ { "message type": "Token request", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] } ] } @@ -3001,8 +3356,8 @@ }, { "test": { - "name": "Does the token request contain the client_assertion_type", - "description": "The token request sent by the RP must contain client_assertion_type parameter in the URL", + "name": "Does the signed JWT assertion contain the iat claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iat claim is present.", "type": "passive", "sessions": [ "s1" @@ -3010,11 +3365,18 @@ "operations": [ { "message type": "Token request", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_assertion_type" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] } ] } 
@@ -3024,8 +3386,8 @@ }, { "test": { - "name": "Does the token request contain the client_id", - "description": "The token request sent by the RP must contain client_id parameter in the URL", + "name": "Does the JWT payload contain 'iss' claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the iss claim is present.", "type": "passive", "sessions": [ "s1" @@ -3033,11 +3395,18 @@ "operations": [ { "message type": "Token request", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "client_id" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } @@ -3047,8 +3416,8 @@ }, { "test": { - "name": "Does the token request contain the code parameter", - "description": "The token request sent by the RP must contain code parameter in the URL", + "name": "Does the signed JWT assertion contain the jti claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the jti claim is present.", "type": "passive", "sessions": [ "s1" @@ -3056,11 +3425,18 @@ "operations": [ { "message type": "Token request", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jti", + "is present": "true" + } + ] } ] } 
@@ -3070,8 +3446,8 @@ }, { "test": { - "name": "Does the token request contain the code_verifier parameter", - "description": "The token request sent by the RP must contain code_verifier parameter in the URL", + "name": "Does the signed JWT assertion contain the sub claim", + "description": "This test can be performed by taking the JWT present in the 'client_assertion' field of the RP's request, base64url decoding the payload and checking if the sub claim is present.", "type": "passive", "sessions": [ "s1" @@ -3079,11 +3455,18 @@ "operations": [ { "message type": "Token request", - "checks": [ + "decode operations": [ { - "in": "body", - "is present": true, - "check regex": "code_verifier" + "from": "body", + "decode param": "(?<=client_assertion=)([^&]+)", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] } ] } 
@@ -3093,20 +3476,20 @@ }, { "test": { - "name": "Does the token request contain the grant_type parameter", - "description": "The token request sent by the RP must contain grant_type parameter in the URL", + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "Entity Configuration response RP", "checks": [ { "in": "body", - "is present": true, - "check regex": "grant_type" + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
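Review bot: The JOSE-format regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` rejects valid tokens: compact JWS segments are base64url, whose alphabet includes `-`, but `\w` covers `_` only, so a header or payload containing a `-` (near-certain for an encoded JSON payload of this size) cannot be spanned by the first two groups and a compliant Entity Configuration fails the check. The third group allows `+` and `/`, which base64url never emits, and its `*` accepts an empty signature segment, so an unsigned token satisfies a test meant to establish a signed JOSE object. A pattern such as `"check regex": "([\\w\\-]+)\\.([\\w\\-]+)\\.([\\w\\-]+)"` matches the base64url alphabet and requires a non-empty signature. The `token=` regex at `@@ -3139` and the `client_assertion=` regex at `@@ -3162` have the same alphabet gap in their first two groups and the same `*` on the signature group. This hunk also writes `"is present": "true"` as a string inside a plain `checks` entry where the entries it replaces used the boolean `true`; if the tool compares types, confirm the string form is honoured rather than treated as unset.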
@@ -3116,20 +3499,20 @@ }, { "test": { - "name": "Does the RP revoke the Token when the User logs out", - "description": "In order to test if the RP really revokes an access token on logout, a classic authentication flow is computed and, once obtained the token and used, a logout is performed. After this, the requests made by the RP must be analyzed and there has to be a request to the OP's revocation endpoint for only the access token", + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Resolve Entity Statement response", "checks": [ { "in": "body", - "is present": true, - "check regex": "token" + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } @@ -3139,20 +3522,20 @@ }, { "test": { - "name": "Does the RP contain the Access Token in the UserInfo request", - "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token", + "name": "Does the Introspection Request contain correct type token", + "description": "The Introspection request made by the RP is taken and the type of the token parameter is a JWT", "type": "passive", "sessions": [ - "s1" + "s_CIE_introsp" ], "operations": [ { - "message type": "UserInfo request", + "message type": "Introspection request", "checks": [ { - "in": "head", - "is present": true, - "check param": "Authorization" + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
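Review bot: The leading `[` in `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` is unescaped, so the regex engine reads it as the start of a character class rather than the literal opening bracket of a JSON array; the effective pattern is not the "array of strings" the author seems to intend, and what it does match depends on how the engine treats the nested `[^\"]`. Escape it: `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. The description also promises an HTTP 200 and the resolved metadata for the requested `sub`, but the check only pattern-matches the body, so either the description should be narrowed to what is tested or a head check like the one in the EC tests should be added.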
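Review bot: `token=` is matched without a left anchor, so any parameter whose name ends in `token` (an `access_token` or `refresh_token` field, for example) would satisfy the introspection check; `(?:^|&)token=` pins it to the `token` parameter itself. The same left-unanchored form is used by the `token=` and `client_assertion=` checks in the hunks at -3162 and -3186, which anchor only on the right with `(?:&|$)`.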
@@ -3162,21 +3545,20 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does the Revocation Request contain correct type of client assertion", + "description": "The Revocation request made by the RP is taken and the value of the client_assertion parameter is a signed JWT structure", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode param": "[^\\r\\n]*", - "type": "jwt", - "jwt check sig": "X_key_RP" + "message type": "Revocation request", + "checks": [ + { + "in": "body", + "check regex": "client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)", + "is present": "true" } ] } 
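Review bot: This hunk replaces the only test that verified the RP Entity Configuration signature (`"jwt check sig": "X_key_RP"`) with a shape check on the revocation request, and the next hunk (-3186) does the same for the client_assertion signature (`X_key_core_RP`); nothing in the visible diff re-adds a `jwt check sig` operation, so after this commit the suite would accept an EC or client assertion signed with any key, or with an empty signature part (the new third group is `*`). If these checks moved to the per-test files added by this commit, the commit description should say so; otherwise they should stay. Separately, the new regex `client_assertion=([\\w]+)\\.([\\w]+)\\.([\\w\\-]*)(?:&|$)` excludes `-` from the header and payload groups while being right-anchored, so a compliant base64url-encoded assertion that contains a `-` cannot match and the RP is reported non-compliant; the sibling hunks use `[\\w=]` for the same segments, so the patterns also disagree with each other.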
@@ -3186,21 +3568,20 @@ }, { "test": { - "name": "Does the client_assertion in the token request have a correct signature", - "description": "The client_assertion parameter in the token request sent by the RP must be a JWT with a signature", + "name": "Does the Revocation Request contain correct type of token for which the request is made", + "description": "The Revocation request made by the RP is taken and the value of the token parameter is a JWT.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", - "decode operations": [ + "message type": "Revocation request", + "checks": [ { - "from": "body", - "decode param": "(?<=client_assertion=)([^&]+)", - "type": "jwt", - "jwt check sig": "X_key_core_RP" + "in": "body", + "check regex": "token=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } @@ -3210,20 +3591,20 @@ }, { "test": { - "name": "Does the Introspection Request contain correct type of client id of the RP making the request", - "description": "The Introspection request made by the RP is taken and the value of the client_id parameter is an URI", + "name": "Does the client_assertion in the token request contain a JWT", + "description": "The client_assertion parameter in the token request sent by the RP must be a JWT", "type": "passive", "sessions": [ - "s_CIE_introsp" + "s1" ], "operations": [ { - "message type": "Introspection request", + "message type": "Token request", "checks": [ { "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "check regex": "client_assertion=([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)(?:&|$)", + "is present": "true" } ] } 
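Review bot: The `json schema compliant` check requiring the introspection `client_id` to be an `https://` URI is dropped in the second hunk here, and the hunks at -3233 and -3256 drop the equivalent checks for the revocation and token requests; no replacement for the "client_id is an HTTPS URI identifying the RP" property appears in the visible diff. The diffstat lists new single-test files named `...metadata-client_id-type.json` and `...metadata-client_id-value.json`, which may be where these went — one sentence in the commit description confirming the move would make the removal reviewable.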
@@ -3233,20 +3614,20 @@ }, { "test": { - "name": "Does the Revocation Request contain correct type of client_id of the RP making the request", - "description": "The Revocation request made by the RP is taken and the value of the client_id parameter is an URI that identifies the RP", + "name": "Does the token request use HTTP POST", + "description": "The token request sent by the RP must be sent in HTTP POST", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Revocation request", + "message type": "Token request", "checks": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]}" + "in": "head", + "check regex": "POST", + "is present": "true" } ] } @@ -3256,20 +3637,20 @@ }, { "test": { - "name": "Does the client_id in the token request contain an HTTPS URL", - "description": "The client_id parameter in the URL of the token request is taken and checked to be an HTTPS URL", + "name": "Does the RP contain a valid Access Token in the UserInfo request", + "description": "The UserInfo request from the RP is taken and analyzed. In the Authorization field of the head there must be a valid Access Token", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Token request", + "message type": "UserInfo request", "checks": [ { - "in": "body", - "check": "$", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"client_id\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://\"}},\"required\":[\"client_id\"]})" + "in": "head", + "check regex": "Authorization:\\s?Bearer\\s?([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
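Review bot: The HTTP-method check `"check regex": "POST"` on the head is unanchored, so it also matches a `POST` substring anywhere in the request line or headers (a path segment, a Referer or Origin value) rather than only the request method. `"check regex": "^POST\\s"` restricts it to the method token at the start of the request line, assuming the `head` section begins with the request line — confirm against mig-t.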
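Review bot: The name and description claim a "valid Access Token", but the check is only `Authorization:\\s?Bearer\\s?` followed by a three-part shape, which establishes neither validity nor, given `\\s?`, even that a separator exists between `Bearer` and the token (`Authorization: Bearerabc.def.ghi` passes). Use `\\s+` after `Bearer`, require a non-empty signature part (`+` rather than `*` in the third group), and reword the name to `"Does the RP send a JWT-shaped Access Token in the UserInfo request"` unless the tool can actually validate the token.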
@@ -3394,75 +3775,8 @@ }, { "test": { - "name": "Does the RP metadata contain incorrect 'id_token_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'id_token_signed_response_alg' parameter is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.id_token_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_encrypted_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_encrypted_response_alg' parameter is checked. It must not contain the value ['RSA_1_5'].", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response RP", - "decode operations": [ - { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_encrypted_response_alg", - "is not in": [ - "RSA_1_5" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter", - "description": "In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" @@ -3470,23 +3784,12 @@ "operations": [ { "message type": "Entity Configuration response RP", - "decode operations": [ + "checks": [ { - "from": "body", - "decode regex": "[^\\r\\n]*", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.openid_relying_party.userinfo_signed_response_alg", - "is not in": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } 
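Review bot: The three removed tests were the suite's only checks that the RP metadata does not advertise `none`/`HS256`/`HS384`/`HS512` for `id_token_signed_response_alg` and `userinfo_signed_response_alg`, or `RSA_1_5` for `userinfo_encrypted_response_alg`, and the hunk at -3528 below likewise removes the `acr_values`, `prompt` and `scope` checks on the authentication request; the replacement test (Content-Type of the EC response) covers none of them and nothing in the visible diff re-adds them. If they were moved to the single-test files added by this commit, the commit description should say so; if they were dropped on purpose, the reason belongs in the description as well.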
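Review bot: `"is": "application/entity-statement+jwt"` with `"url decode": false` looks like an exact string comparison of the `Content-Type` value; a server that appends a parameter (`application/entity-statement+jwt; charset=utf-8`) or uses a different case in the header name would then fail, although such a response still carries the required media type. If `is` is exact-match in mig-t, a head regex such as `"check regex": "(?m)^Content-Type:\\s*application/entity-statement\\+jwt\\s*(?:;|$)"` (Java-style `(?m)` assumed) accepts the media type with or without parameters. The new SA file `ALL-Entity Configuration response-correct-content-type.json` (`@@ -0,0 +1,33 @@` below) uses the same exact-match check and would need the same change.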
@@ -3528,114 +3831,6 @@ ], "result": "correct flow s1" } - }, - { - "test": { - "name": "Does the RP Authentication Request's JWT contain a correct 'acr_values' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the presence of the 'acr_values' parameter is checked. If it is present, than it must be a string with the requested 'acr' values, each of them separated by a single space. The supported values are 'https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2' and 'https://www.spid.gov.it/SpidL3'. If it contains other values or it is missing, than the RP is not compliant with the specifications", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.acr_values", - "is in": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3", - "https://www.spid.gov.it/SpidL1 https://www.spid.gov.it/SpidL2 https://www.spid.gov.it/SpidL3" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP Authentication Request's JWT contain the 'prompt' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the 'prompt' parameter is checked. It must be set to the value 'consent' or 'consent login'. 
If it contains other values or it is missing, than the RP is not compliant with the specifications", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.prompt", - "is in": [ - "consent", - "consent login" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the RP Authentication Request contain a correct value in 'scope' parameter", - "description": "The Authentication request is taken, the JWT Token in the request parameter base64url decoded and the value of the 'scope' parameter must be set to the value 'openid' then it can (optionally) have the values 'offline_access', 'profile' or 'email' appended.", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Authentication request", - "decode operations": [ - { - "from": "url", - "decode param": "request", - "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.scope", - "is in": [ - "openid", - "openid profile", - "openid email", - "openid offline_access", - "openid offline_access profile", - "openid offline_access email" - ] - } - ] - } - ] - } - ], - "result": "correct flow s1" - } } ] } \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-correct-content-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-correct-content-type.json new file mode 100644 index 0000000..4a1e767 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-correct-content-type.json 
@@ -0,0 +1,33 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-correct-http-code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-correct-http-code.json new file mode 100644 index 0000000..4df58c8 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-correct-http-code.json 
@@ -0,0 +1,32 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the entity return a correct HTTP code in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exp-type.json new file mode 100644 index 0000000..128356f --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exp-type.json 
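Review bot: `HTTP/?\\d?\\.?\\d?\\s200` is unanchored and every component is optional, so it matches `HTTP 200` anywhere in the head — inside a header value, for instance — rather than the status line; `(?m)^HTTP/\\d(?:\\.\\d)?\\s200\\b` pins it to the status line (Java-style `(?m)` assumed). The new file `ALL-Entity Configuration response-exposed.json` (`@@ -0,0 +1,32 @@` further down) carries exactly the same head check under a different name ("Does the Entity expose the /.well-known/openid-federation endpoint"), so the two tests cannot fail independently; either give the exposure test its own condition (a body or Content-Type check) or drop the duplicate.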
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exp.json new file mode 100644 index 0000000..729de44 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exp.json 
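Review bot: The description of this `exp-type` test is copied from the presence test and says only that "the presence of the exp parameter is checked", while the check is the JSON-schema constraint `{"type": "integer", "minimum": 0}`; the same mismatch is in `ALL-Entity Configuration response-iat-type.json` further down. Suggested wording: `"description": "... the payload is decoded and the exp claim is checked to be a non-negative integer (NumericDate)"`. A non-negative integer is also satisfied by an already-expired statement; if the tool offers a numeric comparison against the current time, an `exp` in the future (and greater than `iat`) is the property a verifier actually relies on. Note too that `decode param` is given the regex `[^\\r\\n]*` here while the removed RP tests at -3394 used `decode regex` for the same pattern — confirm which key mig-t interprets as a regex, since a literal parameter lookup for that value would decode nothing.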
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.exp", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exposed.json new file mode 100644 index 0000000..a08eb4e --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-exposed.json 
@@ -0,0 +1,32 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Entity expose the /.well-known/openid-federation endpoint", + "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "checks": [ + { + "in": "head", + "check regex": "HTTP/?\\d?\\.?\\d?\\s200", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iat-type.json new file mode 100644 index 0000000..432fcf1 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iat-type.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iat.json new file mode 100644 index 0000000..fa9e073 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iat.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iat", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iss.json new file mode 100644 index 0000000..e1c3697 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-iss.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-issue.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-issue.json new file mode 100644 index 0000000..2bba92a --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-issue.json 
@@ -0,0 +1,32 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", + "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "checks": [ + { + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-jwks.json new file mode 100644 index 0000000..34254ab --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-jwks.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-federation_entity-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-federation_entity-once.json new file mode 100644 index 0000000..3233888 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-federation_entity-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json new file mode 100644 index 0000000..becccfb --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json 
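Review bot: This file nests a complete document inside the outer `tests` array — `tests[0]` is `{ "test suite": {...}, "tests": [ { "test": {...} } ] }` — while every other single-test file in this commit puts `{ "test": {...} }` directly in `tests`; a loader expecting the flat shape would either reject the file or find no test in it. The same wrapping is in the four sibling `-once.json` files (`oauth_authorization_server`, `oauth_resource`, `openid_provider`, `openid_relying_party`) at the following `@@ -0,0 +1,48 @@` hunks; drop the inner `test suite`/`tests` layer in all five so each file has the 39-line shape of the others. The check itself cannot observe what it is meant to: `$.metadata` is evaluated on the parsed payload, and a JSON parser collapses a duplicated `federation_entity` key (typically last wins) before the JSONPath runs, so `not matches regex` never sees two keys; in addition the pattern requires a newline `(\\n.*)+` between the occurrences, which a compact JWT payload does not contain, so the test passes unconditionally. Detecting a duplicated metadata type has to run against the raw base64url-decoded payload text rather than a parsed object, and the "only allowed types" part of the name is not checked anywhere in the file.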
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-oauth_resource-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-oauth_resource-once.json new file mode 100644 index 0000000..62828a7 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-oauth_resource-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-openid_provider-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-openid_provider-once.json new file mode 100644 index 0000000..4183965 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-openid_provider-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json new file mode 100644 index 0000000..a970f6d --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json 
@@ -0,0 +1,48 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-type.json new file mode 100644 index 0000000..165493c --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-type.json 
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-metadata-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-value.json similarity index 59% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-metadata-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-value.json index 660bbe2..424b900 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-metadata-value.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata-value.json 
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -25,7 +25,7 @@ { "in": "payload", "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata.json new file mode 100644 index 0000000..b2c97ab --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-metadata.json 
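Review bot: The new schema's `anyOf` of single-element `required` lists enforces that at least one metadata type is present, but neither the renamed test (`Does the metadata parameter contain only allowed types`, previous hunk) nor its description mentions this, so a failure on an empty `metadata` object would be read as a disallowed type. I would append to the description: `At least one of these types must be present.` With `additionalProperties: false` an entity that still publishes `trust_mark_issuer` now fails this test; that is presumably intended, but the description could state explicitly that any other type is rejected.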
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-signature.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-signature.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-signature.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-sub-value.json
similarity index 90%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-sub-value.json
index bf9ec5d..7360a88 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Configuration response-sub-value.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-sub-value.json
@@ -7,7 +7,7 @@
 "tests": [
 {
 "test": {
- "name": "Does entity configuration SA contain a correct sub parameter",
+ "name": "Does entity configuration OP contain a correct sub parameter",
 "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.sub",
- "is": "X_url_SA"
+ "is": "X_key_SA"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-sub.json
new file mode 100644
index 0000000..fd1685d
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Entity Configuration response-sub.json
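Review bot: The renamed title `Does entity configuration OP contain a correct sub parameter` names OP in a file that lives under SA/ and compares `$.sub` against an SA placeholder, which looks like a copy-paste slip; the line should read `"name": "Does entity configuration SA contain a correct sub parameter"` (or drop the entity type altogether, as the new ALL- prefix suggests). Separately, the expected value moves from `X_url_SA` to `X_key_SA` while the description still says the value must equal the `iss` parameter; if `X_key_SA` does not expand to the entity's URL the check no longer verifies what the description states, so either the placeholder or the description needs correcting.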
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Resolve Entity Statement endpoint response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Resolve Entity Statement endpoint response-exposed.json new file mode 100644 index 0000000..2fb4169 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/ALL-Resolve Entity Statement endpoint response-exposed.json 
@@ -0,0 +1,32 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json index 8120cab..361132e 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA.json 
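Review bot: The `check regex` starts with an unescaped `[`, which opens a character class rather than matching a literal bracket, so `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` does not describe the JSON string array its tail `\\]$` implies, and how it is parsed depends on the regex engine (Java treats the nested `[` as a class union, PCRE-style engines as a literal); `\\[` is almost certainly intended. The description promises an HTTP 200 response carrying resolved metadata, but the only check is this body regex and no status-code check is present, so either add one or narrow the description to what is actually tested. I would also spell out in the description what body shape the regex is looking for, since a reader cannot recover that from the pattern.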
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
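Review bot: The five entries added at the top of the `tests` array are `{ "test suite": …, "tests": [ … ] }` objects, whereas every existing sibling in this array is a `{ "test": … }` object and the standalone files for comparable checks (metadata-type, metadata) use the flat form; if the runner iterates `tests` expecting a `test` key these five are skipped silently, and the array now mixes two element shapes. I would reduce each entry to its inner `{ "test": { … } }` object, dropping the wrapping `"test suite"` header and `"tests"` array, which also keeps `filter messages` defined once for the whole file. The descriptions of the second, third and fourth entries appear broken across physical lines in this rendering; in the committed file they must be single-line JSON strings, which is worth confirming with a parser.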
@@ -53,32 +248,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response SA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" @@ -99,11 +270,8 @@ "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } 
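Review bot: The rewritten oauth_resource Trust Mark test says in its description that the `claims` claim "is checked to be a list", but the schema in the second hunk, `{\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}}`, requires an object whose values are all objects; one of the two is wrong, and if `claims` is really a list the test now fails on every valid Trust Mark. Either change the description to "is checked to be a JSON object whose values are objects" or relax the schema to `{\"claims\": {\"type\": \"array\"}}`. The first hunk also removes the `Content-Type: application/entity-statement+jwt` check on the EC response with no replacement visible in this diff; if that was not deliberate it should be restored, since it was the only check of the response media type.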
@@ -112,22 +280,20 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -137,15 +303,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -154,15 +317,13 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
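Review bot: The email schema is written with trailing spaces inside its keys and values — `\"type \"`, `\"object \"`, `\"properties \"`, `\"email \"`, `\"format \"`, `\"required \"` — and JSON Schema recognises only exact keyword names, so this schema imposes no constraint and any payload passes; the organization_name and sa_profile schemas further down this file have the same problem, with U+00A0 characters as well. The corrected line is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`, bearing in mind that `format` is only enforced when the validator opts in to format assertion. In the same hunk `decode param` changes from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark`; the old index implies `trust_marks` is an array, and on an array that path resolves to nothing, so the check is never exercised — the exp, iat, organization_name and ref hunks make the same change.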
@@ -179,12 +340,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "claims", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -198,8 +359,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -220,8 +381,8 @@ "checks": [ { "in": "payload", - "check": "email", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -235,8 +396,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -253,12 +414,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "exp", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -272,8 +433,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -294,8 +455,8 @@ "checks": [ { "in": "payload", - "check": "iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -309,8 +470,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" 
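Review bot: The id_code type test's schema `\"additionalProperties\": {\"type\": \"object\"}` requires every value inside `id_code` to be an object, while the ipa_code test two hunks later requires `id_code.ipa_code` to be a string, so no Trust Mark can satisfy both tests. Drop the inner constraint: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"`. The test name also has a typo; it should read `"name": "Does the Trust Mark contain the correct type of id_code claim"`.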
@@ -331,8 +492,8 @@ "checks": [ { "in": "payload", - "check": "id", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -346,8 +507,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -368,8 +529,8 @@ "checks": [ { "in": "payload", - "check": "id_code", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -383,8 +544,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -405,8 +566,8 @@ "checks": [ { "in": "payload", - "check": "iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -420,8 +581,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -442,8 +603,8 @@ "checks": [ { "in": "payload", - "check": "logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } @@ -457,8 +618,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -475,12 +636,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } @@ -494,8 +655,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -516,8 +677,8 @@ "checks": [ { "in": "payload", - "check": "organization_type", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } @@ -531,8 +692,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" 
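Review bot: The organization_name schema constrains the claim with `\"enum \": [\"private \", \"public \"]`, which is the value set the removed organization_type test used; an organization name is free text, so once the keyword spacing is fixed this schema would reject every real Trust Mark, and as written (trailing spaces and U+00A0 in the keywords) it enforces nothing. Suggested line: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\"}}, \"required\": [\"organization_name\"]}"`. If the intent was to keep the organization_type check that this commit deletes earlier in the file, that belongs in its own test with `organization_type` as the property name.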
@@ -549,12 +710,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } @@ -568,8 +729,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -590,8 +751,8 @@ "checks": [ { "in": "payload", - "check": "ref", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -605,8 +766,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" 
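Review bot: The `ref` check on the `+ "json schema compliant"` line relies on `"format": "uri"` alone, and since `format` is not enforced by most validators unless explicitly enabled, this test may pass on any string; adding `"pattern": "^https://"` as the sibling `policy_uri` and `tos_uri` schemas do makes the URL requirement enforced. In the same hunk `decode param` changes from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark`, while the new tests at L11508–L11511 keep `$.trust_marks[0].trust_mark` and the last hunk at L11518 describes `trust_marks` as a JSON array; unless the tool's JSONPath flattens arrays, the unindexed path resolves to nothing and the check never runs. The same unindexed path is introduced at L11496, L11500, L11501, L11504 and L11505.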
@@ -627,8 +788,8 @@ "checks": [ { "in": "payload", - "check": "sa_profile", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } @@ -642,8 +803,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -664,8 +825,8 @@ "checks": [ { "in": "payload", - "check": "service_documentation", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } @@ -679,8 +840,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -701,8 +862,8 @@ "checks": [ { "in": "payload", - "check": "sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } @@ -716,15 +877,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -738,8 +899,8 @@ "checks": [ { "in": "payload", - "check": "tos_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -753,8 +914,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
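Review bot: The new description says the `claims` value `is checked to be a list`, but the schema on the `+ "json schema compliant"` line requires `claims` to be an object whose members are objects, so the text and the check disagree. If the schema is the intended shape, rewording the description to `the value of the claims claim is checked to be a JSON object` keeps it accurate; if a list was meant, the schema needs `"type": "array"` instead. The `message type` also moves from `SA OP` to `SA RP` in this hunk, which is worth confirming as intentional since the description still speaks of an AA trust mark.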
@@ -771,12 +932,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "claims", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -790,8 +951,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -808,12 +969,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "email", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -827,8 +988,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" 
@@ -849,8 +1010,8 @@ "checks": [ { "in": "payload", - "check": "exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -864,8 +1025,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -882,12 +1043,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "iat", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -901,8 +1062,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" 
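Review bot: The new test name on the `+ "name"` line of the last hunk has a typo, `correcty`; suggest `Does the Trust Mark contain the correct type of id_code claim`, matching the wording of the neighbouring tests. These names are what the tool reports to users, so the typo will be visible in every run.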
@@ -923,8 +1084,8 @@ "checks": [ { "in": "payload", - "check": "id", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -938,8 +1099,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -960,8 +1121,8 @@ "checks": [ { "in": "payload", - "check": "id_code", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -975,8 +1136,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" 
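Review bot: The `id_code` schema on the `+ "json schema compliant"` line sets `"additionalProperties": {"type": "object"}`, which requires every member of `id_code` to itself be an object, yet the test at L11503 requires `id_code.ipa_code` to be a string and L11501 names `fiscal_number`/`vat_number` as members. A trust mark that satisfies L11503 therefore fails this test, and vice versa. The test name only asks for `id_code` to be a JSON object, so `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}` is what matches it. The `claims` schema at L11499 uses the same `additionalProperties` construct and deserves the same look.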
@@ -997,8 +1158,8 @@ "checks": [ { "in": "payload", - "check": "iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -1012,8 +1173,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -1034,8 +1195,8 @@ "checks": [ { "in": "payload", - "check": "logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -1049,8 +1210,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -1071,8 +1232,8 @@ "checks": [ { "in": "payload", - "check": "organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } 
@@ -1086,8 +1247,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -1104,12 +1265,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } @@ -1123,8 +1284,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -1145,8 +1306,8 @@ "checks": [ { "in": "payload", - "check": "policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } 
@@ -1160,8 +1321,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -1178,12 +1339,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "ref", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } @@ -1197,8 +1358,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -1219,8 +1380,8 @@ "checks": [ { "in": "payload", - "check": "sa_profile", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } 
@@ -1234,8 +1395,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -1256,8 +1417,8 @@ "checks": [ { "in": "payload", - "check": "service_documentation", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } @@ -1271,8 +1432,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -1293,8 +1454,8 @@ "checks": [ { "in": "payload", - "check": "sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } 
@@ -1308,8 +1469,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -1330,8 +1491,8 @@ "checks": [ { "in": "payload", - "check": "tos_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } 
@@ -1345,111 +1506,140 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] - }, + } + ], + "result": [ + "s1" + ] + } + }, + { + "test": { + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - 
"use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "in": "payload", + "check": "$.sub", + "is": "X_key_SA" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_SA" } ] } 
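Review bot: The new `sub` test compares `$.sub` with the constant `X_key_SA` (`"is": "X_key_SA"`), while its description says the value must equal the `iss` parameter; unless `X_key_SA` is substituted with the SA's entity identifier at run time, the check does not implement the description, and even then it never compares `sub` against `iss` as the removed active test did with a saved variable. If the passive operation supports it, a `"jwt save": "$.iss"` / `contains` pair would keep that comparison; otherwise reword the description to say the value is compared with the configured SA identifier. The two `organization_type` tests in this hunk use `"is in"` rather than a schema and report `"result": ["s1"]`, whereas the `sub` test reports `"result": "correct flow s1"`; if the tool accepts both forms this is only a style point, otherwise one of them is wrong.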
@@ -1461,25 +1651,26 @@ }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_SA" } ] } 
@@ -1491,8 +1682,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -1503,15 +1694,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
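Review bot: The body decode in this hunk switches from `"decode regex": "[^\\r\\n]*"` to `"decode param": "[^\\r\\n]*"`, but the new tests added at L11508–L11510 use `"decode regex"` for the same extraction of the JWT from the body and reserve `"decode param"` for JSONPath expressions. If the tool treats `decode param` as a parameter name or JSONPath rather than a regex, the body is not extracted and `"jwt check sig": "X_key_SA"` may never run, which could let a badly signed Entity Configuration pass unnoticed. Worth pinning down which key is the regex one and using it consistently; the same swap appears in L11513–L11518, where L11515 and L11518 additionally spell the regex as `[^\\n\\r]*`.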
@@ -1521,27 +1706,21 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -1551,27 +1730,21 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -1581,8 +1754,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" @@ -1593,13 +1766,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } 
@@ -1611,8 +1784,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1623,13 +1796,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -1641,8 +1814,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1653,13 +1826,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
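Review bot: The `exp` test on the `+ "json schema compliant"` line only verifies that `exp` is a non-negative integer, so an Entity Configuration that expired long ago still passes, and the new description still says only that `the presence of the exp parameter is checked`. If the tool offers a comparison against the current time, a freshness check (`exp` in the future, `iat` not in the future) is what gives this test its security value; otherwise the name `correct exp parameter` overstates what is verified and `Does entity configuration contain an integer exp parameter` would be accurate. The same applies to the `iat` hunk that follows and to the trust-mark `exp`/`iat` schemas at L11500 and L11501.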
@@ -1671,8 +1844,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -1683,13 +1856,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -1701,8 +1874,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
@@ -1713,13 +1886,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -1731,8 +1904,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", "type": "passive", "sessions": [ "s1" 
@@ -1740,11 +1913,18 @@ "operations": [ { "message type": "Entity Configuration response SA", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + } + ] } ] } 
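Review bot: The schema for `trust_marks` declares `{"type": "object", "additionalProperties": {"type": "array"}}`, which contradicts the test's own description ("must be a JSON array containing the Trust Marks") and every other Trust Mark test in this patch, all of which select `$.trust_marks[0].trust_mark`; an Entity Configuration with the array form those tests expect fails this check, and an object-shaped value passes. Replace it with an array schema, e.g. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"object\", \"required\": [\"trust_mark\"], \"properties\": {\"trust_mark\": {\"type\": \"string\"}}}}}, \"required\": [\"trust_marks\"]}"`. `minItems: 1` keeps it consistent with the `[0]` index the sibling tests rely on; whether each entry must also carry an `id` member depends on the profile version the suite targets.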
@@ -1754,20 +1934,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
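Review bot: The description says the statement is fetched "in the TA's fetch endpoint" and that the payload is "decrypted", but the operation reads `Entity Statement response SA OP`, i.e. the SA's statement about the OP, and an Entity Statement is a signed JWS that is only base64url-decoded here; the same wording is copied into the three sibling hunks that follow (iat, and the SA RP pair). The schema `{"type": "integer", "minimum": 0}` establishes that `exp` is a non-negative integer, not that it is "correct": a passive schema check cannot see whether `exp` lies in the future or after `iat`, so the name overstates what a pass means. Suggest the description read `... a GET to the SA's fetch endpoint ... the JWS payload is base64url-decoded and exp is checked to be a non-negative integer timestamp`, and keep freshness for an active test.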
@@ -1777,20 +1964,27 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response SA OP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -1800,20 +1994,27 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does Entity Statements issued by the SA contain a correct exp parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", - "checks": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + } + ] } ] } 
@@ -1823,8 +2024,8 @@ }, { "test": { - "name": "Does the SA correctly release the Entity statements", - "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does Entity Statements issued by the SA contain a correct iat parameter", + "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", "type": "passive", "sessions": [ "s1" @@ -1832,11 +2033,18 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + } + ] } ] } 
@@ -1846,48 +2054,25 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the SA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response SA RP", - "checks": [ - { - "in": "body", - "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response SA", - "decode operations": [ + "message type": "Entity Statement response SA RP", + "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + 
"check": "$.metadata_policy.openid_relying_party.jwks", + "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" } ] } @@ -1899,25 +2084,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] } ] } 
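Review bot: The metadata_policy check at the end of the first hunk only requires a `value` member and constrains it with `{}`, which accepts `null`, a string or an empty object, so the description's "It must contain the RP JWKS" is not enforced; a policy that sets `jwks.value` to anything passes. Tighten the inner schema to at least `{\"value\": {\"type\": \"object\", \"required\": [\"keys\"], \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}}}` so a missing or empty key set is caught. Whether the policy must express `jwks` through `value` rather than another policy operator is something to confirm against the profile.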
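Review bot: This test is described as checking a Trust Mark "issued for an AA (oauth_resource profile)" but reads `Entity Statement response SA OP`, so what lands in `$.trust_marks[0].trust_mark` is the first Trust Mark the SA attaches to the OP's statement, not an AA one; either the message type or the description is wrong. It also inspects only index 0, so an entity carrying several Trust Marks has the rest unchecked, and the selector `claims` lacks the `$.` prefix every other `check` in this file uses — if mig-t evaluates it as JSONPath, use `"check": "$.claims"`. Finally, "decrypted" should read "decoded": a Trust Mark is a signed JWT, not an encrypted one, and this wording is duplicated in every Trust Mark hunk below.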
@@ -1929,25 +2121,32 @@ }, { "test": { - "name": "Does the metadata parameter contain a JSON Object", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] } ] } 
@@ -1959,25 +2158,32 @@ }, { "test": { - "name": "Does the TA metadata contain correct type logo_uri claim", - "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity", - "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] } ] } 
@@ -1989,25 +2195,32 @@ }, { "test": { - "name": "Does the metadata parameter contain only allowed types and only once for each", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
@@ -2019,25 +2232,32 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
@@ -2049,8 +2269,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -2061,13 +2281,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
@@ -2079,8 +2306,8 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" @@ -2091,13 +2318,20 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -2109,25 +2343,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -2139,25 +2380,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain a correct iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -2169,25 +2417,32 @@ }, { "test": { - "name": "Does the SA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\n\\r]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.jwks", - "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
@@ -2199,8 +2454,8 @@ }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" 
@@ -2211,45 +2466,57 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" - } - ] - } - ] - } + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] + } + ] + } + ] + } ], "result": "correct flow s1" } }, { "test": { - "name": "Does the SA correctly sign the Trust marks", - "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", + "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
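Review bot: Both hunks here drop the only checks that verified a Trust Mark signature — `"jwt check sig": "X_key_SA"` on the SA OP and SA RP statements — and replace them with `is present` checks for `policy_uri` and `ref`; unless the signature test was moved elsewhere in the patch, nothing in this file now rejects a Trust Mark whose signature is missing or broken, so every claim-presence test above and below is satisfied by an unsigned or tampered token. Keep signature verification as its own test instead of overwriting it, i.e. restore an entry with `"decode param": "$.trust_marks[0].trust_mark", "jwt check sig": "X_key_SA"` for both message types. Whether a Trust Mark should verify against the SA key or against the key of the issuer named in its `iss` is a separate question the old test did not settle either.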
@@ -2261,25 +2528,32 @@ }, { "test": { - "name": "Does entity configuration SA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", + "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is": "X_url_SA" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is present": "true" + } + ] } ] } 
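Review bot: The `sa_profile` claim belongs to the Trust Mark a TA issues for the SA, as the description itself says, yet the operation reads `Entity Statement response SA OP` and selects `$.trust_marks[0].trust_mark`, which is the first Trust Mark the SA attaches to the OP's statement; as written the test inspects the wrong token and fails against a correct SA unless the OP's first Trust Mark happens to carry `sa_profile`. Point it at the message that carries the SA's own Trust Mark — judging by the types used elsewhere in this file, `Entity Configuration response SA` — and keep the `$.trust_marks[0].trust_mark` selector.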
@@ -2291,25 +2565,32 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } + ] } ] } 
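Review bot: `service_documentation` is described as a claim of a Trust Mark "issued for an AA (oauth_resource profile)", but the operation reads the SA's statement for the OP (`Entity Statement response SA OP`), whose first Trust Mark is the OP's, so a conformant OP Trust Mark without that claim fails the test; the `tos_uri` hunk two lines down has the same mismatch. Either bind these AA-profile tests to the message that actually carries the AA's statement, or reword them as OP checks if the profile does require these claims there — I cannot tell from the hunk which was intended.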
@@ -2321,25 +2602,32 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the Trust Mark contain the sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } + ] } ] } 
@@ -2351,25 +2639,32 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } + ] } ] } 
@@ -2381,25 +2676,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
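Review bot: The message type for this oauth_resource Trust Mark test is `"message type": "Entity Statement response SA RP"`, while the preceding oauth_resource test (tos_uri) reads the SA OP statement; the name and description say the mark is issued for an AA, so an RP statement does not look like the intended source, and at minimum the oauth_resource tests should agree on one message type. The policy_uri test at 3046 and the service_documentation test at 3157 show the same mismatch. If this suite has no AA message type, the description should state which entity's statement is actually inspected so that a failure is not misread as an AA defect.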
@@ -2411,25 +2713,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2441,25 +2750,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2471,25 +2787,32 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain the trust marks",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2501,25 +2824,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2531,25 +2861,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2561,25 +2898,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2591,25 +2935,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2621,25 +2972,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2651,25 +3009,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2681,25 +3046,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2711,25 +3083,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.trust_marks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2741,8 +3120,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2753,13 +3132,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2771,8 +3157,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2783,13 +3169,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2801,8 +3194,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
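Review bot: The test name `"name": "Does the Trust Mark contain the sub claim"` in the hunk at 3194 duplicates the test introduced at 2602, and the tos_uri test in the next hunk (3231) duplicates the one at 2639; the message type lines that presumably distinguish them fall outside these hunks, so reports and assertions carrying only the name cannot tell the two results apart. Appending the statement being inspected to the name, for example `"name": "Does the Trust Mark in the SA RP Entity Statement contain the sub claim"` (constructed wording, adjust to the real message type), would make the results unambiguous. The enclosing test objects continue outside these hunks.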
@@ -2813,13 +3206,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2831,8 +3231,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2843,13 +3243,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2861,24 +3268,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the jwks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
+ "name": "Does the SA's metadata contain the contacts parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata.federation_entity.contacts",
 "is present": "true"
 }
 ]
@@ -2891,24 +3298,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
+ "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy",
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
 "is present": "true"
 }
 ]
@@ -2921,24 +3328,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the sub parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the SA's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
 "is present": "true"
 }
 ]
@@ -2951,24 +3358,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
 "is present": "true"
 }
 ]
@@ -2981,8 +3388,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2993,9 +3400,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
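Review bot: The `"jwt check sig": "X_key_SA"` operation that verified the Entity Configuration signature is replaced in the hunk at 3400 by a metadata-presence check, and the hunks at 3418 and 3448 do the same to the two Entity Statement signature tests (SA OP and SA RP); after this change no test in the visible part of the file still carries a `jwt check sig` operation. Unless those three tests were moved elsewhere in the reorganised file, the suite no longer verifies that the SA signs its configuration and statements, which is the check that gives every presence test above its meaning. Please confirm the signature tests still exist, or keep them alongside the new federation_entity metadata tests rather than overwriting them. The enclosing test object continues outside the hunk.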
@@ -3005,21 +3418,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the SA's metadata contain the homepage_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3029,21 +3448,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly signs the Entity Statement",
- "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does the SA's metadata contain the logo_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -3053,32 +3478,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does the SA's metadata contain the organization_name parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -3090,32 +3508,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does the SA's metadata contain the policy_uri parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
- "type": "jwt",
 "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "type": "jwt",
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
+ "in": "payload",
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -3127,32 +3538,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
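Review bot: The new side writes `"decode param": "[^\\r\\n]*"` for the body regex, whereas every other new-side test in this chunk (from 3268 onward) renames that key to `"decode regex"` and uses `decode param` only for a JSONPath such as `$.trust_marks[0].trust_mark`; the hunks at 3568 and 3598 have the same form. If the tool distinguishes the two keys, these three tests would try to read the regex as a JSONPath and never decode the body, so the added line should read `"decode regex": "[^\\r\\n]*",`. The description's "(Base64 encoding)" is also imprecise for a JWT payload, which is base64url-encoded; `"description": "To accomplish this test, the Entity Configuration of the interested entity is taken, the JWT payload is base64url decoded and the presence of the exp parameter is checked"` would match the wording used by the Entity Statement tests.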
@@ -3164,32 +3568,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -3201,32 +3598,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -3238,32 +3628,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -3275,32 +3658,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -3312,32 +3688,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -3349,32 +3718,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -3386,8 +3748,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3398,20 +3760,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
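Review bot: The new descriptions in this hunk and in L11573–L11587 all carry the same typo, `the presence if the <claim> parameter is checked`, which should read `the presence of the <claim> parameter is checked`, and the names read `Does Entity Statements issued by the SA contain …` where `Do the Entity Statements issued by the SA contain …` is grammatical. The descriptions also disagree on which endpoint is queried: L11573–L11576, L11578, L11581–L11584 and L11586 say `TA's fetch endpoint` while the test names and the other hunks refer to the SA, and for a test of statements issued by the SA its own fetch endpoint appears to be the one meant. Finally, L11580–L11587 reuse the eight test names of L11572–L11579 verbatim; if they target a different message type (that line falls between the two hunks and is not visible here) the names should say which responder is under test, otherwise they are duplicate tests.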
@@ -3423,8 +3778,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3435,20 +3790,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -3460,8 +3808,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3472,20 +3820,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -3497,8 +3838,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3509,20 +3850,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -3534,8 +3868,8 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3546,20 +3880,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -3571,8 +3898,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3583,20 +3910,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
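Review bot: The description of the metadata_policy test ends with `It must be a JSON Object`, but the only check added is `"is present": "true"`, which passes for a string or number just as well; either the description should drop that sentence or the check should enforce the type, e.g. with a `"json schema compliant": "{\"type\": \"object\"}"` check on `$.metadata_policy` as the removed trust-mark tests did. The same mismatch is in L11585.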
@@ -3608,8 +3928,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3620,20 +3940,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -3645,8 +3958,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3657,20 +3970,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -3682,8 +3988,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3694,20 +4000,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -3719,8 +4018,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3731,20 +4030,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -3756,8 +4048,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3768,20 +4060,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -3793,8 +4078,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3805,20 +4090,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -3830,8 +4108,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3842,20 +4120,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -3867,8 +4138,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3879,20 +4150,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -3904,8 +4168,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3916,20 +4180,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -3941,8 +4198,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3953,20 +4210,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -3978,34 +4228,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
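Review bot: The added `check regex` `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` matches the JOSE header and payload segments with `[\\w=]`, which admits `_` but not `-`; both are legal base64url characters, so a compliant compact JWS whose header or payload contains a `-` fails this presence check and the entity is reported as non-compliant. The signature group already allows `-`, so the intent is plainly a three-segment JWS; `([\\w-]+)\\.([\\w-]+)\\.([\\w-]*)` covers the whole base64url alphabet (`=` padding does not occur in compact serialization). The same `[\\w=]` groups are used in L11591. The description also promises a `Content-Type: application/entity-statement+jwt` check, but only the body is inspected; if the tool supports checks on response headers one should be added here, otherwise the description should not claim it.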
@@ -4015,34 +4251,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
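Review bot: The added `check regex` `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` opens a character class with its first unescaped `[` and never closes it (the final `\\]` is escaped), so the pattern is rejected when compiled and the test can never pass; the leading bracket was presumably meant as the literal opener of a JSON array, `^\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`. Note also that this array-of-strings shape is exactly what the entity listing test in L11590 describes (`a JSON list with the known Entity Identifiers`), while this test's description expects resolved metadata for the `sub` entity and L11590 carries an object-shaped regex; the two patterns look swapped, please verify each against the response body it is meant to accept.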
@@ -4052,34 +4274,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$", + "is present": "true" } ] } 
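Review bot: The entity listing check can never match as written: the `check regex` begins `[^\\r\\n]*.^\\{`, and once `.` has consumed at least one character the mid-pattern `^` anchor cannot succeed unless the engine runs in MULTILINE mode, which nothing in the test requests. The pattern also describes a JSON object, while this test's own description says the listing endpoint returns a JSON list of Entity Identifiers; the array-shaped regex from the previous hunk looks like it belongs here. The description additionally still says "resolve entity statement endpoint", a copy-paste leftover; `"description": "In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request is made to the entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected"` would be accurate.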
@@ -4089,34 +4297,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Statement response SA OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
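Review bot: This test and the one in the next hunk carry the identical name "Does the SA correctly release the Entity statements" and description while checking different message types (`Entity Statement response SA OP` here, `SA RP` there), so a failure report cannot say which subordinate type failed; suffixing the names, e.g. `"name": "Does the SA correctly release the Entity statement (OP subordinate)"`, would disambiguate. The `check regex` also carries the `[^\\r\\n]*.^` prefix that prevents the `^` anchor from matching outside MULTILINE mode, and its JWT shape admits `=`, `+`, `/` and an empty signature. Beyond body shape, nothing verifies that the returned statement's `sub` is the entity named in the request, which is what the description promises to check.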
@@ -4126,8 +4320,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the SA correctly release the Entity statements", + "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" @@ -4135,25 +4329,11 @@ "operations": [ { "message type": "Entity Statement response SA RP", - "decode operations": [ + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -4163,34 +4343,20 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", - "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response SA RP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" - } - ] - } - ] + "in": "body", + "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -4200,32 +4366,53 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response SA OP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" } ] } 
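Review bot: The saved `conf_iss` is extracted with `"from": "url"`, `"decode param": "client_assertion"` from an `Entity Statement response SA OP`, but a response has no URL query string and `client_assertion` is a token-request parameter, so the variable is most likely empty or unset and the later `contains` check on `$.iss` passes vacuously. Even with the right source, `contains` is a substring match: an `iss` such as `https://sa.example.org.attacker.example` would satisfy `contains` against `https://sa.example.org`, whereas issuer identifiers must be compared for exact equality. Extract the identifier from the body JWT of the statement (`"from": "body", "decode param": "[^\\r\\n]*", "type": "jwt"`, as the second operation already does) and compare with an exact-match operator if the framework offers one for variables. The description reads like a passive check while `type` is `active`; if interception is only used to read, say so explicitly.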
@@ -4237,32 +4424,53 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", - "type": "passive", + "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", + "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", + "type": "active", "sessions": [ "s1" ], "operations": [ { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Statement response SA RP", + "decode operations": [ + { + "from": "url", + "decode param": "client_assertion", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "$.iss", + "as": "conf_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" - } - ] + "use variable": "true", + "in": "payload", + "check": "$.iss", + "contains": "conf_iss" } ] } 
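Review bot: This test repeats the preceding one verbatim (same name, same description) with only the message type changed to `Entity Statement response SA RP`, and inherits its defects: `conf_iss` is read from a URL parameter `client_assertion` that a response does not carry, so the variable is likely empty and `contains` on `$.iss` passes trivially, and `contains` is a substring test where issuer identifiers require exact equality. Give the two tests distinct names (e.g. append `(RP subordinate)`), take the identifier from the response body JWT, and compare with an exact-match operator if the framework supports one with `use variable`.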
@@ -4274,34 +4482,21 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", - "decode operations": [ + "message type": "Entity Configuration response SA", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" - } - ] - } - ] + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" } ] } diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json index 8120cab..361132e 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/All_SA_Passive.json 
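Review bot: The Content-Type check uses exact `is` against `application/entity-statement+jwt`, so a compliant response that appends a parameter such as `; charset=utf-8` is reported as a failure; if parameter tolerance is wanted, a header regex like `^application/entity-statement\\+jwt(\\s*;.*)?$` keeps the media type exact while ignoring parameters. Whether `is` also fails when the header is absent altogether depends on the engine and is worth confirming, since a missing Content-Type is the more interesting misconfiguration. Note that the identical test is deleted from All_SA_Passive.json later in this commit, so the passive suite loses this coverage unless that is intended.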
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response SA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
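Review bot: The five new duplicate-metadata tests cannot detect what they describe: `$.metadata` is evaluated on the JWT payload after it has been parsed as JSON, and a JSON parser collapses duplicate keys (typically last-wins) before any JSONPath or regex runs, so `not matches regex` with `openid_relying_party.*(\\n.*)+"openid_relying_party"` will never observe a repeat; the `(\\n.*)+` part additionally requires a newline between the occurrences, which a compact serialization does not have. Duplicate-key detection has to run on the raw base64url-decoded payload text, and the description's second requirement — that every key is one of `openid_relying_party`, `openid_provider`, `federation_entity`, `oauth_authorization_server`, `oauth_resource` — is not checked by any of the five. Structurally, each entry is wrapped in its own `{"test suite": ..., "tests": [...]}` object inside the outer `tests` array, unlike every neighbouring `{"test": ...}` entry; unless the mig-t loader supports nested suites these may be skipped silently, and all five share a single `name`, which makes results indistinguishable.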
@@ -53,32 +248,8 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ - { - "message type": "Entity Configuration response SA", - "checks": [ - { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" - } - ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" @@ -99,11 +270,8 @@ "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } 
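Review bot: The replacement `claims` test's description says the value "is checked to be a list", but the schema it applies, `{"claims": {"type": "object", "additionalProperties": {"type": "object"}}}`, rejects an array outright; one of the two is wrong and should be aligned with the oauth_resource Trust Mark profile before merging. The two `organization_type` value tests (`"is in": ["public", "private"]`) that previously occupied these positions are deleted rather than converted to the `json schema compliant` style, so unless an equivalent exists elsewhere in the file, the constraint that `organization_type` is `public` or `private` is no longer exercised anywhere in this suite.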
@@ -112,22 +280,20 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the Trust Mark contain correct value for organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "name": "Does the Trust Mark contain the correct type of email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", @@ -137,15 +303,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is in": [ - "public", - "private" - ] + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -154,15 +317,13 @@ ] } ], - "result": [ - "s1" - ] + "result": "correct flow s1" } }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" 
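Review bot: The email schema in the new `json schema compliant` string is vacuous: every keyword and property name carries a trailing space (`"type "`, `"properties "`, `"email "`, `"format "`, `"required "`), JSON Schema validators ignore unknown keywords, and so the schema imposes no constraint and the test passes for any payload, including one without an `email` claim. It should read `{"type": "object", "properties": {"email": {"type": "string", "format": "email"}}, "required": ["email"]}`; the same mis-spaced string recurs further down this file. Even after the fix, `format` is an annotation unless the validator is configured to assert formats, so only the string type is a hard guarantee. The `decode param` change from `$.trust_marks[0].trust_mark` to `$.trust_marks.trust_mark` also drops the array index although `trust_marks` is a JSON array; a property step on an array is implementation-defined in JSONPath and may fail to resolve or return a list instead of a single JWT.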
@@ -179,12 +340,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "claims", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -198,8 +359,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -220,8 +381,8 @@ "checks": [ { "in": "payload", - "check": "email", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -235,8 +396,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" 
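Review bot: The `exp` schema only asserts a non-negative integer, which does not establish that the Trust Mark is currently valid: nothing compares `exp` with the time of the test or requires `exp` to exceed `iat`, so an already-expired mark passes. If the framework cannot compare against the clock, the description should say that only the type is checked rather than imply validity. This hunk also switches `decode param` to `$.trust_marks.trust_mark` for some tests while leaving other decode lines untouched, which presumably still use `$.trust_marks[0].trust_mark`; since `trust_marks` is an array, the indexed form should be used uniformly, or `$.trust_marks[*].trust_mark` if every mark is meant to be checked.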
@@ -253,12 +414,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "exp", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -272,8 +433,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -294,8 +455,8 @@ "checks": [ { "in": "payload", - "check": "iat", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -309,8 +470,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" 
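Review bot: The id_code type schema `{"id_code": {"type": "object", "additionalProperties": {"type": "object"}}}` requires every value inside `id_code` to itself be an object, but the test in the next hunk requires `id_code.ipa_code` to be a string, so an `id_code` whose `ipa_code` is a conforming string fails this test while passing that one. Drop the `additionalProperties` sub-schema so this test asserts only the JSON-object type its name and description promise: `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`. The test name also contains a typo, `correcty`.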
@@ -331,8 +492,8 @@ "checks": [ { "in": "payload", - "check": "id", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -346,8 +507,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -368,8 +529,8 @@ "checks": [ { "in": "payload", - "check": "id_code", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -383,8 +544,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -405,8 +566,8 @@ "checks": [ { "in": "payload", - "check": "iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -420,8 +581,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -442,8 +603,8 @@ "checks": [ { "in": "payload", - "check": "logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } @@ -457,8 +618,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -475,12 +636,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } @@ -494,8 +655,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -516,8 +677,8 @@ "checks": [ { "in": "payload", - "check": "organization_type", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } @@ -531,8 +692,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" 
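Review bot: The organization_name schema is both vacuous and semantically off: its keywords carry trailing spaces and `\u00a0` non-breaking spaces (`"type "`, `"properties "`, `"organization_name "`, `"enum "`, `"required "`), so a validator ignores them and the test constrains nothing, and the `enum ["private ", "public "]` it tries to impose is the value set of `organization_type`, not of `organization_name`, which is the organisation's name rather than a category. Since the `organization_type` value tests are removed elsewhere in this commit, neither claim ends up properly checked. Suggested: `{"type": "object", "properties": {"organization_name": {"type": "string", "minLength": 1}}, "required": ["organization_name"]}` here, plus a separate enum test for `organization_type`.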
@@ -549,12 +710,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } @@ -568,8 +729,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -590,8 +751,8 @@ "checks": [ { "in": "payload", - "check": "ref", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } @@ -605,8 +766,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" 
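Review bot: The sa_profile schema has the same trailing-space and `\u00a0` keyword problem as the organization_name one (`"type "`, `"properties "`, `"enum "`, `"required "`), so it validates nothing; the intended form is `{"type": "object", "properties": {"sa_profile": {"type": "string", "enum": ["full", "light"]}}, "required": ["sa_profile"]}`. The `ref` check uses `"format": "uri"` with no `"pattern": "^https://"`, unlike the iss/sub/logo_uri/policy_uri schemas in this file, so an `http://` or `javascript:` reference would pass; and because `format` is annotation-only by default, even `uri` is not enforced unless the validator asserts formats.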
@@ -627,8 +788,8 @@ "checks": [ { "in": "payload", - "check": "sa_profile", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } @@ -642,8 +803,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -664,8 +825,8 @@ "checks": [ { "in": "payload", - "check": "service_documentation", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } @@ -679,8 +840,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -701,8 +862,8 @@ "checks": [ { "in": "payload", - "check": "sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } @@ -716,15 +877,15 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", @@ -738,8 +899,8 @@ "checks": [ { "in": "payload", - "check": "tos_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" } ] } @@ -753,8 +914,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
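Review bot: The claims test added at `@@ -716` describes its check as "the value of the claims claim is checked to be a list", but the schema at `@@ -738` requires `claims` to be a JSON object whose members are objects, so description and check disagree. If the object form is the intended one, the description should say "a JSON object"; if a list is intended, the schema should read `{"type": "object", "properties": {"claims": {"type": "array"}}, "required": ["claims"]}`. I cannot tell from this file which shape the trust mark profile mandates, so one of the two needs to be confirmed against the spec.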
@@ -771,12 +932,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "claims", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " } ] } @@ -790,8 +951,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -808,12 +969,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "email", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" } ] } @@ -827,8 +988,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", "type": "passive", "sessions": [ "s1" 
@@ -849,8 +1010,8 @@ "checks": [ { "in": "payload", - "check": "exp", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" } ] } @@ -864,8 +1025,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -882,12 +1043,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "iat", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" } ] } @@ -901,8 +1062,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", + "name": "Does the Trust Mark contain correcty type of id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", "type": "passive", "sessions": [ "s1" 
@@ -923,8 +1084,8 @@ "checks": [ { "in": "payload", - "check": "id", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" } ] } @@ -938,8 +1099,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'", "type": "passive", "sessions": [ "s1" @@ -960,8 +1121,8 @@ "checks": [ { "in": "payload", - "check": "id_code", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" } ] } @@ -975,8 +1136,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", + "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" 
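Review bot: The id_code schema at `@@ -923` sets `"additionalProperties": {"type": "object"}` on `id_code` with no `properties` declared, so every member of `id_code` must itself be an object; the next hunks in this file (`@@ -960`, `@@ -997`) require `id_code.ipa_code` to be present and to be a string, and `@@ -849` accepts `fiscal_number`/`vat_number` with no type at all. A payload like `{"id_code": {"ipa_code": "..."}}` therefore passes the ipa_code tests and fails this one. Since the test name and description only ask for `id_code` to be a JSON object, the schema should be `{"type": "object", "properties": {"id_code": {"type": "object"}}, "required": ["id_code"]}`.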
@@ -997,8 +1158,8 @@ "checks": [ { "in": "payload", - "check": "iss", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" } ] } @@ -1012,8 +1173,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -1034,8 +1195,8 @@ "checks": [ { "in": "payload", - "check": "logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}" } ] } @@ -1049,8 +1210,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the Trust Mark contain correct type of logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL", "type": "passive", "sessions": [ "s1" @@ -1071,8 +1232,8 @@ "checks": [ { "in": "payload", - "check": "organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}" } ] } 
@@ -1086,8 +1247,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -1104,12 +1265,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "organization_type", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" } ] } @@ -1123,8 +1284,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -1145,8 +1306,8 @@ "checks": [ { "in": "payload", - "check": "policy_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}" } ] } 
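Review bot: The schema at `@@ -1104` constrains `organization_name` to the enum `private`/`public`, which looks like a copy of the organization_type check (the `@@ -1345` hunk later in this file tests `organization_type` with `"is in": ["public", "private"]`); a real organization name would fail this test. The test name only promises a type check, so the schema should be `{"type": "object", "properties": {"organization_name": {"type": "string"}}, "required": ["organization_name"]}`, which also removes the trailing spaces and no-break spaces that currently make the schema vacuous.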
@@ -1160,8 +1321,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -1178,12 +1339,12 @@ { "from": "jwt payload", "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", + "decode param": "$.trust_marks.trust_mark", "checks": [ { "in": "payload", - "check": "ref", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" } ] } @@ -1197,8 +1358,8 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" @@ -1219,8 +1380,8 @@ "checks": [ { "in": "payload", - "check": "sa_profile", - "is present": "true" + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}" } ] } 
@@ -1234,8 +1395,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -1256,8 +1417,8 @@ "checks": [ { "in": "payload", - "check": "service_documentation", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}" } ] } @@ -1271,8 +1432,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL", "type": "passive", "sessions": [ "s1" @@ -1293,8 +1454,8 @@ "checks": [ { "in": "payload", - "check": "sub", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}" } ] } 
@@ -1308,8 +1469,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL", "type": "passive", "sessions": [ "s1" @@ -1330,8 +1491,8 @@ "checks": [ { "in": "payload", - "check": "tos_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}" } ] } 
@@ -1345,111 +1506,140 @@ }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", "message type": "Entity Statement response SA OP", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", "type": "jwt", - "edits": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] - }, + } + ], + "result": [ + "s1" + ] + } + }, + { + "test": { + "name": "Does the Trust Mark contain correct value for organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim can be 'public' or 'private'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - 
"use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is in": [ + "public", + "private" + ] + } + ] } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim", - "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA", - "type": "active", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "type": "passive", "sessions": [ "s1" ], "operations": [ { - "session": "s1", - "action": "start" - }, - { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { - "from": "url", - "decode param": "client_assertion", + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "edits": [ + "checks": [ { - "jwt from": "payload", - "jwt save": "$.iss", - "as": "conf_iss" + "in": "payload", + "check": "$.sub", + "is": "X_key_SA" } ] } ] - }, + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ { - "action": "intercept", - "from session": "s1", - "then": "forward", - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "use variable": "true", - "in": "payload", - "check": "$.iss", - "contains": "conf_iss" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_SA" } ] } 
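Review bot: The `result` key changes type within this hunk: the two organization_type tests use `"result": ["s1"]` while the sub test uses `"result": "correct flow s1"`, and the same key appears with both shapes elsewhere in the file, which forces every consumer to special-case it. Pick one representation for `result` and apply it to the new tests here. The sub test's description says the value must equal the `iss` parameter, but the check is `"is": "X_key_SA"`; the removed code shows the tool supports `jwt save`/`use variable`, so if X_key_SA is not a placeholder for the SA's entity identifier this should compare against a saved `$.iss` instead. The two organization_type tests are byte-identical apart from the message type (SA OP vs SA RP); if that is intentional, a short note in the description saying which statement each one covers would help.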
@@ -1461,25 +1651,26 @@ }, { "test": { - "name": "Does the SA's metadata contain the contacts parameter", - "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA correctly sign the Trust marks", + "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "jwt check sig": "X_key_SA" } ] } 
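Review bot: The body decode step here switches from `"decode regex": "[^\\r\\n]*"` to `"decode param": "[^\\r\\n]*"`, and the following hunks (`@@ -1491`, `@@ -1521`, `@@ -1551`, `@@ -1581` and onwards) make the same switch, but the new organization_type tests in the preceding hunk (`@@ -1345`) still use `"decode regex"` for the identical body extraction, while `"decode param"` is used elsewhere for a JSONPath (`$.trust_marks[0].trust_mark`). Unless the tool treats the two keys as aliases, one form selects nothing and the signature check is never reached. One key should be used for regex-based body extraction throughout, and the `@@ -1345` hunk brought in line.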
@@ -1491,8 +1682,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the entity correctly sign the Entity Configuration", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", "type": "passive", "sessions": [ "s1" @@ -1503,15 +1694,9 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
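Review bot: `"jwt check sig": "X_key_SA"` verifies the SA's Entity Configuration against a pre-configured key, whereas the description says the key must be taken from the Entity Statement of a superior; as written, the test proves the document is signed by the configured key, not that it chains to the trust anchor. The description should state how `X_key_SA` is provisioned, e.g. "X_key_SA is the SA's federation key as published in the TA's Entity Statement for the SA", or, since the removed code shows the tool supports `jwt save`/`use variable`, the key could be captured from the fetched superior statement instead of being pinned.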
@@ -1521,27 +1706,21 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_list_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -1551,27 +1730,21 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the SA correctly signs the Entity Statement", + "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" - } - ] + "jwt check sig": "X_key_SA" } ] } 
@@ -1581,8 +1754,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the metadata parameter contain only allowed types", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", "type": "passive", "sessions": [ "s1" @@ -1593,13 +1766,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "check": "$.metadata", + "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}" } ] } 
@@ -1611,8 +1784,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the homepage_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain a correct exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1623,13 +1796,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" } ] } @@ -1641,8 +1814,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the logo_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does entity configuration contain a correct iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -1653,13 +1826,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}" } ] } 
@@ -1671,8 +1844,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the organization_name parameter", - "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", "type": "passive", "sessions": [ "s1" @@ -1683,13 +1856,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" } ] } @@ -1701,8 +1874,8 @@ }, { "test": { - "name": "Does the SA's metadata contain the policy_uri parameter", - "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA metadata contain correct type logo_uri claim", + "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file", "type": "passive", "sessions": [ "s1" 
@@ -1713,13 +1886,13 @@ "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\n\\r]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata.federation_entity", + "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}" } ] } @@ -1731,8 +1904,8 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the entity configuration of the SA contain a correct trust_marks parameter", + "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.", "type": "passive", "sessions": [ "s1" 
@@ -1740,11 +1913,18 @@
 "operations": [
 {
 "message type": "Entity Configuration response SA",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ }
+ ]
 }
 ]
 }
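Review bot: The schema added for `trust_marks` requires a JSON object whose values are arrays, but the description introduced in the previous hunk says the parameter "must be a JSON array containing the Trust Marks", and the trust-mark tests later in this diff address it as an array with `$.trust_marks[0].trust_mark`; as written, an entity configuration with an array-valued `trust_marks` fails this test while being the only shape the other tests can read. The embedded schema should express the array form, e.g. `\"trust_marks\": {\"type\": \"array\", \"minItems\": 1, \"items\": {\"type\": \"object\", \"required\": [\"trust_mark\"]}}`, so the two families of tests agree on the shape and a mis-typed `trust_marks` is reported here rather than as a decode failure further down.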
@@ -1754,20 +1934,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the resolve entity statement endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Resolve Entity Statement response",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
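Review bot: The new description says the entity statement is fetched "in the TA's fetch endpoint", but the test name says the statements are issued by the SA and the message type is `Entity Statement response SA OP`, so the description should name the SA's fetch endpoint. It also contains "the the exp parameter" and calls the base64url-decoded payload the "decrypted Payload"; a JWS payload is encoded, not encrypted, and saying "decoded" avoids reading this test as proving any confidentiality. The same description, with the same issues, is reused in the next three hunks (`@@ -1777`, `@@ -1800`, `@@ -1823`), and `@@ -1800`/`@@ -1823` reuse the exact names of this hunk and the next for the SA RP variant, so a report cannot tell the OP and RP cases apart; naming the subordinate in the test name, e.g. `"name": "Does Entity Statements issued by the SA for the OP contain a correct exp parameter",`, would fix that.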
@@ -1777,20 +1964,27 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the entity listing endpoint",
- "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Listing response",
- "checks": [
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -1800,20 +1994,27 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
- "checks": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
 }
 ]
 }
@@ -1823,8 +2024,8 @@
 },
 {
 "test": {
- "name": "Does the SA correctly release the Entity statements",
- "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
+ "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1832,11 +2033,18 @@
 "operations": [
 {
 "message type": "Entity Statement response SA RP",
- "checks": [
+ "decode operations": [
 {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
 }
 ]
 }
@@ -1846,48 +2054,25 @@
 },
 {
 "test": {
- "name": "Does the Entity expose the fetch entity statement endpoint",
- "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
+ "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Fetch Entity Statement response SA RP",
- "checks": [
- {
- "in": "body",
- "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
- "is present": "true"
- }
- ]
- }
- ],
- "result": "correct flow s1"
- }
- },
- {
- "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
- "type": "passive",
- "sessions": [
- "s1"
- ],
- "operations": [
- {
- "message type": "Entity Configuration response SA",
- "decode operations": [
+ "message type": "Entity Statement response SA RP",
+ "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "check": "$.metadata_policy.openid_relying_party.jwks",
+ "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -1899,25 +2084,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
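Review bot: The new jwks check in the first hunk only asserts that `metadata_policy.openid_relying_party.jwks` carries a `value` key (`\"properties\": {\"value\" :{}}`), so any value, including `null` or a string, satisfies a test whose description says the policy must contain the RP JWKS. Constraining the operator value to a JWK Set shape in the embedded schema, e.g. `\"value\": {\"type\": \"object\", \"properties\": {\"keys\": {\"type\": \"array\", \"minItems\": 1}}, \"required\": [\"keys\"]}`, would make the check match its description. The enclosing operation object continues past the end of the hunk.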
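Review bot: The nested decode in the second hunk reads `$.trust_marks[0].trust_mark`, so only the first trust mark carried by the statement is inspected and the verdict depends on an ordering the test does not control; the whole family of trust-mark tests introduced from here to `@@ -2501,25 +2824,32 @@` has the same limitation. The `check` value is the bare name `claims`, whereas every other check in this file is a JSONPath rooted at `$` (the lines removed in this hunk used `$`, and the `$.exp`/`$.iat` presence checks removed further down used the rooted form with the same `is present` operator); if the engine evaluates `check` as JSONPath the bare form may never match, which should be confirmed before relying on these tests. The description also says the trust mark was issued for an AA (oauth_resource profile) while the operation reads `Entity Statement response SA OP`, i.e. the OP's statement, and "decrypted" should read "decoded" since a JWS is signed, not encrypted.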
@@ -1929,25 +2121,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -1959,25 +2158,32 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
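Review bot: `exp` is only checked for presence inside the trust mark, while the entity statement tests earlier in this diff (`@@ -1754`, `@@ -1777`) validate `exp`/`iat` with a `json schema compliant` check requiring an integer with `minimum` 0; a trust mark whose `exp` is a string or negative passes here although an expired or malformed lifetime is exactly what a verifier must reject. Reusing that form in the nested check, `"check": "$"` with the same integer/minimum schema the statement tests already embed, would make the trust-mark tests as strict as the statement tests; the same applies to `iat` in the next hunk and to the SA RP copies at `@@ -2441` and `@@ -2471`, and the `logo_uri` presence check at `@@ -2109` could reuse the `.svg` URL schema that `@@ -1713` already defines.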
@@ -1989,25 +2195,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2019,25 +2232,32 @@
 },
 {
 "test": {
- "name": "Does the entity configuration of the SA contain a correct trust_marks parameter",
- "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_marks\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_marks\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2049,8 +2269,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the Trust Mark contain the id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2061,13 +2281,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2079,8 +2306,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2091,13 +2318,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2109,25 +2343,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the exp parameter is checked. It must be a timestamp",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2139,25 +2380,32 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain a correct iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response is base64url decoded and once obtained the decrypted Payload, the the iat parameter is checked. It must be a timestamp",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2169,25 +2417,32 @@
 },
 {
 "test": {
- "name": "Does the SA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the SA, an entity statement for an RP must be fetched in the SA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.jwks",
- "json schema compliant": "{\"type\":\"object\", \"properties\": {\"value\" :{}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2199,8 +2454,8 @@
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2211,45 +2466,57 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
- }
- ]
- }
- ]
- }
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
 ],
 "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the SA correctly sign the Trust marks",
- "description": "To accomplish this test, an entity statement issued by the SA is taken, and the trust marks in it are taken. The three parts of the JWT (header, payload and signature) composing the trust marks are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
+ "decode regex": "[^\\r\\n]*",
 "decode operations": [
 {
 "from": "jwt payload",
 "type": "jwt",
 "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
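Review bot: Both `"jwt check sig": "X_key_SA"` operations on the trust marks (the SA OP one at the top of this hunk and the SA RP one at the bottom) are removed and replaced by `policy_uri` and `ref` presence checks, so unless the signature test is re-added elsewhere in the file, nothing in this suite verifies a trust mark signature any more; claim presence in an unverified JWS says nothing about who issued it, and the removed description was the only place that documented how the verification is performed. If the engine accepts `checks` and `jwt check sig` side by side in the same nested decode operation, keeping `"jwt check sig": "X_key_SA",` next to the new `checks` costs one line; otherwise the old signature tests should stay as separate entries rather than be overwritten. The new names ("Does the Trust Mark contain the ref claim") also drop the SA OP / SA RP distinction that the message types still carry, so the two copies of each trust-mark test are indistinguishable in a report.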
@@ -2261,25 +2528,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration SA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is": "X_url_SA"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
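Review bot: The description says a trust mark issued by a TA for an SA is checked and the name calls it the "intermediary" trust mark, but the operation reads `Entity Statement response SA OP` and takes `$.trust_marks[0].trust_mark` from it, which is the subordinate statement the SA issues for the OP, not something the TA issued for the SA; an SA's own trust marks would be expected in its entity configuration, and `Entity Configuration response SA` is the message type other tests in this file use for that. Either the message type or the description is wrong, and because `sa_profile` is only checked for presence on whatever trust mark happens to be first in the OP statement, the test can pass or fail for a reason unrelated to the SA's trust mark. The same mismatch between an AA-oriented description and an OP/RP message type affects the oauth_resource tests at `@@ -2291`, `@@ -2351` and `@@ -2381`.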
@@ -2291,25 +2565,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2321,25 +2602,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2351,25 +2639,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2381,25 +2676,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2411,25 +2713,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2441,25 +2750,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response SA",
+ "message type": "Entity Statement response SA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.sub",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2471,25 +2787,32 @@ }, { "test": { - "name": "Does the entity configuration of the SA contain the trust marks", - "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response SA", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] } ] } 
@@ -2501,25 +2824,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the constraints parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the Trust Mark contain the id claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.constraints", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
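Review bot: The inner `id` claim is asserted present but never related to the `id` of the `trust_marks[0]` wrapper it was extracted from, and a mismatch between the two is how a mark issued under one identifier can be presented under another. If the tool's check grammar can compare two decoded values, add that equality here; if it cannot, say in the description that the wrapper/inner `id` agreement is left to the active tests so the gap is visible.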
@@ -2531,25 +2861,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the exp parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the Trust Mark contain the id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.exp", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] } ] } 
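Review bot: `id_code` is asserted present, but the shape rules this patch deletes later in the file (object type; `ipa_code` for public entities, `fiscal_number` or `vat_number` for private ones) are not replaced, so any scalar value now satisfies the suite. Unless those schema checks reappear in another hunk, keep at least the object-type constraint beside this presence check, e.g. a `json schema compliant` entry with `"id_code": {"type": "object"}`.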
@@ -2561,25 +2898,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iat parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iat", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } + ] } ] } 
@@ -2591,25 +2935,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the iss parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.iss", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } + ] } ] } 
@@ -2621,25 +2972,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.jwks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } + ] } ] } 
@@ -2651,25 +3009,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } + ] } ] } 
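Review bot: `organization_type` is what decides which `id_code` rule applies (the tests removed later in this patch distinguish public entities with `ipa_code` from private ones with `fiscal_number`/`vat_number`), yet the new test only asserts its presence and does not constrain its value. An enum check against the values the profile allows would make an unexpected value fail visibly instead of silently matching neither rule.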
@@ -2681,25 +3046,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.sub", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } + ] } ] } 
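Review bot: The name and description say this checks a Trust Mark issued for an AA (oauth_resource profile), but `"message type": "Entity Statement response SA RP"` reads the statement the SA issues about an RP, so the assertion runs against the wrong subject and will report RPs for lacking an AA-specific claim. Either point the operation at the AA statement or rename the test to describe the RP mark. The same mismatch repeats in the `service_documentation` and `tos_uri` hunks below.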
@@ -2711,25 +3083,32 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Statement response SA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.trust_marks", - "is present": "true" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } + ] } ] } 
@@ -2741,8 +3120,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the constraints parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2753,13 +3132,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.constraints",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
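Review bot: The description says the mark is "issued by a TA for an SA", but the operation reads `"message type": "Entity Statement response SA RP"`, which is the statement the SA issues about an RP; an RP's marks would not carry `sa_profile`, so this test either always fails or inspects the wrong artifact. Point it at the SA's own Entity Configuration (where the SA publishes its `trust_marks`) or at the TA's statement about the SA, and align the description with whichever is chosen.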
@@ -2771,8 +3157,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the exp parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2783,13 +3169,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.exp",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2801,8 +3194,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iat parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the Trust Mark contain the sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
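Review bot: Same subject mismatch as the `policy_uri` test: the name targets an AA (oauth_resource) Trust Mark while `"message type": "Entity Statement response SA RP"` selects the RP statement, and `service_documentation` is a claim an RP mark will not carry. Change the message type to the AA statement or retarget the name and description. The third hunk on this line only renames the `sub` test; its body is in the next hunk.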
@@ -2813,13 +3206,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iat",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -2831,8 +3231,8 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the SA contain the iss parameter",
- "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2843,13 +3243,20 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.iss",
- "is present": "true"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
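Review bot: For the `sub` hunk at the top of this line, presence alone does not show the mark was issued to the entity the statement is about; comparing the mark's `sub` with the Entity Statement's own `sub` is the check that catches a mark copied from another entity, and it belongs here if the tool's check grammar can express it. The `tos_uri` test further down repeats the AA-versus-RP subject mismatch (`"message type": "Entity Statement response SA RP"` under an oauth_resource-profile name) and should be retargeted together with `policy_uri` and `service_documentation`.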
@@ -2861,24 +3268,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the jwks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the SA's metadata contain the contacts parameter", + "description": "In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata.federation_entity.contacts", "is present": "true" } ] 
@@ -2891,24 +3298,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the SA's metadata contain the federation_fetch_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata.federation_entity.federation_fetch_endpoint", "is present": "true" } ] 
@@ -2921,24 +3328,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the sub parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the SA's metadata contain the federation_list_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata.federation_entity.federation_list_endpoint", "is present": "true" } ] 
@@ -2951,24 +3358,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the SA contain the trust_marks parameter", - "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the SA's metadata contain the federation_resolve_endpoint parameter", + "description": "In this test the SA metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata.federation_entity.federation_resolve_endpoint", "is present": "true" } ] 
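Review bot: This hunk and the three before it replace the presence checks for `jwks`, `metadata_policy`, `sub` and `trust_marks` in `Entity Statement response SA RP` with `federation_entity` metadata checks on the SA's Entity Configuration, and no hunk in this chunk re-adds the RP statement checks. `jwks` in that statement is what the RP's own Entity Configuration signature is later verified against, so if the removal is unintentional please restore those four tests; if they moved to another file in this PR, a sentence in the commit message would make that traceable. Also consider whether `federation_resolve_endpoint` is mandatory for an SA under the profile being tested before asserting `"is present": "true"` on it.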
@@ -2981,8 +3388,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does the SA's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the SA metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2993,9 +3400,15 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_SA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
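Review bot: The second hunk on this line removes the only Entity Configuration signature test visible in this chunk (`"jwt check sig": "X_key_SA"`) and overwrites it with a presence check for `federation_trust_mark_status_endpoint`; nothing here re-adds signature verification for the SA's Entity Configuration. An unsigned or mis-signed Entity Configuration is the root trust failure in a federation, so unless this test was relocated elsewhere in the PR it should be kept as a separate test rather than repurposed. The removed description also recorded that the verification key must come from a superior's Entity Statement and not from the configuration under test; that is worth preserving wherever the signature test lands.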
@@ -3005,21 +3418,27 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the SA's metadata contain the homepage_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.homepage_uri", + "is present": "true" + } + ] } ] } 
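Review bot: This hunk drops the signature test for `Entity Statement response SA OP` (`"jwt check sig": "X_key_SA"`) in favour of a `homepage_uri` presence check, and no replacement signature test for the SA-issued OP statement is visible in this chunk. Subordinate statements are the links of the trust chain; a suite that validates their metadata but not their signature would accept a forged chain, so retain the signature test unless it has been moved and say where.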
@@ -3029,21 +3448,27 @@ }, { "test": { - "name": "Does the SA correctly signs the Entity Statement", - "description": "In order to validate the signature of an Entity statement issued by an SA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the Entity Statement of the SA issued from the TA), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does the SA's metadata contain the logo_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA RP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_SA" + "checks": [ + { + "in": "payload", + "check": "$.metadata.federation_entity.logo_uri", + "is present": "true" + } + ] } ] } 
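Review bot: Same regression on the RP branch: the `jwt check sig` test on `Entity Statement response SA RP` becomes a `logo_uri` presence check, leaving no visible signature verification of the SA's statement about the RP. If the three signature tests were consolidated elsewhere, a pointer in the new test's description or the commit message would make that auditable; otherwise restore this one alongside the OP variant.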
@@ -3053,32 +3478,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list", + "name": "Does the SA's metadata contain the organization_name parameter", + "description": "In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.organization_name", + "is present": "true" } ] } 
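Review bot: The removed test was the only constraint on the `claims` claim of an oauth_resource Trust Mark (a `json schema compliant` check requiring `claims` to be an object), and the hunk replaces it with an `organization_name` presence check on the SA's Entity Configuration instead of moving it. If the AA mark checks now live in a separate file, say so in the commit message; otherwise re-add the schema check against the AA statement, noting that the old `"message type": "Entity Statement response SA OP"` was itself the wrong subject for an AA mark.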
@@ -3090,32 +3508,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the SA's metadata contain the policy_uri parameter", + "description": "In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", - "type": "jwt", "decode regex": "[^\\r\\n]*", - "decode operations": [ + "type": "jwt", + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] + "in": "payload", + "check": "$.metadata.federation_entity.policy_uri", + "is present": "true" } ] } 
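Review bot: The schema string being removed here carried whitespace inside its keys (`"type "`, `"properties "`, `"format "`) and used the unindexed path `$.trust_marks.trust_mark`, so the old email type check could never have validated anything; deleting it is correct, but nothing replaces it with a working `"email": {"type": "string", "format": "email"}` constraint. Add the corrected schema check to the Trust Mark email test so that claim is validated for type as well as presence.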
@@ -3127,32 +3538,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
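Review bot: The re-added Entity Configuration tests in this and the following hunks use `"decode param": "[^\\r\\n]*"`, while every test rewritten earlier in this patch changed that same line to `"decode regex": "[^\\r\\n]*"`. If the tool reads `decode param` as a JSONPath, as the nested `$.trust_marks[0].trust_mark` decodes suggest, a regex there will not select the JWT and these tests will fail or pass vacuously; use `decode regex` consistently. The `exp` type check removed in this hunk (integer, `minimum` 0) is not re-added anywhere visible.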
@@ -3164,32 +3568,25 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
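Review bot: The private-organization rule (`id_code` must contain `fiscal_number` or `vat_number`) is deleted here and nothing in this chunk reinstates it, so a private entity's Trust Mark with an empty `id_code` would now pass the passive suite. Unless it reappears in another hunk, keep a corrected version of this `json schema compliant` check next to the new `id_code` presence test. The `"decode param": "[^\\r\\n]*"` on the new side has the same `decode regex` inconsistency as the previous hunk.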
@@ -3201,32 +3598,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks.trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -3238,32 +3628,25 @@ }, { "test": { - "name": "Does the Trust Mark contain correcty type of id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response SA OP", + "message type": "Entity Configuration response SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -3275,32 +3658,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -3312,32 +3688,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -3349,32 +3718,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the entity configuration of the SA contain the trust marks",
+ "description": "The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA OP",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -3386,8 +3748,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3398,20 +3760,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
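Review bot: The added description says the request goes to "the SA's fetch endpoint", while the otherwise identical exp/iat/iss/jwks/sub tests that follow (`@@ -3423,8`, `@@ -3460,8`, `@@ -3497,8`, `@@ -3534,8`, `@@ -3608,8` and their repeats from `@@ -3719,8` on) say "the TA's fetch endpoint" even though every name states the statements are issued by the SA; one of the two wordings is a copy/paste slip and they should agree. Every one of these descriptions also reads "the presence if the X parameter", which should be "the presence of the X parameter". The second run of SA entity-statement tests starting at `@@ -3682,8` repeats the first run's names and descriptions verbatim; they presumably differ only in the `"message type"` line, which sits outside these hunks, so a test report would list duplicate names. A suffix naming the subject, e.g. `"name": "Does Entity Statements issued by the SA contain the constraints parameter (SA OP)"`, would keep the two runs distinguishable.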
@@ -3423,8 +3778,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3435,20 +3790,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -3460,8 +3808,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3472,20 +3820,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -3497,8 +3838,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3509,20 +3850,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -3534,8 +3868,8 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3546,20 +3880,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -3571,8 +3898,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3583,20 +3910,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
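Review bot: The description ends with "It must be a JSON Object", but the only check is that `$.metadata_policy` is present, so a string, array or null value in that claim passes the test; the second metadata_policy test at `@@ -3867,8` has the same mismatch. Either drop that sentence from the description or add the type assertion the removed checks used, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata_policy\": {\"type\": \"object\"}}, \"required\": [\"metadata_policy\"]}"`, as a second entry in `"checks"`.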
@@ -3608,8 +3928,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3620,20 +3940,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -3645,8 +3958,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3657,20 +3970,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -3682,8 +3988,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim is checked to be a list",
+ "name": "Does Entity Statements issued by the SA contain the constraints parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3694,20 +4000,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -3719,8 +4018,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the exp parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3731,20 +4030,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -3756,8 +4048,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the iat parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3768,20 +4060,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -3793,8 +4078,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number or vat_number claim in the id_code is checked",
+ "name": "Does Entity Statements issued by the SA contain the iss parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3805,20 +4090,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -3830,8 +4108,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does Entity Statements issued by the SA contain the jwks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3842,20 +4120,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -3867,8 +4138,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correcty type of id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim must be a JSON Object",
+ "name": "Does Entity Statements issued by the SA contain the metadata_policy parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3879,20 +4150,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -3904,8 +4168,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the id_code claim contains at least the value 'ipa_code'",
+ "name": "Does Entity Statements issued by the SA contain the sub parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3916,20 +4180,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -3941,8 +4198,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by an SA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does Entity Statements issued by the SA contain the trust_marks parameter",
+ "description": "In order to check if the SA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the SA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3953,20 +4210,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -3978,34 +4228,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the iss claim in it is checked. Its value has to be an URL",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"iss\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
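Review bot: The regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` is unanchored and its first two groups use `\w`, so any `a.b.c` substring in the body satisfies it (a hostname inside an error JSON would), while `-`, which belongs to the base64url alphabet a JWS header and payload are encoded in, is rejected by those groups. An anchored base64url pattern such as `"check regex": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$"` tests what the name claims. The description also names `Content-Type: application/entity-statement+jwt` as the expected format, but no check looks at the response header; if the DSL can assert on headers, that would be a useful second check.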
@@ -4015,34 +4251,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain correct type of logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim is an URL",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
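Review bot: In `"check regex"` the opening `[` is not escaped, so `[\\s*\"[^\"]` is read as a character class and the pattern matches e.g. `"a","b"]` at the end of the body rather than a JSON list of strings. The pattern also does not match this test's description, which expects the resolved metadata of the entity, while the entity-listing test in the next hunk, whose description expects a JSON list, carries an object pattern — the two regexes look swapped. If a list is what this check is meant to verify, the escaped form is `"check regex": "^\\[\\s*\"[^\"]*\"(?:\\s*,\\s*\"[^\"]*\")*\\s*\\]$"`.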
@@ -4052,34 +4274,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$",
+ "is present": "true"
 }
 ]
 }
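Review bot: The regex begins with `[^\\r\\n]*.^\\{`, i.e. a `^` anchor placed after at least one consumed character; unless the engine runs with MULTILINE and DOTALL (so that `.` can consume a line break for `^` to match after), this prefix can never match and the check fails regardless of what the listing endpoint returns. The same prefix is on the regexes of the next three hunks (`@@ -4089,34`, `@@ -4126,8`, `@@ -4163,34`). Dropping it, `"check regex": "^\\{(\\s*\"[^\"]*\"\\s*:\\s*(?:\"[^\"]*\",?|\\[[^\\r\\n]*\\],?|\\{[^\\r\\n]*\\},?)\\s*)*\\}$"`, keeps the intended anchored match. The description here expects a JSON list of Entity Identifiers and still talks about the "resolve entity statement endpoint", whereas this pattern matches a JSON object, so the description and the pattern should be reconciled as well.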
@@ -4089,34 +4297,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the policy_uri claim in it is checked. Its value has to be an URL",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Statement response SA OP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
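Review bot: This test and the one in the next hunk (`@@ -4126,8`) share the name `"Does the SA correctly release the Entity statements"` and an identical description; they differ only in `"message type"` (SA OP here, SA RP there), which a result listing does not show, so a failure cannot be attributed to the right subordinate. Suggest `"name": "Does the SA correctly release the Entity statements (OP)"` here and the `(RP)` counterpart in the next hunk. The loose JWS character classes of this regex are the same as those noted on the entity-configuration JOSE test at `@@ -3978,34`.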
@@ -4126,8 +4320,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the SA correctly release the Entity statements",
+ "description": "After a correct onboarding with the SA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the SA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -4135,25 +4329,11 @@
 "operations": [
 {
 "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -4163,34 +4343,20 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response SA RP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"sa_profile\": { \"type \": \u00a0\"string \", \"enum \": [ \"full \", \u00a0\"light \"]}}, \"required \": [ \"sa_profile \"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[^\\r\\n]*.^([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
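Review bot: The new description says the fetch endpoint response must contain "the resolved metadata for the entity in the request's sub claim", which describes the resolve endpoint; what the check below actually looks for, and what the test name and the neighbouring `@@ -4089` test say, is the subordinate's Entity Statement as a JWT. Suggested wording: `"description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the Entity Statement issued for the entity named in 'sub' is expected."`. The check only verifies that the body looks like a compact JWS; it does not decode it or confirm that its `sub` matches the requested identifier, so a response for the wrong subordinate would still pass.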
@@ -4200,32 +4366,53 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) is taken and the service_documentation claim is checked to be an URL",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Statement response SA OP",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "client_assertion",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "use variable": "true",
+ "in": "payload",
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
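Review bot: The first intercept saves `conf_iss` by decoding `client_assertion` from the `url` of an "Entity Statement response SA OP", but a response carries no query string and `client_assertion` is a token-request parameter, so this decode operation looks like a leftover from a token-endpoint test and `conf_iss` will presumably never be populated (how mig-t then evaluates `contains` against an unset variable is not visible here). The Entity Statement is the response body, exactly as the second intercept already reads it, so the first decode should be `"from": "body", "decode param": "[^\\r\\n]*"`. Separately, `contains` is a substring test: an `iss` that merely embeds the SA identifier (a longer URL sharing its prefix) would pass, whereas the Federation rule is equality with the SA's entity identifier; if mig-t supports an equality comparison together with `use variable`, that is the check to use. The `@@ -4237` hunk below has the same structure and the same two issues.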
@@ -4237,32 +4424,53 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the sub claim in it is checked. Its value has to be an URL",
- "type": "passive",
+ "name": "Does the Entity Statement's JWT payload contain a correct 'iss' claim",
+ "description": "This test can be performed by taking the JWT present in the Entity Statement Response, base64url decoding the payload and checking the iss claim. Its value must be an URL identifying the SA",
+ "type": "active",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
+ "session": "s1",
+ "action": "start"
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
 "message type": "Entity Statement response SA RP",
+ "decode operations": [
+ {
+ "from": "url",
+ "decode param": "client_assertion",
+ "type": "jwt",
+ "edits": [
+ {
+ "jwt from": "payload",
+ "jwt save": "$.iss",
+ "as": "conf_iss"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "action": "intercept",
+ "from session": "s1",
+ "then": "forward",
+ "message type": "Entity Configuration response SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "use variable": "true",
+ "in": "payload",
+ "check": "$.iss",
+ "contains": "conf_iss"
 }
 ]
 }
@@ -4274,34 +4482,21 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the tos_uri claim is checked to be an URL",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response SA RP",
- "decode operations": [
+ "message type": "Entity Configuration response SA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\", \"pattern\": \"^https://\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iat.json
index bc80421..e57a899 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iat.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/SA/SA-Entity Statement response RP-trust_mark-iat.json
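Review bot: The Content-Type check uses an exact `is` comparison against `application/entity-statement+jwt`, so a server that appends a media-type parameter (`application/entity-statement+jwt; charset=utf-8`) would be reported as non-compliant even though the media type itself is correct; if that strictness is not intended, a `check regex` such as `"^application/entity-statement\\+jwt(\\s*;.*)?$"` would tolerate parameters while still rejecting any other type. Within the same check object `"url decode": false` is a JSON boolean while `"is present": "true"` elsewhere in this file is a string, so it is worth confirming which form mig-t expects for each key. The new `ALL-Entity Configuration response-correct-content-type.json` below carries the identical check.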
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -25,12 +25,12 @@
 {
 "from": "jwt payload",
 "type": "jwt",
- "decode param": "$.trust_marks.trust_mark",
+ "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
 "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ "check": "iat",
+ "is present": "true"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-correct-content-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-correct-content-type.json
new file mode 100644
index 0000000..73b92ea
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-correct-content-type.json
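Review bot: The replacement presence check is written as `"check": "iat"` while every other payload presence check in this patch (`$.iat`, `$.exp`, `$.iss`, `$.jwks` in the new TA files) uses a JSONPath rooted at `$`; if mig-t resolves `check` as a JSONPath the bare `iat` may not resolve and the test would fail for the wrong reason, so it should read `"check": "$.iat"`. Switching from the JSON-schema check to a bare presence check also drops the integer/non-negative constraint the old test enforced, which is fine given the renamed test only claims presence, but then no test on this page still verifies the trust mark's `iat` type. The `[0]` index means only the first trust mark is inspected; the enclosing decode operations start outside this hunk.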
@@ -0,0 +1,33 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "checks": [
+ {
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-correct-http-code.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-correct-http-code.json
new file mode 100644
index 0000000..c92e4c8
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-correct-http-code.json
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity return a correct HTTP code in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must be an HTTP 200 OK response",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exp-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exp-type.json
new file mode 100644
index 0000000..2085c5d
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exp-type.json
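Review bot: This file and the new `ALL-Entity Configuration response-exposed.json` further down contain byte-identical operations (`"in": "head"`, `"check regex": "HTTP/?\\d?\\.?\\d?\\s200"`) under two different test names, so the "exposed" test cannot fail in any situation where this one passes and adds no coverage. Given its description ("its entity configuration is expected as response"), the "exposed" test would be more useful checking the body for the JWT shape, as `ALL-Entity Configuration response-issue.json` does, or it should be dropped in favour of this one. The status-line regex is unanchored and stays within `head`, which is adequate; note it also accepts `HTTP 200` without a version, which is presumably intentional.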
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exp.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exp.json
new file mode 100644
index 0000000..8f8f3dc
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exp.json
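Review bot: The description says only "the presence of the exp parameter is checked", word for word the same as the separate `ALL-Entity Configuration response-exp.json` presence test, while the schema here actually enforces that `exp` is a non-negative integer; the description should state what the check does, e.g. `"description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the exp parameter is checked to be present and a non-negative integer"`. Note that `"minimum": 0` does not establish that the configuration is still valid (`exp` in the future, and greater than `iat`); if mig-t offers no time-based comparison, that gap is worth recording in the description. The new `ALL-Entity Configuration response-iat-type.json` has the same description/check mismatch.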
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exposed.json
new file mode 100644
index 0000000..ce36116
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-exposed.json
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the Entity expose the /.well-known/openid-federation endpoint",
+ "description": "In order to check the presence and correctness of the /.well-known/openid-federation endpoint, an HTTP GET request to the entity's endpoint is done and its entity configuration is expected as response.",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "checks": [
+ {
+ "in": "head",
+ "check regex": "HTTP/?\\d?\\.?\\d?\\s200",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iat-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iat-type.json
new file mode 100644
index 0000000..e3e29e6
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iat-type.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iat.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iat.json
new file mode 100644
index 0000000..77dc383
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iat.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iss.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iss.json
new file mode 100644
index 0000000..ea19b95
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-iss.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-issue.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-issue.json
new file mode 100644
index 0000000..94d8fe8
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-issue.json
@@ -0,0 +1,32 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "checks": [
+ {
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-jwks.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-jwks.json
new file mode 100644
index 0000000..0a4a28b
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-jwks.json
@@ -0,0 +1,39 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-federation_entity-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-federation_entity-once.json
new file mode 100644
index 0000000..a9eb8ec
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-federation_entity-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json
new file mode 100644
index 0000000..d869a42
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-oauth_authorization_server-once.json
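Review bot: This file nests a second `"test suite"`/`"tests"` wrapper inside the outer `"tests"` array, so the `"test"` object sits two levels deeper than in every other file of this patch (compare `ALL-Entity Configuration response-metadata-type.json`, where `tests[0].test` is the test); unless mig-t walks nested suites, which nothing on this page shows, the test will not be found, so the inner wrapper should be removed to give the file the same flat shape. The `not matches regex` `federation_entity.*(\\n.*)+\"federation_entity\"` only detects a repeated key if the two occurrences are on different lines of a pretty-printed payload and if `$.metadata` is matched as raw text; if the decoded payload is compact JSON, or is re-serialized after parsing (most JSON parsers keep only the last duplicate key), the duplicate can never be observed and the test always passes. The unquoted first `federation_entity` can also match inside a value string such as a URL, so a single key preceded by such a value on an earlier line would be reported as a duplicate. The same structure and pattern are repeated in the four sibling `-once.json` files that follow.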
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-oauth_resource-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-oauth_resource-once.json
new file mode 100644
index 0000000..6a8b13d
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-oauth_resource-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-openid_provider-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-openid_provider-once.json
new file mode 100644
index 0000000..dc3d931
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-openid_provider-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json
new file mode 100644
index 0000000..84a4279
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-openid_relying_party-once.json
@@ -0,0 +1,48 @@
+{
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test suite": {
+ "name": "Single test",
+ "description": "One test only",
+ "filter messages": true
+ },
+ "tests": [
+ {
+ "test": {
+ "name": "Does the metadata parameter contain only allowed types and only once for each",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
+ "type": "passive",
+ "sessions": [
+ "s1"
+ ],
+ "operations": [
+ {
+ "message type": "Entity Configuration response TA",
+ "decode operations": [
+ {
+ "from": "body",
+ "decode param": "[^\\n\\r]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.metadata",
+ "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\""
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "result": "correct flow s1"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-type.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-type.json
new file mode 100644
index 0000000..4144471
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-type.json
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain a JSON Object", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-value.json similarity index 59% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-value.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-value.json index 9fcb0ea..9c9a90b 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-metadata-value.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata-value.json 
@@ -7,8 +7,8 @@
 "tests": [
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata.json
new file mode 100644
index 0000000..2d086f8
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-metadata.json
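Review bot: The new schema enforces more than the updated description states: besides restricting keys to the five listed types (`"additionalProperties": false`), the `anyOf` of single-key `required` clauses demands that at least one of them be present, so an entity configuration whose `metadata` is an empty object now fails. Either the description should say "at least one of the following" or the `anyOf` should be dropped if an empty metadata object is acceptable. Note also that `trust_mark_issuer`, accepted by the old schema, is now rejected outright; if any entity in scope still publishes that type this test will fail against it.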
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-signature.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-signature.json similarity index 100% rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-signature.json rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-signature.json 
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-sub-value.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-sub-value.json
similarity index 90%
rename from testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-sub-value.json
rename to testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-sub-value.json
index 9b2f348..4bc4e3b 100644
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/TA-Entity Configuration response-sub-value.json
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-sub-value.json
@@ -7,7 +7,7 @@
 "tests": [
 {
 "test": {
- "name": "Does entity configuration TA contain a correct sub parameter",
+ "name": "Does entity configuration OP contain a correct sub parameter",
 "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
 "type": "passive",
 "sessions": [
@@ -25,7 +25,7 @@
 {
 "in": "payload",
 "check": "$.sub",
- "is": "X_url_TA"
+ "is": "X_key_TA"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-sub.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-sub.json
new file mode 100644
index 0000000..bc6b34a
--- /dev/null
+++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Entity Configuration response-sub.json
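Review bot: The new name `"Does entity configuration OP contain a correct sub parameter"` says OP, but the file lives under TA/ and the compared value is `X_key_TA`; this reads as a copy-paste slip and should stay `"Does entity configuration TA contain a correct sub parameter"`. The description states that `sub` must equal the `iss` parameter, yet the check compares `$.sub` against a fixed placeholder (`"is": "X_key_TA"`, previously `X_url_TA`) rather than against `$.iss`, so the description and the check assert different things; if `X_key_TA` is meant to resolve to the same entity identifier as `iss`, the reason for switching from the `url` placeholder to the `key` placeholder should be recorded, since a wrong placeholder makes this check silently compare against the wrong value.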
@@ -0,0 +1,39 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.sub", + "is present": "true" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Resolve Entity Statement endpoint response-exposed.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Resolve Entity Statement endpoint response-exposed.json new file mode 100644 index 0000000..2fb4169 --- /dev/null +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/ALL-Resolve Entity Statement endpoint response-exposed.json 
@@ -0,0 +1,32 @@ +{ + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the Entity expose the resolve entity statement endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Resolve Entity Statement response", + "checks": [ + { + "in": "body", + "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" + } + ] + } + ], + "result": "correct flow s1" + } + } + ] +} \ No newline at end of file diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json index 37a1d16..870877e 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA.json 
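Review bot: The value of `"check regex"`, `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$`, begins with an unescaped `[`, which opens a character class instead of matching the literal `[` that starts a JSON array, so the pattern does not match what the author evidently intended; it should start with `\\[`, i.e. `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Even once fixed, the regex only establishes that the body ends in an array of strings, so an error body of that shape would satisfy it; the description promises an HTTP 200 OK carrying the resolved metadata, but the operation contains no status-code check and nothing that inspects the resolved metadata itself. Consider adding a check on the response status and a decode of the response that verifies the resolved metadata is present.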
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
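Review bot: The five entries inserted at the top of the `tests` array have the shape `{ "test suite": { ... }, "tests": [ { "test": { ... } } ] }`, while the existing entries of the same array (see the one that follows them, "Does the entity return a correct HTTP code in the EC response") are plain `{ "test": { ... } }` objects; the array now mixes two element shapes, and if the runner expects homogeneous `test` items the nested suites may be skipped or rejected, which is worth confirming. All five also carry the identical name `"Does the metadata parameter contain only allowed types and only once for each"` although each checks a single type, so their results cannot be told apart; suggest naming the checked type, e.g. `"name": "Does the metadata parameter contain openid_provider only once"`, and trimming the description to the single type each one verifies. As in the single-test files, the regex `(\\n.*)+` requires a newline between the two occurrences, so a compact payload that repeats a key on one line is not caught.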
@@ -53,8 +248,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" @@ -65,16 +260,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", - "is subset of": [ - "https://www.spid.gov.it/SpidL1", - "https://www.spid.gov.it/SpidL2", - "https://www.spid.gov.it/SpidL3" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
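Review bot: The schema in `"json schema compliant"` constrains `id_code` with `"additionalProperties": {"type": "object"}`, i.e. every value inside `id_code` must itself be an object, but later tests in this same file expect `ipa_code` inside `id_code` to be a string and look for `fiscal_number`/`vat_number` there; a trust mark that satisfies those tests fails this one. Since the description only requires `id_code` to be a JSON object, the constraint should be dropped: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"`. The outer decode step here uses the key `"decode regex"` whereas every other decode in this diff uses `"decode param"` for the same purpose; if the runner only recognises `decode param`, this and the following Trust Mark hunks (claims, email, exp, fiscal_number, iat, ipa_code, logo_uri, organization_name, policy_uri, ref) decode nothing, so the key name is worth confirming against the runner's DSL. Those tests all inspect only `$.trust_marks[0].trust_mark`, leaving any further trust marks unchecked, and the description's "decrypted" should read "decoded", since the operation decodes a JWT and nothing here decrypts one. The enclosing test and its message type lie outside this hunk.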
@@ -87,8 +285,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" @@ -99,14 +297,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
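Review bot: The description says the `claims` claim "has to be a list of JSON Objects", but the schema types it as an object whose values are objects (`\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`), so one of the two is wrong. If a list is intended the schema should read `\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`; otherwise the description should say object. The name also restricts the test to an "oauth_resource Trust Mark", yet nothing in the operation selects an AA trust mark — it takes `$.trust_marks[0].trust_mark` whatever its profile.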
@@ -119,8 +322,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -131,15 +334,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + } ] } ] 
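Review bot: The schema's last keyword is written as `\"required \"` with a trailing space, which JSON Schema validators treat as an unknown keyword and ignore, so a trust mark with no `email` claim passes this test; it must be `\"required\":[\"email\"]`. Separately, `"format": "email"` is an annotation in JSON Schema unless the validator is configured to assert formats, so a non-email string may pass as well — worth confirming which validator the runner uses and whether format assertion is enabled.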
@@ -152,8 +359,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -164,15 +371,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
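Review bot: This check establishes only that `exp` is a non-negative integer, not that the trust mark is still valid, so an expired trust mark passes; if no other test compares `exp` with the current time, the suite has no freshness check for trust marks at all. The name `"Does the Trust Mark contain the exp type"` is also ambiguous; `"Does the Trust Mark contain an integer exp claim"` says what is actually verified.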
@@ -185,8 +396,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -197,15 +408,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
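Review bot: This test requires `fiscal_number` or `vat_number` inside `id_code` of `$.trust_marks[0].trust_mark`, while the two ipa_code tests further down require `ipa_code` in the same claim of the same trust mark; a private organization fails the ipa_code tests and a public one fails this test, so one group always fails unless the suite is filtered by organization type before it runs. Either gate both groups on the trust mark's `organization_name` (the enum test in this file already treats it as `private`/`public`, so a single schema using `if`/`then` on that claim would do) or move them into separate suites. The enclosing test and its message type are outside this hunk.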
@@ -218,8 +433,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -230,15 +445,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -251,8 +470,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -263,15 +482,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", - "is subset of": [ - "form_post", - "query" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -284,8 +507,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -296,14 +519,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -316,8 +544,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" @@ -328,14 +556,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
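Review bot: `"format": "uri-reference"` accepts relative references such as `logo.png`, while the description requires the value to be a URL; `"format": "uri"`, as used for the `ref` claim at the end of this diff, matches the stated intent, and the same applies to the `policy_uri` test a few hunks further down. Also, `format` is an annotation by default in JSON Schema, so unless the runner's validator asserts formats, any string satisfies both tests.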
@@ -348,8 +581,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -360,17 +593,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", - "is subset of": [ - "openid", - "offline_access", - "profile", - "email" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
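Review bot: Every keyword and value in this schema carries a trailing space, and several carry a non-breaking space (`\"type \": \u00a0\"object \"`, `\"required \"`, `\"private \"`, `\"public \"`); validators ignore unknown keywords such as `type ` and `required `, so the schema constrains nothing and the test always passes, and even with the keywords repaired the enum values would never equal a real `private` or `public` value. It should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\", \"enum\": [\"private\", \"public\"]}}, \"required\": [\"organization_name\"]}"`.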
@@ -383,8 +618,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -395,14 +630,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is subset of": [
- "pairwise"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
 ]
 }
 ]
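Review bot: The policy_uri schema uses `\"format\": \"uri-reference\"`, which also accepts relative references and the empty string, while the description says the value has to be a URL; the ref test in this section uses `\"format\": \"uri\"`, which matches that intent, so the line should read `\"policy_uri\": {\"type\": \"string\", \"format\": \"uri\"}`. Also, `format` is only an annotation in JSON Schema unless the validator runs in assertion mode, so if the framework's validator does not enforce it the check reduces to "is a string"; that is worth confirming once against a deliberately malformed value. The logo_uri, service_documentation, sub and tos_uri tests (both copies of each) use the same `uri-reference` format and would get the same change.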
@@ -415,8 +655,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -427,14 +667,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is subset of": [
- "private_key_jwt"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
 ]
 }
 ]
@@ -447,8 +692,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -459,15 +704,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
 ]
 }
 ]
@@ -480,8 +729,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -492,15 +741,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
 ]
 }
 ]
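Review bot: The sub schema only checks that the claim is a string in URI form; it is never compared with the `sub` of the enclosing entity statement, so a trust mark issued to some other entity and copied into `trust_marks` satisfies this test. If the check vocabulary cannot reference the outer payload, the description should state that limitation, e.g. `"description": "In this test, an issued Trust Mark must be taken, decoded and the value of the sub claim has to be a URL; that it names the entity the statement is about is not verified here"`. The second sub test further down in this section has the same shape.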
@@ -513,8 +766,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -525,15 +778,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
 ]
 }
 ]
@@ -546,27 +803,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
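Review bot: The id_code schema's `\"additionalProperties\": {\"type\": \"object\"}` requires every member of `id_code` to itself be an object, which contradicts the ipa_code and fiscal_number/vat_number tests later in this section, where `id_code.ipa_code` is expected to be a string; a payload like `{"id_code": {"ipa_code": "..."}}` passes those tests and fails this one. The description only asks that id_code be a JSON object, so the schema should be `{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}`. The claims test in the next hunk carries the same `additionalProperties` constraint.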
@@ -579,8 +840,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
 "type": "passive",
 "sessions": [
 "s1"
@@ -591,14 +852,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
+ }
 ]
 }
 ]
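Review bot: The description says the claims claim "has to be a list of JSON Objects", but the schema asserts `\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}`, i.e. a map whose values are objects, so a JSON array would fail this test. One of the two is wrong: if claims is an array the schema should be `\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`; otherwise the description should say "a JSON object whose values are JSON objects".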
@@ -611,8 +877,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
+ "name": "Does the Trust Mark contain the correct type of the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -623,15 +889,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_token"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
+ }
 ]
 }
 ]
@@ -644,8 +914,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the Trust Mark contain the exp type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -656,15 +926,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
+ }
 ]
 }
 ]
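Review bot: The exp schema `{\"type\": \"integer\", \"minimum\": 0}` only establishes the claim's type; a trust mark that has already expired, or whose `exp` precedes its `iat`, satisfies it. If the check vocabulary offers no comparison against the current time, the description should say so explicitly, e.g. `"description": "In this test, an issued Trust Mark must be taken, decoded and the exp claim must be a non-negative integer; whether the Trust Mark is still valid is not verified by this test."`. The iat test a few hunks below has the same shape. The name `Does the Trust Mark contain the exp type` reads oddly next to the others; `Does the Trust Mark contain a correctly typed exp claim` matches the naming pattern of the surrounding tests.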
@@ -677,8 +951,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
+ "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -689,28 +963,33 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
- ]
- }
- ]
- }
- ]
- }
- ],
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
 "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the Trust Mark contain the correct iat type",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
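Review bot: `\"fiscal_number\": {}` and `\"vat_number\": {}` are empty schemas, so the `anyOf` only checks that one of the two keys exists; a `null` or numeric value passes. The ipa_code test in this section constrains its value to a string, and the same should apply here: `\"properties\": {\"fiscal_number\": {\"type\": \"string\"}, \"vat_number\": {\"type\": \"string\"}}`. The schema also does not condition on `organization_name` being `private`, so unless the runner selects tests by profile this check is applied to, and fails on, a public organization's mark; if that selection happens elsewhere, the description should mention it.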
@@ -721,14 +1000,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256\" , \"RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
+ }
 ]
 }
 ]
@@ -741,8 +1025,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
 "type": "passive",
 "sessions": [
 "s1"
@@ -753,14 +1037,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
+ }
 ]
 }
 ]
@@ -773,8 +1062,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -785,14 +1074,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is subset of": [
- "private_key"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
@@ -805,8 +1099,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the Trust Mark contain a correct logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
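Review bot: This ipa_code presence schema (`\"ipa_code\": {}` under `\"required\": [\"ipa_code\"]`) is a strict subset of the preceding ipa_code test, whose schema already lists `ipa_code` in `required` and additionally checks its type, so every payload that fails here also fails there and the test adds no coverage. Keeping it is harmless, but if the two are meant to report distinct findings (claim missing vs. claim wrongly typed), the type test should drop its inner `\"required\":[\"ipa_code\"]` so the failures do not overlap.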
@@ -817,15 +1111,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
+ }
 ]
 }
 ]
@@ -838,8 +1136,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the Trust Mark contain the correct type of organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -850,14 +1148,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256\" , \"A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
+ }
 ]
 }
 ]
@@ -870,8 +1173,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
@@ -882,15 +1185,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
+ }
 ]
 }
 ]
@@ -903,26 +1210,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
+ "name": "Does the Trust Mark contain an URL in the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is subset of": [
- "automatic"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
+ }
 ]
 }
 ]
@@ -935,27 +1247,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types.subset_of",
- "is subset of": [
- "authorization_code",
- "refresh_toke"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
+ }
 ]
 }
 ]
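Review bot: The name and description say this Trust Mark is issued for an AA (oauth_resource profile), but the hunk sets `"message type": "Entity Statement response TA RP"`, so the check runs against the RP's entity statement and its first trust mark, which has no reason to carry `service_documentation`; either the message type should name the AA's entity statement or the name/description should say RP. The tos_uri test two hunks below has the same mismatch (AA wording, `Entity Statement response TA RP`). For the policy_uri test just before this one the message type line is outside the hunk, so I can't confirm whether it is affected.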
@@ -968,27 +1284,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the Trust Mark contain a correct sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
+ }
 ]
 }
 ]
@@ -1001,27 +1321,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
- "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ }
 ]
 }
 ]
@@ -1034,59 +1358,76 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "is subset of": [
- "RS256",
- "RS512"
- ]
- }
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
+ ]
+ }
 ]
 }
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. 
It must contain the key 'value' with value 'code'",
+ "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
+ "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is subset of": [
- "code"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is in": [
+ "light",
+ "full"
+ ]
+ }
 ]
 }
 ]
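Review bot: The two tests added in this hunk carry the identical `name` and `description` ("Does the issued intermediary Trust Mark contain a correct sa_profile claim") while one listens on `Entity Statement response TA OP` and the other on `TA RP`, so a failure report cannot tell them apart, and neither message type matches the "issued for an SA" wording. Naming the statement in each, e.g. `"name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim (TA OP statement)"`, or pointing both at the SA's entity statement, would make the report unambiguous. The `"result"` field is also switched here to the array form `["s1"]`, while later hunks in this file switch the same field back to the string `"correct flow s1"`; if the runner accepts only one of the two forms, one group of tests will be evaluated wrongly.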
@@ -1094,20 +1435,22 @@
 ]
 }
 ],
- "result": "correct flow s1"
+ "result": [
+ "s1"
+ ]
 }
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1116,9 +1459,11 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
+ "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of",
 "is subset of": [
- "private_key"
+ "https://www.spid.gov.it/SpidL1",
+ "https://www.spid.gov.it/SpidL2",
+ "https://www.spid.gov.it/SpidL3"
 ]
 }
 ]
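Review bot: The new check path `$.metadata_policy.intermediary.acr_values_supported.subset_of` (second hunk) looks the policy up under `intermediary`, while the test name, the description ("inside the openid_provider type") and the `TA OP` message type all refer to the OpenID Provider; the OP policy lives under `metadata_policy.openid_provider`, as the token_endpoint_auth_methods_supported test later in this file already uses. Unless the tool resolves the key specially, the check evaluates a node that is absent from the OP statement, and whether that reads as pass or fail depends on the runner. The same `intermediary` path is used by the OP tests in every following hunk through the userinfo_signing_alg_values_supported one, the token_endpoint_auth_methods_supported hunk being the only exception.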
@@ -1131,15 +1476,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1148,10 +1493,9 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
 "is subset of": [
- "RSA-OAEP",
- "RSA-OAEP-256"
+ "S256"
 ]
 }
 ]
@@ -1164,15 +1508,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1181,10 +1525,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
+ "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of",
 "is subset of": [
- "A128CBC-HS256",
- "A256CBC-HS512"
+ "refresh_token",
+ "authorization_code"
 ]
 }
 ]
@@ -1197,15 +1541,15 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
@@ -1214,10 +1558,10 @@
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of",
 "is subset of": [
- "RS256",
- "RS512"
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
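Review bot: The description requires the policy key `'subset_of'`, but the check (second hunk) reads `...id_token_encryption_enc_values_supported.one_of`, so the test and its documentation disagree about which policy operator is expected; one of the two should change, e.g. `"check": "$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported.subset_of"`. Since `subset_of` and `one_of` are distinct operators in a metadata policy, a policy that correctly uses the documented one would not satisfy the check as written. The same description/check operator mismatch appears in the following id_token_signing_alg_values_supported, response_types_supported, revocation_endpoint_auth_methods_supported, subject_types_supported, token_endpoint_auth_methods_supported, token_endpoint_auth_signing_alg_values_supported, userinfo_encryption_alg/enc_values_supported and userinfo_signing_alg_values_supported hunks, and in the RP client_registration_types and id_token_encrypted_response_alg hunks further down.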
@@ -1230,21 +1574,30 @@
 },
 {
 "test": {
- "name": "Does the entity return a correct Content-Type in the EC response",
- "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
- "checks": [
+ "message type": "Entity Statement response TA OP",
+ "decode operations": [
 {
- "in": "head",
- "url decode": false,
- "is": "application/entity-statement+jwt",
- "check param": "Content-Type"
+ "from": "body",
+ "decode param": "[^\\r\\n]*",
+ "type": "jwt",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
+ ]
+ }
+ ]
 }
 ]
 }
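Review bot: The check path `$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` uses recursive descent (`$..`) where every other test in this file starts from `$.metadata_policy`; if the tool honours JSONPath, this matches a `metadata_policy` at any depth of the payload, which is broader than the top-level claim the test is about. For consistency with the name and description, `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of"` seems to be what was intended. This hunk also drops the Content-Type test for the TA's entity configuration rather than moving it; if that was not deliberate, the check on `application/entity-statement+jwt` should be re-added elsewhere.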
@@ -1254,8 +1607,8 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1266,22 +1619,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is in": [
- "light",
- "full"
- ]
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1289,41 +1635,32 @@
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is in": [
- "light",
- "full"
- ]
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
+ "is subset of": [
+ "form_post",
+ "query"
 ]
 }
 ]
@@ -1331,15 +1668,13 @@
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1350,19 +1685,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
+ "is subset of": [
+ "code"
 ]
 }
 ]
@@ -1375,8 +1705,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1387,19 +1717,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
+ "is subset of": [
+ "private_key_jwt"
 ]
 }
 ]
@@ -1412,8 +1737,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1424,19 +1749,17 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
+ "is subset of": [
+ "openid",
+ "offline_access",
+ "profile",
+ "email"
 ]
 }
 ]
@@ -1449,8 +1772,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1461,19 +1784,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
+ "is subset of": [
+ "pairwise"
 ]
 }
 ]
@@ -1486,8 +1804,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1498,19 +1816,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
+ "is subset of": [
+ "private_key_jwt"
 ]
 }
 ]
@@ -1523,8 +1836,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1535,19 +1848,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1560,8 +1869,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1572,19 +1881,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -1597,8 +1902,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1609,19 +1914,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -1634,8 +1935,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1646,19 +1947,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1671,31 +1968,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
 ]
 }
 ]
@@ -1708,31 +2000,27 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_token"
 ]
 }
 ]
@@ -1745,31 +2033,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -1782,31 +2066,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
 ]
 }
 ]
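Review bot: The expected list under `"is subset of"` is a single string, `"A128CBC-HS256\" , \"A256CBC-HS512"` (the escaped quotes are part of the value), so the policy values are compared against one malformed entry rather than the two algorithm names, and a compliant policy listing `A128CBC-HS256` and `A256CBC-HS512` cannot satisfy it. It should be two array elements, `"A128CBC-HS256", "A256CBC-HS512"`, as the id_token_encrypted_response_alg hunk above writes its list. The same malformed single entry, `"RS256\" , \"RS512"`, is in the id_token_signed_response_alg hunk that follows.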
@@ -1819,31 +2098,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256\" , \"RS512" ] } ] 
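Review bot: Same escaping defect as the enc test: the array is `["RS256\" , \"RS512"]`, a single element containing literal quotes, so no compliant policy can satisfy the subset check. It should be `"RS256", "RS512"` as two elements. The description says `subset_of` but the JSONPath selects `one_of`; pick one and make the text match the check.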
@@ -1856,31 +2130,26 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" ] } ] 
@@ -1893,31 +2162,26 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" ] } ] 
@@ -1930,8 +2194,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" @@ -1942,19 +2206,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "claims", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -1967,8 +2227,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" @@ -1979,19 +2239,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "email", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256\" , \"A256CBC-HS512" ] } ] 
@@ -2004,8 +2259,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" @@ -2016,19 +2271,15 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "exp", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -2041,31 +2292,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the iat claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iat", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", + "is subset of": [ + "automatic" ] } ] 
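Review bot: The description says the SA policy must contain the key `one_of` valued with `['automatic']`, but the check selects `client_registration_types.subset_of`; one of them is wrong and the test will not detect a TA that publishes the other operator. Decide which operator the profile requires and update either the description or the line `"check": "$.metadata_policy.intermediary.client_registration_types.subset_of"`. The metadata type name `intermediary` is used for all SA tests in this block; whether that matches the key the TA actually emits cannot be confirmed from here.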
@@ -2078,31 +2324,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the id claim", - "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types.subset_of", + "is subset of": [ + "authorization_code", + "refresh_toke" ] } ] 
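Review bot: `"refresh_toke"` is a typo for `"refresh_token"`, so a policy that correctly lists `authorization_code` and `refresh_token` is not a subset of the expected set and the test always fails. Fix the element to `"refresh_token"`. The description's "values with" should read "valued with" to match the sibling tests.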
@@ -2115,31 +2357,27 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
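Review bot: The description requires the key `subset_of` (with a stray colon after it) but the check path selects `id_token_encrypted_response_alg.one_of`; a TA publishing the described operator would fail this test. Either change the path to `...id_token_encrypted_response_alg.subset_of` or correct the description, and drop the colon in `'subset_of': valued with`.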
@@ -2152,31 +2390,27 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
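Review bot: Description and check disagree on the operator: the text says `subset_of`, the JSONPath reads `id_token_encrypted_response_enc.one_of`. Make them consistent — if `subset_of` is what the profile mandates, the line should be `"check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.subset_of"`.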
@@ -2189,31 +2423,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
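Review bot: The check selects `id_token_signed_response_alg.one_of` while the description says the policy must carry `subset_of`; only one can be what the TA is expected to publish. Align the path (`...id_token_signed_response_alg.subset_of`) or the description, so the test documents what it enforces.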
@@ -2226,31 +2456,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" ] } ] 
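Review bot: This SA test inspects `$.metadata_policy.openid_relying_party.response_types.value` while every other SA test in this block addresses `$.metadata_policy.intermediary.…`; with the `Entity Statement response TA SA` message the RP path is likely copied from the RP test and will not resolve. If the SA policy really lives under `intermediary`, change the check to `"check": "$.metadata_policy.intermediary.response_types.value"`; if not, the other SA tests are the ones to fix. The description says the key must hold `code`, which the `is subset of` check only loosely enforces.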
@@ -2263,34 +2488,29 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] + } + ] } ] } 
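Review bot: As in the RP variant, `private_key` is not a registered `token_endpoint_auth_method`; the standard value is `private_key_jwt`, so a compliant SA policy would be flagged. Change the expected element to `"private_key_jwt"` and update the description, unless the profile deliberately uses a non-standard identifier — confirm against the spec text.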
@@ -2300,31 +2520,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
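Review bot: The description names `subset_of` but the check resolves `userinfo_encrypted_response_alg.one_of`; the test cannot be passing for the reason the description gives. Set the path to `...intermediary.userinfo_encrypted_response_alg.subset_of` or correct the description, whichever operator the profile requires.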
@@ -2337,31 +2553,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
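Review bot: Operator mismatch again: description says `subset_of`, JSONPath selects `userinfo_encrypted_response_enc.one_of`. Reconcile them — e.g. `"check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.subset_of"` if the description is authoritative.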
@@ -2374,31 +2586,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
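Review bot: The check reads `userinfo_signed_response_alg.one_of` while the description requires the key `subset_of`; one of the two is wrong. Update the path to `...intermediary.userinfo_signed_response_alg.subset_of` or fix the description so the test matches its documentation.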
@@ -2411,32 +2619,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_key_TA" } ] } 
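Review bot: The check compares `$.sub` with the fixed variable `X_key_TA`, but the description says `sub` must equal the `iss` claim of the same Entity Configuration; those are different assertions, and `X_key_TA` is used two tests later as a signature-verification key, which suggests it does not hold the TA's entity identifier at all. If the engine cannot compare two claims, at least point the expected value at the TA's entity id variable rather than its key, and rename the test — it says `entity configuration OP` but the message type is `Entity Configuration response TA`. Also "Base64 encoding" in the description should read base64url decoding.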
@@ -2448,32 +2649,26 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "jwt check sig": "X_key_TA" } ] } 
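Review bot: Only `$.trust_marks[0].trust_mark` is signature-checked, so an Entity Statement carrying several Trust Marks has all but the first accepted unverified; if the engine supports it, select every element (e.g. `$.trust_marks[*].trust_mark`) or add one decode operation per expected index. The test name and description are identical to the next test's, which makes their results indistinguishable in a report — add the target entity to the name, e.g. `Does the TA correctly sign the Trust Mark issued to the OP`. The description also says "decrypted"; these JWTs are decoded and signature-verified, not decrypted.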
@@ -2485,8 +2680,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -2497,20 +2692,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "jwt check sig": "X_key_TA" } ] } 
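Review bot: This test's name and description are byte-identical to the preceding one, so two distinct checks report under the same title; qualify it with the entity the statement is issued to (the message type sits between the two hunks and is not visible here, so the exact wording cannot be confirmed). As in the sibling test, only `trust_marks[0]` is verified — consider covering every Trust Mark in the array.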
@@ -2522,31 +2711,27 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } + "in": "payload", + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" ] } ] 
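Review bot: The check applies `$.trust_marks[0].trust_mark.organization_type` to the Entity Statement payload, but `trust_mark` holds a compact-serialised JWT string, so a JSONPath step into it cannot resolve and the check can never observe the claim. Keep the nested decode the old test had — a `decode operations` entry with `"from": "jwt payload"`, `"type": "jwt"`, `"decode param": "$.trust_marks[0].trust_mark"` — and run the `is in` check on `$.organization_type` of that inner payload. "decrypted" in the description should be "decoded".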
@@ -2559,25 +2744,28 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints.max_path_length", - "is present": "true" + "check": "$.organization_type", + "is in": [ + "public", + "private" + ] } ] } 
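Review bot: The description says the `organization_type` claim of an issued Trust Mark is inspected, but the check reads `$.organization_type` from the Entity Statement payload itself, so it tests a different object than documented and, if the claim only lives inside the Trust Mark, will always report it missing. Either decode `$.trust_marks[0].trust_mark` first (as the signature tests do) or rewrite the description to say the Entity Statement is checked. The name also duplicates the previous test's; distinguish them by target (RP vs OP).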
@@ -2589,25 +2777,27 @@ }, { "test": { - "name": "Does the Entity's metadata contain the contacts parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
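Review bot: `RSA_1_5` is not the JWA identifier — RFC 7518 registers `RSA1_5` — so a policy that still allows PKCS#1 v1.5 key transport passes this `not contains` check; fix the element to `"RSA1_5"`. The path also selects `$.metadata_policy.intermediary.…` and `one_of` for what the description calls the `openid_provider` type and the `subset_of` key; for an OP statement the check should probably be `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"`. Confirm how the engine treats a missing path under `not contains`, since an absent policy entry would otherwise pass silently.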
@@ -2619,25 +2809,30 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
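Review bot: The JSONPath addresses `$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` although this is an OP test and the description names the `openid_provider` type and the `subset_of` key; as written it looks at the wrong metadata type and operator. Change it to `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of"` (or fix the description). The name "contain not valid values" reads oddly for a test that must pass when they are absent; consider `Does the TA's metadata policy for an OP exclude insecure id_token_signing_alg_values_supported values`.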
@@ -2649,25 +2844,30 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
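Review bot: The path resolves `$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of` while the description (and the `Entity Statement response TA OP` message) point to the `openid_provider` type; on an OP statement the `intermediary` branch likely does not exist, so the `not contains` check passes vacuously and the `none`/HS* exclusion is never enforced. Change it to `"check": "$.metadata_policy.openid_provider.request_authentication_signing_alg_values_supported.subset_of"`.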
@@ -2679,25 +2879,27 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_resolve_endpoint",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -2709,25 +2911,30 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2739,25 +2946,30 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the homepage_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.homepage_uri",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2769,25 +2981,27 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the logo_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.logo_uri",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
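Review bot: The description says the key 'subset_of' must not contain ['RSA_1_5'], but the check reads `$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of`; for a single-valued parameter such as this one a one_of policy is the plausible operator, so the description rather than the path looks wrong. The same wording/path disagreement repeats in the RP hunks at -2799, -2829, -2859 and in the SA hunks at -2889, -2919, -2949, -2979. Suggest replacing `The key 'subset_of' must not contain` with `The key 'one_of' must not contain` in each of these descriptions, or changing the paths if subset_of is really what the profile mandates.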
@@ -2799,25 +3013,30 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the organization_name parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.organization_name",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2829,25 +3048,27 @@
 },
 {
 "test": {
- "name": "Does the Entity's metadata contain the policy_uri parameter",
- "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
+ "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata.federation_entity.policy_uri",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -2859,25 +3080,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "is present": "true"
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2889,25 +3115,27 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -2919,25 +3147,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2949,25 +3182,27 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -2979,25 +3214,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3009,27 +3249,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
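Review bot: The description says the public key "must be taken from the Entity Statement of a superior", but the message type is `Entity Configuration response TA` and a Trust Anchor has no superior: its Entity Configuration is self-signed, so the only meaningful verification is against the TA's own published jwks, which is presumably what `X_key_TA` refers to (where that key is configured is not visible here). Suggest rewording to `n, e of the jwks parameter published in the TA's own Entity Configuration (the configured trust anchor key)` so a reader does not look for a superior statement. The description also says the verifier is "configured for the algorithm described in the Entity Configuration Header"; if `jwt check sig` really takes the algorithm from the header rather than from a fixed allow-list, that is worth stating in the description as a known limitation of the check.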
@@ -3039,8 +3273,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3051,15 +3285,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
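Review bot: The new test name `Does the TA correctly sign the Entity statements` is identical to the name introduced in the next hunk (-3069), which targets `Entity Statement response TA RP`, and the two descriptions are identical too; two tests that cannot be told apart by name make reports ambiguous. This test's `message type` line lies between the two hunks and is not visible, but if it is the OP statement the names could be `Does the TA correctly sign the Entity Statement issued to the OP` and `... issued to the RP`. Both descriptions also say the key comes from "the entity configuration" without saying whose; `the TA's Entity Configuration` would be unambiguous.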
@@ -3069,27 +3297,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -3099,25 +3321,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": 
false}"
 }
 ]
 }
@@ -3129,25 +3351,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
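Review bot: The allowed-type list in the schema (`openid_relying_party`, `openid_provider`, `federation_entity`, `oauth_authorization_server`, `oauth_resource`) omits `oauth_client`, which OpenID Federation also defines as an entity type identifier; if the list is intentionally the profile's allow-list, the description should say so, otherwise `oauth_client` should be added to both the `anyOf` branches and `properties`. The `decode param` value here is `[^\\n\\r]*` while every other hunk uses `[^\\r\\n]*` (the same variant appears at -3249); the two match the same input, but a single spelling would keep future diffs quieter. The test is also listed under `Entity Configuration response TA` while its description speaks of "the interested entity"; if only the TA's configuration is checked, the name should say so.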
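Review bot: The name says "a correct exp parameter", but the schema `{"type": "integer", "minimum": 0}` only establishes that exp is present and a non-negative integer; nothing compares it with the current time or with iat, so an already-expired Entity Configuration passes this test. The iat hunk at -3159 has the same gap. If the engine has no time-based check, the description should state the limitation, e.g. `only the presence and integer type of exp are verified; expiry against the current time is not evaluated`; otherwise a check that exp lies in the future and is greater than iat belongs here.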
@@ -3159,25 +3381,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -3189,25 +3411,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -3219,25 +3441,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
 }
 ]
 }
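Review bot: The `json schema compliant` value nests the outer `required` inside `properties`: after the `constraints` subschema closes, `"required": ["constraints"]` is still inside the `properties` object, so it is read as a property named `required` with an invalid array-valued schema, and `constraints` itself is never required — a TA configuration with no `constraints` passes this test (or the validator rejects the schema, depending on the implementation). `max_path_length` is also left as `{}`, which accepts any type. Suggested schema (to be escaped as in the file): `{"type": "object", "properties": {"constraints": {"type": "object", "properties": {"max_path_length": {"type": "integer", "minimum": 0}}, "required": ["max_path_length"]}}, "required": ["constraints"]}`.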
@@ -3249,25 +3471,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
@@ -3279,25 +3501,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
 }
 ]
 }
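Review bot: The name and description say trust_mark_issuers "must be a JSON Array", but the schema checks for an object whose values are arrays (`{"type": "object", "additionalProperties": {"type": "array"}}`), i.e. a map from trust mark identifier to a list of issuer entity IDs, which is the structure the federation specification describes. The schema looks right and the wording should follow it, e.g. `Is the TA's trust_mark_issuers parameter a JSON object mapping each trust mark identifier to a JSON array of issuers`. The array items are unconstrained; `{"type": "array", "items": {"type": "string", "format": "uri"}}` would also reject non-string entries.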
@@ -3309,8 +3531,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3321,13 +3543,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.acr_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
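Review bot: The check path reads `$.metadata_policy.intermediary.acr_values_supported` while the name and description say the parameter is inspected inside the `openid_provider` type of an Entity Statement for an OP; one of the two is wrong, and if `intermediary` is deliberate the description should say so. The same openid_provider-in-text / intermediary-in-path split appears in the hunks for grant_types_supported, id_token_encryption_alg_values_supported, id_token_encryption_enc_values_supported, id_token_signing_alg_values_supported, request_authentication_signing_alg_values_supported, response_modes_supported, scopes_supported, token_endpoint_auth_signing_alg_values_supported, userinfo_encryption_alg_values_supported, userinfo_encryption_enc_values_supported and userinfo_signing_alg_values_supported. Separately, the description here says the object must contain the key 'subset_of', but `required` lists both `subset_of` and `superset_of`, so a policy that supplies only `subset_of` fails this test; the descriptions of the hunks just listed have the same gap. Either drop `superset_of` from `required` or state in each description that both operators are required. The test object continues outside these two hunks.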
@@ -3339,25 +3561,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
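Review bot: The description says authorization_response_iss_parameter_supported must contain the key 'one_of' valued as ['true'], but the schema requires the key `value` with `{"const": true}` — a different policy operator and a boolean rather than a one-element array. The schema is what runs, so either the description should end with `It must contain the key 'value' and it must be valued as true`, or, if 'one_of' really is the intended operator, the schema should be `{"type": "object", "properties": {"one_of": {"const": [true]}}, "required": ["one_of"]}` (escaped as a JSON string in the file). The same text/schema mismatch is in the claims_parameter_supported, request_authentication_methods_supported and request_parameter_supported hunks. The enclosing JSON array continues outside the hunk.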
@@ -3369,25 +3591,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -3399,25 +3621,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
 }
 ]
 }
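Review bot: For client_registration_types_supported the schema requires `subset_of` with `{"const": "automatic"}`, but `subset_of` is an array-valued policy operator (the description itself says "valued as ['automatic']"), so a policy carrying `"subset_of": ["automatic"]` fails the `const` comparison against the bare string and the test can never pass on a conforming policy. If the intent is exactly that one-element array, use `"subset_of": {"const": ["automatic"]}`; if any subset that includes it is acceptable, use `"subset_of": {"type": "array", "contains": {"const": "automatic"}}`. The description also names the key as 'one_of' while the schema checks `subset_of`; pick one and align both. The enclosing JSON array continues outside the hunk.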
@@ -3429,25 +3651,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3459,25 +3681,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3489,25 +3711,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3519,25 +3741,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3549,25 +3771,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -3579,25 +3801,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3609,25 +3831,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
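Review bot: The name and description say the request_object_signing_alg_values_supported parameter is checked, but the check path is `$.metadata_policy.openid_provider.request_parameter_supported`, so this test never inspects the parameter it claims to cover. The path should read `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"`. The next hunk reuses this exact `name`, so the two tests are indistinguishable in any report keyed by name; give each a distinct one. The enclosing JSON array continues outside the hunk.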
@@ -3639,25 +3861,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
 }
 ]
 }
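Review bot: The `json schema compliant` value is two JSON documents concatenated (`{...} ["RS256", "RS512"]`), which is not a parseable JSON Schema, and the check path again points at `request_parameter_supported` rather than the request_object_signing_alg_values_supported parameter the description names. Given the description ("'subset_of' valued as ['RS256', 'RS512']"), the check should be `"check": "$.metadata_policy.openid_provider.request_object_signing_alg_values_supported"` and the schema `{"type": "object", "properties": {"subset_of": {"const": ["RS256", "RS512"]}}, "required": ["subset_of"]}` (escaped as a JSON string in the file). If the run-time parser happens to tolerate the trailing array, the algorithm list is silently ignored and the test passes without constraining the signing algorithms at all, which is the very thing it exists to catch. The description also carries a trailing space, and the `name` duplicates the previous hunk's. The enclosing JSON array continues outside the hunk.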
@@ -3669,25 +3891,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -3699,25 +3921,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.response_modes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3729,25 +3951,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'",
+ "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.scopes_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3759,25 +3981,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3789,25 +4011,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3819,25 +4041,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3849,25 +4071,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3879,20 +4101,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
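Review bot: The schema only requires that `subset_of` and `superset_of` exist and accepts any value for them, so a malformed policy such as `"subset_of": "authorization_code"` (a string instead of a list) passes this test. Since both operators carry lists of grant types, constrain them, escaped inside the JSON string like the other schemas: `{"type": "object", "properties": {"subset_of": {"type": "array", "items": {"type": "string"}}, "superset_of": {"type": "array", "items": {"type": "string"}}}, "required": ["subset_of", "superset_of"]}`. This hunk also repurposes the test that verified the TA's entity configuration is a compact JWT in JOSE format; if that check is not re-added elsewhere in this file, the basic format test for the entity configuration is lost. The enclosing test object ends outside the hunk.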
@@ -3902,20 +4131,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + } + ] } ] } 
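Review bot: The embedded schema string is not valid JSON: `\"required\": [\"subset_of\"], [\"superset_of\"]` places a bare array after the `required` value, so the schema validator will fail to parse it and this test can never produce a meaningful result. It should be a single array, i.e. `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"`, which is also what the description and the sibling RP test say. The hunk additionally drops the test of the resolve-endpoint response; make sure that endpoint stays covered somewhere. The enclosing test object ends outside the hunk.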
@@ -3925,20 +4161,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] } ] } @@ -3948,8 +4198,8 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
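Review bot: The name and description disagree with what is checked: the name says an `oauth_resource` Trust Mark, the description says a Trust Mark 'issued for an TA', and the message type is `Entity Statement response TA OP`, so the `claims` claim is looked up in the first trust mark of an OP statement rather than in an AA's oauth_resource Trust Mark; fix either the message type or the name so they agree (and 'an TA' should read 'a TA'). The inner `"decode param": "$.trust_marks[0].trust_mark"` hard-codes the first array entry, so the test silently depends on ordering whenever an entity carries several trust marks; selecting by the trust mark `id`, or iterating all entries, would be more robust. Trust Marks are signed JWTs that are decoded, not 'decrypted', so the description should say `decoded`. The enclosing test object ends outside the hunk.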
@@ -3957,11 +4207,25 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } @@ -3971,20 +4235,34 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
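Review bot: In the second hunk, `"check": "exp"` with `"is present": "true"` only verifies that the claim exists, so an `exp` of `"never"`, a negative number or an already-elapsed timestamp all pass. The stronger pattern used by the entity-configuration tests this patch removes applies here unchanged: `"check": "$"` together with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. The same hunk switches the message type from `Entity Statement response TA RP` to `TA OP`, so the RP fetch response is no longer exercised by this test and is covered only if the RP variants added later in the patch stay in sync. The enclosing test object ends outside the hunk.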
@@ -3994,20 +4272,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -4017,20 +4309,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
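Review bot: `"check": "id"` with `"is present": "true"` only establishes that some `id` key exists in the Trust Mark payload; it does not check that it is a non-empty string identifier, and, depending on how mig-t resolves a bare key name versus a `$.`-rooted JSONPath (the ipa_code test in this patch uses `$.id_code.ipa_code`), a nested `id` might satisfy it. Prefer the explicit path and a type constraint: `"check": "$"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id\": {\"type\": \"string\", \"minLength\": 1}}, \"required\": [\"id\"]}"`. The hunk also repurposes the fetch-endpoint test for the RP, so confirm the RP fetch response is still checked elsewhere. The enclosing test object ends outside the hunk.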
@@ -4040,20 +4346,34 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } @@ -4063,8 +4383,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" 
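Review bot: The second hunk repurposes the test that asserted the OP policy's `id_token_encryption_alg_values_supported` does not permit `RSA_1_5`, and the following hunks do the same for the `none`/`HS256`/`HS384`/`HS512` signing-algorithm checks and for the RP and SA equivalents, so after this patch the file contains no negative test for weak or forbidden algorithms in the TA's metadata policy. Unless those assertions were moved into dedicated test files, this is a real loss of security coverage, because a TA policy that admits `none` or HMAC-signed tokens is precisely what they guarded against; if they were moved, saying so in the commit message would help reviewers. The ipa_code description in this hunk also says 'decrypted' where Trust Marks are merely decoded. The enclosing test object ends outside the hunk.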
@@ -4075,14 +4395,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$.id_code.ipa_code", + "is present": "true" + } ] } ] @@ -4095,8 +4420,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4107,17 +4432,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iss", + "is present": "true" + } ] } ] 
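Review bot: In the last hunk, `iss` is only checked for presence, yet its value is what binds the Trust Mark to its issuer: a well-formed Trust Mark whose `iss` is not the expected Trust Mark Issuer should not be accepted. If the framework can compare against the TA's entity identifier, assert equality; at minimum constrain the claim with `"check": "$"` and `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"iss\": {\"type\": \"string\", \"format\": \"uri\"}}, \"required\": [\"iss\"]}"`. The hunks on this line also mix two selector styles, a bare key (`iss`) and a JSONPath (`$.id_code.ipa_code`); pick one for readability. The enclosing test objects start and end outside these hunks.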
@@ -4130,8 +4457,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4142,17 +4469,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } ] } ] 
@@ -4165,8 +4494,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4177,14 +4506,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } ] } ] 
@@ -4197,8 +4531,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4209,17 +4543,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } ] } ] 
@@ -4232,8 +4568,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4244,17 +4580,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } ] } ] 
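Review bot: The name and description now say this is the `oauth_resource` Trust Mark of an AA, but nothing else in the test changed: the message type line is context outside the hunk and, because the replaced test read the OP's entity statement, it presumably still selects `Entity Statement response TA OP`, so `policy_uri` is looked up in the OP's first trust mark rather than in an AA's. Either switch the message type to the AA entity statement or drop `oauth_resource`/`AA` from the name and description. The inner `decode param` `$.trust_marks[0].trust_mark` also pins the first trust mark, which need not be the oauth_resource one when several are present. The enclosing test object starts and ends outside this hunk.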
@@ -4267,26 +4605,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } ] } ] 
@@ -4299,29 +4642,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "service_documentation", + "is present": "true" + } ] } ] 
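Review bot: The test is described as checking the `service_documentation` claim of a Trust Mark issued for an AA (oauth_resource profile), but the hunk sets `"message type": "Entity Statement response TA OP"`, so it reads the OP's entity statement and its first trust mark, which is not an oauth_resource Trust Mark; one of the two is wrong. If the AA is intended, the message type should name the AA entity statement; otherwise rename the test. Trust Marks are signed JWTs and are decoded, not 'decrypted', so the description should read `decoded`. The enclosing test object ends outside the hunk.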
@@ -4334,26 +4679,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sub", + "is present": "true" + } ] } ] 
@@ -4366,29 +4716,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "tos_uri", + "is present": "true" + } ] } ] 
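Review bot: As with the other oauth_resource checks, the name and description refer to an AA's Trust Mark while the hunk sets `"message type": "Entity Statement response TA OP"`, so `tos_uri` is checked on the OP's first trust mark and a missing `tos_uri` on the AA's oauth_resource Trust Mark would go undetected. Align the message type with the name, or rename the test to what it actually inspects. The enclosing test object ends outside the hunk.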
@@ -4401,26 +4753,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } ] } ] 
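Review bot: The name and description say this checks the `claims` claim of an AA's oauth_resource Trust Mark, but the message type is set to `Entity Statement response TA RP`, so the RP's first trust mark is inspected instead; the mismatch means a missing `claims` on the AA Trust Mark goes unnoticed while an RP Trust Mark is held to a requirement it may not have. Align the message type with the name, or vice versa. The RP series that follows duplicates the OP series claim for claim; generating both from one template would prevent exactly this kind of drift. The enclosing test object ends outside the hunk.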
@@ -4433,29 +4790,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } ] } ] 
@@ -4468,26 +4827,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } ] } ] 
@@ -4500,34 +4864,36 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" - ] - } - ] - } - ] + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] + } + ] } ], "result": "correct flow s1" 
@@ -4535,25 +4901,32 @@ }, { "test": { - "name": "Does entity configuration contain a correct exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] } ] } 
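Review bot: This hunk replaces the schema-based test that the TA's Entity Configuration carries an integer `exp` (the next hunks do the same for `iat` and for `metadata` being an object) with a presence-only check of `id` in an RP's first Trust Mark, so the file no longer validates the Entity Configuration's lifetime claims unless that coverage was re-added elsewhere. The new check would be stronger as `"check": "$"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id\": {\"type\": \"string\", \"minLength\": 1}}, \"required\": [\"id\"]}"`. `decrypted` in the description should be `decoded`, since Trust Marks are signed, not encrypted. The enclosing test object ends outside the hunk.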
@@ -4565,25 +4938,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4595,25 +4975,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4625,25 +5012,32 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4655,25 +5049,32 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4685,25 +5086,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4715,25 +5123,32 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4745,25 +5160,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
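Review bot: The name and description say this Trust Mark is issued for an AA (oauth_resource profile), but `"message type": "Entity Statement response TA RP"` reads the TA→RP statement, so the check runs against the RP's first trust mark rather than the AA's; the same mismatch is in the service_documentation and tos_uri tests two and four hunks below. By contrast, the sa_profile test a few hunks further down uses `"message type": "Entity Statement response TA SA"`, which matches its own description. Either point `message type` at the TA→AA statement (if the harness defines such a message type) or drop "oauth_resource"/"AA" from the name and description so the test only claims what it verifies.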
@@ -4775,25 +5197,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4805,25 +5234,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4835,27 +5271,34 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
- }
- ]
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4865,25 +5308,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4895,25 +5345,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4925,25 +5382,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
 }
 ]
 }
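Review bot: `"is present": "true"` on `$.constraints.max_path_length` accepts any value type, so a `max_path_length` of `"abc"` or `-1` passes even though this is the one constraint a verifier relies on to bound trust-chain length. The schema check removed in an earlier hunk was also presence-only (`\"max_path_length\": {}`), so this is not a regression, but if `json schema compliant` is still supported after the `decode regex` rename, a companion check on that path with `{\"type\": \"integer\", \"minimum\": 0}` would pin the expected type. The description also still says only that "the presence of the constraints parameter is checked", while the check now targets its `max_path_length` member.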
@@ -4955,25 +5412,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
@@ -4985,25 +5442,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
 }
 ]
 }
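Review bot: `"is present": "true"` on `$.metadata.federation_entity.federation_fetch_endpoint` only verifies that the key exists; a non-string value or an `http://` URL passes, although this is the endpoint a resolver will contact to build trust chains. The same presence-only pattern is used for the list, resolve, trust_mark_status, homepage_uri, logo_uri and policy_uri parameters in the following hunks. The logo_uri test removed in an earlier hunk shows the file already expresses value constraints with `json schema compliant` (`\"format\":\"uri\"` plus an `^https://` pattern); if that check type survives the rename, a companion check per endpoint such as `"json schema compliant": "{\"type\": \"string\", \"format\": \"uri\", \"pattern\": \"^https://\"}"` would restore the value-level assertion that presence alone does not give.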
@@ -5015,25 +5472,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5045,25 +5502,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5075,25 +5532,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5105,25 +5562,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5135,25 +5592,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5165,25 +5622,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -5195,25 +5652,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the policy_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5225,8 +5682,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5237,13 +5694,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5255,8 +5712,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5267,13 +5724,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
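Review bot: The new description says the `authorization_response_iss_parameter_supported` policy entry must contain the key `'one_of'`, but the check path ends in `.value`, so the test and its documentation disagree on which policy operator is required; because `is present` only tests the one path, the test verifies a different requirement than the one it documents. Either the path should be `$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.one_of` or the description should say `'value'`; for a boolean OP parameter `value` looks like the intended operator, so the description is presumably the one to fix. The same description/path mismatch appears in the hunks at +5772 (claims_parameter_supported, 'one_of' vs `.value`), +6012 (request_parameter_supported, 'one_of' vs `.value`), +6042, +6072, +6102 and +6162 ('one_of' vs `.subset_of`), and +6192, +6222, +6252, +6342, +6372 and +6402 ('subset_of' vs `.one_of`). For the single-valued RP parameters in the last group (`id_token_signed_response_alg`, `token_endpoint_auth_method`, …) `one_of` is the operator the federation metadata-policy rules apply, so there the description rather than the path appears to be wrong; the array-valued OP parameters would need the opposite fix.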
@@ -5285,8 +5742,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5297,13 +5754,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5315,25 +5772,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
@@ -5345,25 +5802,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
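Review bot: The new test is named and described as a plain presence check for `client_registration_types_supported`, but its check path already descends into `.subset_of`, which is exactly the path the "correct … parameter key" test in the next hunk (+5832) checks; the two tests are therefore identical and the presence case is never exercised on its own. The path here should be `$.metadata_policy.openid_provider.client_registration_types_supported`, following the pattern of the presence tests at +5682 and +5742 whose "correct key" companions add the operator suffix.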
@@ -5375,8 +5832,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5387,14 +5844,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
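Review bot: The test replaced in this hunk and in the next one (+5862) was the only one in this region that verified the TA's signature on an issued Trust Mark (`"jwt check sig": "X_key_TA"` on `$.trust_marks[0].trust_mark`); the tests that take their place only assert the presence of metadata_policy keys, so unless the signature test is re-added elsewhere in this file or in one of the per-test files the commit creates, Trust Mark signature validation is no longer covered by the suite. That may be intentional if the coverage moved, but it is worth confirming in the PR description, since a Trust Mark whose signature does not verify against the TA's federation keys is precisely what a consumer must reject. The enclosing test object starts before the first hunk and closes after the second.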
@@ -5406,26 +5862,25 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
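Review bot: The new check path selects `$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of`, while the name, the description and the message type (`Entity Statement response TA OP`) all refer to the `openid_provider` metadata type, so the test inspects the wrong policy section and will report the key absent whatever the OP policy says. The path should presumably read `$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of`. The same `intermediary` selector is carried into the OP tests at +6042 (response_types_supported), +6072 (revocation_endpoint_auth_methods_supported) and +6102 (subject_types_supported), which otherwise use `openid_provider` in their text.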
@@ -5437,25 +5892,25 @@
 },
 {
 "test": {
- "name": "Does entity configuration TA contain a correct sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",
+ "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
- "is": "X_url_TA"
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
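Review bot: The new test's name says it checks the `jwks` entry of the TA's metadata policy for an OP, the check path is `$.jwks`, i.e. the top-level claim of the Entity Statement payload, and the description ends by saying it must contain "the RP JWKS", so name, path and description describe three different things. If the policy entry is meant, the path should be `$.metadata_policy.openid_provider.jwks`; if the subject's federation keys in the statement are meant, the name and description should say so and the "RP JWKS" sentence should go. The top-level `$.jwks` presence check on `Entity Statement response TA OP` also duplicates the "Does Entity Statements issued by the TA contain the jwks parameter" test this commit removes at +6372, so this may be a partial leftover of that test rather than a new one.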
@@ -5467,60 +5922,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
- "type": "active",
+ "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response TA",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "iss",
- "as": "valid_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
 "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "iss",
- "contains": "valid_iss"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5532,60 +5952,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL",
- "type": "active",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
+ "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "session": "s1",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Configuration response TA",
- "decode operations": [
- {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "edits": [
- {
- "jwt from": "payload",
- "jwt save": "iss",
- "as": "valid_iss"
- }
- ]
- }
- ]
- },
- {
- "action": "intercept",
- "from session": "s1",
- "then": "forward",
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "use variable": "true",
- "in": "payload",
- "check": "iss",
- "contains": "valid_iss"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
+ "is present": "true"
 }
 ]
 }
@@ -5597,24 +5982,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported",
 "is present": "true"
 }
 ]
@@ -5627,24 +6012,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
 "is present": "true"
 }
 ]
@@ -5657,24 +6042,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the iss parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -5687,24 +6072,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the jwks parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -5717,24 +6102,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the metadata parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata",
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
 "is present": "true"
 }
 ]
@@ -5747,24 +6132,24 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain the sub parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
 "is present": "true"
 }
 ]
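Review bot: The new check path begins with `$..`, the JSONPath recursive-descent operator, while every other test in this file uses `$.`; it would match a `metadata_policy` object at any depth of the payload, so the presence check could be satisfied by a nested occurrence rather than the top-level policy the description talks about. It is most likely a typo for `$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of`. Separately, the name and description announce a check of the parameter itself but the path descends into `.subset_of`; the description should end with the key it expects, e.g. `It must contain the key 'subset_of'`, as the neighbouring "correct … key" tests do.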
@@ -5777,24 +6162,24 @@
 },
 {
 "test": {
- "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
 "is present": "true"
 }
 ]
@@ -5807,24 +6192,24 @@
 },
 {
 "test": {
- "name": "Does the Federation Configuration contain the TA public keys",
- "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -5837,24 +6222,24 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_mark_issuers",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
@@ -5867,24 +6252,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the constraints parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.constraints",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -5897,24 +6282,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the exp parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.exp",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
 "is present": "true"
 }
 ]
@@ -5927,24 +6312,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the iat parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iat",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
 "is present": "true"
 }
 ]
@@ -5957,24 +6342,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statement issued by the TA contain the iss parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.iss",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -5987,24 +6372,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -6017,24 +6402,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
@@ -6047,24 +6432,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", "is present": "true" } ] 
@@ -6077,24 +6462,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -6107,24 +6492,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -6137,24 +6522,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -6167,24 +6552,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
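Review bot: The check path is `$.metadata_policy.openid_relying_party.response_types.value` although the name and description describe an SA policy under the `intermediary` type, and every other SA test in this batch (`@@ -6047` through `@@ -6287`) addresses `$.metadata_policy.intermediary.…`. One of the two type segments is wrong for this test: if the SA policy really lives under `intermediary` the line should read `"check": "$.metadata_policy.intermediary.response_types.value"`, otherwise the description should name `openid_relying_party`. I cannot tell from this file which type identifier the TA emits for an SA, so confirm it against a real entity statement before choosing.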
@@ -6197,24 +6582,24 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -6227,24 +6612,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -6257,24 +6642,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -6287,24 +6672,24 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the jwks parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
@@ -6317,15 +6702,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does entity configuration contain the exp parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -6334,7 +6719,7 @@ "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.exp", "is present": "true" } ] 
@@ -6347,15 +6732,15 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does entity configuration contain the iat parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", @@ -6364,7 +6749,7 @@ "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.iat", "is present": "true" } ] 
@@ -6377,8 +6762,8 @@ }, { "test": { - "name": "Does the entity correctly sign the Entity Configuration", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header", + "name": "Does entity configuration contain the iss parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6391,7 +6776,13 @@ "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.iss", + "is present": "true" + } + ] } ] } 
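Review bot: The `"jwt check sig": "X_key_TA"` operation is replaced by a presence check on `$.iss`, so this test no longer verifies the Entity Configuration signature at all, and the two hunks that follow (`@@ -6401` and `@@ -6425`) do the same to the Entity Statement signature tests for the OP and the RP. Signature validation against the TA key is the root of trust for every other check in this suite — a presence test passes just as well on an unsigned or re-signed statement — so unless these three tests are re-added elsewhere in this reordered file, that coverage is gone. Keep the signature tests as their own entries next to the new presence tests instead of overwriting them.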
@@ -6401,21 +6792,27 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does entity configuration contain the jwks parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.jwks", + "is present": "true" + } + ] } ] } 
@@ -6425,21 +6822,27 @@ }, { "test": { - "name": "Does the TA correctly sign the Entity statements", - "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header", + "name": "Does entity configuration contain the metadata parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "jwt check sig": "X_key_TA" + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "is present": "true" + } + ] } ] } 
@@ -6449,32 +6852,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does entity configuration contain the sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
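Review bot: The nested Trust Mark decode (`$.trust_marks[0].trust_mark` followed by a `json schema compliant` check) is dropped here and in the nine hunks that follow (`@@ -6486` through `@@ -6782`) in favour of flat `is present` checks on Entity Configuration and Entity Statement claims. Those schema checks were the only value-level validation in this part of the file (types of `id_code`, `claims`, `email`, `exp`, `iat`, `logo_uri`, `organization_name`, and the `ipa_code` / `fiscal_number` / `vat_number` alternatives), and the presence tests replacing them repeat tests that already exist at other positions, so unless the Trust Mark tests are re-added elsewhere in this reordered commit, that coverage is lost. For the hunks from `@@ -6597` onwards the `message type` line sits outside the hunk, so I could not confirm that the new presence tests target the Entity Statement response their names describe.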
@@ -6486,32 +6882,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
@@ -6523,32 +6912,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does the Federation Configuration contain the TA public keys", + "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
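Review bot: This test ("Does the Federation Configuration contain the TA public keys") runs exactly the operation added at `@@ -6401` ("Does entity configuration contain the jwks parameter"): message type `Entity Configuration response TA`, payload check `$.jwks`, `is present`. Two entries with identical behaviour and different names report the same finding twice; either drop one, or make this one check what its description promises — that keys are actually published, e.g. `"check": "$.jwks.keys"` — so an empty key set does not pass.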
@@ -6560,32 +6942,25 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", + "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "in": "payload", + "check": "$.trust_mark_issuers", + "is present": "true" } ] } 
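Review bot: The name and description say `trust_marks_issuers` while the check asserts `$.trust_mark_issuers`; both spellings cannot be the claim the TA emits, so either the check or the text is wrong and a TA using the other spelling is mis-reported. Align them on whichever claim name the federation profile under test uses; if it is `trust_marks_issuers`, the line becomes `"check": "$.trust_marks_issuers"`.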
@@ -6597,8 +6972,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6609,20 +6984,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
@@ -6634,8 +7002,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6646,20 +7014,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -6671,8 +7032,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6683,20 +7044,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -6708,8 +7062,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6720,20 +7074,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -6745,8 +7092,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6757,20 +7104,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -6782,8 +7122,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -6794,20 +7134,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -6819,8 +7152,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6831,20 +7164,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -6856,8 +7182,8 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -6868,20 +7194,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -6893,32 +7212,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does Entity Statements issued by the TA contain the constraints parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } - ] + "in": "payload", + "check": "$.constraints", + "is present": "true" } ] } 
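Review bot: Switching the message type to `Entity Statement response TA RP` here and in L11947–L11948 moves the `constraints`, `exp` and `iat` presence tests to the RP statement, while the `TA OP` tests at L11940–L11945 cover only `iat`, `iss`, `jwks`, `metadata_policy`, `sub` and `trust_marks`; within this span no `TA OP` test for `constraints` or `exp` remains. If the OP Entity Statement is meant to be validated to the same extent, those two tests need an `"message type": "Entity Statement response TA OP"` copy; they may already exist elsewhere in the file, which I cannot see from here.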
@@ -6930,32 +7242,25 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does Entity Statements issued by the TA contain the exp parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } - ] + "in": "payload", + "check": "$.exp", + "is present": "true" } ] } 
@@ -6967,32 +7272,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does Entity Statements issued by the TA contain the iat parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" - } - ] + "in": "payload", + "check": "$.iat", + "is present": "true" } ] } 
@@ -7004,8 +7302,8 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", + "name": "Does Entity Statement issued by the TA contain the iss parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", "type": "passive", "sessions": [ "s1" @@ -7016,20 +7314,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.iss", + "is present": "true" } ] } 
@@ -7041,8 +7332,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", + "name": "Does Entity Statements issued by the TA contain the jwks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -7053,20 +7344,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
@@ -7078,8 +7362,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of the email claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", "type": "passive", "sessions": [ "s1" @@ -7090,20 +7374,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " - } - ] + "in": "payload", + "check": "$.metadata_policy", + "is present": "true" } ] } 
@@ -7115,8 +7392,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the exp type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", + "name": "Does the TA's metadata policy for an RP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" @@ -7127,20 +7404,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" - } - ] + "in": "payload", + "check": "$.jwks", + "is present": "true" } ] } 
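Review bot: The name and description say the `jwks` parameter is checked inside `metadata_policy` under `openid_relying_party`, but the check is `"check": "$.jwks"` on the top-level Entity Statement payload, which makes this test an exact duplicate of L11950. Either point the check at the policy, `"check": "$.metadata_policy.openid_relying_party.jwks"`, or rename the test; as written, a TA whose metadata policy omits the RP JWKS passes.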
@@ -7152,8 +7422,8 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", - "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", + "name": "Does Entity Statements issued by the TA contain the sub parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", "type": "passive", "sessions": [ "s1" @@ -7164,20 +7434,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" - } - ] + "in": "payload", + "check": "$.sub", + "is present": "true" } ] } 
@@ -7189,8 +7452,8 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct iat type", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", + "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", + "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", "type": "passive", "sessions": [ "s1" @@ -7201,20 +7464,13 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" - } - ] + "in": "payload", + "check": "$.trust_marks", + "is present": "true" } ] } 
@@ -7226,34 +7482,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
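Review bot: The JWS regex `([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)` rejects valid compact JWS: the base64url alphabet contains `-`, which `\w` does not cover, so an Entity Configuration whose header or payload segment happens to contain `-` fails the check although it is well-formed; the same regex is reused at L11958–L11961. Something like `"check regex": "^[\\w\\-]+\\.[\\w\\-]+\\.[\\w\\-]*$"` covers the base64url alphabet (which has no `=`, `+` or `/`) and anchors the match, so three dot-separated words inside an HTML error page no longer satisfy it. A regex match only shows the body is shaped like a JWS; the Content-Type check at L11963 is what actually establishes the JOSE format the description asks for.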
@@ -7263,34 +7505,20 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
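Review bot: The regex `[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` starts with an unescaped `[`, which opens a character class, so it does not match a JSON string array as intended; the sibling tests at L11957 and L11962 escape it. Use `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Separately, the description expects the resolve endpoint to return the `resolved metadata` of the subject, which in the OpenID Federation specification is a signed JWT rather than a list of identifiers; if that is what the implementation returns, the three-segment JWS regex used at L11955 is the right shape and the array regex looks copied from the entity listing test.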
@@ -7300,34 +7528,20 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", + "name": "Does the Entity expose the entity listing endpoint", + "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Listing response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" - } - ] - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
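Review bot: The description still opens with `In order to check the presence and correctness of the resolve entity statement endpoint`, but this test targets `Entity Listing response`; it should read `In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request to the entity's endpoint is done`. The regex `\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$` also requires at least one element, so a TA with no subordinates that correctly answers `[]` fails; `"check regex": "\\[\\s*(?:\"[^\"]*\"(?:,\\s*\"[^\"]*\")*)?\\s*\\]$"` accepts the empty listing.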
@@ -7337,34 +7551,20 @@ }, { "test": { - "name": "Does the Trust Mark contain the correct type of organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Entity Statement response TA OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -7374,8 +7574,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", + "name": "Does the TA correctly release the Entity statements", + "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", "type": "passive", "sessions": [ "s1" @@ -7383,25 +7583,11 @@ "operations": [ { "message type": "Entity Statement response TA RP", - "decode operations": [ + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -7411,34 +7597,20 @@ }, { "test": { - "name": "Does the Trust Mark contain an URL in the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA OP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -7448,34 +7620,20 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", + "name": "Does the Entity expose the fetch entity statement endpoint", + "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Fetch Entity Statement response TA RP", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" - } - ] - } - ] + "in": "body", + "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", + "is present": "true" } ] } 
@@ -7485,34 +7643,20 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", + "name": "Does the TA publish the federation public key history", + "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "decode operations": [ + "message type": "Public Keys History response", + "checks": [ { - "from": "body", - "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ - { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$", - "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" - } - ] - } - ] + "in": "body", + "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", + "is present": "true" } ] } 
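Review bot: The check for `Public Keys History response` reuses the JSON-string-array regex, but the description points at `/.well-known/openid-federation-jwks`, a key-set endpoint; if the TA publishes its historical keys as a JWKS (`{"keys": [ … ]}`) or as a signed JWT, `\\[\\s*\"[^\"]*\"…` never matches an array of key objects and the test fails on a correct response. Confirm the response shape against the implementation and, if it is a JWKS, replace the regex with a `json schema compliant` check requiring a `keys` array of objects. `HTTP Get` in the description should be `HTTP GET`.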
@@ -7522,20 +7666,71 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", + "name": "Does the entity return a correct Content-Type in the EC response", + "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", + "checks": [ + { + "in": "head", + "url decode": false, + "is": "application/entity-statement+jwt", + "check param": "Content-Type" + } + ] + } + ], + "result": "correct flow s1" + } + }, + { + "test": { + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", + "sessions": [ + "s1" + ], + "operations": [ + { + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "edits": [ + { + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" + } + ] + } + ] + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Statement response TA OP", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", 
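Review bot: The Content-Type check `"is": "application/entity-statement+jwt"` is an exact comparison, so a server that appends parameters such as `; charset=utf-8` fails the test although the media type is correct; if the DSL's `is` compares the whole header value, `"contains": "application/entity-statement+jwt"` or a `check regex` anchored at the start is the safer form. In the same hunk `"url decode": false` is a JSON boolean while `"is present": "true"` and `"use variable": "true"` elsewhere in the file are strings; whichever the DSL parses, the file should use one form. The active test that begins at the end of this hunk keeps the description `the value of the iss claim has to be an URL`, but what it now does is compare the Trust Mark `iss` with the TA's own `iss` saved from the Entity Configuration as `valid_iss`; the description (and the one at L11965) should say so. That test continues past the end of the hunk.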
@@ -7543,9 +7738,10 @@
 "decode param": "$.trust_marks[0].trust_mark",
 "checks": [
 {
+ "use variable": "true",
 "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
+ "check": "iss",
+ "contains": "valid_iss"
 }
 ]
 }
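Review bot: `"contains": "valid_iss"` is a substring test, so a Trust Mark whose `iss` merely embeds the TA entity identifier (a longer URL under the same prefix) satisfies the check; an issuer comparison should be equality, `"is": "valid_iss"`, provided the DSL accepts `is` together with `"use variable": "true"`, and the same applies to the RP copy at L11965. The enclosing test starts outside this hunk.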
@@ -7559,60 +7755,59 @@ }, { "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", - "type": "passive", + "name": "Does the Trust Mark contain a correct iss claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the iss claim has to be an URL", + "type": "active", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "session": "s1", + "action": "start" + }, + { + "action": "intercept", + "from session": "s1", + "then": "forward", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "edits": [ { - "in": "payload", - "check": "$.trust_marks[0].trust_mark.organization_type", - "is in": [ - "public", - "private" - ] + "jwt from": "payload", + "jwt save": "iss", + "as": "valid_iss" } ] } ] - } - ], - "result": "correct flow s1" - } - }, - { - "test": { - "name": "Does the Trust Mark contain a correct organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", - "type": "passive", - "sessions": [ - "s1" - ], - "operations": [ + }, { + "action": "intercept", + "from session": "s1", + "then": "forward", "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode operations": [ { - "in": "payload", - "check": "$.organization_type", - "is in": [ - "public", - "private" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "use variable": "true", + "in": "payload", + "check": "iss", + "contains": "valid_iss" + } ] } ] 
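Review bot: The test added in this hunk and the one added in the preceding hunk are both named `Does the Trust Mark contain a correct iss claim`, although one inspects `Entity Statement response TA OP` and the other `Entity Statement response TA RP`; identical names make a failure report ambiguous. Suggest `"name": "Does the Trust Mark issued for the OP contain a correct iss claim"` and `"name": "Does the Trust Mark issued for the RP contain a correct iss claim"` respectively. The two removed `organization_type` tests (`is in` `public`/`private`) have no replacement in the visible hunks; if that coverage is intended to move elsewhere, the commit message should say so.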
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json index edce186..1f41b6b 100644 --- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json +++ b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/single/TA/All_TA_Passive.json 
@@ -5,6 +5,201 @@ "filter messages": true }, "tests": [ + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_relying_party.*(\\n.*)+\"openid_relying_party\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "openid_provider.*(\\n.*)+\"openid_provider\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "federation_entity.*(\\n.*)+\"federation_entity\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_authorization_server.*(\\n.*)+\"oauth_authorization_server\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, + { + "test suite": { + "name": "Single test", + "description": "One test only", + "filter messages": true + }, + "tests": [ + { + "test": { + "name": "Does the metadata parameter contain only allowed types and only once for each", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'", + "type": "passive", + "sessions": [ + "s1" + ], + "operations": [ + { + "message type": "Entity Configuration response TA", + "decode operations": [ + { + "from": "body", + "decode param": "[^\\n\\r]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata", + "not matches regex": "oauth_resource.*(\\n.*)+\"oauth_resource\"" + } + ] + } + ] + } + ], + "result": "correct flow s1" + } + } + ] + }, { "test": { "name": "Does the entity return a correct HTTP code in the EC response", 
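Review bot: The five `not matches regex` checks in this hunk run on `$.metadata`, i.e. on the payload after it has been decoded and JSON-parsed; if the tool re-serialises the parsed object (most JSON parsers keep only the last of two duplicate keys) a repeated metadata type can never be observed and all five tests pass vacuously, so this needs confirming against the tool and, if so, the check has to run on the raw payload text. The description also requires every key to be one of the five allowed types, but nothing checks that, so an unknown metadata type passes. One schema check covers both requirements: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"openid_relying_party\": {}, \"openid_provider\": {}, \"federation_entity\": {}, \"oauth_authorization_server\": {}, \"oauth_resource\": {}}, \"additionalProperties\": false}"`. All five tests also share one name and each is wrapped in a nested `test suite` object inside the outer `tests` array, which the rest of the file does not do; distinct names (e.g. appending the metadata type being checked) would make the report readable. Minor: the regex is written `[^\\n\\r]*` here but `[^\\r\\n]*` everywhere else.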
@@ -53,8 +248,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']",
+ "name": "Does the Trust Mark contain a correct id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -65,16 +260,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of",
- "is subset of": [
- "https://www.spid.gov.it/SpidL1",
- "https://www.spid.gov.it/SpidL2",
- "https://www.spid.gov.it/SpidL3"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
+ }
 ]
 }
 ]
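Review bot: In this file the commit renames the outer JWT decode key from `decode param` to `decode regex` (here and in every following hunk), while in the previous file the same commit does the opposite (`- "decode regex"` → `+ "decode param"` at the end of the `@@ -7522,20 +7666,71 @@` hunk); unless the tool accepts both spellings, one of the two files will silently decode nothing and its checks never run, so the key should be made consistent across the files. The new `id_code` schema sets `\"additionalProperties\": {\"type\": \"object\"}`, which requires every member of `id_code` to itself be an object, yet the later `ipa_code` tests in this file expect a string member, so a valid `id_code` fails this test. Since the description only asks for `id_code` to be a JSON object, `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\"}}, \"required\": [\"id_code\"]}"` matches the intent; the same schema reappears in the `@@ -546,27 +803,31 @@` hunk. The removed `acr_values_supported` policy check (and the other metadata-policy checks removed by the following hunks) has no visible replacement; if they were deliberately moved to the per-test files, fine, otherwise this is lost coverage.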
@@ -87,8 +285,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" @@ -99,14 +297,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", - "is subset of": [ - "S256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
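Review bot: The description says the `claims` claim "has to be a list of JSON Objects", but the schema requires `claims` to be an object whose values are objects (`\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}`), so a list would fail the test. Either the description or the schema is wrong; if a list is intended the property schema should be `{\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}}`. The identical test, with the same mismatch, is added again in the `@@ -579,8 +840,8 @@` hunk for the RP entity statement.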
@@ -119,8 +322,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -131,15 +334,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", - "is subset of": [ - "refresh_token", - "authorization_code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}" + } ] } ] 
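Review bot: The schema's required keyword is spelled `\"required \"` with a trailing space, so a JSON Schema validator treats it as an unknown keyword and ignores it; a Trust Mark with no `email` claim passes this test. It should read `\"required\": [\"email\"]`. The same trailing-space problem affects nearly every key and value in the schemas of the `@@ -360,17 +593,19 @@` and `@@ -623,15 +889,19 @@` hunks (`\"type \"`, `\"properties \"`, `\"object \"`, `\"email \"`), where the check becomes a no-op or a schema error. Separately, `\"format\": \"email\"` is only an annotation unless the validator runs with format assertion enabled, which is worth confirming for the tool.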
@@ -152,8 +359,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -164,15 +371,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
@@ -185,8 +396,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -197,15 +408,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } ] } ] 
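Review bot: The name says the Trust Mark was "issued for private organization", but nothing in the operations selects such a Trust Mark: the check runs on `$.trust_marks[0].trust_mark` of whatever entity statement is captured. Together with the `ipa_code` tests in the `@@ -251,8 +470,8 @@` and `@@ -284,8 +507,8 @@` hunks, which require a public-organization `id_code`, the two families cannot both pass against the same entity, so one of them always fails unless the suite is run per organization type. If the tool supports it, gate the check on the Trust Mark's organization type, or split these tests into profile-specific suites and say so in the names.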
@@ -218,8 +433,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -230,15 +445,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] 
@@ -251,8 +470,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" @@ -263,15 +482,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of", - "is subset of": [ - "form_post", - "query" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] 
@@ -284,8 +507,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" @@ -296,14 +519,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -316,8 +544,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" @@ -328,14 +556,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ - { - "in": "payload", - "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] 
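Review bot: `\"format\": \"uri-reference\"` also accepts relative references and the empty string, so a `logo_uri` such as `logo.png` or `""` satisfies a test whose description says the value "has to be an URL"; `\"format\": \"uri\"`, which the `ref` test in the `@@ -427,14 +667,19 @@` hunk already uses, matches the intent. The same applies to the `policy_uri`, `service_documentation`, `sub` and `tos_uri` schemas in the `@@ -395,14 +630,19 @@`, `@@ -459,15 +704,19 @@`, `@@ -492,15 +741,19 @@` and `@@ -525,15 +778,19 @@` hunks. In all of them `format` is only enforced when the validator has format assertion enabled, which the page does not show.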
@@ -348,8 +581,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -360,17 +593,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.scopes_supported.subset_of", - "is subset of": [ - "openid", - "offline_access", - "profile", - "email" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] 
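Review bot: The new schema checks `organization_name` against the enum `private`/`public`, which is the value set of `organization_type` (the claim checked by the `organization_type` tests removed in the first file), not of an organisation's name; either the property name or the enum is wrong. The schema string is also not parseable as written unless the tool's parser is lenient: it contains `\u00a0` (a non-breaking space, which is not JSON whitespace) and every key and value carries a trailing space (`\"type \"`, `\"object \"`, `\"required \"`), so the check either errors out or matches nothing. If the intent is to restore the old organization-type check, the line should read `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_type\": {\"type\": \"string\", \"enum\": [\"private\", \"public\"]}}, \"required\": [\"organization_type\"]}"`; if it really concerns `organization_name`, use `{\"type\": \"string\"}` without the enum.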
@@ -383,8 +618,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" @@ -395,14 +630,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", - "is subset of": [ - "pairwise" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
@@ -415,8 +655,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -427,14 +667,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", - "is subset of": [ - "private_key_jwt" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
@@ -447,8 +692,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" @@ -459,15 +704,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
@@ -480,8 +729,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" @@ -492,15 +741,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } ] } ] 
@@ -513,8 +766,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" @@ -525,15 +778,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
@@ -546,27 +803,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain a correct id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}" + } ] } ] 
@@ -579,8 +840,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects", "type": "passive", "sessions": [ "s1" @@ -591,14 +852,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}" + } ] } ] 
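Review bot: The description says `claims` must be a list of JSON objects, but the schema asserts `"type": "object"` with object-valued properties, so a conforming array would fail and a map would pass. If the description is right the schema should read `\"claims\": {\"type\": \"array\", \"items\": {\"type\": \"object\"}}`; if the map form is intended, the description should say so. A structural check that rejects the documented shape tends to get silenced rather than fixed by whoever runs it, so the two must agree.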
@@ -611,8 +877,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'", + "name": "Does the Trust Mark contain the correct type of the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -623,15 +889,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_token" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } " + } ] } ] 
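Review bot: The email schema's keyword names carry trailing spaces (`\"type \"`, `\"properties \"`, `\"required \"`, `\"format \"`), and JSON Schema validators ignore unknown keywords, so this schema constrains nothing and the test passes for any payload, including one with no `email` claim at all. The line should be `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"email\": {\"type\": \"string\", \"format\": \"email\"}}, \"required\": [\"email\"]}"`. A vacuously passing compliance test is worse than a missing one; a negative fixture that is expected to fail would have caught this.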
@@ -644,8 +914,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain the exp type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -656,15 +926,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}" + } ] } ] 
@@ -677,8 +951,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim", + "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked", "type": "passive", "sessions": [ "s1" 
@@ -689,28 +963,33 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" - ] - } - ] - } - ] - } - ], + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}" + } + ] + } + ] + } + ] + } + ], "result": "correct flow s1" } }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the Trust Mark contain the correct iat type", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" 
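Review bot: The private-organization check only asserts that `fiscal_number` or `vat_number` is present, because both are declared with the empty schema `{}`, which accepts any JSON value including `null`, `""` or an object. If these are string codes, tighten them to `\"fiscal_number\": {\"type\": \"string\", \"minLength\": 1}` and likewise for `vat_number`; whether a specific pattern applies cannot be told from this file. The description again says "decrypted" where the operation decodes a signed JWT.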
@@ -721,14 +1000,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256\" , \"RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}" + } ] } ] @@ -741,8 +1025,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string", "type": "passive", "sessions": [ "s1" 
@@ -753,14 +1037,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}" + } ] } ] @@ -773,8 +1062,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked", "type": "passive", "sessions": [ "s1" 
@@ -785,14 +1074,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", - "is subset of": [ - "private_key" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}" + } ] } ] @@ -805,8 +1099,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain a correct logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" 
@@ -817,15 +1111,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}" + } ] } ] @@ -838,8 +1136,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the Trust Mark contain the correct type of organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" 
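Review bot: `logo_uri` is validated with `"format": "uri-reference"`, which also accepts a relative path or a bare word, whereas the description requires a URL; use `\"format\": \"uri\"` as the `ref` test in this file does. Since `format` is advisory in most validators unless assertion is enabled, confirm that the `json schema compliant` engine enforces it, otherwise this check only proves the claim is a string.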
@@ -850,14 +1148,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256\" , \"A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}" + } ] } ] @@ -870,8 +1173,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" 
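Review bot: The organization_name schema is broken twice over: the keyword names have trailing spaces and are preceded by U+00A0 non-breaking spaces (`\"type \": \u00a0\"object \"`), so a validator ignores them and the schema constrains nothing, and the enum values are `"private "` and `"public "` with trailing spaces, which would never match a real value even if the keywords were recognised. A corrected line is `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"organization_name\": {\"type\": \"string\", \"enum\": [\"private\", \"public\"]}}, \"required\": [\"organization_name\"]}"`. Whether `organization_name` is really a private/public enum rather than a free-text name cannot be told from this file; the claim name suggests a separate type claim, so confirm against the profile before pinning the enum.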
@@ -882,15 +1185,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}" + } ] } ] 
@@ -903,26 +1210,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']", + "name": "Does the Trust Mark contain an URL in the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is subset of": [ - "automatic" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }" + } ] } ] 
@@ -935,27 +1247,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']", + "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.grant_types.subset_of", - "is subset of": [ - "authorization_code", - "refresh_toke" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}" + } ] } ] 
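Review bot: The test is described as checking a Trust Mark issued for an AA (oauth_resource profile), but the operation reads `Entity Statement response TA RP`, so it inspects the RP's trust mark, where `service_documentation` may legitimately be absent, and never looks at the AA's. If the harness has a message type for the AA statement (this patch adds AA test files), the line should be `"message type": "Entity Statement response TA AA"`; otherwise the description should be corrected to say RP. Also `uri-reference` accepts relative references; `\"format\": \"uri\"` matches the description's URL requirement.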
@@ -968,27 +1284,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the Trust Mark contain a correct sub claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}" + } ] } ] 
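Review bot: `sub` is validated with `"format": "uri-reference"`, which accepts relative strings; if `sub` is the subject's Entity Identifier, which in OpenID Federation is an https URL, use `\"format\": \"uri\"` and, where the engine supports it, `\"pattern\": \"^https://\"` so that an `http://` identifier is rejected. The test is bound to `Entity Statement response TA RP` while the description speaks generically of "an issued Trust Mark", so the scope should be stated in the name.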
@@ -1001,27 +1321,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "$", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}" + } ] } ] 
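Review bot: This tos_uri test duplicates the one at the top of this chunk with the same name and schema, which makes results ambiguous when reported by name, and like the service_documentation test it is described as an AA (oauth_resource) check but reads `Entity Statement response TA RP`. Either drop this copy or point it at the AA statement, e.g. `"message type": "Entity Statement response TA AA"` if the harness defines it. `uri-reference` should be `uri` for a claim the description requires to be a URL.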
@@ -1034,59 +1358,76 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is subset of": [ - "RS256", - "RS512" - ] - } + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } + ] + } ] } ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. 
It must contain the key 'value' with value 'code'", + "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim", + "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is subset of": [ - "code" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "sa_profile", + "is in": [ + "light", + "full" + ] + } ] } ] 
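Review bot: Both sa_profile tests carry the same name and description ("A Trust Mark issued for an SA"), yet one reads `Entity Statement response TA OP` and the other `Entity Statement response TA RP`; neither reads the SA's statement, and an OP or RP trust mark that lacks `sa_profile` will fail both. They should be one test on `"message type": "Entity Statement response TA SA"` (the message type the replaced tests used), or be renamed to say which entity each covers. Two further inconsistencies: `"check": "sa_profile"` has no `$.` JSONPath prefix unlike every other check, and `"result": ["s1"]` differs from the `"result": "correct flow s1"` form used by the surrounding tests, so confirm the runner accepts both. "Decrypted" should read "decoded".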
@@ -1094,20 +1435,22 @@ ] } ], - "result": "correct flow s1" + "result": [ + "s1" + ] } }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", + "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must contain the value 'subset_of': ['https://www.spid.gov.it/SpidL1', 'https://www.spid.gov.it/SpidL2', 'https://www.spid.gov.it/SpidL3']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1116,9 +1459,11 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "check": "$.metadata_policy.intermediary.acr_values_supported.subset_of", "is subset of": [ - "private_key" + "https://www.spid.gov.it/SpidL1", + "https://www.spid.gov.it/SpidL2", + "https://www.spid.gov.it/SpidL3" ] } ] 
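Review bot: The description says the `acr_values_supported` policy is checked inside the `openid_provider` metadata type, but the JSONPath reads `$.metadata_policy.intermediary.acr_values_supported.subset_of`, so the assertion never touches the OP policy; whether it then fails or passes vacuously depends on how the runner treats a path that resolves to nothing. The line should be `"check": "$.metadata_policy.openid_provider.acr_values_supported.subset_of"`. This matters because a policy that admits a weaker SPID level than intended would go unnoticed.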
@@ -1131,15 +1476,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", + "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['S256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1148,10 +1493,9 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of", "is subset of": [ - "RSA-OAEP", - "RSA-OAEP-256" + "S256" ] } ] 
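Review bot: `code_challenge_methods_supported` is read at `$.metadata_policy.intermediary...`, not under `openid_provider` as the description states, so the PKCE constraint (`S256` only) is not actually verified against the OP policy. Change it to `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of"`. Since a non-resolving path may read as an empty set, and an empty set is a subset of `["S256"]`, check how the runner handles missing paths; otherwise a policy that also allows `plain` would be accepted.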
@@ -1164,15 +1508,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", + "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['refresh_token', 'authorization_code']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1181,10 +1525,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "check": "$.metadata_policy.intermediary.grant_types_supported.subset_of", "is subset of": [ - "A128CBC-HS256", - "A256CBC-HS512" + "refresh_token", + "authorization_code" ] } ] 
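Review bot: The `grant_types_supported` check reads `$.metadata_policy.intermediary.grant_types_supported.subset_of`, while the description says the `openid_provider` type is inspected, so the OP policy is never evaluated. The line should be `"check": "$.metadata_policy.openid_provider.grant_types_supported.subset_of"`. Confirm the runner fails rather than passes when the path resolves to nothing, or an OP policy permitting `implicit` would slip through.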
@@ -1197,15 +1541,15 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and must be valued as ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", @@ -1214,10 +1558,10 @@ "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported.one_of", "is subset of": [ - "RS256", - "RS512" + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
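Review bot: The check reads `.id_token_encryption_enc_values_supported.one_of`, while the description says the policy must carry `subset_of`; `one_of` is the operator for single-valued parameters, so for a `*_values_supported` array a policy written with `subset_of`, the documented form, would not be matched here. The path is also under `intermediary` rather than `openid_provider`. The line should be `"check": "$.metadata_policy.openid_provider.id_token_encryption_enc_values_supported.subset_of"`.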
@@ -1230,21 +1574,30 @@ }, { "test": { - "name": "Does the entity return a correct Content-Type in the EC response", - "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it must be valued as ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "head", - "url decode": false, - "is": "application/entity-statement+jwt", - "check param": "Content-Type" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "is subset of": [ + "RS256", + "RS512" + ] + } + ] } ] } 
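Review bot: The JSONPath `$..metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of` uses recursive descent, so it matches a `metadata_policy` at any depth in the payload, and it reads `intermediary` and `one_of` where the description says `openid_provider` and `subset_of`. Use the exact path `"check": "$.metadata_policy.openid_provider.id_token_signing_alg_values_supported.subset_of"`. This hunk also replaces the test that the Entity Configuration response carries `Content-Type: application/entity-statement+jwt`; if that check is not re-added elsewhere, the media-type requirement is no longer covered. The test object continues past the end of the hunk.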
@@ -1254,8 +1607,8 @@
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1266,22 +1619,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is in": [
- "light",
- "full"
- ]
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1289,41 +1635,32 @@
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the issued intermediary Trust Mark contain a correct sa_profile claim",
- "description": "A Trust Mark issued for an SA is taken, decrypted and the value of the sa_profile claim can be 'full' or 'light'",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and it is valued with['form_post', 'query']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sa_profile",
- "is in": [
- "light",
- "full"
- ]
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.response_modes_supported.subset_of",
+ "is subset of": [
+ "form_post",
+ "query"
 ]
 }
 ]
@@ -1331,15 +1668,13 @@
 ]
 }
 ],
- "result": [
- "s1"
- ]
+ "result": "correct flow s1"
 }
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['code']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1350,19 +1685,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
+ "is subset of": [
+ "code"
 ]
 }
 ]
@@ -1375,8 +1705,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1387,19 +1717,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
+ "is subset of": [
+ "private_key_jwt"
 ]
 }
 ]
@@ -1412,8 +1737,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['openid', 'offline_access', 'profile', 'email']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1424,19 +1749,17 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.scopes_supported.subset_of",
+ "is subset of": [
+ "openid",
+ "offline_access",
+ "profile",
+ "email"
 ]
 }
 ]
@@ -1449,8 +1772,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['pairwise']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1461,19 +1784,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
+ "is subset of": [
+ "pairwise"
 ]
 }
 ]
@@ -1486,8 +1804,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['private_key_jwt']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1498,19 +1816,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
+ "is subset of": [
+ "private_key_jwt"
 ]
 }
 ]
@@ -1523,8 +1836,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1535,19 +1848,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id_code",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1560,8 +1869,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1572,19 +1881,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$.id_code.ipa_code",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -1597,8 +1902,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iss claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1609,19 +1914,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iss",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported.one_of",
+ "is subset of": [
+ "A128CBC-HS256",
+ "A256CBC-HS512"
 ]
 }
 ]
@@ -1634,8 +1935,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1646,19 +1947,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "logo_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -1671,31 +1968,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_name",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
 ]
 }
 ]
@@ -1708,31 +2000,27 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with '[authorization_code, refresh_token]'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "organization_type",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_token"
 ]
 }
 ]
@@ -1745,31 +2033,27 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "policy_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -1782,31 +2066,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "ref",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
 ]
 }
 ]
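Review bot: The `is subset of` list on this hunk holds a single element, `"A128CBC-HS256\" , \"A256CBC-HS512"`, which is one string containing literal quote characters rather than the two algorithm names the description promises, so a policy listing either algorithm can never be a subset of it and the check cannot pass for a conformant TA. It should be two elements, `"A128CBC-HS256",` on one line and `"A256CBC-HS512"` on the next, as written in the hunk at -1197. The same malformed single-string value appears at -1819 (`"RS256\" , \"RS512"`) and at -1979.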
@@ -1819,31 +2098,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "service_documentation",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256\" , \"RS512"
 ]
 }
 ]
@@ -1856,31 +2130,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "sub",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.response_types.value",
+ "is subset of": [
+ "code"
 ]
 }
 ]
@@ -1893,31 +2162,26 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['private_key']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "tos_uri",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
+ "is subset of": [
+ "private_key"
 ]
 }
 ]
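Review bot: The expected value for `token_endpoint_auth_method` on this hunk is `private_key`, whereas the OP-side hunks at -1387 and -1498 expect `private_key_jwt` for the corresponding `*_auth_methods_supported` parameters, and the description itself repeats `private_key`. This looks like a truncation of the same method identifier; if so, a TA policy that correctly pins `private_key_jwt` would fail this subset check. Unless the RP profile genuinely uses a different identifier, the element should be `"private_key_jwt"` and the description updated to match.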
@@ -1930,8 +2194,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1942,19 +2206,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "claims",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
+ "is subset of": [
+ "RSA-OAEP",
+ "RSA-OAEP-256"
 ]
 }
 ]
@@ -1967,8 +2227,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -1979,19 +2239,14 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "email",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of",
+ "is subset of": [
+ "A128CBC-HS256\" , \"A256CBC-HS512"
 ]
 }
 ]
@@ -2004,8 +2259,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'one_of' valued with ['RS256', 'RS512']",
 "type": "passive",
 "sessions": [
 "s1"
@@ -2016,19 +2271,15 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "exp",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
+ "is subset of": [
+ "RS256",
+ "RS512"
 ]
 }
 ]
@@ -2041,31 +2292,26 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the iat claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "iat",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.client_registration_types.subset_of",
+ "is subset of": [
+ "automatic"
 ]
 }
 ]
@@ -2078,31 +2324,27 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the id claim",
- "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
+ "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' values with ['authorization_code', 'refresh_token']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "id",
- "is present": "true"
- }
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.grant_types.subset_of",
+ "is subset of": [
+ "authorization_code",
+ "refresh_toke"
 ]
 }
 ]
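Review bot: The second allowed grant type on this hunk is spelled `refresh_toke`, so a TA policy that lists `refresh_token` — the name used in this test's own description and in the RP hunk at -1708 — would fail the subset check. Change it to `"refresh_token"`. The description's `values with` should also read `valued with`, matching the wording of the surrounding tests.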
@@ -2115,31 +2357,27 @@ }, { "test": { - "name": "Does the Trust Mark contain id_code claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of': valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "id_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
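Review bot: The description says the `id_token_encrypted_response_alg` policy must contain the key 'subset_of', but the check path ends in `.one_of`; whichever operator the federation rules prescribe for this parameter, the description and the path must agree or the test documents one assertion and performs another. The same mismatch recurs in the following SA hunks (`id_token_encrypted_response_enc`, `id_token_signed_response_alg`, the `userinfo_*` parameters) and in the later OP, RP and SA "not valid values" tests whose descriptions cite 'subset_of' while the path reads `.one_of`. If `one_of` is intended because these are single-valued metadata parameters, update each description to say 'one_of'. The test object continues outside the hunk.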
@@ -2152,31 +2390,27 @@ }, { "test": { - "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim", - "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "$.id_code.ipa_code", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -2189,31 +2423,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the iss claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "iss", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -2226,31 +2456,26 @@ }, { "test": { - "name": "Does the Trust Mark contain the logo_uri claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value' with value 'code'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "logo_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.response_types.value", + "is subset of": [ + "code" ] } ] 
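Review bot: The name, description and message type (`Entity Statement response TA SA`) target the SA's `intermediary` metadata type, but the check path is `$.metadata_policy.openid_relying_party.response_types.value`, so the assertion inspects a different policy branch than the one described. If the intermediary branch is intended, use `"check": "$.metadata_policy.intermediary.response_types.value"`; otherwise the name and description should say openid_relying_party. The test object continues outside the hunk.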
@@ -2263,34 +2488,29 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_name claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of' valued with ['private_key']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_name", - "is present": "true" - } - ] - } - ] + "in": "payload", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", + "is subset of": [ + "private_key" + ] + } + ] } ] } 
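Review bot: The accepted value for `token_endpoint_auth_method` is `"private_key"`, which is not a registered OAuth 2.0 client authentication method name; the JWT-based method is `private_key_jwt`, and a policy carrying `one_of: ["private_key_jwt"]` would fail this `is subset of` check. Unless the target profile genuinely uses the shortened label, change the allowed value to `"private_key_jwt"` and update the description accordingly. The test object continues outside the hunk.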
@@ -2300,31 +2520,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the organization_type claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RSA-OAEP', 'RSA-OAEP-256']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "organization_type", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", + "is subset of": [ + "RSA-OAEP", + "RSA-OAEP-256" ] } ] 
@@ -2337,31 +2553,27 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['A128CBC-HS256', 'A256CBC-HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "policy_uri", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", + "is subset of": [ + "A128CBC-HS256", + "A256CBC-HS512" ] } ] 
@@ -2374,31 +2586,27 @@ }, { "test": { - "name": "Does the Trust Mark contain the ref claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", + "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of' valued with ['RS256', 'RS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "ref", - "is present": "true" - } + "in": "payload", + "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", + "is subset of": [ + "RS256", + "RS512" ] } ] 
@@ -2411,32 +2619,25 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.", + "name": "Does entity configuration OP contain a correct sub parameter", + "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Configuration response TA", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "service_documentation", - "is present": "true" - } - ] + "in": "payload", + "check": "$.sub", + "is": "X_key_TA" } ] } 
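Review bot: The name says the test checks the OP's entity configuration, but the message type is `Entity Configuration response TA` and the expected `sub` is `X_key_TA`, so the test actually exercises the Trust Anchor. Either rename it, e.g. `"name": "Does entity configuration TA contain a correct sub parameter"`, or retarget the message type to the OP's configuration. The description also says `sub` must equal `iss`, while the check compares against a fixed value; if `X_key_TA` is the TA's entity identifier that is equivalent, but the description should state that. The test object continues outside the hunk.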
@@ -2448,32 +2649,26 @@ }, { "test": { - "name": "Does the Trust Mark contain sub claim", - "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sub", - "is present": "true" - } - ] + "jwt check sig": "X_key_TA" } ] } 
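Review bot: Only `$.trust_marks[0].trust_mark` is signature-checked, so an entity statement carrying several trust marks leaves every mark after the first unverified, and the test cannot catch a mis-signed or unsigned mark at a later index. If the engine supports a wildcard selector, `"decode param": "$.trust_marks[*].trust_mark"` would cover all of them; otherwise a separate decode operation per expected index is needed — I cannot tell from here which the engine accepts. The `jwt check sig` value `X_key_TA` presumes the TA is the trust mark issuer, which matches the test name but should be stated in the description. The test object continues outside the hunk.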
@@ -2485,8 +2680,8 @@ }, { "test": { - "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim", - "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.", + "name": "Does the TA correctly sign the issued Trust Mark", + "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.", "type": "passive", "sessions": [ "s1" @@ -2497,20 +2692,14 @@ "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", "decode operations": [ { "from": "jwt payload", "type": "jwt", "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "tos_uri", - "is present": "true" - } - ] + "jwt check sig": "X_key_TA" } ] } 
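Review bot: The name `Does the TA correctly sign the issued Trust Mark` and the description are identical to the preceding test's, so the two results cannot be told apart in a report; the only difference appears to be the message type, which lies between the two hunks and is not visible here. Include the entity in the name, e.g. `"name": "Does the TA correctly sign the Trust Mark issued to the RP"`, with the analogous OP wording in the previous test. The enclosing test object starts before the first hunk and continues after the second.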
@@ -2522,31 +2711,27 @@ }, { "test": { - "name": "Does the issued intermediary Trust Mark contain the sa_profile claim", - "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", + "decode param": "[^\\r\\n]*", "type": "jwt", - "decode regex": "[^\\r\\n]*", - "decode operations": [ + "checks": [ { - "from": "jwt payload", - "type": "jwt", - "decode param": "$.trust_marks[0].trust_mark", - "checks": [ - { - "in": "payload", - "check": "sa_profile", - "is present": "true" - } + "in": "payload", + "check": "$.trust_marks[0].trust_mark.organization_type", + "is in": [ + "public", + "private" ] } ] 
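Review bot: The check path `$.trust_marks[0].trust_mark.organization_type` descends into `trust_mark`, but in an entity statement that field is a compact-serialized JWT string rather than a JSON object, so the path resolves to nothing and the claim is never inspected; the nested decode operation this hunk removes (`"from": "jwt payload"` with `"decode param": "$.trust_marks[0].trust_mark"`) was what made the claim reachable. Restore the inner decode step, as the signature test two hunks above still does, and place the `is in` check inside it with `"check": "organization_type"`. The test object continues outside the hunk.
```json
{
  "from": "body",
  "decode param": "[^\\r\\n]*",
  "type": "jwt",
  "decode operations": [
    {
      "from": "jwt payload",
      "type": "jwt",
      "decode param": "$.trust_marks[0].trust_mark",
      "checks": [
        {
          "in": "payload",
          "check": "organization_type",
          "is in": [
            "public",
            "private"
          ]
        }
      ]
    }
  ]
}
```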
@@ -2559,25 +2744,28 @@ }, { "test": { - "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length", + "name": "Does the Trust Mark contain a correct organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints.max_path_length", - "is present": "true" + "check": "$.organization_type", + "is in": [ + "public", + "private" + ] } ] } 
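Review bot: The description says an issued Trust Mark is decoded and its `organization_type` checked, but the check reads `$.organization_type` from the payload of the entity statement itself (`Entity Statement response TA RP`), never touching a trust mark, so either the description or the path is wrong. The name also duplicates the preceding test's, which makes the two results indistinguishable. If the Trust Mark claim is intended, decode `$.trust_marks[0].trust_mark` in a nested operation first; if the statement-level claim is intended, rewrite the description to say so and rename, e.g. `"name": "Does the RP's Entity Statement contain a correct organization_type claim"`. The test object continues outside the hunk.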
@@ -2589,25 +2777,27 @@ }, { "test": { - "name": "Does the Entity's metadata contain the contacts parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.contacts", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
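Review bot: The name, description and message type target an OP (`openid_provider`), but the check path is `$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of`, so the assertion inspects the SA policy branch and finds nothing in an OP statement. The same `intermediary` path appears in the next five OP hunks (`id_token_signing_alg_values_supported`, `request_authentication_signing_alg_values_supported`, `userinfo_encryption_alg_values_supported`, `userinfo_signing_alg_values_supported`, `token_endpoint_auth_signing_alg_values_supported`). Change each to the `openid_provider` branch, e.g. here `"check": "$.metadata_policy.openid_provider.id_token_encryption_alg_values_supported.subset_of"`, keeping whichever operator key the description settles on. The test object continues outside the hunk.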
@@ -2619,25 +2809,30 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_fetch_endpoint", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
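Review bot: A `not contains` check against a path that does not resolve is satisfied vacuously if the engine treats the missing node as an empty set, so a policy that omits the parameter, or uses a different operator key than `one_of`, passes this exclusion of `none` and the HS* algorithms without ever being inspected. Pair it with a presence assertion in the same `checks` array, e.g. `{ "in": "payload", "check": "<same path as the not-contains check>", "is present": "true" }`, as the removed tests did; the same applies to the other "not valid values" hunks. I cannot tell from here how the engine evaluates a missing path, so this is something to confirm against its implementation. The test object continues outside the hunk.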
@@ -2649,25 +2844,30 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_list_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_list_endpoint", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -2679,25 +2879,27 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_resolve_endpoint", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -2709,25 +2911,30 @@ }, { "test": { - "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -2739,25 +2946,30 @@ }, { "test": { - "name": "Does the Entity's metadata contain the homepage_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.homepage_uri", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -2769,25 +2981,27 @@ }, { "test": { - "name": "Does the Entity's metadata contain the logo_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.logo_uri", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -2799,25 +3013,30 @@ }, { "test": { - "name": "Does the Entity's metadata contain the organization_name parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.organization_name", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -2829,25 +3048,27 @@ }, { "test": { - "name": "Does the Entity's metadata contain the policy_uri parameter", - "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.", + "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata.federation_entity.policy_uri", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -2859,25 +3080,30 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked", + "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported", - "is present": "true" + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", + "not contains": [ + "none", + "HS256", + "HS384", + "HS512" + ] } ] } 
@@ -2889,25 +3115,27 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", + "not contains": [ + "RSA_1_5" + ] } ] } 
@@ -2919,25 +3147,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -2949,25 +3182,27 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
+ "not contains": [
+ "RSA_1_5"
+ ]
 }
 ]
 }
@@ -2979,25 +3214,30 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
+ "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
+ "not contains": [
+ "none",
+ "HS256",
+ "HS384",
+ "HS512"
+ ]
 }
 ]
 }
@@ -3009,27 +3249,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the entity correctly sign the Entity Configuration",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
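Review bot: `jwt check sig` verifies the Entity Configuration signature against the pinned `X_key_TA`, but nothing in the test constrains the JOSE header `alg`, and the description itself says the verifier is configured for the algorithm described in the header; a verifier that takes its algorithm from the token is exactly the pattern where an unexpected `alg` slips through, so a companion check that the header `alg` is one of the algorithms the profile allows would make this test, and the two `jwt check sig` tests that follow, meaningful on their own. Separately, the message type is now `Entity Configuration response TA`, whose JWT is self-signed, so the description's `jwks parameter that must be taken from the Entity Statement of a superior` does not apply here; it should say the key is the TA's own pinned key.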
@@ -3039,8 +3273,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3051,15 +3285,9 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
@@ -3069,27 +3297,21 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA correctly sign the Entity statements",
+ "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.jwks",
- "is present": "true"
- }
- ]
+ "jwt check sig": "X_key_TA"
 }
 ]
 }
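Review bot: The new `name` is byte-identical to the one introduced in the previous hunk (`Does the TA correctly sign the Entity statements`), so two tests with different `message type` values report under the same label and cannot be told apart in results. Naming by subject keeps them distinct, e.g. here `"name": "Does the TA correctly sign the Entity statement for an RP"`; the previous hunk's `message type` line lies outside its visible lines, so its name should follow whichever subordinate it targets.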
@@ -3099,25 +3321,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked",
+ "name": "Does the metadata parameter contain only allowed types",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "is present": "true"
+ "check": "$.metadata",
+ "json schema compliant": "{\"type\": \"object\",\"anyOf\": [{\"required\": [\"openid_relying_party\"]},{\"required\": [\"openid_provider\"]},{\"required\": [\"federation_entity\"]},{\"required\": [\"oauth_authorization_server\"]},{\"required\": [\"oauth_resource\"]}],\"properties\": {\"openid_relying_party\":{\"type\":\"object\"},\"openid_provider\":{\"type\":\"object\"},\"federation_entity\":{\"type\":\"object\"},\"oauth_authorization_server\":{\"type\":\"object\"},\"oauth_resource\":{\"type\":\"object\"}}, \"additionalProperties\": false}"
 }
 ]
 }
@@ -3129,25 +3351,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'",
+ "name": "Does entity configuration contain a correct exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
 }
 ]
 }
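Review bot: The `decode param` regex in this hunk is `[^\\n\\r]*` while every other hunk in the file writes `[^\\r\\n]*`; the two character classes are equivalent, so this is a style point, but a mixed spelling invites a later "fix" that makes them diverge, and the logo_uri hunk further down carries the same variant. Aligning on `"decode param": "[^\\r\\n]*"` in both places keeps the suite greppable for one pattern.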
@@ -3159,25 +3381,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked",
+ "name": "Does entity configuration contain a correct iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
 }
 ]
 }
@@ -3189,25 +3411,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the metadata parameter contain a JSON Object",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported.value",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
 }
 ]
 }
@@ -3219,25 +3441,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_types_supported.subset_of",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
 }
 ]
 }
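Review bot: The schema on the new `json schema compliant` line places `\"required\": [\"constraints\"]` inside the outer `properties` object rather than beside it, so a validator reads it as a property named `required` and the top-level `constraints` key is never actually required; an Entity Configuration with no `constraints` at all passes this test, contrary to both the name and the description. Closing `properties` before `required` fixes it: `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}}, \"required\": [\"constraints\"]}"`. While there, `\"max_path_length\": {}` accepts any JSON value; `{\"type\": \"integer\", \"minimum\": 0}` would pin the claim to the shape the name implies.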
@@ -3249,25 +3471,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA metadata contain correct type logo_uri claim",
+ "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\n\\r]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata.federation_entity",
+ "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
 }
 ]
 }
@@ -3279,25 +3501,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
+ "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of",
- "is present": "true"
+ "check": "$",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
 }
 ]
 }
@@ -3309,8 +3531,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.",
+ "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -3321,13 +3543,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.acr_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
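Review bot: The new `check` path is `$.metadata_policy.intermediary.acr_values_supported` while the name and description speak of the OP's `openid_provider` policy, and the schema requires both `subset_of` and `superset_of` although the description only promises 'subset_of'; the same three-way mismatch recurs in the grant_types_supported, id_token_encryption_alg_values_supported, id_token_encryption_enc_values_supported and id_token_signing_alg_values_supported hunks below. `intermediary` is also not among the metadata types the allowed-types test earlier in this file accepts, so unless the framework defines it, these checks would evaluate a path that a TA-issued OP statement never carries. Either the path should be `"check": "$.metadata_policy.openid_provider.acr_values_supported"` or the prose should state which entity type and which operators are really expected; and `\"subset_of\":{}` / `\"superset_of\":{}` accept any value, where `{\"type\": \"array\"}` would at least pin the operator's shape. The test's `message type` line lies between the two hunks and is outside the visible change.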
@@ -3339,25 +3561,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
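Review bot: The new description says the parameter `must contain the key 'one_of' and it must be valued as ['true']`, but the schema on the `check` requires the key `value` with `const: true`, so prose and check disagree on both the operator and the value type; the same pattern is in the claims_parameter_supported and request_authentication_methods_supported hunks below. If `value` is what the profile mandates, the description should say `It must contain the key 'value' and it must be valued as true`; if `one_of` is mandated, the schema should be `{\"type\": \"object\", \"properties\": {\"one_of\": {\"const\": [true]}}, \"required\": [\"one_of\"]}` so the test and its documentation describe the same policy.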
@@ -3369,25 +3591,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
 }
 ]
 }
@@ -3399,25 +3621,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
 }
 ]
 }
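Review bot: The schema requires `\"subset_of\": {\"const\": \"automatic\"}`, i.e. a bare string, but `subset_of` is an array-valued policy operator, so a policy written as `\"subset_of\": [\"automatic\"]` fails this check even though it expresses exactly the intended restriction; the description meanwhile says the key should be `one_of`, so name, description and schema name three different shapes. If the intent is "automatic is the only permitted registration type", the properties entry should be `\"subset_of\": {\"type\": \"array\", \"items\": {\"const\": \"automatic\"}, \"minItems\": 1}` and the description should name `subset_of` rather than `one_of`.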
@@ -3429,25 +3651,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.grant_types_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3459,25 +3681,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.response_types.value",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3489,25 +3711,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode regex": "[^\\r\\n]*",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of",
- "is present": "true"
+ "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
+ "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
 }
 ]
 }
@@ -3519,25 +3741,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -3549,25 +3771,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}" } ] } 
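Review bot: The description says `request_authentication_methods_supported` must contain the key 'one_of' valued with ['request_object'], but the schema in the check requires a `value` key whose content is the bare string "request_object", so the test and its documentation disagree on which policy operator is expected. As I read OpenID Federation, this OP metadata parameter is a JSON object keyed by endpoint name with an array of method names per endpoint, so a `const` of a plain string would not match a conforming policy value even when `value` is the intended operator — worth confirming against the profile this suite targets. Either change the description to name the `value` operator and encode the expected object in the schema, or change the schema to constrain `one_of` as the description promises.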
@@ -3579,25 +3801,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -3609,25 +3831,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", - "is present": "true" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
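Review bot: The check path is `$.metadata_policy.openid_provider.request_parameter_supported`, but the test name and description are about `request_object_signing_alg_values_supported`, so the test never looks at the parameter it reports on. The path should be `$.metadata_policy.openid_provider.request_object_signing_alg_values_supported`. The next hunk (+3861) reuses this exact test name, so results of the two tests will be indistinguishable in the report; naming this one "... parameter key" and the next "... parameter value" would keep them apart.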
@@ -3639,25 +3861,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]" } ] } 
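Review bot: The `json schema compliant` string ends with `"required": ["subset_of", "superset_of"]} ["RS256", "RS512"]` — a second top-level value after the closing brace is not a single JSON document, so the schema cannot be parsed and this check either errors out or, depending on how the tool handles a bad schema, silently passes. The expected algorithm list belongs inside the schema, e.g. `"subset_of": {"const": ["RS256", "RS512"]}` in place of the empty `{}`, which also matches the description's "valued as ['RS256', 'RS512']". The check path also targets `request_parameter_supported` instead of `request_object_signing_alg_values_supported`, so even a parseable schema would be evaluated against the wrong parameter.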
@@ -3669,25 +3891,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", - "is present": "true" + "check": "$.metadata_policy.openid_provider.request_parameter_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}" } ] } 
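Review bot: The description says `request_parameter_supported` must contain the key 'one_of' valued with ['true'], but the schema requires a `value` key equal to boolean `true`; the two disagree both on the operator (`one_of` vs `value`) and on the type (string 'true' vs JSON boolean). The schema reads as the intended contract, since this parameter is a boolean in OP metadata, so the description should be changed to "It must contain the key 'value' set to true".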
@@ -3699,25 +3921,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.response_modes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -3729,25 +3951,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", + "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.openid_relying_party.response_types.value", - "is present": "true" + "check": "$.metadata_policy.intermediary.scopes_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -3759,25 +3981,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", + "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -3789,25 +4011,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -3819,25 +4041,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -3849,25 +4071,25 @@ }, { "test": { - "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", + "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA SA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode regex": "[^\\r\\n]*", + "decode param": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of", - "is present": "true" + "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" } ] } 
@@ -3879,20 +4101,27 @@ }, { "test": { - "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint", - "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)", + "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", - "checks": [ + "message type": "Entity Statement response TA RP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.openid_relying_party.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}" + } + ] } ] } 
@@ -3902,20 +4131,27 @@ }, { "test": { - "name": "Does the Entity expose the resolve entity statement endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Resolve Entity Statement response", - "checks": [ + "message type": "Entity Statement response TA SA", + "decode operations": [ { - "in": "body", - "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "decode param": "[^\\r\\n]*", + "type": "jwt", + "checks": [ + { + "in": "payload", + "check": "$.metadata_policy.intermediary.grant_types", + "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}" + } + ] } ] } 
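Review bot: The schema string ends with `"required": ["subset_of"], ["superset_of"]}` — a bare array as an object member is not valid JSON, so this schema will not parse and the SA `grant_types` check cannot run. It should be `"required": ["subset_of", "superset_of"]`, matching the RP variant in the previous hunk (+4101) and the description, which asks for both keys.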
@@ -3925,20 +4161,34 @@ }, { "test": { - "name": "Does the Entity expose the entity listing endpoint", - "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected", + "name": "Does the issued oauth_resource Trust Mark contain the claims claim", + "description": "In this test, a Trust Mark issued for an TA must be taken, decrypted and the presence of the claims claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Listing response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "claims", + "is present": "true" + } + ] + } + ] } ] } @@ -3948,8 +4198,8 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the email claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.", "type": "passive", "sessions": [ "s1" 
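Review bot: The outer decode operation here uses `"decode regex": "[^\\r\\n]*"` while every other hunk in this patch renames that key to `"decode param"`; if the tool honors only one spelling, the body is never decoded and the nested trust-mark checks never execute — worth confirming which key the decoder actually reads. The same mixed keys appear in the trust-mark hunks at +4207, +4235, +4272, +4309, +4346, +4395, +4432 and +4469. The test name refers to an `oauth_resource` Trust Mark and the description to one "issued for an TA", yet the message type is `Entity Statement response TA OP`; one of the three should be corrected. Also, `$.trust_marks[0].trust_mark` inspects only the first trust mark in the array, so none of these tests say anything about further trust marks the OP carries, and "decrypted" in the descriptions should read "decoded" — the operations only decode a JWT payload, nothing is decrypted.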
@@ -3957,11 +4207,25 @@ "operations": [ { "message type": "Entity Statement response TA OP", - "checks": [ + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "email", + "is present": "true" + } + ] + } + ] } ] } @@ -3971,20 +4235,34 @@ }, { "test": { - "name": "Does the TA correctly release the Entity statements", - "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.", + "name": "Does the Trust Mark contain the exp claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "exp", + "is present": "true" + } + ] + } + ] } ] } 
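Review bot: For the `exp` claim (hunk +4235) the check is only `"is present": "true"`, so an already-expired trust mark passes just as well as a live one and the test does not establish that the trust mark is currently valid; the `iat` check in the next line (+4272) has the same limitation. If the check language supports a numeric comparison, comparing `exp` against the current time would make the test meaningful; otherwise the description should state that it verifies presence only. The `email` hunk (+4207) above it, which starts outside this line's first hunk header, is otherwise consistent with the other trust-mark tests.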
@@ -3994,20 +4272,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the iat claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA OP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "iat", + "is present": "true" + } + ] + } + ] } ] } 
@@ -4017,20 +4309,34 @@ }, { "test": { - "name": "Does the Entity expose the fetch entity statement endpoint", - "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.", + "name": "Does the Trust Mark contain the id claim", + "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Fetch Entity Statement response TA RP", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id", + "is present": "true" + } + ] + } + ] } ] } 
@@ -4040,20 +4346,34 @@ }, { "test": { - "name": "Does the TA publish the federation public key history", - "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed", + "name": "Does the Trust Mark contain id_code claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Public Keys History response", - "checks": [ + "message type": "Entity Statement response TA OP", + "decode operations": [ { - "in": "body", - "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$", - "is present": "true" + "from": "body", + "type": "jwt", + "decode regex": "[^\\r\\n]*", + "decode operations": [ + { + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "id_code", + "is present": "true" + } + ] + } + ] } ] } @@ -4063,8 +4383,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter value", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain ipa_code claim", + "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.", "type": "passive", "sessions": [ "s1" 
@@ -4075,14 +4395,19 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -4095,8 +4420,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain not valid values for the id_token_signing_alg_values_supported parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
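Review bot: `"check": "$.id_code.ipa_code"` is asserted unconditionally, while the test name (in the preceding hunk @@ -4063,8) scopes it to a Trust Mark issued to a public organization; for a private entity whose id_code carries no ipa_code this reports a failure that is not a defect in the entity. The check should be gated on the sibling `organization_type` claim if the checks DSL supports a condition, or else the name and description should state that the test is only meaningful in a session run against a public entity. The RP copy at @@ -4595,25 +4975,32 has the same problem. The test object this hunk belongs to starts outside the hunk.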
@@ -4130,8 +4457,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the request_authentication_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the logo_uri claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4142,17 +4469,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported.subset_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "logo_uri", + "is present": "true" + } ] } ] 
@@ -4165,8 +4494,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_encryption_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain the organization_name claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4177,14 +4506,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_name", + "is present": "true" + } ] } ] 
@@ -4197,8 +4531,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the userinfo_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the Trust Mark contain the organization_type claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4209,17 +4543,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "organization_type", + "is present": "true" + } ] } ] 
@@ -4232,8 +4568,8 @@ }, { "test": { - "name": "Does the TA's metadata policy for an OP contain not valid values for the token_endpoint_auth_signing_alg_values_supported parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']", + "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim", + "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.", "type": "passive", "sessions": [ "s1" @@ -4244,17 +4580,19 @@ "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported.one_of", - "not contains": [ - "none", - "HS256", - "HS384", - "HS512" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "policy_uri", + "is present": "true" + } ] } ] 
@@ -4267,26 +4605,31 @@ }, { "test": { - "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_encrypted_response_alg parameter", - "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']", + "name": "Does the Trust Mark contain the ref claim", + "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", "type": "jwt", - "checks": [ + "decode regex": "[^\\r\\n]*", + "decode operations": [ { - "in": "payload", - "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", - "not contains": [ - "RSA_1_5" + "from": "jwt payload", + "type": "jwt", + "decode param": "$.trust_marks[0].trust_mark", + "checks": [ + { + "in": "payload", + "check": "ref", + "is present": "true" + } ] } ] 
@@ -4299,29 +4642,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
 ]
 }
 ]
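Review bot: The new name and description say the Trust Mark under test is one issued for an AA (oauth_resource profile), but `"message type": "Entity Statement response TA OP"` selects the OP's entity statement, so the service_documentation claim is checked on the OP's trust mark rather than the AA's. Either the message type should point at the AA's entity statement response or the oauth_resource wording should be dropped from the name and description. The same mismatch is present in @@ -4366,29 +4716,31 (tos_uri, TA OP), @@ -4401,26 +4753,31 (claims, TA RP), @@ -4745,25 +5160,32 (policy_uri, TA RP) and @@ -4805,25 +5234,32 (service_documentation, TA RP).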
@@ -4334,26 +4679,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -4366,29 +4716,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain not valid values in the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -4401,26 +4753,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid value for the id_token_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the issued oauth_resource Trust Mark contain the claims claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the claims claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "claims",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -4433,29 +4790,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the id_token_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the email claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the email claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "email",
+ "is present": "true"
+ }
 ]
 }
 ]
@@ -4468,26 +4827,31 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_encrypted_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the value ['RSA_1_5']",
+ "name": "Does the Trust Mark contain the exp claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the exp claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
- "not contains": [
- "RSA_1_5"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "exp",
+ "is present": "true"
+ }
 ]
 }
 ]
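Review bot: `"check": "exp"` with `"is present": "true"` only establishes that the claim exists; a Trust Mark whose exp is a string, negative, or otherwise malformed still passes, which is weaker than what this file asserts for the same claim elsewhere. Assuming the nested checks accept the same keys as the top-level ones, a schema check would pin the type, e.g. `"check": "$"` with `"json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"`. The iat check in @@ -4500,34 +4864,36 has the same gap.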
@@ -4500,34 +4864,36 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain not valid values for the userinfo_signed_response_alg parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. The key 'subset_of' must not contain the values ['none', 'HS256', 'HS384', 'HS512']",
+ "name": "Does the Trust Mark contain the iat claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iat claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
- "not contains": [
- "none",
- "HS256",
- "HS384",
- "HS512"
- ]
- }
- ]
- }
- ]
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iat",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ]
 }
 ],
 "result": "correct flow s1"
@@ -4535,25 +4901,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct exp parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
+ "name": "Does the Trust Mark contain the id claim",
+ "description": "The id of the trust mark must be present. So in this test, an issued Trust Mark must be taken, decrypted and the presence of the id claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"exp\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"exp\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
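Review bot: `"name": "Does the Trust Mark contain the id claim"` is byte-identical to the name of the OP test added in @@ -4017,20 +4309,34; the only difference between the two is the message type, so any report or result lookup keyed by test name cannot tell the two verdicts apart. Putting the entity under test in the name removes the ambiguity, e.g. `"name": "Does the Trust Mark issued to the RP contain the id claim"`. The same name collision with its OP twin repeats for every test from here through @@ -4835,27 +5271,34.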
@@ -4565,25 +4938,32 @@
 },
 {
 "test": {
- "name": "Does entity configuration contain a correct iat parameter",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
+ "name": "Does the Trust Mark contain id_code claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"iat\": {\"type\": \"integer\", \"minimum\": 0}}, \"required\": [\"iat\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "id_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4595,25 +4975,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain a JSON Object",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object.",
+ "name": "Does the id_code claim of a Trust Mark issued by a TA for a public organization contain ipa_code claim",
+ "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of 'ipa_code' in the id_code claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"metadata\": {\"type\": \"object\"}}, \"required\": [\"metadata\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.id_code.ipa_code",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4625,25 +5012,32 @@
 },
 {
 "test": {
- "name": "Does the Trust Anchor's Entity configuration contain a constraints parameter valued as a JSON Object with a max_path_length claim",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must be a JSON Object",
+ "name": "Does the Trust Mark contain the iss claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the iss claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"constraints\": {\"type\": \"object\", \"properties\": {\"max_path_length\": {}}, \"required\": [\"max_path_length\"]}, \"required\": [\"constraints\"]}}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4655,25 +5049,32 @@
 },
 {
 "test": {
- "name": "Does the TA metadata contain correct type logo_uri claim",
- "description": "In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file",
+ "name": "Does the Trust Mark contain the logo_uri claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the logo_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata.federation_entity",
- "json schema compliant": "{\"type\":\"object\", \"properties\":{\"logo_uri\":{\"type\":\"string\", \"format\":\"uri\", \"pattern\":\"^https://.*\\\\.svg$\"}},\"required\":[\"logo_uri\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "logo_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4685,25 +5086,32 @@
 },
 {
 "test": {
- "name": "Does the metadata parameter contain only allowed types and only once for each",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",
+ "name": "Does the Trust Mark contain the organization_name claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_name claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\n\\r]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"openid_relying_party\": { \"type\": \"object\" }, \"openid_provider\": { \"type\": \"object\" }, \"federation_entity\": { \"type\": \"object\" }, \"oauth_authorization_server\": { \"type\": \"object\" }, \"oauth_resource\": { \"type\": \"object\" }, \"trust_mark_issuer\": { \"type\": \"object\" } }, \"required\": [\"openid_relying_party\", \"openid_provider\", \"federation_entity\", \"oauth_authorization_server\", \"oauth_resource\", \"trust_mark_issuer\"], \"additionalProperties\": false}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_name",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4715,25 +5123,32 @@
 },
 {
 "test": {
- "name": "Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array",
- "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter must be a JSON Array.",
+ "name": "Does the Trust Mark contain the organization_type claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the organization_type claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Configuration response TA",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"trust_mark_issuers\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"array\"}}}, \"required\": [\"trust_mark_issuers\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "organization_type",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4745,25 +5160,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct acr_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the acr_values_supported parameter inside the openid_provider type is checked. It must be a JSON object containing the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the policy_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the policy_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.acr_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}},\"required\":[\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "policy_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4775,25 +5197,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the Trust Mark contain the ref claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the ref claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "ref",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4805,25 +5234,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['true']",
+ "name": "Does the issued oauth_resource Trust Mark contain the service_documentation claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the service_documentation claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "service_documentation",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4835,27 +5271,34 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued as ['automatic']",
+ "name": "Does the Trust Mark contain sub claim",
+ "description": "In this test, an issued Trust Mark must be taken, decrypted and the presence of the sub claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.openid_provider.client_registration_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {\"const\": \"automatic\"}}, \"required\": [\"subset_of\"]}"
- }
- ]
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sub",
+ "is present": "true"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
@@ -4865,25 +5308,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct grant_types_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued oauth_resource Trust Mark contain the tos_uri claim",
+ "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the presence of the tos_uri claim in it is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "tos_uri",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4895,25 +5345,32 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the issued intermediary Trust Mark contain the sa_profile claim",
+ "description": "A Trust Mark issued by a TA for an SA is taken, decrypted and the presence of the sa_profile claim is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "checks": [
+ "decode regex": "[^\\r\\n]*",
+ "decode operations": [
 {
- "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "from": "jwt payload",
+ "type": "jwt",
+ "decode param": "$.trust_marks[0].trust_mark",
+ "checks": [
+ {
+ "in": "payload",
+ "check": "sa_profile",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -4925,25 +5382,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Trust Anchor's Entity configuration's constraints parameter contain the attribute 'max_path_length'",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked. It must contain the attribute max_path_length",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.constraints.max_path_length",
+ "is present": "true"
 }
 ]
 }
@@ -4955,25 +5412,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct id_token_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the contacts parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.id_token_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.contacts",
+ "is present": "true"
 }
 ]
 }
@@ -4985,25 +5442,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' and it must be valued with ['request_object']",
+ "name": "Does the Entity's metadata contain the federation_fetch_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": \"request_object\"}}, \"required\": [\"value\"]}"
+ "check": "$.metadata.federation_entity.federation_fetch_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5015,25 +5472,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the federation_list_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.request_authentication_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_list_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5045,25 +5502,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the Entity's metadata contain the federation_resolve_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_resolve_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.federation_resolve_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5075,25 +5532,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_object_signing_alg_values_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_object_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of' valued as ['RS256', 'RS512'] ",
+ "name": "Does the Entity's metadata contain the federation_trust_mark_status_endpoint parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'federation_trust_mark_status_endpoint' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]} [\"RS256\", \"RS512\"]"
+ "check": "$.metadata.federation_entity.federation_trust_mark_status_endpoint",
+ "is present": "true"
 }
 ]
 }
@@ -5105,25 +5562,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter value",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of' valued with ['true']",
+ "name": "Does the Entity's metadata contain the homepage_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'homepage_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_provider.request_parameter_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"value\": {\"const\": true}}, \"required\": [\"value\"]}"
+ "check": "$.metadata.federation_entity.homepage_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5135,25 +5592,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct response_modes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_modes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the logo_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.response_modes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.logo_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5165,25 +5622,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct scopes_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the scopes_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the organization_name parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.scopes_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\":{}, \"superset_of\":{}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.organization_name",
+ "is present": "true"
 }
 ]
 }
@@ -5195,25 +5652,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct token_endpoint_auth_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the Entity's metadata contain the policy_uri parameter",
+ "description": "In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.token_endpoint_auth_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata.federation_entity.policy_uri",
+ "is present": "true"
 }
 ]
 }
@@ -5225,8 +5682,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain the authorization_response_iss_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5237,13 +5694,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5255,8 +5712,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_encryption_enc_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encryption_enc_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct authorization_response_iss_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the authorization_response_iss_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5267,13 +5724,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_encryption_enc_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
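Review bot: The new description promises `It must contain the key 'one_of'`, but the check added in the second hunk is `"check": "$.metadata_policy.openid_provider.authorization_response_iss_parameter_supported.value"`, so either the text or the path is wrong; the claims_parameter_supported test two hunks below has the same mismatch between `'one_of'` in its description and `.value` in its path. Compared with the `json schema compliant` check it replaces, the new check only asserts that a `value` key exists and no longer pins it to `true`, so a policy that sets the parameter to `false` passes this test unless the value is constrained by another test in the suite. The second hunk starts inside the test's operations array, so the `message type` it applies to is not visible here.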
@@ -5285,8 +5742,8 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an OP contain a correct userinfo_signing_alg_values_supported parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signing_alg_values_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
+ "name": "Does the TA's metadata policy for an OP contain the claims_parameter_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the claims_parameter_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5297,13 +5754,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.userinfo_signing_alg_values_supported",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported",
+ "is present": "true"
 }
 ]
 }
@@ -5315,25 +5772,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the TA's metadata policy for an OP contain a correct claims_parameter_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the claims_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.openid_relying_party.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\", \"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.claims_parameter_supported.value",
+ "is present": "true"
 }
 ]
 }
@@ -5345,25 +5802,25 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an SA contain a correct grant_types parameter key",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the grant_types parameter inside the intermediary type is checked. It must contain the key 'subset_of' and 'superset_of'",
+ "name": "Does the TA's metadata policy for an OP contain the client_registration_types_supported parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types_supported parameter inside the openid_provider type is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA SA",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.metadata_policy.intermediary.grant_types",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"subset_of\": {}, \"superset_of\": {}}, \"required\": [\"subset_of\"], [\"superset_of\"]}"
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
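Review bot: The name and description describe a presence check for the whole client_registration_types_supported parameter, but the check path is `"check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of"`, which is exactly the path the next hunk tests, so the two tests are duplicates and the plain presence test the name promises is lost. Dropping the suffix, `"check": "$.metadata_policy.openid_provider.client_registration_types_supported",` restores the distinction the pair of tests is meant to make.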
@@ -5375,8 +5832,8 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain a correct client_registration_types_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the client_registration_types_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
@@ -5387,14 +5844,13 @@
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.openid_provider.client_registration_types_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
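Review bot: This hunk and the next one replace the two `Does the TA correctly sign the issued Trust Mark` tests, whose nested decode carried `"jwt check sig": "X_key_TA"`, with metadata-policy presence tests, and nothing else in this chunk re-adds a signature check on a Trust Mark: the new Trust Mark tests at the top of this chunk decode `$.trust_marks[0].trust_mark` and inspect its payload without verifying it. Unless the signature tests were moved elsewhere in the file, the suite now only checks claims on unverified Trust Marks, which says nothing about whether the TA actually issued them. Keep at least one test that retains the `"jwt check sig": "X_key_TA"` step in the inner decode, or note in the commit message where it went. The second hunk starts inside the test's operations array, so its `message type` is not visible here.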
@@ -5406,26 +5862,25 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the issued Trust Mark",
- "description": "To accomplish this test, a Trust Mark issued by the TA is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier.",
+ "name": "Does the TA's metadata policy for an OP contain a correct code_challenge_methods_supported parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the code_challenge_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA OP",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "jwt check sig": "X_key_TA"
+ "in": "payload",
+ "check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of",
+ "is present": "true"
 }
 ]
 }
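Review bot: The check path is `"check": "$.metadata_policy.intermediary.code_challenge_methods_supported.subset_of"`, while the name, the description and `"message type": "Entity Statement response TA OP"` all refer to the openid_provider policy, so the test looks under the wrong metadata type and will not pass on a correct OP entity statement, assuming `is present` fails on a missing path. The path should read `"check": "$.metadata_policy.openid_provider.code_challenge_methods_supported.subset_of",`.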
@@ -5437,25 +5892,25 @@ }, { "test": { - "name": "Does entity configuration TA contain a correct sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter", + "name": "Does the TA's metadata policy for an OP contain the jwks parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_provider type is checked. It must contain the RP JWKS related to the OIDC Core operations", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", - "is": "X_url_TA" + "check": "$.jwks", + "is present": "true" } ] } 
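Review bot: The check path `$.jwks` inspects the top-level `jwks` claim of the entity statement, not the `jwks` inside the OP's metadata policy that the name and description announce, so a statement whose policy lacks `jwks` would still pass. If the policy entry is what is meant, the line should be `"check": "$.metadata_policy.openid_provider.jwks",`; if the top-level keys are meant, the name and description should say so instead. The description also says the value must contain 'the RP JWKS' although this is an OP test; it presumably should read 'the OP JWKS'.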
@@ -5467,24 +5922,24 @@ }, { "test": { - "name": "Does entity configuration contain the exp parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked", + "name": "Does the TA's metadata policy for an OP contain the request_authentication_methods_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_authentication_methods_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported", "is present": "true" } ] 
@@ -5497,24 +5952,24 @@ }, { "test": { - "name": "Does entity configuration contain the iat parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_authentication_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_authentication_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata_policy.openid_provider.request_authentication_methods_supported.value", "is present": "true" } ] 
@@ -5527,24 +5982,24 @@ }, { "test": { - "name": "Does entity configuration contain the iss parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked", + "name": "Does the TA's metadata policy for an OP contain the request_parameter_supported parameter", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the request_parameter_supported parameter inside the openid_provider type is checked", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.openid_provider.request_parameter_supported", "is present": "true" } ] 
@@ -5557,24 +6012,24 @@ }, { "test": { - "name": "Does entity configuration contain the jwks parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct request_parameter_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the request_parameter_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.openid_provider.request_parameter_supported.value", "is present": "true" } ] 
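Review bot: The description says the request_parameter_supported policy entry must contain the key 'one_of', but the check path ends in `.value`, so the test and its documentation disagree and one of them is stale; the line should read `"check": "$.metadata_policy.openid_provider.request_parameter_supported.one_of",` if the description is authoritative, otherwise the description should name 'value'. The same operator mismatch recurs in the hunks below: response_types_supported, revocation_endpoint_auth_methods_supported, subject_types_supported and the RP and SA client_registration_types tests describe 'one_of' but check `.subset_of`, while the RP and SA id_token_encrypted_response_alg, id_token_encrypted_response_enc, id_token_signed_response_alg, userinfo_encrypted_response_alg, userinfo_encrypted_response_enc and userinfo_signed_response_alg tests describe 'subset_of' but check `.one_of`. For the single-valued *_alg/*_enc parameters `one_of` is the plausible operator, which suggests the descriptions rather than the paths are stale there, but that should be confirmed against the profile these tests target.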
@@ -5587,24 +6042,24 @@ }, { "test": { - "name": "Does entity configuration contain the metadata parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct response_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata", + "check": "$.metadata_policy.intermediary.response_types_supported.subset_of", "is present": "true" } ] 
@@ -5617,24 +6072,24 @@ }, { "test": { - "name": "Does entity configuration contain the sub parameter", - "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct revocation_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the revocation_endpoint_auth_methods_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata_policy.intermediary.revocation_endpoint_auth_methods_supported.subset_of", "is present": "true" } ] 
@@ -5647,24 +6102,24 @@ }, { "test": { - "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked", + "name": "Does the TA's metadata policy for an OP contain a correct subject_types_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the subject_types_supported parameter inside the openid_provider type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata_policy.intermediary.subject_types_supported.subset_of", "is present": "true" } ] 
@@ -5677,24 +6132,24 @@ }, { "test": { - "name": "Does the Federation Configuration contain the TA public keys", - "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present", + "name": "Does the TA's metadata policy for an OP contain the token_endpoint_auth_methods_supported parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an OP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the token_endpoint_auth_methods_supported parameter inside the openid_provider type is checked.", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA OP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of", "is present": "true" } ] 
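Review bot: The check path `$..metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of` uses the recursive-descent `$..`, unlike every sibling test, which anchors at `$.metadata_policy`; the deep scan would also accept a `metadata_policy` object nested anywhere else in the payload, making this check laxer than the others. It should be `"check": "$.metadata_policy.openid_provider.token_endpoint_auth_methods_supported.subset_of",`. The description also stops at 'is checked.' without naming the key the path requires; appending `It must contain the key 'subset_of'` would match the neighbouring tests.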
@@ -5707,24 +6162,24 @@ }, { "test": { - "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter", - "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Configuration response TA", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_mark_issuers", + "check": "$.metadata_policy.openid_relying_party.client_registration_types.subset_of", "is present": "true" } ] 
@@ -5737,24 +6192,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -5767,24 +6222,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.openid_relying_party.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -5797,24 +6252,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata_policy.openid_relying_party.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -5827,24 +6282,24 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the openid_relying_party type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
@@ -5857,24 +6312,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the openid_relying_party type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.openid_relying_party.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -5887,24 +6342,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -5917,24 +6372,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the sub parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked", + "name": "Does the TA's metadata policy for an RP contain the userinfo_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.sub", + "check": "$.metadata_policy.openid_relying_party.userinfo_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -5947,24 +6402,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the trust_marks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked", + "name": "Does the TA's metadata policy for an RP contain a correct userinfo_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the openid_relying_party type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA OP", + "message type": "Entity Statement response TA RP", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.trust_marks", + "check": "$.metadata_policy.openid_relying_party.userinfo_signed_response_alg.one_of", "is present": "true" } ] 
@@ -5977,24 +6432,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the constraints parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct client_registration_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the client_registration_types parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.constraints", + "check": "$.metadata_policy.intermediary.client_registration_types.subset_of", "is present": "true" } ] 
@@ -6007,24 +6462,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the exp parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.exp", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_alg.one_of", "is present": "true" } ] 
@@ -6037,24 +6492,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the iat parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_encrypted_response_enc parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iat", + "check": "$.metadata_policy.intermediary.id_token_encrypted_response_enc.one_of", "is present": "true" } ] 
@@ -6067,24 +6522,24 @@ }, { "test": { - "name": "Does Entity Statement issued by the TA contain the iss parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct id_token_signed_response_alg parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the id_token_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.iss", + "check": "$.metadata_policy.intermediary.id_token_signed_response_alg.one_of", "is present": "true" } ] 
@@ -6097,24 +6552,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the jwks parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked", + "name": "Does the TA's metadata policy for an SA contain a correct response_types parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the response_types parameter inside the intermediary type is checked. It must contain the key 'value'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.jwks", + "check": "$.metadata_policy.openid_relying_party.response_types.value", "is present": "true" } ] 
@@ -6127,24 +6582,24 @@ }, { "test": { - "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter", - "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object", + "name": "Does the TA's metadata policy for an SA contain a correct token_endpoint_auth_method parameter key", + "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the token_endpoint_auth_method parameter inside the intermediary type is checked. It must contain the key 'one_of'", "type": "passive", "sessions": [ "s1" ], "operations": [ { - "message type": "Entity Statement response TA RP", + "message type": "Entity Statement response TA SA", "decode operations": [ { "from": "body", - "decode param": "[^\\r\\n]*", + "decode regex": "[^\\r\\n]*", "type": "jwt", "checks": [ { "in": "payload", - "check": "$.metadata_policy", + "check": "$.metadata_policy.intermediary.token_endpoint_auth_method.one_of", "is present": "true" } ] 
@@ -6157,24 +6612,24 @@
 },
 {
 "test": {
- "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
- "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.jwks",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of",
 "is present": "true"
 }
 ]
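Review bot: The description added here says the userinfo_encrypted_response_alg policy "must contain the key 'subset_of'", but the check line verifies `$.metadata_policy.intermediary.userinfo_encrypted_response_alg.one_of`; the same text/path mismatch is in the next two hunks (userinfo_encrypted_response_enc and userinfo_signed_response_alg). One of the two is wrong, and if the operator the federation actually mandates is subset_of, these tests pass on a policy that does not constrain the algorithm at all. Change the path to `.subset_of` or reword the three descriptions to say 'one_of', so the check matches the documented requirement. The test object continues outside the hunk.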
@@ -6187,24 +6642,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the sub parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_encrypted_response_enc parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_encrypted_response_enc parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.sub",
+ "check": "$.metadata_policy.intermediary.userinfo_encrypted_response_enc.one_of",
 "is present": "true"
 }
 ]
@@ -6217,24 +6672,24 @@
 },
 {
 "test": {
- "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
- "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
+ "name": "Does the TA's metadata policy for an SA contain a correct userinfo_signed_response_alg parameter key",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an SA must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the userinfo_signed_response_alg parameter inside the intermediary type is checked. It must contain the key 'subset_of'",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Statement response TA SA",
 "decode operations": [
 {
 "from": "body",
- "decode param": "[^\\r\\n]*",
+ "decode regex": "[^\\r\\n]*",
 "type": "jwt",
 "checks": [
 {
 "in": "payload",
- "check": "$.trust_marks",
+ "check": "$.metadata_policy.intermediary.userinfo_signed_response_alg.one_of",
 "is present": "true"
 }
 ]
@@ -6247,8 +6702,8 @@
 },
 {
 "test": {
- "name": "Does the entity correctly sign the Entity Configuration",
- "description": "To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",
+ "name": "Does entity configuration contain the exp parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6261,7 +6716,13 @@
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
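Review bot: After this hunk the test no longer verifies the JWS signature: the `"jwt check sig": "X_key_TA"` operation is replaced by a presence check on `$.exp`, and the next two hunks do the same for the Entity Statements issued to the OP and to the RP. Unless the signature checks are retained elsewhere in the suite (not visible here), nothing left in this section validates that an Entity Configuration or Entity Statement was signed with the TA key, so a tampered or self-issued statement satisfies every remaining presence check. Suggest keeping a dedicated signature test next to the new claim-presence tests rather than repurposing it. The message type for this test sits in context outside the hunk.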
@@ -6271,21 +6732,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does entity configuration contain the iat parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6295,21 +6762,27 @@
 },
 {
 "test": {
- "name": "Does the TA correctly sign the Entity statements",
- "description": "In order to validate the signature of an Entity statement issued by the TA, the statement is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter of the entity configuration), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Statement Header",
+ "name": "Does entity configuration contain the iss parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
 "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "jwt check sig": "X_key_TA"
+ "checks": [
+ {
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
+ }
+ ]
 }
 ]
 }
@@ -6319,32 +6792,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does entity configuration contain the jwks parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
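Review bot: The added decode operation uses `"decode param": "[^\\r\\n]*"` for the body regex, whereas the SA-policy hunks earlier in this file rename exactly that key to `"decode regex"` for the same pattern, and all the rewritten Trust Mark hunks that follow use `"decode param"` again. In the removed lines `decode param` carried a JSONPath (`$.trust_marks[0].trust_mark`) and `decode regex` carried the regex, so the two keys appear to have different meanings to the engine; after this change the new side mixes both spellings and one group of tests will likely fail to extract the JWT from the body, reporting a false result. Pick one key for the body regex and apply it to every new test in this file.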
@@ -6356,32 +6822,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does entity configuration contain the metadata parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the metadata parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata",
+ "is present": "true"
 }
 ]
 }
@@ -6393,32 +6852,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does entity configuration contain the sub parameter",
+ "description": "To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the presence of the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\":\"object\",\"properties\":{\"email\":{\"type\":\"string\",\"format\":\"email\"}},\"required \":[\"email\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -6430,32 +6882,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does the Entity configuration of the Trust Anchor contain the constraints parameter in its decoded payload",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -6467,32 +6912,25 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does the Federation Configuration contain the TA public keys",
+ "description": "The Federation configuration must contain, among others, the TA public keys. To check the presence of those keys, the Entity Configuration is taken from the TA's '.well-known/openid-federation' endpoint and the response is analyzed, in the returned JWT the claim 'jwks' must be present",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
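Review bot: This test duplicates the "Does entity configuration contain the jwks parameter" test added four hunks earlier: same message type `Entity Configuration response TA`, same decode operation and the same `$.jwks` presence check, differing only in name and description. Either drop one of them, or make this one check what its description promises, i.e. that the TA key set is actually usable, for instance with `"check": "$.jwks.keys"` plus a type or JSON-schema check on the key array instead of a bare presence check on the container.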
@@ -6504,32 +6942,25 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does TA's Entity configuration contain the trust_marks_issuers parameter",
+ "description": "To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Configuration response TA",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_mark_issuers",
+ "is present": "true"
 }
 ]
 }
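Review bot: The new name and description refer to a `trust_marks_issuers` parameter while the check line reads `$.trust_mark_issuers`; the check uses the claim name defined by OpenID Federation, so the text is what should change. Suggest `"name": "Does TA's Entity configuration contain the trust_mark_issuers parameter"` and the matching spelling in the description, otherwise someone triaging a failure looks for a claim that does not exist.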
@@ -6541,8 +6972,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6553,20 +6984,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
@@ -6578,8 +7002,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6590,20 +7014,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -6615,8 +7032,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6627,20 +7044,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -6652,8 +7062,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6664,20 +7074,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -6689,8 +7092,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6701,20 +7104,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -6726,8 +7122,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6738,20 +7134,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
@@ -6763,8 +7152,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6775,20 +7164,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -6800,8 +7182,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6812,20 +7194,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -6837,32 +7212,25 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does Entity Statements issued by the TA contain the constraints parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the constraints parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
+ "message type": "Entity Statement response TA RP",
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.constraints",
+ "is present": "true"
 }
 ]
 }
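Review bot: The new name "Does Entity Statements issued by the TA contain the constraints parameter" is the same string used by the rewritten test several hunks earlier, whose message type is not visible here, while this one targets `Entity Statement response TA RP`; the exp, iat, iss, jwks and metadata_policy tests that follow repeat their earlier names in the same way. If the name is what the report shows, a failure cannot be attributed to the OP or the RP statement. Suggest putting the subject in the name, e.g. `"name": "Does the Entity Statement issued by the TA for the RP contain the constraints parameter"`, and likewise for the other variants.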
@@ -6874,8 +7242,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct id_code claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the id_code claim is a JSON Object",
+ "name": "Does Entity Statements issued by the TA contain the exp parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the exp parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6886,20 +7254,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.exp",
+ "is present": "true"
 }
 ]
 }
@@ -6911,8 +7272,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct claims claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the claims claim has to be a list of JSON Objects",
+ "name": "Does Entity Statements issued by the TA contain the iat parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iat parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6923,20 +7284,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"claims\": {\"type\": \"object\", \"additionalProperties\": {\"type\": \"object\"}}},\"required\": [\"claims\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.iat",
+ "is present": "true"
 }
 ]
 }
@@ -6948,8 +7302,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of the email claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the email claim in it is checked.",
+ "name": "Does Entity Statement issued by the TA contain the iss parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the iss parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6960,20 +7314,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \"object \", \"properties \": { \"email \": { \"type \": \"string \", \"format \": \"email \" } }, \"required \": [ \"email \"] } "
- }
- ]
+ "in": "payload",
+ "check": "$.iss",
+ "is present": "true"
 }
 ]
 }
@@ -6985,8 +7332,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the exp type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the exp claim in it is checked.",
+ "name": "Does Entity Statements issued by the TA contain the jwks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the jwks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -6997,20 +7344,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"exp\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"exp\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
@@ -7022,8 +7362,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for private organization contain the fiscal_number or vat_number claim",
- "description": "In this test, a Trust Mark issued for a private entity must be taken, decrypted and the presence of the fiscal_number claim or vat_number in the id_code is checked",
+ "name": "Does Entity Statements issued by the TA contain the metadata_policy parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the metadata_policy parameter is checked. It must be a JSON Object",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7034,20 +7374,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"fiscal_number\": {}, \"vat_number\":{}},\"anyOf\":[{\"required\":[\"fiscal_number\"]},{\"required\":[\"vat_number\"]}]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.metadata_policy",
+ "is present": "true"
 }
 ]
 }
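Review bot: The description ends with "It must be a JSON Object", but the added check `"check": "$.metadata_policy", "is present": "true"` only verifies that the key exists, so a string or null `metadata_policy` would pass. The removed lines show the tool accepting `"json schema compliant"` next to a `"check"` path, so the stated requirement can be enforced with `"check": "$.metadata_policy", "json schema compliant": "{\"type\": \"object\"}"` in place of, or in addition to, the presence check, assuming the schema keyword works on a sub-path the same way it did on `$`. Since metadata_policy is what the TA uses to constrain subordinate metadata, a type-less presence check is a weak assurance for this test.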
@@ -7059,8 +7392,8 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct iat type",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the iat claim in it is checked.",
+ "name": "Does the TA's metadata policy for an RP contain the jwks parameter",
+ "description": "In order to check the compliance of a metadata policy issued by the TA, an entity statement for an RP must be fetched in the TA's fetch endpoint. Once obtained the entity statement, the metadata_policy parameter is taken and the presence of the jwks parameter inside the openid_relying_party type is checked. It must contain the RP JWKS related to the OIDC Core operations",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7071,20 +7404,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"iat\": { \"type\": \"integer\", \"minimum\": 0 } }, \"required\": [\"iat\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.jwks",
+ "is present": "true"
 }
 ]
 }
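Review bot: The name and description say the test looks for `jwks` inside `metadata_policy` under the `openid_relying_party` type, but the added check is `"check": "$.jwks"`, which is the Entity Statement's top-level federation key set and is already covered by the jwks test two hunks above. As written the test passes whenever the statement has its own `jwks`, even if the policy contains no RP key requirement at all. The path should be `"check": "$.metadata_policy.openid_relying_party.jwks"` so the check matches what the description promises.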
@@ -7096,8 +7422,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued by a TA for public organization contain a correct type of 'ipa_code' claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the type of the value of the 'ipa_code' in the id_code claim is checked. It has to be a string",
+ "name": "Does Entity Statements issued by the TA contain the sub parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the sub parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7108,20 +7434,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"id_code\": {\"type\":\"object\", \"properties\": {\"ipa_code\": { \"type\":\"string\"}},\"required\":[\"ipa_code\"]}},\"required\":[\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.sub",
+ "is present": "true"
 }
 ]
 }
@@ -7133,8 +7452,8 @@
 },
 {
 "test": {
- "name": "Does the id_code claim of a Trust Mark issued for public organization contain the ipa_code claim",
- "description": "In this test, a Trust Mark issued for a public entity must be taken, decrypted and the presence of the ipa_code in the id_code is checked",
+ "name": "Does Entity Statements issued by the TA contain the trust_marks parameter",
+ "description": "In order to check if the TA issues correct Entity statements, a request for an entity statement is made (HTTP GET request in the TA's fetch endpoint) and the response is analyzed. Therefore, the Entity Statement Payload contained in the response are base64url decoded, once obtained the decrypted Payload, the presence if the trust_marks parameter is checked",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7145,20 +7464,13 @@
 "decode operations": [
 {
 "from": "body",
+ "decode param": "[^\\r\\n]*",
 "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
+ "checks": [
 {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": { \"id_code\": { \"type\": \"object\", \"properties\": {\"ipa_code\": {}},\"required\": [\"ipa_code\"]}},\"required\": [\"id_code\"]}"
- }
- ]
+ "in": "payload",
+ "check": "$.trust_marks",
+ "is present": "true"
 }
 ]
 }
@@ -7170,34 +7482,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct logo_uri claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the logo_uri claim has to be an URL",
+ "name": "Does the entity configuration of a considered entity return a Federation Metadata in JOSE format when an HTTP GET request is made to its .well-known/openid-federation endpoint",
+ "description": "The considered entity must have published its entity configuration in the .well-known/openid-federation endpoint. So in this test, an HTTP GET request is made to the entity's .well-known/openid-federation endpoint (appended to the URL which identifies the entity) and the response is analyzed. This response has to be the entity configuration of the entity and therefore a Federation Metadata in JOSE format (Content-Type: application/entity-statement+jwt)",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"logo_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"logo_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
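Review bot: The added `"check regex"` cannot match a real JWS in compact serialization: its header and payload groups are `[\w=]+`, and `\w` is `[A-Za-z0-9_]`, so the base64url character `-` is excluded from exactly the two segments where it is certain to appear in any payload of realistic size, while the signature group oddly admits `+` and `/` from the standard alphabet instead. The test will therefore report a missing JOSE body for a perfectly valid Entity Configuration. A base64url-aware pattern such as `"check regex": "[\\w-]+\\.[\\w-]+\\.[\\w-]*"` (JSON-escaped) fixes it; the identical regex is used in the TA OP and TA RP entity statement hunks and in both fetch endpoint hunks below and needs the same change there.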
@@ -7207,34 +7505,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain the correct type of organization_name claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the organization_name claim in it is checked.",
+ "name": "Does the Entity expose the resolve entity statement endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request containing the parameters 'sub', 'anchor' and 'type' is made to the entity's endpoint and an HTTP 200 OK response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Resolve Entity Statement response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type \": \u00a0\"object \", \"properties \": { \"organization_name \": { \"type \": \u00a0\"string \", \"enum \": [ \"private \", \u00a0\"public \"]}}, \"required \": [ \"organization_name \"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
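Review bot: The added `"check regex"` opens with an unescaped `[`, so after JSON decoding the pattern begins a character class that is never closed (the only `]` in it is the escaped `\]`), and most regex engines will reject it with an unclosed-class error before anything is checked. The sibling entity listing hunk below escapes it as `\\[`; the same form is needed here: `"check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$"`. Separately, the description expects "the resolved metadata for the entity" in the body, whereas this pattern only recognises a JSON list of strings, so please confirm that a list is really the expected shape of a resolve response before reusing the listing regex.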
@@ -7244,34 +7528,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct policy_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the policy_uri claim has to be an URL",
+ "name": "Does the Entity expose the entity listing endpoint",
+ "description": "In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Listing response",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"policy_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"policy_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
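Review bot: The new `"description"` still opens with "In order to check the presence and correctness of the resolve entity statement endpoint" although the test name and message type are about the entity listing endpoint, so the text was carried over from the resolve test and describes the wrong endpoint. Suggest `In order to check the presence and correctness of the entity listing endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected`. Note also that the regex requires at least one quoted element, so a TA with no subordinates yet, answering `[]`, would fail this test; if an empty listing is acceptable the `"[^"]*"(?:...)*` part should be made optional.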
@@ -7281,34 +7551,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain an URL in the ref claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the type of the ref claim in it is checked.",
+ "name": "Does the TA correctly release the Entity statements",
+ "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Statement response TA OP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{ \"type\": \"object\", \"properties\": { \"ref\": { \"type\": \"string\", \"format\": \"uri\" } }, \"required\": [\"ref\"] }"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
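Review bot: This test and the one in the next hunk now carry the identical `"name": "Does the TA correctly release the Entity statements"` and identical description, differing only in the message type (`Entity Statement response TA OP` here, `TA RP` there), so a failure report cannot tell which subordinate's statement was missing. The same duplication occurs in the two fetch endpoint hunks further down (`Fetch Entity Statement response TA OP` / `TA RP`). Suggest encoding the subordinate in the name, e.g. `"name": "Does the TA correctly release the Entity Statement for the OP"` and `"name": "Does the TA correctly release the Entity Statement for the RP"`, and likewise `... expose the fetch entity statement endpoint for the OP/RP`.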
@@ -7318,8 +7574,8 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct service_documentation claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the service_documentation has to be an URL",
+ "name": "Does the TA correctly release the Entity statements",
+ "description": "After a correct onboarding with the TA, it must publish the entity statement for the subordinate entity in its fetch endpoint. So, in this test, once correctly registered an Entity, an HTTP GET request is made to the TA's fetch endpoint, with the request containing the Entity identifier. The response is then checked and it must contain the subordinate entity's Entity Statement.",
 "type": "passive",
 "sessions": [
 "s1"
@@ -7327,25 +7583,11 @@
 "operations": [
 {
 "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"service_documentation\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"service_documentation\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -7355,34 +7597,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct sub claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the sub claim has to be an URL",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response TA OP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"sub\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"sub\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -7392,34 +7620,20 @@
 },
 {
 "test": {
- "name": "Does the issued oauth_resource Trust Mark contain a correct tos_uri claim",
- "description": "In this test, a Trust Mark issued for an AA (oauth_resource profile) must be taken, decrypted and the value of the tos_uri claim has to be an URL",
+ "name": "Does the Entity expose the fetch entity statement endpoint",
+ "description": "In order to check the presence and correctness of the fetch entity statement endpoint, an HTTP GET request containing the parameters 'iss' and 'sub' is made to the entity's endpoint and a response containing the resolved metadata for the entity in the request's sub claim is expected.",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Fetch Entity Statement response TA RP",
+ "checks": [
 {
- "from": "body",
- "type": "jwt",
- "decode regex": "[^\\r\\n]*",
- "decode operations": [
- {
- "from": "jwt payload",
- "type": "jwt",
- "decode param": "$.trust_marks[0].trust_mark",
- "checks": [
- {
- "in": "payload",
- "check": "$",
- "json schema compliant": "{\"type\": \"object\", \"properties\": {\"tos_uri\": {\"type\": \"string\", \"format\": \"uri-reference\"}}, \"required\": [\"tos_uri\"]}"
- }
- ]
- }
- ]
+ "in": "body",
+ "check regex": "([\\w=]+)\\.([\\w=]+)\\.([\\w\\-\\+\\/=]*)",
+ "is present": "true"
 }
 ]
 }
@@ -7429,30 +7643,20 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the TA publish the federation public key history",
+ "description": "An HTTP Get request is made to the TA's /.well-known/openid-federation-jwks endpoint and the answer is analyzed",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA OP",
- "decode operations": [
+ "message type": "Public Keys History response",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.trust_marks[0].trust_mark.organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "in": "body",
+ "check regex": "\\[\\s*\"[^\"]*\"(?:,\\s*\"[^\"]*\")*\\s*\\]$",
+ "is present": "true"
 }
 ]
 }
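Review bot: The added `"check regex"` is the entity listing pattern, which only matches a body that is a flat JSON array of strings ending at end of input, but the description says the body is the TA's federation key history fetched from `/.well-known/openid-federation-jwks`. A key set is an object whose `keys` member holds JWK objects (and may also be delivered as a signed JWT), so a body of either form ends in `}` or is a dotted JWS and this test would fail against a correct TA; please confirm the expected format and choose a pattern for it rather than reusing the listing regex. The description itself only says "the answer is analyzed" without stating what makes it compliant; suggest `An HTTP GET request is made to the TA's /.well-known/openid-federation-jwks endpoint and the response must contain the TA's current and past federation public keys` (also fixing "Get").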
@@ -7462,30 +7666,21 @@
 },
 {
 "test": {
- "name": "Does the Trust Mark contain a correct organization_type claim",
- "description": "In this test, an issued Trust Mark must be taken, decrypted and the value of the organization_type claim is 'public' or 'private'",
+ "name": "Does the entity return a correct Content-Type in the EC response",
+ "description": "In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt",
 "type": "passive",
 "sessions": [
 "s1"
 ],
 "operations": [
 {
- "message type": "Entity Statement response TA RP",
- "decode operations": [
+ "message type": "Entity Configuration response TA",
+ "checks": [
 {
- "from": "body",
- "decode param": "[^\\r\\n]*",
- "type": "jwt",
- "checks": [
- {
- "in": "payload",
- "check": "$.organization_type",
- "is in": [
- "public",
- "private"
- ]
- }
- ]
+ "in": "head",
+ "url decode": false,
+ "is": "application/entity-statement+jwt",
+ "check param": "Content-Type"
 }
 ]
 }
diff --git a/testplans/spid-cie-oidc/testplan.csv b/testplans/spid-cie-oidc/testplan.csv
index e9438de..a91666b 100644
--- a/testplans/spid-cie-oidc/testplan.csv
+++ b/testplans/spid-cie-oidc/testplan.csv
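Review bot: The added check writes its boolean as a real JSON literal, `"url decode": false`, while every other check added in this commit writes `"is present": "true"` as a string; if the test runner accepts both it is a consistency issue in one document, and if it does not, one of the two forms is silently ignored or mis-parsed, so the convention should be settled and used throughout. The exact comparison `"is": "application/entity-statement+jwt"` will also reject a response whose Content-Type carries a parameter such as a charset, which the description does not forbid; if the tool offers a contains- or regex-style comparison for headers, that would make the test less brittle without weakening it.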
@@ -4,8 +4,6 @@ x,AA-Entity Configuration response-metadata-logo_uri-type,AA metadata,Entity Con x,AA-Entity Configuration response-metadata-op_policy_uri,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the op_policy_uri claim is in the AA metadata, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the AA metadata contain op_policy_uri claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the op_policy_uri claim in the 'openid_provider' entity type is checked,AA,,Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_provider.op_policy_uri,The AA Metadata of type 'openid_provider' MUST contain op_policy_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response-metadata-op_policy_uri-type,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the op_policy_uri claim contains an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain correct type op_policy_uri claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the op_policy_uri claim in the 'openid_provider' entity type is ""private""",AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_provider | {""type"": ""object"",""properties"": {""op_policy_uri"": {""type"": ""string"",""format"": ""uri""}},""required"": [""op_policy_uri""]}",The AA Metadata of type 'openid_provider' MUST contain op_policy_uri as URL,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC 
Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response-metadata-resource-type,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the resource claim contains one or more https URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the AA metadata contain correct type resource claim,In this test the AA metadata in the AA Entity Configuration are taken and the value of the resource claim in the 'federation_entity' entity type is an HTTPS URL,AA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"": ""object"",""properties"": {""resource"": {""oneOf"": [{""type"": ""string"", ""format"": ""uri"", ""pattern"": ""^https://""},{""type"": ""array"",""items"": {""type"": ""string"", ""format"": ""uri"", ""pattern"": ""^https://""},""minItems"": 1}]}},""required"": [""resource""]}",The AA Metadata of type 'federation_entity' MUST contain resource,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,AA-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",AA,,Entity Configuration response | body | [^\r\n]* | X_key_AA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,AA-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration AA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",AA,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_key_AA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response-metadata-authorization_endpoint,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authorization_endpoint claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the authorization_endpoint claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the authorization_endpoint claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.authorization_endpoint,The AA Metadata of type 'oauth_authorization_server' MUST contain authorization_endpoint,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response-metadata-contacts,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the contacts claim is present, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the contacts claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the contacts claim in the 'federation_entity' 
entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The AA Metadata of type 'federation_entity' MUST contain contacts,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response-metadata-dpop_signing_alg_values_supported-not_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the dpop_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the AA metadata contain incorrect dpop_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the dpop_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.dpop_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain dpop_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, 
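Review bot: The two removed rows `-x,AA-Entity Configuration response-signature,...` and `-x,AA-Entity Configuration response-sub-value,...` drop the AA tests that verify the Entity Configuration's JWS signature against the superior's published key (rated `H` in the plan) and that `sub` equals `iss`, and the rest of this hunk adds only metadata presence and type rows in their place. Unless these rows are re-added further down in the file (the next hunk is not fully visible here), the AA profile loses its only integrity check on the Entity Configuration, and a tampered or unsigned configuration would no longer be detected by this plan. The commit message mentions updating federation tests but does not say the signature and sub checks are intentionally removed; please either restore them or state the reason in the commit description.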
@@ -33,7 +31,12 @@ x,AA-Entity Configuration response-metadata-token_endpoint_auth_methods_supporte x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is present, not compliant if it is empty or is missing",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the AA metadata contain the token_endpoint_auth_signing_alg_values_supported claim,In this test the AA metadata in the AA Entity Configuration are taken and the presence of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked.,AA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported,The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-not_supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim does not contain ['none', 'HS256', 'HS384', 'HS512'], not compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the AA metadata contain incorrect token_endpoint_auth_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is 
checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of | [""none"", ""HS256"", ""HS384"", ""HS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response-metadata-token_endpoint_auth_signing_alg_values_supported-supported,AA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the token_endpoint_auth_signing_alg_values_supported claim is 'one_of': ['RS256', 'RS512'], not compliant if it is empty or is missing",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the AA metadata contain correct token_endpoint_auth_signing_alg_values_supported claim,"In this test the AA metadata in the AA Entity Configuration are taken and the value of the token_endpoint_auth_signing_alg_values_supported claim in the 'oauth_authorization_server' entity type is checked to be 'one_of': ['RS256', 'RS512'].",AA,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.oauth_authorization_server.token_endpoint_auth_signing_alg_values_supported.one_of | [""RS256"", ""RS512""]",The AA Metadata of type 'oauth_authorization_server' MUST contain token_endpoint_auth_signing_alg_values_supported,SPID_CIE_OIDC#AA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_aa.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, -x,AA-Entity Configuration 
response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",AA,,"Entity Configuration response AA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong 
parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, +x,ALL-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",ALL,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata | {""type"": ""object"",""anyOf"": [{""required"": [""openid_relying_party""]},{""required"": [""openid_provider""]},{""required"": [""federation_entity""]},{""required"": [""oauth_authorization_server""]},{""required"": [""oauth_resource""]}],""properties"": {""openid_relying_party"":{""type"":""object""},""openid_provider"":{""type"":""object""},""federation_entity"":{""type"":""object""},""oauth_authorization_server"":{""type"":""object""},""oauth_resource"":{""type"":""object""}}, ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,P,passed, +x,ALL-Entity 
Configuration response-metadata-openid_relying_party-once,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', not compliant otherwise",JWT parameter not in,Wrong Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",ALL,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata | openid_relying_party.*(\n.*)+""openid_relying_party""","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",,,,P,passed, +x,ALL-Entity Configuration response-metadata-openid_provider-once,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', not compliant otherwise",JWT parameter not in,Wrong Input,Entity Configuration response,Does the metadata parameter contain only allowed 
types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",ALL,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata | openid_provider.*(\n.*)+""openid_provider""","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",,,,P,passed, +x,ALL-Entity Configuration response-metadata-federation_entity-once,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', not compliant otherwise",JWT parameter not in,Wrong Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",ALL,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata | federation_entity.*(\n.*)+""federation_entity""","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",,,,P,passed, +x,ALL-Entity Configuration response-metadata-oauth_authorization_server-once,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', not compliant otherwise",JWT parameter not in,Wrong Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",ALL,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata | oauth_authorization_server.*(\n.*)+""oauth_authorization_server""","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",,,,P,passed, +x,ALL-Entity Configuration response-metadata-oauth_resource-once,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', not compliant otherwise",JWT parameter not in,Wrong Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. 
These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",ALL,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata | oauth_resource.*(\n.*)+""oauth_resource""","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",,,,P,passed, x,AA-Entity Configuration response-trust_marks,AA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the AA's entity configuration contain the trust_marks parameter,"To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",AA,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, x,AA-Entity Configuration response-trust_marks-type,AA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter present in the payload is a JSON array, not compliant otherwise",JWT 
parameter type,Correct Input,Entity Configuration response,Does the AA's entity configuration contain a correct trust_marks parameter,"To accomplish this test, the Entity configuration of the AA is taken, the payload is decoded (Base64 encoding) and the type of the trust_marks parameter is checked. It must be an array",AA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_marks""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,AA non presente,not_applicable, o,ALL-Entity Configuration response-correct-content-type,,Entity Configuration response,Entity Configuration request,"Compliant if the Content-Type of the response is application/entity-statement+jwt, not compliant otherwise",HTTP parameter value_1,Correct Input,Entity Configuration response,Does the entity return a correct Content-Type in the EC response,In this test a correct request to the entity's /.well-known/openid-federation endpoint is made and the response is analyzed. It must have a Content-Type parameter set to application/entity-statement+jwt,ALL,,Entity Configuration response | head | Content-Type | application/entity-statement+jwt,,SPID_CIE_OIDC#Entity-Configuration-Response; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,,,,yes,"[""s1""]",E,,P,P,passed, 
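Review bot: The five added `-once` rows detect a duplicated metadata key with the regex `openid_relying_party.*(\n.*)+"openid_relying_party"` (and its four siblings), which only matches when at least one newline separates the two occurrences, so a JWT payload serialised compactly on one line with a duplicated key passes this check; a newline-independent form such as `openid_relying_party[\s\S]*"openid_relying_party"` covers both layouts. Whether the regex is applied to the raw decoded bytes or to a re-serialised parsed object is not visible here; in the latter case the parser has already collapsed the duplicate (most keep the last value) and the check can never fire, which is worth confirming since duplicate-key handling is exactly the parser-differential the test exists to catch. The rewritten `ALL-Entity Configuration response-metadata-value` schema drops `trust_mark_issuer` from the allowed set while keeping `"additionalProperties": false`, so an Entity Configuration carrying that type now fails; confirm against the referenced spec section that this is intended. The `-once` rows also leave empty the column that holds `E` in the neighbouring rows (`"[""s1""]",,,,P,passed`), which looks like an omission.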
@@ -134,8 +137,8 @@ o,OP-Authentication response-wrong-iss,Authentication Response to a request with x,OP-Authentication response-wrong-redirect-uri,Authentication Request's request parameter,Authentication Request's request parameter,Authentication Request with a wrong redirect_uri parameter in the JWT in the request parameter,"Compliant if the Authentication response is an HTTP 302 because of invalid_request, not compliant otherwise",JWT Response,Wrong Input,Authentication response,Does the OP refuse Authentication Request with a wrong redirect URI,"Once received an Authentication Request, an OP must check if the provided redirect URI matches one of the redirect uris in the RP metadata. To verify this behavior, an authentication request is sent to the OP with a wrong redirect URI in the JWT in the request parameter ",OP,Authentication request | url | request | payload | redirect_uri | https://www.example.com/ | X_key_RP,Authentication error response | head | 302 | head | invalid_request,The redirect_uri parameter in the Authentication Request must match one of the URLs given in the RP Metadata,SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.","Does the authorization server automatically redirect the user-agent to the invalid redirection URI (InvalidRedirect), Does the authorization server exactly match the full redirect uri (RedirectUriFullyMatched)","Reject redirect_uri not matching a registered redirect_uri, Reject redirect_uri when query parameter added, Reject redirect_uri when query parameter does not match",,,,,,TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Authentication response-wrong-signature,Authentication Response to a request with the request parameter with a wrong signature,Authentication Response to a request 
with the request parameter with a wrong signature,Authentication Request with the request parameter with a wrong signature in the URL,"Compliant if the Authentication response is an HTTP 302 because of unauthorized_client, not compliant otherwise",Signature JWT Response,Wrong Input,Authentication response,Does the OP refuse wrongly signed Authentication Requests,"This test aims to check if the OP correctly handles the signature of the Authentication request: once received the request, the JWT token must be split in its 3 parts (header, payload, signature), base64url decoded and the signature must be verified. In order to test if the OP really checks the signature, the Authentication request is intercepted before arriving to the OP and the signature is changed. If the OP grants the tokens anyway, than it did not check the signature.",OP,Authentication request | url | request | X_wrong_key,Authentication error response | head | 302 | head | unauthorized_client,"The Authorization request is initiated by the user that selects the OP for the authentication. 
The RP redirects the user to the Authorization Endpoint of the selected OP, including in the request the parameter request that is a signed JWT containing the Authorization Request.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Active,L,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,Is the JWT signature checked (IsSignatureChecked),,,T1_G,,,,TRUE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 302 invalid_request x,OP-Authentication response-wrong-user-credentials,Authentication response,Authentication response,"Authentication request with prompt set to ""consent login""","Compliant if the Authentication response is an HTTP 302 because access_denied, not compliant otherwise",/ manual: check flow,Wrong Input,Authentication response,Does the OP refuse wrong credentials,"In this test an authentication request with prompt set to 'consent login' is accomplished and, when the user credentials are requested, wrong ones are inserted. 
The response is then analyzed",OP,,,Lโ€™OP ha negato lโ€™accesso a causa di credenziali non valide o non adeguate al livello SPID richiesto,SPID_CIE_OIDC#Authentication-Endpoint; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#codici-di-errore,OIDC Core,Active,H,"If the message flow is interrupted due to an error, even without specifying the exact code, it's not a major issue.",,,,,,,,,,,yes,"[""s_CIE_wrong_credentials""]",E,Problema implementazione,F,F,failed,Ritorna 200 -x,OP-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. 
Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",OP,,Entity Configuration response | body | [^\r\n]* | X_key_ALL,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration OP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",OP,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_OP,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, +x,ALL-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",ALL,,Entity Configuration response | body | [^\r\n]* | X_key_ALL,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed - failed for TA,[TA] Signature non corretta +x,ALL-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration 
response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration OP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",ALL,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_ALL,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-authority_hints,OP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the authority_hints parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the OP's entity configuration contain the authority_hints parameter,"To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the authority_hints parameter is checked",OP,,Entity Configuration response | body | [^\r\n]* | payload | authority_hints,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-authority_hints-type,OP's Entity Configuration,Entity 
Configuration response,Trigger Entity Configuration response,"Compliant if the authority_hints parameter is present and is an array of URLs, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the OP's entity configuration contain a correct authority_hints parameter,"To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the authority_hints parameter is checked, it must be an array",OP,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""authority_hints"": {""type"": ""array""}}, ""required"": [""authority_hints""]}",Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-jwks,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'jwks' parameter in the OP metadata ('openid_provider' type) is present,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the jwks claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'jwks' parameter in the 'openid_provider' subclaim (metadata type) is checked,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.jwks,The OP metadata of type 'openid_provider' must contain the parameter 'jwks' or the parameter 'signed_jwks_uri',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.8, 1.3.9","external tests from spid-oidc-check-op have an 
implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, 
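Review bot: The new `ALL-Entity Configuration response-signature` row keeps the description "public key ... must be taken from the Entity Statement of a superior", but the check now runs against every entity including the Trust Anchor, which has no superior and whose self-signed Entity Configuration is verified against a key trusted out of band; the `[TA] Signature non corretta` outcome recorded in the same row presumably reflects that mismatch rather than a real signing defect, so the row should state which key `X_key_ALL` resolves to for the TA or the TA should be excluded from this row. The result cell `passed - failed for TA` also introduces a value the `passed`/`failed` column does not otherwise use, which will confuse anything that aggregates on it. The `ALL-Entity Configuration response-sub-value` row still asks "Does entity configuration OP contain a correct sub parameter" although its scope is now ALL; `Does the entity configuration contain a correct sub parameter` would match the new scope.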
@@ -208,7 +211,6 @@ x,OP-Entity Configuration response-metadata-userinfo_endpoint,OP Metadata,Entity x,OP-Entity Configuration response-metadata-userinfo_signing_alg_values_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'userinfo_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the userinfo_signing_alg_values_supported claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked.,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_signing_alg_values_supported,The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,"1.3.19, 1.5.3","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-userinfo_signing_alg_values_supported-not_supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) does not contain ['none', 'HS256', 'HS384', 'HS512']. Not Compliant otherwise",JWT list parameter does not contain,Correct Input,Entity Configuration response,Does the OP metadata contain incorrect userinfo_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is checked. It must not contain the values ['none', 'HS256', 'HS384', 'HS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_signing_alg_values_supported | [""none"", ""HS256"", ""HS384"", ""HS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.19, 1.5.3","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-metadata-userinfo_signing_alg_values_supported-supported,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signing_alg_values_supported' parameter in the OP metadata ('openid_provider' type) is ['RS256', 'RS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the OP metadata contain correct userinfo_signing_alg_values_supported claim in the openid_provider subclaim,"In this test the OP metadata are taken and the value of the 'userinfo_signing_alg_values_supported' parameter in the 'openid_provider' subclaim (metadata type) is ['RS256', 'RS512']",OP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.userinfo_signing_alg_values_supported[0] | [""RS256"", ""RS512""]",The OP metadata of type 'openid_provider' must contain the parameter 'userinfo_signing_alg_values_supported' and it must contain the signature algorithms,SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Mismatch of content,,,,,,"1.3.19, 1.5.3","external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""openid_relying_party"" subclaim. 
(For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,P,P,passed, -x,OP-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",OP,,"Entity Configuration response OP | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-signed_jwks_uri,OP Metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'signed_jwks_uri' parameter in the OP metadata ('openid_provider' type) is present,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the OP metadata contain the jwks or signed_jwks_uri claim in the openid_provider subclaim,In this test the OP metadata are taken and the presence of the 'jwks' or the 'signed_jwks_uri' parameter in the 'openid_provider' subclaim (metadata type) is checked. There must be at least one of the two,OP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_provider.signed_jwks_uri,The OP metadata of type 'openid_provider' must contain the parameter 'jwks' or the parameter 'signed_jwks_uri',SPID_CIE_OIDC#OP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_op.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,OP-Entity Configuration response-trust_marks,OP's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the OP's entity configuration contain the trust_marks parameter,"To accomplish this test, the Entity configuration of the OP is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks parameter is checked.",OP,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,Leaf and intermediate entities' Entity Configuration must have the 'authority_hints' and 'trust_marks' 
parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Manca parametro trust_marks x,OP-Entity Configuration response-trust_marks-signature,Entity Configuration response containing a trust mark with wrong signature,Entity Configuration response,Entity Configuration response containing a trust mark with wrong signature,"Compliant if the OP responds with an HTTP 302 error and because of unauthorized_client, not compliant otherwise",/ manual: check signature,Wrong Input,Entity Configuration response,Does the OP validate the signature of the RP Trust Marks,"In order to verify if the OP validates the trust chain, the signature of the trust marks in the RP's Entity Configuration must be wrong. If the OP validates the request anyway, than it is not checking the Trust Mark signature and it is not compliant with the specifications",OP,,,The OP obtains the Entity Configuration of the RP and validates the signatures of Trust Mark that are recognized inside the Federation,SPID_CIE_OIDC#Metadata-Retrieval-OP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#openid-provider,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,Signature JWT Response (correct check-no) but the JWT is nested,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Ritorna 200 
@@ -472,8 +474,6 @@ x,RP-Authentication request-scope-value,Authentication Request,Authentication re x,RP-Authentication request-url-client_id,Authentication Request,Authentication request,Trigger Authentication request,Compliant if the url contains the client_id parameter,HTTP parameter presence,Correct Input,Authentication request,Does the RP insert the client ID in the url of the request,In this test the Authentication Request is taken and the presence of the client_id parameter in the URL is checked,RP,,Authentication request | url | client_id,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, x,RP-Authentication request-url-response_type,Authentication Request,Authentication request,Trigger Authentication request,Compliant if the url contains the response_type parameter,HTTP parameter presence,Correct Input,Authentication request,Does the RP insert the response type in the url of the request,In this test the Authentication Request is taken and the presence of the response_type parameter in the URL is checked,RP,,Authentication request | url | response_type,"The parameters client_id and response_type SHOULD be sent both as parameters in the HTTP request, and inside the request object.",SPID_CIE_OIDC#Authorization-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,,,,no,"[""s1""]",E,,P,P,passed, x,RP-Authentication response-Entity_Statement-wrong-jwks,OP's Entity Configuration and TA's Entity Statement for the OP with a public key that differs from the one in the EC of the OP,Authentication response,Entity Statement response 
regarding the OP and with a wrong jwks parameter and Authentication request,"Compliant if the authentication response does not contain the code parameter, not compliant otherwise",/ manual: check signature,Wrong Input,Authentication response,Does the RP request the OP's Entity Statement to validate the OP's Entity Configuration,"In order to check if the RP verifies the OP's Entity Configuration with the keys sent in the ES, once the RP asks for the Entity Statement, the TA's Entity Statement in response could have a (wrong) public key that is different from the one that can be found in the OP's EC (ES keys should be wrong). After this, an authentication request with that OP is made and, if the response contains the code parameter, the RP is either using the public keys present in the Entity Configuration (not reliable) or not checking the signature at all.",RP,,,"For each EC of the OPs, the RP validates the signature by using the public key obtained in the Entity Statement released by the Trust Anchor.",SPID_CIE_OIDC#Metadata-Retrieval-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#relying-party,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"The test fails if a correct flow is accomplished by the RP. 
It is similar to JWT response (correct check-no) but since we are checking the RP's flow, we do not except an HTTP Error code",FALSE,,,no,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",RP,,Entity Configuration response | body | [^\r\n]* | X_key_RP,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration RP contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded 
(Base64 encoding) and the sub parameter is checked. Its value must be equal to the one in the iss parameter",RP,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_RP,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-Entity_Configuration-wrong-signature,Wrongly signed OP's Entity Configuration,Entity Configuration response,Entity Configuration response containing a wrongly-signed Entity Configuration,"Compliant if the Authentication response does not contain the code parameter, not compliant otherwise",/ manual: check signature,Wrong Input,Entity Configuration response,Does the RP check the signature in the OP Entity Configuration,"In order to check if the RP correctly verifies the signature of an OP's Entity Configuration and does not trust arbitrary OP, the latter sends as the Entity Configuration response a wrongly signed Entity Configuration and waits for the RP. 
After this an authentication request is sent and, if the response contains the code, the RP is not checking the authenticity of the EC",RP,,,"For each EC of the OPs, the RP validates the signature by using the public key obtained in the Entity Statement released by the Trust Anchor.",SPID_CIE_OIDC#Metadata-Retrieval-RP; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/trust_negotiation.html#relying-party,OIDC Federation,Active,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,,FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] code รจ presente x,RP-Entity Configuration response-metadata-client_id,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'client_id' parameter,In this test the RP metadata are taken and the presence of the 'client_id' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.client_id,The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-metadata-client_id-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'client_id' parameter in the RP metadata is an HTTPS URL, not Compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain correct type of 'client_id' parameter,In this test the RP metadata are taken and the 
value of the 'client_id' parameter is an HTTPS URL,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"":""object"", ""properties"":{""client_id"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://""}},""required"":[""client_id""]}",The RP metadata of type 'openid_relying_party' must contain the parameter client_id and it must contain an HTTPS URL that uniquely identifies the RP,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,H,If the URL is not an HTTP there is a lack of security for transmitted data,,,,,,,,FALSE,x,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] HTTP non HTTPS 
@@ -515,7 +515,6 @@ x,RP-Entity Configuration response-metadata-userinfo_encrypted_response_enc-supp x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata is present. Not Compliant otherwise,JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'userinfo_signed_response_alg' parameter,In this test the RP metadata are taken and the presence of the 'userinfo_signed_response_alg' parameter is checked.,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg,The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg-not_supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata does not contain the values ['none', 'HS256', 'HS384', 'HS512']. Not Compliant otherwise",JWT parameter not in JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain incorrect 'userinfo_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is checked. 
It must not contain the values ['none', 'HS256', 'HS384', 'HS512'].",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg | [""none"", ""HS256"", ""HS384"", ""HS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-metadata-userinfo_signed_response_alg-supported,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'userinfo_signed_response_alg' parameter in the RP metadata is ['RS256', 'RS512']. Not Compliant otherwise",JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain correct 'userinfo_signed_response_alg' parameter,"In this test the RP metadata are taken and the value of the 'userinfo_signed_response_alg' parameter is ['RS256', 'RS512']",RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.userinfo_signed_response_alg | [""RS256"", ""RS512""]",The RP metadata of type 'openid_relying_party' must contain the parameter userinfo_signed_response_alg and it has to contain the signature algorithms,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, -x,RP-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 
'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",RP,,"Entity Configuration response RP | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-response_types,RP metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'response_types' parameter in the RP metadata ('openid_relying_party' type) is present, not Compliant otherwise",JWT 
parameter JSON presence,Correct Input,Entity Configuration response,Does the RP metadata contain the 'response_types' parameter,In this test the RP metadata are taken and the presence of the 'response_types' parameter in the 'openid_relying_party' metadata type is checked,RP,,Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types,The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-response_types-type,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'response_types' parameter in the RP metadata is a JSON Array. Not Compliant otherwise,JWT parameter type,Correct Input,Entity Configuration response,Does the RP metadata contain the 'response_types' parameter as a json,In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' is a JSON array,RP,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.openid_relying_party | {""type"": ""object"", ""properties"": {""response_types"": {""type"": ""array""}}, ""required"": [""response_types""]}",The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, x,RP-Entity Configuration response-response_types-value,RP metadata,Entity Configuration response,Trigger Entity Configuration response,Compliant if the 'response_types' parameter in the RP metadata 
contains the value 'code'. Not Compliant otherwise,JWT parameter JSON value,Correct Input,Entity Configuration response,Does the RP metadata contain in the 'response_types' the value 'code',In this test the RP metadata are taken and the 'response_types' parameter in the 'openid_relying_party' contains the value 'code',RP,,"Entity Configuration response | body | [^\r\n]* | payload | metadata.openid_relying_party.response_types[0] | [""code""]",The RP metadata of type 'openid_relying_party' must contain the parameter response_types and it has to be a JSON array containing the value 'code',SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Core,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed, 
@@ -569,8 +568,6 @@ x,RP-User logout-token-revocation,User's logout,Revocation request,Trigger User x,RP-Userinfo request-access-token,RP's UserInfo request,Userinfo request,Trigger Userinfo request,"Compliant if the the authorization field in the header of the UserInfo Request contains an Access Token, not compliant otherwise",HTTP parameter presence,Correct Input,Userinfo request,Does the RP contain the Access Token in the UserInfo request,The UserInfo request from the RP is taken and analyzed. In the Authorization field of the header there must be an Access Token,RP,,UserInfo request | head | Authorization,"In order to obtain the requested claims, the RP sends a request to the UserInfo Endpoint using the Access Token",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,M,Missing parameter,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,RP-Userinfo request-access-token-valid,RP's UserInfo request,Userinfo request,Trigger Userinfo request,"Compliant if the authorization field in the header of the UserInfo Request contains a valid Access Token (JWT), not compliant otherwise",HTTP parameter type,Correct Input,Userinfo request,Does the RP contain a valid Access Token in the UserInfo request,The UserInfo request from the RP is taken and analyzed. 
In the Authorization field of the head there must be a valid Access Token,RP,,UserInfo request | head | Authorization:\s?Bearer\s?([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*),"In order to obtain the requested claims, the RP sends a request to the UserInfo Endpoint using the Access Token",SPID_CIE_OIDC#UserInfo-Endpoint-Request; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#request,OIDC Core,Passive,L,Type mismatch,,,,,,,,FALSE,x,,no,"[""s1""]",E,,P,P,passed, x,SA-Entity Configuration response-metadata-logo_uri-type,SA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the TA metadata contain correct type logo_uri claim,In this test the SA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,SA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The SA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and 
the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",SA,,Entity Configuration response | body | [^\r\n]* | X_key_SA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, -x,SA-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration SA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",SA,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_SA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Configuration response-metadata-contacts,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'contacts' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the contacts parameter,In this test the SA metadata are taken and the presence of the 'contacts' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.contacts,The TA and SA metadata must contain the parameter contacts,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Configuration response-metadata-federation_fetch_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_fetch_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_fetch_endpoint parameter,In this test the SA metadata are taken and the 
presence of the 'federation_fetch_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_fetch_endpoint,The TA and SA metadata must contain the parameter federation_fetch_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Configuration response-metadata-federation_list_endpoint,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'federation_list_endpoint' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the federation_list_endpoint parameter,In this test the SA metadata are taken and the presence of the 'federation_list_endpoint' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.federation_list_endpoint,The TA and SA metadata must contain the parameter federation_list_endpoint,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
@@ -580,7 +577,6 @@ x,SA-Entity Configuration response-metadata-homepage_uri,SA's metadata,Entity Co
 x,SA-Entity Configuration response-metadata-logo_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'logo_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the logo_uri parameter,In this test the SA metadata are taken and the presence of the 'logo_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.logo_uri,The TA and SA metadata must contain the parameter logo_uri and it must be in SVG format,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Configuration response-metadata-organization_name,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the organization_name parameter,In this test the SA metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC 
Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Configuration response-metadata-policy_uri,SA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the SA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the SA's metadata contain the policy_uri parameter,In this test the SA metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,SA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
-x,SA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the 
metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SA,,"Entity Configuration response SA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Configuration response-trust_marks,SA's entity configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'trust_marks' parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does the entity configuration of the SA contain the trust marks,"The entity configuration of the SA is taken 
from its own web endpoint '.well-known/openid-federation', and the metadata in the response are analyzed. Among them, the 'trust_marks' parameter must be present.",SA,,Entity Configuration response | body | [^\r\n]* | payload | trust_marks,"The RP, OP or SA must include the trust marks in the entity configuration as a result of the onboarding process",SPID_CIE_OIDC#entity-configuration-leaves-and-intermediaries; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Configuration response-trust_marks-type,SA's entity configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the 'trust_marks' parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the entity configuration of the SA contain a correct trust_marks parameter,"The entity configuration of the SA is taken from its own web endpoint '.well-known/openid-federation', and the configuration metadata are analyzed. 
Among them, the 'trust_marks' parameter must be present and must be a JSON array containing the Trust Marks.",SA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_marks"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_marks""]}","The RP, OP or SA must include the trust marks in the entity configuration as a result of the onboarding process",SPID_CIE_OIDC#entity-configuration-leaves-and-intermediaries; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-foglia-e-intermediari,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable,
 x,SA-Entity Listing endpoint response-exposed,Entity Listing endpoint response,Entity Listing endpoint response,Trigger Entity Listing endpoint response,"Compliant if the Response contains a JSON list (array), not compliant otherwise",HTTP parameter type,Correct Input,Entity Listing endpoint response,Does the Entity expose the entity listing endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request entity's endpoint. An HTTP 200 OK response containing a JSON list with the known Entity Identifiers is expected",SA,,"Entity Listing response | body | [^\r\n]*.^\{(\s*""[^""]*""\s*:\s*(?:""[^""]*"",?|\[[^\r\n]*\],?|\{[^\r\n]*\},?)\s*)*\}$",This test simply checks if the entity exposes the /.well-known/openid-federation endpoint and if it,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Messaggio non presente,N_A,SA non presente,not_applicable, 
@@ -705,9 +701,6 @@ x,TA-Entity Configuration response-metadata-logo_uri,TA's metadata,Entity Config
 x,TA-Entity Configuration response-metadata-logo_uri-type,TA metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the logo_uri claim is an URL, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the TA metadata contain correct type logo_uri claim,In this test the TA metadata in the TA Entity Configuration are taken and the value of the logo_uri claim in the 'federation_entity' entity type is an URL with an .svg file,TA,,"Entity Configuration response | body | [^\n\r]* | payload | .metadata.federation_entity | {""type"":""object"", ""properties"":{""logo_uri"":{""type"":""string"", ""format"":""uri"", ""pattern"":""^https://.*\\.svg$""}},""required"":[""logo_uri""]}",The TA Metadata of type 'federation_entity' MUST contain logo_uri,SPID_CIE_OIDC#RP-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_rp.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,,F,failed,HTTP non HTTPS
 x,TA-Entity Configuration response-metadata-organization_name,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'organization_name' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the organization_name parameter,In this test the Entity metadata are taken and the presence of the 'organization_name' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.organization_name,The TA and SA metadata must contain the parameter organization_name,SPID_CIE_OIDC#TA-and-SA-Metadata; 
https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,1.3.27,"external tests from spid-oidc-check-op have an implementation issue: in those tests the presence of the claims is directly in the ""Metadata"" parameter of the document. In CIE federation instead, in the metadata paramter there are two subclaims ( ""federation_entity"" and ""openid_relying_party"") and the claims that the tests checks are in the ""federation_entity"" subclaim. (For details see coverage.md)",TRUE,x,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro organization_name
 x,TA-Entity Configuration response-metadata-policy_uri,TA's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the TA contains the 'federation_entity' type in the metadata and it contains the 'policy_uri' parameter, not compliant otherwise",JWT parameter JSON presence,Correct Input,Entity Configuration response,Does the Entity's metadata contain the policy_uri parameter,In this test the Entity metadata are taken and the presence of the 'policy_uri' parameter inside the 'federation_entity' metadata type is checked.,TA,,Entity Configuration response | body | [^\r\n]* | payload | metadata.federation_entity.policy_uri,The TA and SA metadata must contain the parameter policy_uri,SPID_CIE_OIDC#TA-and-SA-Metadata; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/metadata_oidc_ta_sa.html,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,F,P,passed,[PRIMA] Manca parametro policy_uri
-x,TA-Entity Configuration response-metadata-value,Entity's Entity Configuration's metadata,Entity Configuration response,Trigger Entity Configuration response,"Compliant if each key in metadata is present only once and is a value between 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer', 
not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does the metadata parameter contain only allowed types and only once for each,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the metadata parameter is analyzed. This must be a JSON object with each key representing a type of metadata. These types cannot be repeated and must be a value among the following: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",TA,,"Entity Configuration response TA | body | [^\n\r]* | payload | .metadata | {""type"": ""object"", ""properties"": { ""openid_relying_party"": { ""type"": ""object"" }, ""openid_provider"": { ""type"": ""object"" }, ""federation_entity"": { ""type"": ""object"" }, ""oauth_authorization_server"": { ""type"": ""object"" }, ""oauth_resource"": { ""type"": ""object"" }, ""trust_mark_issuer"": { ""type"": ""object"" } }, ""required"": [""openid_relying_party"", ""openid_provider"", ""federation_entity"", ""oauth_authorization_server"", ""oauth_resource"", ""trust_mark_issuer""], ""additionalProperties"": false}","Allowed metadata types are: 'openid_relying_party', 'openid_provider', 'federation_entity', 'oauth_authorization_server', 'oauth_resource', 'trust_mark_issuer'",SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Presence of wrong parameter,,,,,,,,FALSE,,,no,"[""s1""]",E,,F,P,passed,[PRIMA] There is only: federation_entity
-x,TA-Entity Configuration response-signature,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the signature is correct, not compliant otherwise",JWT signature check,Correct Input,Entity Configuration response,Does the entity 
correctly sign the Entity Configuration,"To accomplish this test, the Entity configuration of the interested entity is taken and the three parts of the JWT (header, payload and signature) are base64url decoded. Finally, the signature is validated passing the public key (n, e of jwks parameter that must be taken from the Entity Statement of a superior), the JWS Signature (received signature base64url decoded) and the JWS signing input (header and payload base64url encoded and concatenated with a dot dividing them) to a signature verifier configured for the algorithm described in the Entity Configuration Header",TA,,Entity Configuration response | body | [^\r\n]* | X_key_TA,Entity Configurations must be signed,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#,OIDC Federation,Passive,H,An inaccurate signature poses challenges in maintaining confidentiality and integrity.,,,,,,,"JOSE format can be JWS or JWE, we assume it to be JWS in this case",FALSE,,,yes,"[""s1""]",E,Problema implementazione,F,F,failed,[SAME] Signature non corretta
-x,TA-Entity Configuration response-sub-value,Entity's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the sub parameter is equal to the iss claim, not compliant otherwise",JWT parameter values,Correct Input,Entity Configuration response,Does entity configuration TA contain a correct sub parameter,"To accomplish this test, the Entity configuration of the interested entity is taken, the payload is decoded (Base64 encoding) and the sub parameter is checked. 
Its value must be equal to the one in the iss parameter",TA,,Entity Configuration response | body | [^\r\n]* | payload | sub | X_url_TA,The sub parameter is required in the Entity Configuration of all the entities,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-claim-comuni,OIDC Federation,Passive,M,Mismatch of content,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,TA-Entity Configuration response-trust_marks_issuers,TA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_marks_issuers parameter is present, not compliant otherwise",JWT parameter presence,Correct Input,Entity Configuration response,Does TA's Entity configuration contain the trust_marks_issuers parameter,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the presence of the trust_marks_issuers parameter is checked",TA,,Entity Configuration response | body | [^\r\n]* | payload | trust_mark_issuers,TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,M,Missing parameter,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,TA-Entity Configuration response-trust_mark_issuers-type,TA's Entity Configuration,Entity Configuration response,Trigger Entity Configuration response,"Compliant if the trust_mark_issuers parameter is a JSON array, not compliant otherwise",JWT parameter type,Correct Input,Entity Configuration response,Does TA's Entity configuration's trust_mark_issuers parameter contain a JSON Array,"To accomplish this test, the Entity configuration of the TA is taken, the payload is decoded (Base64 encoding) and the trust_mark_issuers parameter 
must be a JSON Array.",TA,,"Entity Configuration response | body | [^\r\n]* | payload | | {""type"": ""object"", ""properties"": {""trust_mark_issuers"": {""type"": ""object"", ""additionalProperties"": {""type"": ""array""}}}, ""required"": [""trust_mark_issuers""]}",TA's Entity Configuration must have the 'constraints' and 'trust_marks_issuers' parameters,SPID_CIE_OIDC#Entity-Configuration; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/entity_configuration.html#entity-configuration-trust-anchor,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,yes,"[""s1""]",E,,P,P,passed,
 x,TA-Entity Listing endpoint response-exposed,Entity Listing endpoint response,Entity Listing endpoint response,Trigger Entity Listing endpoint response,"Compliant if the response contains a JSON list, not compliant otherwise",HTTP parameter type,Correct Input,Entity Listing endpoint response,Does the Entity expose the entity listing endpoint,"In order to check the presence and correctness of the resolve entity statement endpoint, an HTTP GET request to the entity's endpoint is done. A response containing a JSON list with the known Entity Identifiers is expected",TA,,"Entity Listing response | body | \[\s*""[^""]*""(?:,\s*""[^""]*"")*\s*\]$",This test simply checks if the entity exposes the /.well-known/openid-federation endpoint and if it,SPID_CIE_OIDC#federation-endpoints; https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/federation_endpoint.html,OIDC Federation,Passive,L,Type mismatch,,,,,,,,FALSE,,,no,"[""s1""]",E,Manuali da definire per la prossima versione,N_A,N_A,not_applicable,Entity Listing response
diff --git a/tools/testplan-to-mr/testplan-to-mr.py b/tools/testplan-to-mr/testplan-to-mr.py
index 7ceaf3c..b10a41f 100644
--- a/tools/testplan-to-mr/testplan-to-mr.py
+++ b/tools/testplan-to-mr/testplan-to-mr.py 
@@ -273,14 +273,13 @@ def createJson(table: pd.DataFrame, pattern: str, entity: str) -> list:
 log_value.warning(f'Values missing in table {temp} for Pattern: {row["Pattern name"]} and UID: {row["UID"]}') #print a test suite for each row if not ALL
- if row['Entity under test'] != 'ALL':
- t = []
- t.append(template)
- singleSuite = {"test suite":{"name":"Single test" , "description":"One test only" ,"filter messages": True}, "tests":t}
- json_objects = json.dumps(singleSuite, indent = 2)
- _create_if_not_exist(join(OUT_DIR_SINGLE, row["Entity under test"]))
- with open(os.path.join(wd, OUT_DIR_SINGLE+'/'+row['Entity under test'], f'{row["UID"]}.json'), 'w') as outfile:
- outfile.write(json_objects)
+ t = []
+ t.append(template)
+ singleSuite = {"test suite":{"name":"Single test" , "description":"One test only" ,"filter messages": True}, "tests":t}
+ json_objects = json.dumps(singleSuite, indent = 2)
+ _create_if_not_exist(join(OUT_DIR_SINGLE, entity))
+ with open(os.path.join(wd, OUT_DIR_SINGLE+'/'+entity, f'{row["UID"]}.json'), 'w') as outfile:
+ outfile.write(json_objects)
 tests.append(template)
From 68dc4c554cb1c7dbcd7c5944e932779154b24860 Mon Sep 17 00:00:00 2001
From: marche271
Date: Wed, 10 Apr 2024 13:06:53 +0200
Subject: [PATCH 5/5] Removed test
---
 ...ntication response-prompt-consent-SSO.json | 79 -------------------
 1 file changed, 79 deletions(-)
 delete mode 100644 testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/tbcheck/[NON ESISTE] OP-Authentication response-prompt-consent-SSO.json
diff --git a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/tbcheck/[NON ESISTE] OP-Authentication response-prompt-consent-SSO.json b/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/tbcheck/[NON ESISTE] OP-Authentication response-prompt-consent-SSO.json
deleted file mode 100644
index 7284ed9..0000000 
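Review bot: The comment `#print a test suite for each row if not ALL` directly above the rewritten block is now stale, because the `!= 'ALL'` guard was removed and a single-test file is written for every row under `entity`; change it to `#write a single-test suite file for every row into the entity's directory`. The directory is created with `join(OUT_DIR_SINGLE, entity)` but the file is opened under `os.path.join(wd, OUT_DIR_SINGLE+'/'+entity, ...)`, so if `wd` (defined outside the hunk) is not the current working directory the open can fail on a missing directory; build the path once with `target_dir = os.path.join(wd, OUT_DIR_SINGLE, entity)`, `_create_if_not_exist(target_dir)`, `with open(os.path.join(target_dir, f'{row["UID"]}.json'), 'w') as outfile:`. Both `entity` and `row["UID"]` come from the test-plan table and are used unsanitized as path components, so a value containing a path separator or `..` would write outside OUT_DIR_SINGLE; rejecting such values before the open would make the generator safer against a malformed table. createJson begins before this hunk.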
--- a/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/tbcheck/[NON ESISTE] OP-Authentication response-prompt-consent-SSO.json
+++ /dev/null
@@ -1,79 +0,0 @@
-//Non trovo questo test
-{
- "test": {
- "name": "Does the OP correctly handles the prompt parameter set to \"consent\" in the case of SSO",
- "description": "In the case of the prompt parameter set to consent in an authentication request, the OP has to verify if a SSO session is active and, in this case, it should consent the request. In order to verify this behavior, an authentication request with the prompt parameter set to consent while such a session is active is accomplished and the action of the OP verified. It should not show a login page, automatically authenticating the user. (a SSO session can be simulated by performing a first authentication without a logout and then another authentication request. In both authentication set the prompt parameter to consent login)",
- "type": "active",
- "sessions": [
- "s1",
- "s1-logout"
- ],
- "operations": [
- {
- "session": "s1-logout",
- "action": "start"
- },
- {
- "action": "intercept",
- "from session": "s1-logout",
- "then": "forward",
- "message type": "Authentication request",
- "decode operations": [
- {
- "from": "url",
- "type": "jwt",
- "encodings": [],
- "decode param": "(?